From WikiChip
Difference between revisions of "cve/cve-2017-5715"

(var 2)
 
Line 3: Line 3:
  
 
== Overview ==
 
== Overview ==
{{see also|cve/cve-2017-5753#Overview|l1=Spectre, Variant 2 § Overview}}
+
{{see also|cve/cve-2017-5753#Overview|l1=Spectre, Variant 1 § Overview}}
 
''Branch Target Injection'' leverages the [[speculative execution]] behavior of the [[microprocessor]] in order to cause some code to expose more information than intended. This method influences the [[indirect branch]] [[branch predictor|predictor]] in the microprocessor to [[speculative execution|speculative]] execute execute malicious code which will leave behind a microarchitectural state that the attacker can then use to infer data values.
 
''Branch Target Injection'' leverages the [[speculative execution]] behavior of the [[microprocessor]] in order to cause some code to expose more information than intended. This method influences the [[indirect branch]] [[branch predictor|predictor]] in the microprocessor to [[speculative execution|speculative]] execute execute malicious code which will leave behind a microarchitectural state that the attacker can then use to infer data values.
  
A conditional direct branch only has two possible paths that can be speculatively executed. A target branch may be taken or alternatively the execution may "fall-through" to subsequent instructions to be executed. Unlike direct branches, an indirect branch can cause the microprocessor to speculatively execute a very wide range of possible targets. This attack is done by causing an direct branch to speculatively execute a segment of code that leaves behind a change in the microarchitecture, even after the state of the machine is restored to the state it has before the mis-prediction took.
+
A conditional direct branch only has two possible paths that can be speculatively executed. A target branch may be taken or alternatively the execution may "fall-through" to subsequent instructions to be executed. Unlike direct branches, an indirect branch can cause the microprocessor to speculatively execute a very wide range of possible targets. This attack is done by causing an direct branch to speculatively execute a segment of code. If the attacker carefully chooses code that effectively result in {{cve|cve-2017-5753|Spectre Variant 1}}, then the attacker can infer sensitive data from the victims memory space.  
  
 
[[category:cve]]
 
[[category:cve]]
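Review bot: the see-also label was the defect, not the link target; cve-2017-5753 is Spectre Variant 1, so changing the displayed text to "Spectre, Variant 1 § Overview" while keeping the same target is the right fix. Two defects survive in both revisions and should be corrected in the same edit: "speculative execute execute" is a doubled word and should read "speculatively execute", and "causing an direct branch to speculatively execute" contradicts the preceding sentence, which says it is indirect branches that offer a wide range of targets; it should read "an indirect branch". The new closing sentence also needs "effectively results in" and "the victim's memory space".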

Revision as of 23:34, 25 January 2018

CVE-2017-5715 (Spectre, Variant 2, Branch Target Injection) is a microprocessor vulnerability that allows an attacker to cause otherwise correctly executing code to expose information that would not normally be exposed: a wrong branch target is temporarily chosen, the cache state of the microarchitecture changes as a result, and that change leaks information through side-channel timing analysis.

Overview

See also: Spectre, Variant 1 § Overview

Branch Target Injection leverages the speculative execution behavior of the microprocessor in order to cause some code to expose more information than intended. This method influences the indirect branch predictor in the microprocessor to speculatively execute malicious code, which leaves behind a microarchitectural state that the attacker can then use to infer data values.

A conditional direct branch has only two possible paths that can be speculatively executed: the branch target may be taken, or execution may "fall through" to the subsequent instructions. Unlike direct branches, an indirect branch can cause the microprocessor to speculatively execute a very wide range of possible targets. This attack is done by causing an indirect branch to speculatively execute a segment of code. If the attacker carefully chooses code that effectively results in Spectre Variant 1, then the attacker can infer sensitive data from the victim's memory space.
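Whether a given Linux host reports a mitigation for this vulnerability can be checked from the kernel's sysfs status entry. The following is an added example, not code from the WikiChip page; it assumes the file /sys/devices/system/cpu/vulnerabilities/spectre_v2 and the status-line format the Linux kernel prints there, and embeds constructed sample lines so that it also runs offline.

```python
"""Parse a Linux host's reported Spectre v2 (CVE-2017-5715) mitigation state.
Added example, not from the WikiChip page; assumes the kernel's sysfs file
/sys/devices/system/cpu/vulnerabilities/spectre_v2 and its status-line format."""
from pathlib import Path

SYSFS_PATH = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# Constructed sample status lines in the shape the kernel prints.
SAMPLE_LINES = [
    "Not affected",
    "Vulnerable",
    "Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: disabled; RSB filling",
    "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling",
]


def parse_spectre_v2(line):
    """Return a dict with an overall verdict and the individual mitigation fields."""
    line = line.strip()
    result = {"raw": line, "state": "unknown", "mitigation": None, "fields": {}}
    if line == "Not affected":
        result["state"] = "not_affected"
    elif line.startswith("Vulnerable"):
        result["state"] = "vulnerable"
    elif line.startswith("Mitigation:"):
        result["state"] = "mitigated"
        parts = [p.strip() for p in line[len("Mitigation:"):].split(";")]
        result["mitigation"] = parts[0]  # primary mechanism, e.g. Retpolines
        # Remaining fields are "NAME: value" pairs or bare flags such as IBRS_FW.
        for part in parts[1:]:
            name, sep, value = part.partition(":")
            result["fields"][name.strip()] = value.strip() if sep else True
    return result


def host_status(path=SYSFS_PATH):
    """Parse the live sysfs entry; None when absent (non-Linux or older kernel)."""
    try:
        return parse_spectre_v2(path.read_text())
    except OSError:
        return None


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_spectre_v2(sample))
    live = host_status()
    print("this host:", live["state"] if live else "sysfs entry not available")
```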