From WikiChip
Difference between revisions of "cve/cve-2017-5715"
< cve

(Affected Processors)
(Affected Processors)
Line 44: Line 44:
 
| {{mipstech|-|MIPS}} || P6600
 
| {{mipstech|-|MIPS}} || P6600
 
|-
 
|-
| [[Motorola]] || {{motorola|PowerPC 74xx}} || rowspan="2" | [https://tenfourfox.blogspot.co.at/2018/01/actual-field-testing-of-spectre-on.html Post]
+
| [[Motorola]] || {{motorola|PowerPC 74xx}} || rowspan="3" | [https://tenfourfox.blogspot.co.at/2018/01/actual-field-testing-of-spectre-on.html Post]
 
|-
 
|-
 
| [[IBM]] || {{ibm|PowerPC 970}}
 
| [[IBM]] || {{ibm|PowerPC 970}}

Revision as of 22:27, 26 January 2018

spectre-text.svg

CVE-2017-5715 (Spectre, Variant 2, Branch Target Injection) is a microprocessor vulnerability that allows an attacker to cause an otherwise correctly executing code to expose information to the attacker that wouldn't normally be exposed due to a wrong branch target being temporarily chosen, resulting in Spectre Variant 1 being executed, thus changing the cache states of the microarchitecture, thereby leaking information through side-channel timing analysis. For this attack to work, only speculatively execution is needed; the processor can still be in-order.

Overview

See also: Spectre, Variant 1 § Overview

Branch Target Injection leverages the speculative execution behavior of the microprocessor in order to cause some code to expose more information than intended. This method influences the indirect branch predictor in the microprocessor to speculative execute execute malicious code which will leave behind a microarchitectural state that the attacker can then use to infer data values.

A conditional direct branch only has two possible paths that can be speculatively executed. A target branch may be taken or alternatively the execution may "fall-through" to subsequent instructions to be executed. Unlike direct branches, an indirect branch can cause the microprocessor to speculatively execute a very wide range of possible targets. This attack is done by causing an direct branch to speculatively execute a segment of code. If the attacker carefully chooses code that effectively result in Spectre Variant 1, then the attacker can infer sensitive data from the victims memory space.

Example

Consider simple C++ inheritance such as the example below:

class Shape {
 public:
  virtual void Draw() = 0;
};

class Circle : public Shape {
 public:
  void Draw() override {  }
};

Where Shape is the base class and Circle is a derived class. Now consider the following code segment.

Shape* obj = new Circle;
obj->Draw();

In typical polymorphic code such as the example above, the target address of virtual function Draw() cannot be determined at compile time, thus resulting in an indirect branch that must be resolved at run-time. During run-time, a dynamic lookup is performed to find the matching function. While this happening, the microprocessor guess the target address and right away starts to speculative execute that code.

The attacker needs to find code similar to the example above that when manipulated through the indirect branch predictor, can lead the microprocessor to speculative execute code that results in in Spectre Variant 1. The attacker can then use the first variant of the attack to infer sensitive data from the victims memory space.

Affected Processors

Designer Processor/Architecture Related Notes
MIPS P5600 Post
MIPS P6600
Motorola PowerPC 74xx Post
IBM PowerPC 970
IBM POWER6
IBM POWER7 Post
Security Bulletin
IBM POWER7+
IBM POWER8
IBM POWER8+
IBM POWER9
IBM z12
IBM z13
IBM z14

This list is incomplete; you can help by expanding it.

See also

References

Documents