Lines Matching full:branch
6 Spectre is a class of side channel attacks that exploit branch prediction
18 use branch prediction and speculative execution.
46 CVE-2017-5715 Branch target injection Spectre variant 2
55 buffers, and branch predictors. Malicious software may be able to
70 of speculative execution that bypasses conditional branch instructions
89 Spectre variant 2 (Branch Target Injection)
92 The branch target injection attack takes advantage of speculative
94 branch predictors inside the processor used to guess the target of
103 branches in the victim to gadget code by poisoning the branch target
104 buffer of a CPU used for predicting indirect branch addresses. Such
106 with the address offset of the indirect branch under the attacker's
107 control. Since the branch prediction on impacted hardware does not
108 fully disambiguate branch address and uses the offset for prediction,
109 this could cause privileged code's indirect branch to jump to a gadget
127 from the sibling thread, as level 1 cache and branch target buffer
130 steer its indirect branch speculations to gadget code, and measure the
135 Branch History Buffer (BHB) to speculatively steer an indirect branch
136 to a specific Branch Target Buffer (BTB) entry, even if the entry isn't
137 associated with the source address of the indirect branch. Specifically,
162 is invalid, but bound checks are bypassed in the code branch taken
173 An attacker can train the branch predictor to speculatively skip the
203 A spectre variant 2 attacker can :ref:`poison <poison_btb>` the branch
205 After entering the kernel, the kernel could use the poisoned branch
214 The kernel can protect itself against consuming poisoned branch
219 x86 CPUs with Enhanced Indirect Branch Restricted Speculation
226 attacks on x86, Indirect Branch Restricted Speculation (IBRS) feature
244 :ref:`poisoning <poison_btb>` the branch target buffer. This can
245 influence the indirect branch targets for a victim process that either
250 by using the prctl() syscall to disable indirect branch speculation
252 from polluting the branch target buffer by disabling the process's
253 indirect branch speculation. This comes with a performance cost
254 from not using indirect branch speculation and clearing the branch
256 indirect branch speculation disabled, Single Threaded Indirect Branch
258 sibling thread from controlling branch target buffer. In addition,
259 the Indirect Branch Prediction Barrier (IBPB) is issued to clear the
260 branch target buffer when context switching to and from such process.
263 This prevents the branch target buffer from being used for branch
285 <poison_btb>` the branch target buffer or return stack buffer, causing
289 for indirect branches to bypass the poisoned branch target buffer,
294 indirect branch speculation disabled via prctl(). The branch target
310 :ref:`poisoning <poison_btb>` the branch target buffer or the return
316 and clearing the branch target buffer before switching to a new guest.
320 by turning off the unsafe guest's indirect branch speculation via
363 1. Indirect Branch Prediction Barrier (IBPB) to add additional
365 2. Single Thread Indirect Branch Predictors (STIBP) to add additional
389 - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is
396 - Indirect branch prediction barrier (IBPB) status for protection between
404 'IBPB: conditional' Use IBPB on SECCOMP or indirect branch restricted tasks
407 - Single threaded indirect branch prediction (STIBP) status for protection
415 'STIBP: conditional' Use STIBP on SECCOMP or indirect branch restricted tasks
432 - Branch History Injection (BHI) protection status:
489 -mindirect-branch=thunk-extern -mindirect-branch-register options.
504 indirect branch predictor entry, and although branch predictor entries are
509 On Intel's enhanced IBRS systems, this includes cross-thread branch target
521 On x86, indirect branch restricted speculation is turned on by default
537 This protects them from consuming poisoned entries in the branch
542 can disable indirect branch speculation via prctl() (See
546 flush the branch target buffer when switching to/from the program.
548 Restricting indirect branch speculation on a user program will
554 Programs that disable their indirect branch speculation will have
572 poisoned entries in branch target buffer left by rogue guests. It also
574 stack buffer underflow so poisoned branch target buffer could be used,
578 the branch target buffer is sanitized by flushing before switching
585 its indirect branch speculation disabled by administrator via prctl().
607 (indirect branch prediction) vulnerability. System may
615 (indirect branch speculation) vulnerability.
645 retpoline,lfence LFENCE; indirect branch
663 [X86] Control mitigation of Branch History Injection
690 disabling indirect branch speculation when the program is running
697 off by disabling their indirect branch speculation when they are run
699 This prevents untrusted programs from polluting the branch target
710 overhead as indirect branch speculations for all programs will be
713 On x86, branch target buffer will be flushed with IBPB when switching
719 whose indirect branch speculation is explicitly disabled,
721 program to clear the branch target buffer (See "ibpb" option in
741 … Retpoline: A branch target injection mitigation <https://software.intel.com/security-software-gui…
745 …Thread Indirect Branch Predictors <https://software.intel.com/security-software-guidance/insights/…
751 [5] `AMD64 technology indirect branch control extension <https://developer.amd.com/wp-content/resou…
771 [9] `Retpoline: a software construct for preventing branch-target-injection <https://support.google…