This paper provides the first systematic analysis of a synergistic threat model encompassing memory corruption vulnerabilities and microarchitectural side-channel vulnerabilities. We study speculative shield bypass attacks that leverage speculative execution attacks to leak secrets that are critical to the security of memory corruption mitigations (i.e., the shields), and then use the leaked secrets to bypass the mitigation mechanisms and successfully conduct memory corruption exploits, such as control-flow hijacking. We start by systematizing a taxonomy of the state-of-the-art memory corruption mitigations focusing on hardware-software co-design solutions. The taxonomy helps us to identify 10 likely vulnerable defense schemes out of 20 schemes that we analyze. Next, we develop a graph-based model to analyze the 10 likely vulnerable defenses and reason about possible countermeasures. Finally, we present three proof-of-concept attacks targeting an already-deployed mitigation mechanism and two state-of-the-art academic proposals.