Editing cve/cve-2017-5715

{{cve title|CVE-2017-5715 (Spectre, Variant 2)}}
[[File:spectre-text.svg|200px|right]]
'''[[cve id::CVE-2017-5715]]''' ('''Spectre''', '''Variant 2''', '''Branch Target Injection''') is a [[microprocessor]] vulnerability that allows an attacker to cause otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to a wrong [[branch target]] being temporarily chosen, resulting in {{cve|cve-2017-5753|Spectre Variant 1}} being executed, thus changing the cache states of the [[microarchitecture]], thereby leaking information through [[side-channel analysis|side-channel timing analysis]]. For this attack to work, only [[speculatively execution]] is needed; the processor can still be [[in-order]].

== Overview ==
{{see also|cve/cve-2017-5753#Overview|l1=Spectre, Variant 1 § Overview}}
''Branch Target Injection'' leverages the [[speculative execution]] behavior of the [[microprocessor]] in order to cause some code to expose more information than intended. This method influences the [[indirect branch]] [[branch predictor|predictor]] in the microprocessor to [[speculative execution|speculative]] execute execute malicious code which will leave behind a microarchitectural state that the attacker can then use to infer data values.

A conditional direct branch only has two possible paths that can be speculatively executed. A target branch may be taken or alternatively the execution may "fall-through" to subsequent instructions to be executed. Unlike direct branches, an indirect branch can cause the microprocessor to speculatively execute a very wide range of possible targets. This attack is done by causing an direct branch to speculatively execute a segment of code. If the attacker carefully chooses code that effectively result in {{cve|cve-2017-5753|Spectre Variant 1}}, then the attacker can infer sensitive data from the victims memory space. 

== Example ==
Consider simple [[C++]] {{c++|inheritance}} such as the example below:

<source lang=C++>
class Shape {
 public:
  virtual void Draw() = 0;
};

class Circle : public Shape {
 public:
  void Draw() override { … }
};
</source>

Where <code>Shape</code> is the {{c++|base class}} and <code>Circle</code> is a {{c++|derived class}}. Now consider the following code segment.

<source lang=C++>
Shape* obj = new Circle;
obj->Draw();
</source>

In typical polymorphic code such as the example above, the target address of {{c++|virtual function}} <code>Draw()</code> cannot be determined at compile time, thus resulting in an indirect branch that must be resolved at run-time. During run-time, a dynamic lookup is performed to find the matching function. While this happening, the microprocessor guess the target address and right away starts to [[speculative execution|speculative execute]] that code.

The attacker needs to find code similar to the example above that when manipulated through the [[indirect branch|indirect]] [[branch predictor]], can lead the microprocessor to [[speculative execution|speculative execute]] code that results in in {{cve|cve-2017-5753|Spectre Variant 1}}. The attacker can then use the first variant of the attack to infer sensitive data from the victims memory space. 

== Affected Processors ==
Below is a list of known affected processors, alphabetized. This is '''NOT''' en exhaustive list but rather the ones we were able to verify.

{| class="wikitable"
|-
! colspan="3" | List of Processors affected by Spectre, Variant 2
|-
! Designer !! Processor/Architecture !! Related Notes
|-
| rowspan="6" | [[Apple]] || {{apple|Swift|l=arch}} ({{apple|A6}}/{{apple|A6X}}) || rowspan="6" | [https://support.apple.com/en-us/HT201222 Post]<br>[https://support.apple.com/en-us/HT208331 Post]
|-
| {{apple|Cyclone|l=arch}} ({{apple|A7}})
|-
| {{apple|Typhoon|l=arch}} ({{apple|A8}}/{{apple|A8X}})
|-
| {{apple|Twister|l=arch}} ({{apple|A9}}/{{apple|A9X}})
|-
| {{apple|Hurricane|l=arch}} ({{apple|A10}}/{{apple|A10X}})
|-
| {{apple|Monsoon|l=arch}} ({{apple|A11}}/{{apple|A11X}})
|-
| rowspan="5"| [[AMD]] || {{amd|Bulldozer|l=arch}} || rowspan="5" | [https://www.amd.com/en/corporate/speculative-execution Post]
|-
| {{amd|Piledriver|l=arch}}
|-
| {{amd|Steamroller|l=arch}}
|-
| {{amd|Excavator|l=arch}}
|-
| {{amd|Zen|l=arch}}
|-
| rowspan="10" | [[ARM Holdings|ARM]] || {{armh|Cortex-R7|l=arch}} || rowspan="10" | [https://developer.arm.com/support/security-update Post]
|-
| {{armh|Cortex-R8|l=arch}}
|-
| {{armh|Cortex-A8|l=arch}}
|-
| {{armh|Cortex-A9|l=arch}}
|-
| {{armh|Cortex-A15|l=arch}}
|-
| {{armh|Cortex-A17|l=arch}}
|-
| {{armh|Cortex-A57|l=arch}}
|-
| {{armh|Cortex-A72|l=arch}}
|-
| {{armh|Cortex-A73|l=arch}}
|-
| {{armh|Cortex-A75|l=arch}}
|-
| rowspan="3" | [[Fujitsu]] || [[SPARC64 X+]] || rowspan="3" | [http://support.ts.fujitsu.com/content/SideChannelAnalysisMethod.asp Post]
|-
| [[SPARC64 XIfx]]
|-
| [[SPARC64 XII]]
|-
| rowspan="10" | [[IBM]] || {{ibm|PowerPC 970}}
|-
| {{ibm|POWER6|l=arch}}
|-
| {{ibm|POWER7|l=arch}} || rowspan="5" | [https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/ Post]<br>[http://www-01.ibm.com/support/docview.wss?uid=isg3T1026811 Security Bulletin]
|-
| {{ibm|POWER7+|l=arch}}
|-
| {{ibm|POWER8|l=arch}}
|-
| {{ibm|POWER8+|l=arch}}
|-
| {{ibm|POWER9|l=arch}}
|-
| {{ibm|z12|l=arch}} || rowspan="3" | 
|-
| {{ibm|z13|l=arch}}
|-
| {{ibm|z14|l=arch}}
|-
| rowspan="13" | [[Intel]] || {{intel|Nehalem|l=arch}} || rowspan="2" | 
|-
| {{intel|Westmere|l=arch}}
|-
|{{intel|Sandy Bridge|l=arch}} || rowspan="11" | [https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr Post]
|-
| {{intel|Ivy Bridge|l=arch}}
|-
| {{intel|Haswell|l=arch}}
|-
| {{intel|Broadwell|l=arch}}
|-
| {{intel|Skylake|l=arch}}
|-
| {{intel|Kaby Lake|l=arch}}
|-
| {{intel|Coffee Lake|l=arch}}
|-
| {{intel|Silvermont|l=arch}}
|-
| {{intel|Airmont|l=arch}}
|-
| {{intel|Goldmont|l=arch}}
|-
| {{intel|Goldmont Plus|l=arch}}
|-
| rowspan="2" | {{mipstech|-|MIPS}} || {{mipstech|P5600}} || rowspan="2" | [https://www.mips.com/blog/mips-response-on-speculative-execution-and-side-channel-vulnerabilities/ Post]
|-
| {{mipstech|P6600}}
|-
| [[Motorola]] || {{motorola|PowerPC 74xx}} || rowspan="3" | [https://tenfourfox.blogspot.co.at/2018/01/actual-field-testing-of-spectre-on.html Post]
|}
{{expand list}}

== See also ==
* {{cve|CVE-2017-5753}}, Spectre, Variant 1
* {{cve|CVE-2017-5754}}, Meltdown, Variant 3

== References ==
* Kocher, Paul, et al. "[https://arxiv.org/abs/1801.01203 Spectre Attacks: Exploiting Speculative Execution]." arXiv preprint arXiv:1801.01203 (2018).
* "CVE-2017-5715", https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715

== Documents ==
* [[:File:intel-ref-336983-001.pdf|White Paper: Intel Analysis of Speculative Execution Side Channels]] 


[[category:cve]]