Mar 11, 2020

Bypassing memory safety mechanisms through speculative control flow hijacks

arXiv:2003.05503v3, 26 citations
Originality: Incremental advance
AI Analysis

This is an incremental finding: it shows that existing memory-safety defenses in software systems can be undermined by speculative execution, potentially affecting any program that relies on these defenses.

The paper demonstrates that memory corruption defenses like stack canaries, control flow integrity, and bounds checks can be bypassed using speculative execution attacks, enabling information leakage through speculative control flow hijacks and speculative return-oriented programming.

The prevalence of memory corruption bugs in the past decades resulted in numerous defenses, such as stack canaries, control flow integrity (CFI), and memory safe languages. These defenses can prevent entire classes of vulnerabilities, and help increase the security posture of a program. In this paper, we show that memory corruption defenses can be bypassed using speculative execution attacks. We study the cases of stack protectors, CFI, and bounds checks in Go, demonstrating under which conditions they can be bypassed by a form of speculative control flow hijack, relying on speculative or architectural overwrites of control flow data. Information is leaked by redirecting the speculative control flow of the victim to a gadget accessing secret data and acting as a side channel send. We also demonstrate, for the first time, that this can be achieved by stitching together multiple gadgets, in a speculative return-oriented programming attack. We discuss and implement software mitigations, showing moderate performance impact.
