Google creates software protection technique to ward off Spectre bug


As companies scramble to put out patches and fixes for the recent Meltdown and Spectre vulnerabilities, Google has come up with a new technique to help developers mitigate the risks.

The company has developed Retpoline, a binary modification technique designed to mitigate risks against Spectre’s branch target injection attack.

“‘Retpoline’ sequences are a software construct which allow indirect branches to be isolated from speculative execution. This may be applied to protect sensitive binaries (such as operating system or hypervisor implementations) from branch target injection attacks against their indirect branches,” Paul Turner, senior staff engineer of technical infrastructure at Google, wrote in a post. “The name ‘retpoline’ is a portmanteau of ‘return’ and ‘trampoline.’ It is a trampoline construct constructed using return operations which also figuratively ensures that any associated speculative execution will ‘bounce’ endlessly.”
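To make the construct concrete, here is an added sketch (not code from Google's post or from this article) of a retpoline thunk replacing an indirect jump through `%r11` on x86-64 with a GNU-style toolchain. The names `demo_retpoline_r11`, `call_via_retpoline` and `dispatch` and the two sample callees are hypothetical, and on other targets the wrapper falls back to an ordinary, unmitigated indirect call so the file still builds.

```c
#include <stdio.h>

typedef long (*handler_t)(long);

/* Constructed sample callees standing in for real function-pointer targets. */
static long add_one(long x) { return x + 1; }
static long twice(long x)   { return 2 * x; }

#if defined(__x86_64__) && defined(__ELF__) && defined(__GNUC__)
long call_via_retpoline(handler_t fn, long arg);  /* defined in the asm below */
__asm__(
    ".pushsection .text\n"
    "demo_retpoline_r11:\n"          /* stands in for 'jmp *%r11' */
    "    call 2f\n"                  /* push address of label 1; return predictor now expects it */
    "1:  pause\n"                    /* speculation past the ret below lands here ... */
    "    lfence\n"
    "    jmp 1b\n"                   /* ... and 'bounces' in this loop, never reaching a target */
    "2:  mov %r11, (%rsp)\n"         /* overwrite the pushed return address with the real target */
    "    ret\n"                      /* architecturally transfers control to *%r11 */
    ".globl call_via_retpoline\n"
    ".type call_via_retpoline, @function\n"
    "call_via_retpoline:\n"
    "    mov %rdi, %r11\n"           /* 1st argument: target function pointer */
    "    mov %rsi, %rdi\n"           /* 2nd argument becomes the callee's 1st */
    "    jmp demo_retpoline_r11\n"   /* tail jump; the callee returns to our caller */
    ".popsection\n"
);
#else
/* Assumption: non-x86-64 build. Plain indirect call, no mitigation applied. */
long call_via_retpoline(handler_t fn, long arg) { return fn(arg); }
#endif

/* A table dispatch, the kind of indirect branch a sensitive binary would protect. */
long dispatch(int which, long arg)
{
    static const handler_t table[] = { add_one, twice };
    return call_via_retpoline(table[which & 1], arg);
}

int main(void)
{
    printf("%ld %ld\n", dispatch(0, 41), dispatch(1, 21));
    return 0;
}
```

In practice the compiler emits these thunks itself (GCC's `-mindirect-branch=thunk`, Clang's `-mretpoline`), so hand-written sequences like this are for study rather than deployment.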

Spectre made headlines last week along with the Meltdown bug. The bugs were discovered by Google’s Project Zero team. It has been reported that almost every system is affected by Spectre, and while Spectre is harder to exploit than Meltdown, it is also harder to mitigate. “Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre,” according to the bug’s website.

Google Cloud has already updated its hypervisor using Retpoline.

Spectre also has another variant, one that enables a bounds check bypass attack. “Variant 1 is the basis behind claims that Spectre is nearly impossible to protect against. The difficulty is that Variant 1 affects individual software binaries, so it must be handled by discovering and addressing exploits within each binary,” Google wrote.

According to the company, mitigating the Meltdown bug requires patching the operating system.

More information is available here.
