Semiconductor & Computer Engineering
From WikiChip
Editing cve/cve-2017-5715
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.
The edit can be undone.
Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
This page supports semantic in-text annotations (e.g. "[[Is specified as::World Heritage Site]]") to build structured and queryable content provided by Semantic MediaWiki. For a comprehensive description on how to use annotations or the #ask parser function, please have a look at the getting started, in-text annotation, or inline queries help pages.
| Latest revision | Your text | ||
| Line 1: | Line 1: | ||
{{cve title|CVE-2017-5715 (Spectre, Variant 2)}} | {{cve title|CVE-2017-5715 (Spectre, Variant 2)}} | ||
[[File:spectre-text.svg|200px|right]] | [[File:spectre-text.svg|200px|right]] | ||
| − | ''' | + | '''CVE-2017-5715''' ('''Spectre''', '''Variant 2''', '''Branch Target Injection''') is a [[microprocessor]] vulnerability that allows an attacker to cause an otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to a wrong [[branch target]] being temporarily chosen, resulting in {{cve|cve-2017-5753|Spectre Variant 1}} being executed, thus changing the cache states of the [[microarchitecture]], thereby leaking information through [[side-channel analysis|side-channel timing analysis]]. |
== Overview == | == Overview == | ||
| Line 7: | Line 7: | ||
''Branch Target Injection'' leverages the [[speculative execution]] behavior of the [[microprocessor]] in order to cause some code to expose more information than intended. This method influences the [[indirect branch]] [[branch predictor|predictor]] in the microprocessor to [[speculative execution|speculative]] execute execute malicious code which will leave behind a microarchitectural state that the attacker can then use to infer data values. | ''Branch Target Injection'' leverages the [[speculative execution]] behavior of the [[microprocessor]] in order to cause some code to expose more information than intended. This method influences the [[indirect branch]] [[branch predictor|predictor]] in the microprocessor to [[speculative execution|speculative]] execute execute malicious code which will leave behind a microarchitectural state that the attacker can then use to infer data values. | ||
| − | A conditional direct branch only has two possible paths that can be speculatively executed. A target branch may be taken or alternatively | + | A conditional direct branch only has two possible paths that can be speculatively executed. A target branch may be taken or alternatively the execution may "fall-through" to subsequent instructions to be executed. Unlike direct branches, an indirect branch can cause the microprocessor to speculatively execute a very wide range of possible targets. This attack is done by causing an direct branch to speculatively execute a segment of code. If the attacker carefully chooses code that effectively result in {{cve|cve-2017-5753|Spectre Variant 1}}, then the attacker can infer sensitive data from the victims memory space. |
== Example == | == Example == | ||
| Line 34: | Line 34: | ||
The attacker needs to find code similar to the example above that when manipulated through the [[indirect branch|indirect]] [[branch predictor]], can lead the microprocessor to [[speculative execution|speculative execute]] code that results in in {{cve|cve-2017-5753|Spectre Variant 1}}. The attacker can then use the first variant of the attack to infer sensitive data from the victims memory space. | The attacker needs to find code similar to the example above that when manipulated through the [[indirect branch|indirect]] [[branch predictor]], can lead the microprocessor to [[speculative execution|speculative execute]] code that results in in {{cve|cve-2017-5753|Spectre Variant 1}}. The attacker can then use the first variant of the attack to infer sensitive data from the victims memory space. | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
== See also == | == See also == | ||
| Line 153: | Line 42: | ||
* Kocher, Paul, et al. "[https://arxiv.org/abs/1801.01203 Spectre Attacks: Exploiting Speculative Execution]." arXiv preprint arXiv:1801.01203 (2018). | * Kocher, Paul, et al. "[https://arxiv.org/abs/1801.01203 Spectre Attacks: Exploiting Speculative Execution]." arXiv preprint arXiv:1801.01203 (2018). | ||
* "CVE-2017-5715", https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715 | * "CVE-2017-5715", https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715 | ||
| − | |||
| − | |||
| − | |||
[[category:cve]] | [[category:cve]] | ||
