By: --- (---.delete@this.redheron.com), July 15, 2022 11:14 am
Room: Moderated Discussions
Anon4 (no.delete@this.example.com) on July 14, 2022 2:17 pm wrote:
> anon2 (anon.delete@this.anon.com) on July 13, 2022 10:03 pm wrote:
> > anonymous2 (anonymous2.delete@this.example.com) on July 13, 2022 3:14 pm wrote:
> > > https://en.wikipedia.org/wiki/Retbleed
> >
> > Does not seem to be anything new in hardware, just that the Spectre variant 2 software fix in Linux was not complete.
>
> Variant 2 was against forward jump instructions; the mitigation was to turn forward jumps into returns,
> which are architecturally similar but have a very different effect on the microarchitecture.
>
> This was 'retpoline'. Retbleed attacks the retpoline itself in a similar way to
> the way variant 2 attacked jumps. It makes use of the fact that returns start behaving
> like jumps when certain internal state is overflowed. So this is novel.
>
> Anything which uses retpolines is vulnerable, and that includes
> Windows and possibly macOS; it's not just a Linux issue.
Unclear for macOS. The branch security tags patent
(2018) https://patents.google.com/patent/US20200192672A1
is easily extended to the return stack, and in fact Ampere have a specific patent to that effect (using a grossly simplified security tag)
(2020) https://patents.google.com/patent/WO2022031816A1
So to some extent it boils down to some question of
(a) did Apple, after the initial patent, think of RAS as one more predictor that should be protected in this way?
(b) are these sorts of HW security mitigations considered strategic, and jealously guarded (so Apple and Ampere [and ARM and Intel...] don't talk)? Or is this considered a communal problem, and at the point that Ampere realized this was worth doing, they mentioned it to Apple, Arm, Intel, etc?
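The quoted description of retpoline (an indirect jump is replaced by a return, so the prediction that matters moves from the indirect-branch predictor to the return stack) can be made concrete. The block below is an added illustration, not code from this thread or from any kernel or compiler; it assumes GCC/Clang inline assembly on x86-64, and retpoline_call, double_it and negate_it are names invented for it.

```c
#include <stdio.h>

typedef int (*handler_fn)(int);

/* Two possible call targets (constructed for the example). */
static int double_it(int x) { return 2 * x; }
static int negate_it(int x) { return -x; }

/* Call fn(arg) indirectly through a retpoline thunk. Instead of `call *reg`,
 * the target address overwrites a freshly pushed return address and is
 * reached with `ret`; the return stack buffer predicts the fall-through of
 * the inner `call`, which is only a pause/lfence spin loop. x86-64 with
 * GNU-style inline asm only; elsewhere fall back to a plain indirect call
 * so the file still builds. */
static int retpoline_call(handler_fn fn, int arg)
{
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    int result;
    __asm__ volatile(
        "sub $128, %%rsp\n\t"    /* step over the red zone before pushing  */
        "call 3f\n\t"            /* caller's side: `call <thunk>`          */
        "jmp 4f\n\t"
        "3:\n\t"                 /* thunk entry                             */
        "call 1f\n\t"            /* push address of 2: (fills the RSB)     */
        "2:\n\t"
        "pause\n\t"              /* a mispredicted return lands here       */
        "lfence\n\t"
        "jmp 2b\n\t"             /* and spins until speculation is squashed*/
        "1:\n\t"
        "mov %[fn], (%%rsp)\n\t" /* replace that address with the target   */
        "ret\n\t"                /* architecturally: jump to fn            */
        "4:\n\t"                 /* fn's own ret brings control back here  */
        "add $128, %%rsp\n\t"
        : "=a"(result)
        : [fn] "r"(fn), "D"(arg)
        : "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11", "memory", "cc");
    return result;
#else
    return fn(arg);              /* no retpoline on this architecture */
#endif
}

int main(void)
{
    printf("%d %d\n", retpoline_call(double_it, 21), retpoline_call(negate_it, 7));
    return 0;
}
```

Retbleed's point, in these terms, is that once the return stack buffer underflows the `ret` at label 1 can fall back to the same indirect-branch predictor the thunk was meant to bypass.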