GhostKnight: Breaching Data Integrity via Speculative Execution
This addresses a critical security vulnerability in computer systems by extending speculative execution attacks to data integrity, potentially affecting all users of affected hardware.
The paper tackles the problem of speculative execution attacks being limited to data confidentiality by introducing GhostKnight, which breaches data integrity by inducing permanent bit flips in DRAM through frequent speculative accesses to illegitimate addresses, enabling attackers to write exploitable bits across privilege boundaries.
Existing speculative execution attacks are limited to breaching confidentiality of data beyond privilege boundary, the so-called spectre-type attacks. All of them utilize the changes in microarchitectural buffers made by the speculative execution to leak data. We show that the speculative execution can be abused to break data integrity. We observe that the speculative execution not only leaves traces in the microarchitectural buffers but also induces side effects within DRAM, that is, the speculative execution can trigger an access to an illegitimate address in DRAM. If the access to DRAM is frequent enough, then architectural changes (i.e., permanent bit flips in DRAM) will occur, which we term GhostKnight. With the power of of GhostKnight, an attacker is essentially able to cross different privilege boundaries and write exploitable bits to other privilege domains. In our future work, we will develop a GhostKnight-based exploit to cross a trusted execution environment, defeat a 1024-bit RSA exponentiation implementation and obtain a controllable signature.