
On 13/01/18 12:21 PM, D. Hugh Redelmeier via talk wrote:
> Now we get to Branch Target Injection, the second form of Spectre.
>
> The indirect branch case is much trickier. An indirect branch is one where the target is not manifest in the instruction. Instead, it is somehow computed. Think:
> - call through a function pointer variable
> - method call in an object-oriented language (a call through a function pointer, at least in the general case)
> - a return from a function
> - a case statement
>
> Fast processors nowadays predict where such a branch will lead. The heuristics used can be outsmarted by carefully crafted code and led to speculate ANYWHERE in the address space. This is awesomely scary. You cannot add protective code on the target because there is no single target. This has similarities to the attack exploitation method called "Return Oriented Programming": the attacker just has to find a useful code fragment somewhere in your codebase and aim the branch target prediction towards it.
>
> Google researchers have devised a trick to prevent indirect branch misprediction from doing a bad guy's bidding. They constructed a "retpoline" that essentially ties up misprediction in a harmless bit of code. See the "Construction (x86)" section of <https://support.google.com/faqs/answer/7625886>. The cost is an ugly piece of code and no useful speculation.
>
> ---
> Talk Mailing List
> talk@gtalug.org
> https://gtalug.org/mailman/listinfo/talk
Thanks, Hugh! Oracle and Fujitsu (who actually make the chips) still haven't said which machine types will suffer from speculation attacks, but did implement a hardware cache change recently in the M7 and M8 series (the conventional, glow-in-the-dark 5 GHz chipsets that speculate wildly) which they market as "Silicon Secured Memory". It reads as if they've been having trouble with "invalid [memory references], stale memory reference and buffer overflows", and have added microcode to cause SEGVs before the data arrives if you try to fetch a cache line that isn't the same "version" as your process. Version sounds like a short value used like a pid, but don't quote me on that: the papers are written by marketers, not engineers (;-))

See https://blogs.oracle.com/partnertech/sas-and-oracle-sparc-m7-silicon-secured...

--dave

-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb@spamcop.net           |                      -- Mark Twain
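Hugh's retpoline description, worked into a small C program as an added example (not code from the thread, nor Google's or the kernel's own thunk): a C-callable wrapper that reaches a function pointer through the jmp *%r11 retpoline construction instead of a predicted indirect branch. It assumes x86-64 Linux with GCC or Clang; the function name `retpoline_call`, the sample targets and the jump table are invented for the demonstration, and on other targets the file falls back to a plain indirect call so it still builds.

```c
#include <stdio.h>

long retpoline_call(long (*fn)(long), long arg);

#if defined(__x86_64__) && defined(__linux__)
/* The jmp *%r11 retpoline from the "Construction (x86)" section, wrapped as
 * a SysV C function: fn arrives in %rdi, arg in %rsi. The target is parked in
 * %r11, arg slides into %rdi, and control reaches fn through a RET whose
 * return address we overwrote, so the indirect-branch predictor is never
 * consulted. Any RSB-predicted return lands on 2: and spins harmlessly. */
__asm__(
    ".text\n"
    ".globl retpoline_call\n"
    ".type retpoline_call, @function\n"
    "retpoline_call:\n"
    "    mov %rdi, %r11\n"        /* target pointer out of the argument regs */
    "    mov %rsi, %rdi\n"        /* fn's first argument moves into place    */
    "    call 1f\n"               /* pushes the address of 2: as return addr */
    "2:  pause\n"                 /* speculative path is trapped here        */
    "    lfence\n"
    "    jmp 2b\n"
    "1:  mov %r11, (%rsp)\n"      /* replace that return address with fn     */
    "    ret\n"                   /* architectural path enters fn; fn's own  */
    ".size retpoline_call, .-retpoline_call\n" /* ret goes back to our caller */
);
#else
/* Non-x86-64 build: plain indirect call so the example still compiles. */
long retpoline_call(long (*fn)(long), long arg) { return fn(arg); }
#endif

/* Constructed sample targets and a jump table: the "call through a function
 * pointer variable" / "case statement" situation described in the thread. */
static long add_one(long x) { return x + 1; }
static long square(long x) { return x * x; }
static long (*const table[])(long) = { add_one, square };

long dispatch(unsigned idx, long x) {
    if (idx >= sizeof table / sizeof table[0])
        return -1;                       /* out-of-range selector */
    return retpoline_call(table[idx], x);
}

int main(void) {
    printf("add_one(41) = %ld\n", retpoline_call(add_one, 41)); /* 42 */
    printf("square(9)   = %ld\n", dispatch(1, 9));              /* 81 */
    return 0;
}
```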