The AMD Branch (Mis)predictor: New Types & Methods of Straight-Line Speculation(SLS) Vulnerabilities скачать в хорошем качестве

The AMD Branch (Mis)predictor: New Types & Methods of Straight-Line Speculation(SLS) Vulnerabilities

Abstract: ------------------- In modern super-scalar and out-of-order processors, branch prediction is a crucial component in maximizing instruction throughput and thereby achieving high performance of processing units. A good and robust design of the branch prediction unit (BPU) is key to performance, but as demonstrated by the Spectre v1 and Spectre v2 vulnerabilities, it is also an important element of system security. A flaw in the branch predication unit, a hardware component, may lead to unexpected negative consequences for software security. In this talk, we discuss a flaw recently discovered in AMD x86 processors of various microarchitectures: Zen1, Zen2 and Zen3, and its role in a speculative execution vulnerability type called straight-line speculation (SLS). We begin with a brief overview of the AMD BPU specification, focusing on its sub-components involved in branch prediction of direct unconditional and conditional branches. Next, we discuss direct conditional branches misprediction and methods to reliably achieve it across privilege boundaries or cross hyper-threads, followed by a discussion of the resulting speculation window and its potential to create exploitable Spectre v1 gadgets. We also demonstrate why Spectre v1 gadgets are not limited to array out-of-bound access and memory access latency related speculation. Next, we present details of a new and surprising vulnerability of some AMD processors: direct unconditional branch SLS (CVE-2021-26341). After a quick introduction to the SLS topic, we analyze the resulting speculation window, cross hyper-threads influence and potential ways of finding and exploiting the unexpected SLS gadgets. Finally, we take a quick survey over proposed mitigations for the vulnerabilities in direct unconditional and conditional branches speculation. Speaker Bio: ---------------------- Pawel Wieczorkiewicz is a Security Researcher at Open Source Security Inc., a company developing the state-of-the-art Linux kernel hardening solution known as grsecurity. His research focuses on offensive security aspects of transient and speculative execution vulnerabilities, side-channels, and the effectiveness of defensive mitigations in OSes and hypervisors. Pawel's deep interest in low-level security of software and hardware has resulted in the discovery of a number of vulnerabilities in AMD and Intel processors in addition to the Linux kernel and Xen hypervisor system software. #Speculation #AMD #hardwaresecurity #hardwear_io ------------------------------------------------------------------------------------- Website: https://hardwear.io Twitter:   / hardwear_io   Facebook:   / hardwear.io   LinkedIn:   / hardwear.io-hardwaresecurityconferenceandt...