Retbleed Hack: The Hardware Vulnerability Preying on Intel and AMD CPUs

July 18, 2022 by Jake Hertz

Researchers from ETH Zürich have discovered that some of the most popular processors on the market may have a backdoor to information theft.

In 2022 alone, a number of hardware vulnerabilities have been exposed in some of the industry’s most prominent processors. Between the Augury attack on Apple’s M1 and the more recent PACMAN attack, it's clear that no hardware is ever 100% secure.


Compromised processor

During a number of tests, ETH researchers specialized in cyber security found a serious vulnerability in common processors. Image (modified) used courtesy of ETH Zürich/Computer Security Group


Now the line of newly-discovered vulnerabilities includes both Intel and AMD processors. This week, researchers from ETH Zürich have discovered a new security vulnerability called Retbleed, which leverages speculative calculations to open a backdoor in the computer hardware.


Five-stage Pipeline and Branching

To better understand the Retbleed attack, it's helpful to understand the background of computer organization.

Most modern microprocessors, including those designed by Intel and AMD, use a pipelined architecture to improve performance. A standard five-stage pipeline includes: 

  1. Instruction fetch (IF)
  2. Instruction decode (ID)
  3. Execute (EX)
  4. Memory access (MEM)
  5. Write back (WB)

Each of these stages takes at least a single clock cycle to execute.


A standard five-stage pipeline with data forwarding

A standard five-stage pipeline with data forwarding. Image used courtesy of Berg et al


This architecture, however, faces a particular challenge when conditional branching instructions occur. Traditionally, program instructions are sequential, executing commands in order one after the other. In contrast, with control flow, programmers use conditional branching statements. These instructions tell a processor to check some conditional statement (e.g., a > b) and to branch off into a different part of the program if the conditional is met.


What is Speculative Execution? 

The challenge with branching is that it takes multiple clock cycles to fetch the operands, check the conditional, and then perform the actual branching if needed. This can severely slow down the CPU performance. To bypass this slowdown, processors instead use a technique known as speculative execution.


Speculative execution

Speculative execution is used to speed up processor performance. Image used courtesy of Kocher et al


With speculative execution, a processor performs branch prediction, attempting to predict whether or not a branch will be taken before the branch is even encountered. Beyond branch prediction, speculative execution will actually execute the first couple of instructions in the new branch.

If a branch is taken in error, then the changes are reverted and the correct path is taken instead. In modern processors, once a function has been executed, a return instruction causes the processor to return to a point in the computer program immediately after the original instruction that used the function.

In this way, speculative execution allows for faster performance in the CPU, where accurate branch predictions allow for instructions to be executed without waiting for the actual branch conditional to be determined through the processor pipeline.


ETH Zürich Reveals the Retbleed Attack

In the new paper from ETH Zürich, researchers described a new "Retbleed" attack they consider a serious vulnerability in both AMD and Intel processors.

The Retbleed attack leverages return instructions as an attack vector for speculative execution. Using this technique, the researchers demonstrated that return instructions behave like indirect branches under certain conditions. The researchers were able to reverse engineer these conditions to find that with speculative execution, a particularly large number of return statements become vulnerable through leaks in the system. 


In 908 test cases, the researchers found 1,069 vulnerable returns across 96 system calls

In 908 test cases, the researchers found 1,069 vulnerable returns across 96 system calls. Image used courtesy of Wikner et al


Under these conditions, returns in Intel systems began behaving like indirect jumps when the Return Stack Buffer, which holds return target predictions, was underflowed. On AMD systems, returns behaved like an indirect branch regardless of the state of their Return Address Stack. These results showed how researchers could take control of the system to achieve arbitrary speculative code execution.

Because of the widespread nature of Intel and AMD processors, the impacts of this attack could be significant for users. The researchers did note, however, that they notified Intel and AMD of their findings well before the paper was published. The companies have had time to work on mitigation techniques that are addressed in the most recent software updates for the affected systems.