search for: mistrain

2018 Jan 26
1
RFC: Using link-time optimization to eliminate retpolines
...return 1; }; }; static int aCompletelyUnrelatedFunction() { someOtherCode(); Gadget: int z = array2[array1[somethingInTheSameRegisterAsX] * 256]; return z; } Here the attacker could train the predictor to continue execution at "Gadget". To quote from [1] "To mistrain the BTB, the attacker finds the virtual address of the gadget in the victim’s address space, then performs indirect branches to this address. This training is done from the attacker’s address space, and it does not matter what resides at the gadget address in the attacker’s address space; all...
2018 Jan 26
0
RFC: Using link-time optimization to eliminate retpolines
Wouldn't a branch funnel open the door to a type 1 attack? E.g. if the code looks like this, then a branch funnel basically turns into a standard type 1 pattern AFAICT: struct Base { virtual int f(long) = 0; }; struct A : Base { int f(long x) override { return 0; }; }; struct B : Base { int f(long x) override { // As in listing 1 in
2018 Jan 24
3
RFC: Using link-time optimization to eliminate retpolines
The proposed mitigation for variant 2 of CVE-2017-5715, “branch target injection”, is to send all indirect branches through an instruction sequence known as a retpoline. Because the purpose of a retpoline is to prevent attacker-controlled speculation, we also end up losing the benefits of benign speculation, which can lead to a measurable loss of performance. We can regain some of those benefits