Retpoline v5 Published For Fending Off Spectre Branch Target Injection


  • Retpoline v5 Published For Fending Off Spectre Branch Target Injection

    Phoronix: Retpoline v5 Published For Fending Off Spectre Branch Target Injection

    David Woodhouse of Amazon has sent out the latest quickly-revising patches for introducing the "Retpoline" functionality to the Linux kernel for mitigating the Spectre "variant 2" attack...

    http://www.phoronix.com/scan.php?pag...e-v5-Published

  • #2
    Without getting too convoluted... Does every program have to be recompiled with the new GCC, or just the kernel?



    • #3
      Retpoline = trampoline return = Some kind of indirect return to defend against return oriented programming?

      Just guessing.

      > Does every program have to be recompiled

      Since we're talking about Spectre, yes, that must be the null hypothesis. But the kernel is also more important to defend than the sum of all userspace programs, considering that the kernel can access other programs' memory.
      Last edited by andreano; 01-06-2018, 11:55 AM.


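The guess in #3 is close: "retpoline" is "return trampoline", an indirect branch rebuilt out of a `call`/`ret` pair so that the CPU's return-stack prediction, rather than the poisonable indirect branch predictor, decides where speculation goes. The following is an added example, not code from the Phoronix article, the kernel patches or GCC: a hand-written x86-64 thunk in GNU inline assembly with the same shape as the `__x86_indirect_thunk_*` routines GCC emits for `-mindirect-branch=thunk`, plus a small C wrapper. The names `retpoline_thunk_rax` and `retpoline_call` are this example's own. On anything other than x86-64 Linux it falls back to a plain indirect call so that it still builds.

```c
#include <stdio.h>

/*
 * Indirect call through a retpoline (added example; names are our own).
 *
 * Architecturally the thunk just transfers control to the address in %rax.
 * Speculatively, the CPU predicts the final `ret` from the return-stack
 * buffer, whose top entry is the instruction after the inner `call`, so a
 * mispredicted path lands in the pause/lfence loop and never reaches an
 * attacker-trained target.  That is the whole Spectre v2 mitigation.
 */
#if defined(__x86_64__) && defined(__linux__)
__asm__(
    ".pushsection .text\n"
    "retpoline_thunk_rax:\n"
    "    call 1f\n"                 /* push address of 2: as return address  */
    "2:  pause\n"                   /* speculative path spins here ...        */
    "    lfence\n"                  /* ... behind a fence                     */
    "    jmp 2b\n"
    "1:  mov %rax, (%rsp)\n"        /* replace return address with real target*/
    "    ret\n"                     /* architectural path: go to %rax         */
    "\n"
    /* long retpoline_call(long (*fn)(long), long arg): %rdi = fn, %rsi = arg */
    ".globl retpoline_call\n"
    "retpoline_call:\n"
    "    mov %rdi, %rax\n"          /* target into the thunk's register       */
    "    mov %rsi, %rdi\n"          /* first argument for the callee          */
    "    sub $8, %rsp\n"            /* keep the stack 16-byte aligned at call */
    "    call retpoline_thunk_rax\n"
    "    add $8, %rsp\n"
    "    ret\n"
    ".popsection\n");
long retpoline_call(long (*fn)(long), long arg);
#else
/* Not x86-64 Linux: plain indirect call so the example still compiles.
 * There is no retpoline on this path. */
static long retpoline_call(long (*fn)(long), long arg) { return fn(arg); }
#endif

/* Two harmless call targets to show the thunk lands where it should. */
static long square(long x) { return x * x; }
static long negate(long x) { return -x; }

int main(void) {
    printf("square(7) via retpoline = %ld\n", retpoline_call(square, 7));
    printf("negate(5) via retpoline = %ld\n", retpoline_call(negate, 5));
    return 0;
}
```

Build with `gcc -O2 -o retpoline retpoline.c` and run; the architectural result is indistinguishable from a direct `fn(arg)`. To see what the compiler flag does for a whole program, build any binary with `gcc -O2 -mindirect-branch=thunk` and `objdump -d` it: every `call *%reg` / `jmp *%reg` becomes a call to a `__x86_indirect_thunk_<reg>` with exactly this call/pause/lfence/mov/ret layout. That is also the concrete answer to #2: the kernel gets this by being compiled with the flag, and a userspace binary only gets it if it is rebuilt the same way.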

      • #4
        I'm guessing these patches will be back-ported to 4.14 or 4.15 once they're in 4.16-rc*. Which GCC versions (5.x, 6.x) will be getting the patches?



        • #5
          Originally posted by eydee
          Without getting too convoluted... Does every program have to be recompiled with the new GCC, or just the kernel?
          Every program.

          https://support.google.com/faqs/answer/7625886



          • #6
            Originally posted by eydee
            Without getting too convoluted... Does every program have to be recompiled with the new GCC, or just the kernel?
            Only programs that run untrusted code and try to implement user-level separation of memory, so browsers.

            OR you can leave your browser unpatched and work around it in everything else, but why would you do that?



            • #7
              Originally posted by audi100quattro
              I'm guessing these patches will be back-ported to 4.14 or 4.15 once they're in 4.16-rc*. Which GCC versions (5.x, 6.x) will be getting the patches?
              Hence all these patches need to be backported to Androids running 3.xx kernels. It is going to take a long time to update all those Android devices, so for a long time a lot will be exposed.



              • #8
                Originally posted by Mark Rose
                Every program.
                Only the kernel. Programs do not share memory mappings with the attacker.



                • #9
                  Originally posted by pal666
                  Only the kernel. Programs do not share memory mappings with the attacker.
                  I don't follow you. Isn't the whole point of Spectre to read memory from one userspace program to another (not via the kernel)?



                  • #10
                    Originally posted by carewolf

                    Only programs that run untrusted code and try to implement user-level separation of memory, so browsers.

                    OR you can leave your browser unpatched and work around it in everything else, but why would you do that?
                    The kernel, and all programs on systems that want their user space to have enforcing isolation. Without this, root exploits become trivial with local code execution. So then any system which has a risk of remote arbitrary code execution (anything with a web browser, email client, users, or network-accessible services) needs to have at a minimum all binaries that might be run by root recompiled in order to prevent Sally from hijacking root, and all binaries that will be run by users recompiled to prevent Sally from hijacking Bob. Basically, without this patch there are no longer meaningful POSIX groups, permissions, ACLs, namespaces, SELinux or AppArmor.

                    Just to be clear, recompiling protects the recompiled binary only, not other parts of the system, so if you recompiled everything but the browser then users could hijack each other's browser, and trojans from another user could access your browser while it is running. This isn't a big deal for single-user systems where you can point the finger at yourself, but it's a huge problem for shared systems with potentially mutually-untrusting users like cPanel accounts.

                    One of the reasons Linux users like to believe their systems are more secure than Windows is the set of isolation enforcing security mechanisms, all of which can be bypassed with branch target injection.

                    Retpoline solves one type of branch target injection. There will be more patches coming. Spectre affords a lot more opportunities than just branch target injection... this is going to be a very interesting year.

                    I've read that Nested Paging is unaffected by Spectre, so perhaps instead of KPTI (Kernel Page Table Isolation) we will have PPTPI (Per-Process Page Table Isolation) inside this year, and then Spectre attacks will be limited to attacks between threads of a process. The overhead will be significant but at least we'll have working isolation again. Until then, I recommend running your browser in Virtualbox and using its shared folder feature to share your Downloads folder with the VM, and if you are keeping documents that you want protected, run the related apps in another Virtualbox, snapshot the volumes daily, and keep backups on a NAS via crontab/rsync. It's a pain but I'd rather waste 30 seconds a day saving a snapshot than lose an entire day's (or worse) work.
                    Last edited by linuxgeex; 01-07-2018, 12:35 PM.
