Google creates software protection technique to ward off Spectre bug

9/01/2018

As companies scramble to put out patches and fixes for the recent Meltdown and Spectre vulnerabilities, Google has come up with a new technique to help developers mitigate the risks.

The company has developed Retpoline, a binary modification technique designed to mitigate risks against Spectre’s branch target injection attack.

“‘Retpoline’ sequences are a software construct which allow indirect branches to be isolated from speculative execution.  This may be applied to protect sensitive binaries (such as operating system or hypervisor implementations) from branch target injection attacks against their indirect branches,” Paul Turner, senior staff engineer of technical infrastructure at Google, wrote in a post. “The name ‘retpoline’ is a portmanteau of ‘return’ and ‘trampoline.’  It is a trampoline construct constructed using return operations which also figuratively ensures that any associated speculative execution will ‘bounce’ endlessly.”
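The construct Turner describes, as an added example (not code from the article or from Google): an x86-64 thunk that stands in for `jmp *%rax`, so the `ret` is predicted from the return stack and speculation lands in a `pause`/`lfence` loop while real execution continues to the intended target. The names `retpoline_rax_thunk`, `call_via_retpoline`, `dispatch`, `triple` and `negate` are hypothetical, and the build is assumed to be GCC or Clang on x86-64 Linux.

```c
/* Added illustration (x86-64 ELF, GCC/Clang). All names here are
 * hypothetical; this is not Google's or any project's own code. */
#include <stdio.h>

typedef long (*handler_t)(long);
long call_via_retpoline(handler_t fn, long arg);

#if defined(__x86_64__) && defined(__ELF__)
__asm__(
    ".pushsection .text\n"
    /* Stands in for 'jmp *%rax': the branch target is passed in %rax. */
    "retpoline_rax_thunk:\n"
    "    call 2f\n"            /* push address of label 1, go to label 2   */
    "1:  pause\n"              /* a speculated 'ret' lands here and spins  */
    "    lfence\n"
    "    jmp 1b\n"
    "2:  mov %rax, (%rsp)\n"   /* overwrite pushed address with the target */
    "    ret\n"                /* architecturally jumps to the real target */
    /* C-callable wrapper: fn arrives in %rdi, arg in %rsi (SysV ABI). */
    ".globl call_via_retpoline\n"
    ".type call_via_retpoline, @function\n"
    "call_via_retpoline:\n"
    "    mov %rdi, %rax\n"
    "    mov %rsi, %rdi\n"
    "    jmp retpoline_rax_thunk\n"  /* tail call: fn returns to our caller */
    ".popsection\n");
#else
/* Other targets: plain indirect call so the file still builds. */
long call_via_retpoline(handler_t fn, long arg) { return fn(arg); }
#endif

static long triple(long x) { return 3 * x; }
static long negate(long x) { return -x; }

/* Dispatch through a function table, a typical source of indirect branches. */
long dispatch(int which, long arg)
{
    static const handler_t table[] = { triple, negate };
    if (which < 0 || which > 1) return 0;  /* reject out-of-range index */
    return call_via_retpoline(table[which], arg);
}

int main(void)
{
    printf("%ld %ld\n", dispatch(0, 14), dispatch(1, 7));
    return 0;
}
```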

Spectre made headlines last week along with the bug Meltdown. The bugs were discovered by Google’s Project Zero team. It has been reported that almost every system is affected by Spectre, and while it is harder to exploit Spectre than it is to exploit Meltdown, it is harder to mitigate the bug. “Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre,” according to the bug’s website.

Google Cloud has already updated its hypervisor using Retpoline.

Spectre also has another variant that enables a bounds check bypass attack. “Variant 1 is the basis behind claims that Spectre is nearly impossible to protect against. The difficulty is that Variant 1 affects individual software binaries, so it must be handled by discovering and addressing exploits within each binary,” Google wrote.

According to the company, mitigating the Meltdown bug requires patching the operating system.

More information is available here.
