[GTALUG] Spectre type 2: Branch Target Injection

David Collier-Brown davec-b at rogers.com
Sat Jan 13 13:54:06 EST 2018

On 13/01/18 12:21 PM, D. Hugh Redelmeier via talk wrote
> Now we get to Branch Target Injection, the second form of Spectre.
> The indirect branch case is much trickier.  An indirect branch is
> one where the target is not manifest in the instruction.  Instead, it
> is somehow computed.  Think:
> - call through a function pointer variable
> - method call in an object oriented language (a call through a
>    function pointer, at least in the general case)
> - a return from a function
> - a case statement
> Fast processors nowadays predict where such a branch will lead.  The
> heuristics used can be outsmarted by carefully crafted code and led
> to speculate ANYWHERE in the address space.  This is awesomely scary.
> You cannot add protective code on the target because there is no
> single target.  This has similarities to the attack exploitation
> method called "Return Oriented Programming": the attacker just has to
> find a useful code fragment somewhere in your codebase and aim the
> branch target prediction towards it.
> Google researchers have devised a trick to prevent indirect branch
> misprediction from doing a bad guy's bidding.  They constructed a
> "retpoline" that essentially ties up misprediction in a harmless bit
> of code.  See the "Construction (x86)" section of
> <https://support.google.com/faqs/answer/7625886>
> The cost is an ugly piece of code and no useful speculation.

Thanks, Hugh!

Oracle and Fujitsu (who actually make the chips) still haven't said which 
machine types will suffer from speculation attacks, but did implement a 
hardware cache change recently in the M7 and M8 series (the 
conventional, glow-in-the-dark 5 GHz chipsets that speculate wildly), 
which they market as "Silicon Secured Memory".

It reads as if they've been having trouble with "invalid [memory 
references], stale memory reference and buffer overflows", and have 
added microcode to cause SEGVs before the data arrives if you try to 
fetch a cache line that isn't the same "version" as your process. 
Version sounds like a short value used like a pid, but don't quote me on 
that: the papers are written by marketers, not engineers (;-))



David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb at spamcop.net           |                      -- Mark Twain
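As an added example (not part of this thread, and not the Google FAQ's own code), here is the "Construction (x86)" retpoline Hugh refers to, wrapped as a GCC/clang inline-asm thunk that calls through a function pointer; the names add, mul and retpoline_call are assumed for illustration, and on non-x86-64 builds the thunk degrades to a plain indirect call so the program still runs.

```c
#include <stdio.h>

typedef int (*op_fn)(int, int);

static int add(int a, int b) { return a + b; }
static int mul(int a, int b) { return a * b; }

/* Call target(a, b) through a retpoline-style thunk (x86-64, GCC/clang).
 * The thunk's RET is the instruction the CPU predicts; its speculative
 * path is parked in the pause/lfence loop, while the architectural path
 * lands on the real target because the pushed return address is
 * overwritten.  Caveat: rewriting the return slot on the stack is exactly
 * what a hardware shadow stack (Intel CET) rejects, so this pattern and
 * CET are mutually exclusive. */
static int retpoline_call(op_fn target, int a, int b)
{
    int result;
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    __asm__ volatile(
        "sub $128, %%rsp\n\t"     /* step past the red zone before pushing */
        "mov %[tgt], %%r11\n\t"   /* r11 holds the computed branch target */
        "call 3f\n\t"             /* push the return address for the target */
        "jmp 4f\n\t"
        "3:\n\t"
        "call 1f\n\t"             /* push the address of the capture loop */
        "2:\n\t"
        "pause\n\t"               /* mispredicted RET speculation spins here */
        "lfence\n\t"
        "jmp 2b\n\t"
        "1:\n\t"
        "mov %%r11, (%%rsp)\n\t"  /* replace pushed address with the target */
        "ret\n\t"                 /* architectural RET jumps to the target */
        "4:\n\t"
        "add $128, %%rsp\n\t"
        : "=a"(result), "+D"(a), "+S"(b)
        : [tgt] "r"(target)
        /* add/mul are plain integer functions; a general thunk would also
         * declare the vector registers clobbered */
        : "rcx", "rdx", "r8", "r9", "r10", "r11", "memory", "cc");
#else
    result = target(a, b);        /* no retpoline on other architectures */
#endif
    return result;
}

int main(void)
{
    printf("add: %d\n", retpoline_call(add, 3, 4));   /* 7 */
    printf("mul: %d\n", retpoline_call(mul, 6, 7));   /* 42 */
    return 0;
}
```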
