SpecROP: Speculative Exploitation of ROP Chains

Authors:

Atri Bhattacharyya and Andrés Sánchez, EPFL; Esmaeil M. Koruyeh, Nael Abu-Ghazaleh, and Chengyu Song, UC Riverside; Mathias Payer, EPFL

Abstract:

Speculative execution attacks, such as Spectre, reuse code from the victim's binary to access and leak secret information during speculative execution. Every variant of the attack requires very particular code sequences, necessitating elaborate gadget-search campaigns. Often, victim programs contain few, or even zero, usable gadgets. Consequently, speculative attacks are sometimes demonstrated by injecting usable code sequences into the victim. So far, attacks search for monolithic gadgets: a single sequence of code that performs all the attack steps.

We introduce SpecROP, a novel speculative execution attack technique, inspired by classic code reuse attacks like Return-Oriented Programming, to tackle the rarity of code gadgets. The SpecROP attacker uses multiple small gadgets, chained by poisoning multiple control-flow instructions, to perform the same computation as a monolithic gadget. A key difference from classic code reuse attacks is that control-flow transfers between gadgets use speculative targets rather than targets held in memory or registers.

We categorize SpecROP gadgets into generic classes and demonstrate the abundance of such gadgets in victim libraries. Further, we explore the practicality of influencing multiple control-flow instructions on modern processors, and demonstrate an attack which uses gadget chaining to increase the leakage potential of a Spectre variant, SMoTherSpectre.

BibTeX
@inproceedings {259705,
author = {Atri Bhattacharyya and Andr{\'e}s S{\'a}nchez and Esmaeil M. Koruyeh and Nael Abu-Ghazaleh and Chengyu Song and Mathias Payer},
title = {{SpecROP}: Speculative Exploitation of {ROP} Chains},
booktitle = {23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020)},
year = {2020},
isbn = {978-1-939133-18-2},
address = {San Sebastian},
pages = {1--16},
url = {https://www.usenix.org/conference/raid2020/presentation/bhattacharyya},
publisher = {USENIX Association},
month = oct
}