The 2021 Pwnie Nominee For Most Innovative Research

An Analysis of Speculative Type Confusion Vulnerabilities in the Wild

Researcher Names: Ofek Kirzner and Adam Morrison

Link: https://www.usenix.org/system/files/sec21summer_kirzner.pdf

Defense is hard! This research shows that the Linux kernel’s Spectre mitigations stop only a subset of Spectre v1 attacks, making Linux vulnerable to a new “speculative type confusion” vector for which there is no effective defense.

A speculative type confusion attack uses branch misprediction to make the kernel execute with variables holding values of the wrong type and thereby leak memory content. The paper found multiple exploitable and potentially exploitable speculative type confusion attacks on the Linux kernel, with PoCs, of course. It demonstrated a full memory disclosure attack, capable of reading all of physical memory, by bypassing Linux eBPF’s Spectre mitigations.
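To make the mechanism concrete, here is an added illustration (it is not code from the paper or from the Linux kernel, and the names `struct obj`, `first_byte_unsafe`, `first_byte_safe` and `SPEC_BARRIER` are hypothetical). It shows the code shape that gives rise to a speculative type confusion, a type check guarding a dereference of a union field, and the same function with a speculation barrier placed after the check, which is the kind of fix a kernel maintainer would apply. Nothing here measures or exercises the side channel; the test only checks the architectural behaviour that both versions share.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the paper or the Linux kernel. Names are hypothetical. */

enum obj_type { OBJ_PTR = 1, OBJ_INT = 2 };

/* A tagged object: which member of `payload` is valid depends on `type`. */
struct obj {
    enum obj_type type;
    union {
        const uint8_t *ptr;  /* valid only when type == OBJ_PTR */
        uint64_t       num;  /* valid only when type == OBJ_INT */
    } payload;
};

/* Speculation barrier. On x86 this is lfence (the kernel's barrier_nospec()
 * expands to the same instruction); on other targets a compiler-only barrier
 * stands in so the example still builds. */
#if defined(__x86_64__) || defined(__i386__)
#define SPEC_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#define SPEC_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

/* Vulnerable shape. Architecturally the type check prevents an OBJ_INT
 * object from ever reaching the dereference. If the branch is mispredicted,
 * however, the CPU may transiently run the OBJ_PTR path on an OBJ_INT object,
 * interpreting `num` as a pointer. The loaded byte is discarded when the
 * misprediction is resolved, but the load can leave a cache footprint, which
 * is the Spectre v1 channel. Note that Linux's usual index-masking defence
 * (array_index_nospec) is irrelevant here: there is no array index to mask,
 * only a type tag, which is what the paper means by "type confusion". */
int first_byte_unsafe(const struct obj *o, uint8_t *out)
{
    if (o->type != OBJ_PTR)
        return -1;
    *out = o->payload.ptr[0];
    return 0;
}

/* Hardened shape: the barrier keeps the dependent load from issuing until the
 * type-check branch has actually resolved, so no wrong-typed dereference can
 * happen even transiently. */
int first_byte_safe(const struct obj *o, uint8_t *out)
{
    if (o->type != OBJ_PTR)
        return -1;
    SPEC_BARRIER();
    *out = o->payload.ptr[0];
    return 0;
}

int main(void)
{
    static const uint8_t secret[] = { 0x41, 0x42 };   /* constructed sample data */
    struct obj p = { .type = OBJ_PTR, .payload.ptr = secret };
    struct obj n = { .type = OBJ_INT, .payload.num = 0xdeadbeefULL };
    uint8_t b = 0;

    printf("ptr object: rc=%d byte=0x%02x\n", first_byte_safe(&p, &b), b);
    printf("int object: rc=%d (dereference refused)\n", first_byte_safe(&n, &b));
    return 0;
}
```

Both functions behave identically when executed architecturally; the difference exists only in what the processor may do transiently, which is exactly why this class of bug is invisible to ordinary testing and why the paper had to hunt for the pattern in kernel source rather than observe it at runtime.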

The paper also showed that speculative type confusion can arise from compiler optimizations, which developers cannot control or reason about at the source level. Finally, the paper analyzed Linux’s approach to reducing retpoline overhead by replacing retpolines with a sequence of direct branches to the possible valid targets. This work shows that Spectre v1 attacks are a very real threat for which there is no satisfactory, efficient mitigation.