search for: predicate_st

...oad-hardening> Example: void leak(int data);void example(int* pointer1, int* pointer2) { if (condition) leak(*pointer1); else leak(*pointer2);} After the applying the mitigation the code resembles like: void leak(int data); void example(int* pointer1, int* pointer2) { uintptr_t predicate_state = all_ones_mask; if (condition) { predicate_state = !condition ? all_zeros_mask : predicate_state; pointer1 &= predicate_state; leak(*pointer1); } else { int value2 = *pointer2 & predicate_state; leak(value2); } } Let's assume that the branch is mispredicte...

...ct during speculation, we mask with all_ones, the processor can follow the predicted branch to retire. But if the processor mispredicted the branch, it will revert back as soon as condition become available if this is the case then we don't execute speculatively the operations : pointer1 &= predicate_state - (if branch) and *pointer2 & predicted_state - (else branch) right? Or out-of-processor's allow such access? Plus, why we are masking with all_zeros_mask during mis-prediction. Is there any reason for choosing all_zeros_mask? Cheers, Praveen On Tue, 17 Sep 2019 at 17:08, Jeremy Lak...

...>> all_ones, the processor can follow the predicted branch to retire. >> But if the processor mispredicted the branch, it will revert back as soon >> as condition become available if this is the case then we don't execute >> speculatively the operations : pointer1 &= predicate_state - (if branch) >> and *pointer2 & predicted_state - (else branch) right? Or >> out-of-processor's allow such access? >> >> Plus, why we are masking with all_zeros_mask during mis-prediction. Is >> there any reason for choosing all_zeros_mask? >> >&gt...

...more code ... leak(*pointer2); } } ``` This would get transformed into something resembling the following: ``` uintptr_t all_ones_mask = std::numerical_limits<uintptr_t>::max(); uintptr_t all_zeros_mask = 0; void leak(int data); void example(int* pointer1, int* pointer2) { uintptr_t predicate_state = all_ones_mask; if (condition) { predicate_state = !condition ? all_zeros_mask : predicate_state; // ... lots of code ... // // Harden the pointer so it can't be loaded pointer1 &= predicate_state; leak(*pointer1); } else { predicate_state = condition ? a...