search for: spectreattack

Displaying 4 results from an estimated 4 matches for "spectreattack".

2018 Jan 26
1
RFC: Using link-time optimization to eliminate retpolines
...ress space, and it does not matter what resides at the gadget address in the attacker’s address space; all that is required is that the branch used for training branches to use the same destination virtual address." [1] Kocher et al.: Spectre Attacks: Exploiting Speculative Execution https://spectreattack.com/spectre.pdf Best Regards, Paul > E.g. if the code looks like this, then a branch funnel basically turns > into a standard type 1 pattern AFAICT: > > struct Base { >     virtual int f(long) = 0; > }; > > struct A : Base { >     int f(long x) override { >  ...
2018 Jan 26
0
RFC: Using link-time optimization to eliminate retpolines
...oks like this, then a branch funnel basically turns into a standard type 1 pattern AFAICT: struct Base { virtual int f(long) = 0; }; struct A : Base { int f(long x) override { return 0; }; }; struct B : Base { int f(long x) override { // As in listing 1 in https://spectreattack.com/spectre.pdf return array2[array1[x] * 256]; } }; -- Sean Silva On Tue, Jan 23, 2018 at 4:44 PM, Peter Collingbourne via llvm-dev < llvm-dev at lists.llvm.org> wrote: > The proposed mitigation for variant 2 of CVE-2017-5715, “branch target > injection”, is to send all...
2018 Jan 24
3
RFC: Using link-time optimization to eliminate retpolines
The proposed mitigation for variant 2 of CVE-2017-5715, “branch target injection”, is to send all indirect branches through an instruction sequence known as a retpoline. Because the purpose of a retpoline is to prevent attacker-controlled speculation, we also end up losing the benefits of benign speculation, which can lead to a measurable loss of performance. We can regain some of those benefits
2018 Mar 23
5
RFC: Speculative Load Hardening (a Spectre variant #1 mitigation)
...(a.k.a. Spectre Variant #2): Branch target injection * GPZ Variant #3 (a.k.a. Meltdown): Rogue data cache load For more details, see the Google Project Zero blog post and the Spectre research paper: * https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html * https://spectreattack.com/spectre.pdf The core problem of GPZ Variant #1 is that speculative execution uses branch prediction to select the path of instructions speculatively executed. This path is speculatively executed with the available data, and may load from memory and leak the loaded values through various side c...