[GTALUG] Spectre type 2: Branch Target Injection
David Collier-Brown
davec-b at rogers.com
Sat Jan 13 13:54:06 EST 2018
On 13/01/18 12:21 PM, D. Hugh Redelmeier via talk wrote:
> Now we get to Branch Target Injection, the second form of Spectre.
>
> The indirect branch case is much trickier. An indirect branch is
> one where the target is not manifest in the instruction. Instead, it
> is somehow computed. Think:
>
> - call through a function pointer variable
>
> - method call in an object oriented language (a call through a
> function pointer, at least in the general case)
>
> - a return from a function
>
> - a case statement
>
> Fast processors nowadays predict where such a branch will lead. The
> heuristics used can be outsmarted by carefully crafted code and led
> to speculate ANYWHERE in the address space. This is awesomely scary.
> You cannot add protective code on the target because there is no
> single target. This has similarities to the attack exploitation
> method called "Return Oriented Programming": the attacker just has to
> find a useful code fragment somewhere in your codebase and aim the
> branch target prediction towards it.
>
> Google researchers have devised a trick to prevent indirect branch
> misprediction from doing a bad guy's bidding. They constructed a
> "retpoline" that essentially ties up misprediction in a harmless bit
> of code. See the "Construction (x86)" section of
> <https://support.google.com/faqs/answer/7625886>
> The cost is an ugly piece of code and no useful speculation.
Thanks, Hugh!

Oracle and Fujitsu (who actually make the chips) still haven't said which
machine types will suffer from speculation attacks, but did implement a
hardware cache change recently in the M7 and M8 series (the
conventional, glow-in-the-dark 5 GHz chipsets that speculate wildly)
which they market as "Silicon Secured Memory".

It reads as if they've been having trouble with "invalid [memory
references], stale memory reference and buffer overflows", and have
added microcode to cause SEGVs before the data arrives if you try to
fetch a cache line that isn't the same "version" as your process.

Version sounds like a short value used like a pid, but don't quote me on
that: the papers are written by marketers, not engineers (;-))

See
https://blogs.oracle.com/partnertech/sas-and-oracle-sparc-m7-silicon-secured-memory

--dave
--
David Collier-Brown, | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb at spamcop.net | -- Mark Twain
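
Added example, not part of either message above and not Google's or any compiler's own code: a sketch of the retpoline idea from the quoted text, with a function-pointer dispatch routed through a thunk whose return prediction lands in a harmless spin loop. It assumes x86-64 Linux with GCC or Clang (other targets fall back to a plain indirect call); the names demo_retpoline_call, dispatch, twice and negate are made up for the sketch.

```c
#include <stdio.h>

typedef long (*handler_t)(long);

#if defined(__x86_64__) && defined(__linux__)
/* long demo_retpoline_call(handler_t fn, long arg)
 * SysV ABI: fn arrives in %rdi, arg in %rsi. */
__asm__(
    ".pushsection .text\n"
    ".globl demo_retpoline_call\n"
    ".type demo_retpoline_call, @function\n"
    "demo_retpoline_call:\n"
    "    mov %rdi, %r11\n"      /* r11 = the real branch target           */
    "    mov %rsi, %rdi\n"      /* arg becomes the target's 1st parameter */
    "    call 2f\n"             /* pushes the address of label 1          */
    "1:  pause\n"               /* the return predictor sends speculation */
    "    lfence\n"              /* here, where it spins without touching  */
    "    jmp 1b\n"              /* any data                               */
    "2:  mov %r11, (%rsp)\n"    /* overwrite return address with target   */
    "    ret\n"                 /* architecturally: a jump to *r11        */
    ".size demo_retpoline_call, .-demo_retpoline_call\n"
    ".popsection\n");
long demo_retpoline_call(handler_t fn, long arg);
#else
/* Other targets: plain indirect call, no mitigation (fallback only). */
static long demo_retpoline_call(handler_t fn, long arg) { return fn(arg); }
#endif

static long twice(long x)  { return 2 * x; }
static long negate(long x) { return -x; }

/* A table of function pointers: one of the indirect-branch sources
 * listed in the quoted message. */
static handler_t const handlers[] = { twice, negate };

long dispatch(unsigned op, long arg)
{
    if (op >= sizeof handlers / sizeof handlers[0])
        return 0;                       /* unknown opcode */
    /* Instead of handlers[op](arg), go through the thunk. */
    return demo_retpoline_call(handlers[op], arg);
}

int main(void)
{
    printf("%ld %ld\n", dispatch(0, 21), dispatch(1, 7));
    return 0;
}
```

In practice the compiler emits such thunks for every indirect branch (GCC's -mindirect-branch=thunk, Clang's -mretpoline) rather than having them written by hand.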