Google creates software protection technique to ward off Spectre bug

9/01/2018

As companies scramble to put out patches and fixes for the recent Meltdown and Spectre vulnerabilities, Google has come up with a new technique to help developers mitigate the risks.

The company has developed Retpoline, a binary modification technique designed to mitigate risks against Spectre’s branch target injection attack.

“‘Retpoline’ sequences are a software construct which allow indirect branches to be isolated from speculative execution.  This may be applied to protect sensitive binaries (such as operating system or hypervisor implementations) from branch target injection attacks against their indirect branches,” Paul Turner, senior staff engineer of technical infrastructure at Google, wrote in a post. “The name ‘retpoline’ is a portmanteau of ‘return’ and ‘trampoline.’  It is a trampoline construct constructed using return operations which also figuratively ensures that any associated speculative execution will ‘bounce’ endlessly.”

Spectre made headlines last week along with the bug Meltdown. The bugs were discovered by Google’s Project Zero team. It has been reported that that almost every system is affected by Spectre, and while it is harder to exploit Spectre than it is to exploit Meltdown, it is harder to mitigate the bug. “Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre,” according to the bug’s website.

Google Cloud has already updated its hypervisor using Reptoline.

Spectre also has another variant of the bug that enables a bounds check bypass attack. “Variant 1 is the basis behind claims that Spectre is nearly impossible to protect against. The difficulty is that Variant 1 affects individual software binaries, so it must be handled by discovering and addressing exploits within each binary,” Google wrote.

According to the company, mitigating the Meltdown bug requires patching the operating system.

More information is available here.

Deel dit nieuws op

LAATSTE NIEUWSBERICHTEN

Huawei en Microsoft lanceren hybride cloud Azure Stack

Huawei en Microsoft hebben een hybride cloudoplossing voor Azure Stack aangekondigd. Deze gezamenlijke oplossing is bedoeld voor grotere ondernemingen die voor de uitdaging staan zowel een privé- als een publieke cloudarchitectuur te beheren. Volgens Qiu Long, topman van Huawei’s server-productlijn, wil Huawei samen met ...
LEES MEER

Outsystems haalt 360 miljoen dollar op

Het investeringsfonds KKR heeft samen met de zakenbank Goldman Sachs een ‘significant’ minderheidsaandeel genomen in Outsystems, een platform voor applicatieontwikkeling. De investering waardeert Outsystems op meer dan een miljard dollar. Met het geld wil Outsystems aan bedrijfsexpansie doen en via ...
LEES MEER

Microsoft confirms GitHub acquisition

Microsoft is confirming the rumors that it is acquiring the software development platform GitHub are true. Microsoft has announced it is acquiring GitHub for $7.5 billion in Microsoft stock. “Microsoft is a developer-first company, and by joining forces with GitHub ...
LEES MEER

JOUW BERICHT HIER?

NEEM CONTACT OP

Geef een reactie

Het e-mailadres wordt niet gepubliceerd. Vereiste velden zijn gemarkeerd met *