RASSLE: Return Address Stack based Side-channel LEakage

Micro-architectural attacks on computing systems often unearth from simple artefacts in the underlying architecture. In this paper, we focus on the Return Address Stack (RAS), a seemingly tiny hardware stack present in modern processors to reduce the branch miss penalty by storing the return addresses of each function call. The RAS is useful to handle specifically the branch predictions for the RET instructions which are not accurately predicted by the typical branch prediction units. In particular, we envisage a spy process who crafts an overflow condition in the RAS by filling it with arbitrary return addresses and wrestles with a concurrent process to establish a timing side-channel between them. We call this attack principle, RASSLE,1(Return Address Stack based Side-channel Leakage), which an adversary can launch on modern processors by first reverse engineering the RAS using a generic methodology exploiting the established timing channel. Subsequently, we show three concrete attack scenarios: i) How a spy can establish a covert channel with another co-residing process? ii) How RASSLE can be utilized to determine the secret key of the P−384curves in OpenSSL (v1.1.1 library). iii) How an ECDSA secret key on P−256curve of OpenSSL can be revealed using Lattice Attack on partially leaked nonces with the aid of RASSLE. In this attack, we show that the OpenSSL implementation of scalar multiplication on this curve has varying number of add-and-sub function calls, which depends on the secret scalar bits. We demonstrate through several experiments that the number of add-and-sub function calls can be used to template the secret bit, which can be picked up by the spy using the principles of RASSLE. Finally, we demonstrate a full end-to-end attack on OpenSSL’s Elliptic Curve Digital Signature Algorithm (ECDSA) using curve parameters of curve P−256. In this part of our experiments with RASSLE we abuse the deadline scheduler policy to attain perfect synchronization between the spy and victim, without any aids of induced synchronization from the victim code. This synchronization and timing leakage through RASSLE is sufficient to retrieve the Most Significant bits of the ephemeral nonces used while signature generation, from which we subsequently retrieve the secret signing key of the sender applying the Hidden Number Problem