On 13/01/18 12:21 PM, D. Hugh Redelmeier via talk wrote:
Now we get to Branch Target Injection, the second form of Spectre.

The indirect branch case is much trickier.  An indirect branch is
one where the target is not manifest in the instruction.  Instead, it
is somehow computed.  Think:

- call through a function pointer variable

- method call in an object oriented language (a call through a
  function pointer, at least in the general case)

- a return from a function

- a case statement

Fast processors nowadays predict where such a branch will lead.  The
heuristics used can be outsmarted by carefully crafted code and led
to speculate ANYWHERE in the address space.  This is awesomely scary.
You cannot add protective code on the target because there is no
single target.  This has similarities to the attack exploitation
method called "Return Oriented Programming": the attacker just has to
find a useful code fragment somewhere in your codebase and aim the
branch target prediction towards it.

Google researchers have devised a trick to prevent indirect branch
misprediction from doing a bad guy's bidding.  They constructed a
"retpoline" that essentially ties up misprediction in a harmless bit
of code.  See the "Construction (x86)" section of
<https://support.google.com/faqs/answer/7625886>
The cost is an ugly piece of code and no useful speculation.
---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk

Thanks, Hugh!

Oracle and Fujitsu (who actually make the chips) still haven't said which machine types will suffer from speculation attacks, but did implement a hardware cache change recently in the M7 and M8 series (the conventional, glow-in-the-dark 5 GHz chipsets that speculate wildly) which they market as "Silicon Secured Memory".

It reads as if they've been having trouble with "invalid [memory references], stale memory reference and buffer overflows", and have added microcode to cause SEGVs before the data arrives if you try to fetch a cache line that isn't the same "version" as your process. Version sounds like a short value used like a pid, but don't quote me on that: the papers are written by marketers, not engineers (;-))

See https://blogs.oracle.com/partnertech/sas-and-oracle-sparc-m7-silicon-secured-memory

--dave

-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb@spamcop.net           |                      -- Mark Twain
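To make Hugh's retpoline description above concrete, here is an added example of my own (not code from Hugh's message or from Google's page): the "Construction (x86)" thunk written as an x86-64 ELF function callable from C, used to route a switch-style function-pointer dispatch through it. The names retpoline_call, dispatch, square, negate and the ops table are mine; on non-x86-64 or non-ELF builds the thunk falls back to a plain indirect call so the program still compiles.

```c
#include <stdio.h>

/* Google's retpoline thunk (x86-64, AT&T syntax) exposed to C as
 *   long retpoline_call(long (*fn)(long), long arg);
 * Rather than an indirect CALL whose target the CPU must predict, it
 * CALLs a local label (pushing a return address that points at a harmless
 * PAUSE/LFENCE loop, which the return stack buffer now predicts as the
 * RET target), overwrites that pushed address with the real target, then
 * RETs: architecturally we reach fn, mispredicted speculation spins in the
 * capture loop and is discarded. */
#if defined(__x86_64__) && defined(__ELF__)
__asm__(
    ".text\n"
    ".globl retpoline_call\n"
    ".type retpoline_call, @function\n"
    "retpoline_call:\n"
    "    movq %rdi, %r11\n"      /* real target into scratch register r11 */
    "    movq %rsi, %rdi\n"      /* shift arg into rdi, fn's first argument */
    "    call 1f\n"              /* push address of 2: and jump to 1: */
    "2:  pause\n"                /* capture_spec: speculation lands here */
    "    lfence\n"
    "    jmp 2b\n"
    "1:  movq %r11, (%rsp)\n"    /* overwrite return address with target */
    "    ret\n"                  /* predicted: 2:; architectural: fn(arg) */
);
long retpoline_call(long (*fn)(long), long arg);
#else
/* Fallback for other targets: a plain, unmitigated indirect call. */
long retpoline_call(long (*fn)(long), long arg) { return fn(arg); }
#endif

/* Two handlers and a dispatch table, the shape a compiler emits for a
 * switch or virtual call: an untrusted index selects the branch target. */
static long square(long x) { return x * x; }
static long negate(long x) { return -x; }
static long (*const ops[])(long) = { square, negate };

long dispatch(unsigned op, long x) {
    if (op >= sizeof ops / sizeof ops[0])
        return 0;                       /* bounds-check the index first */
    return retpoline_call(ops[op], x);  /* indirect call through the thunk */
}

int main(void) {
    printf("square(7)=%ld negate(7)=%ld\n", dispatch(0, 7), dispatch(1, 7));
    return 0;
}
```

Build with a plain `cc retpoline.c`; compiling the same dispatch with GCC's `-mindirect-branch=thunk` or Clang's `-mretpoline` makes the compiler emit this thunk for you at every indirect call.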