
Let's assume I have a computer with a pre-Skylake Intel processor that doesn't have microcode mitigating the Spectre V2 attack. Then to my understanding, if the kernel and all user-space applications are compiled with retpoline, they are protected, right?

But recompiling all user-space programs with retpoline is a chore, so I basically want to know which ones I should focus on and why.

What can a "Spectre V2 attack" against a particular user-space application do? Can such an attack get information from everything on the system, or only information "in" that user-space application? If the latter is true, then only applications with sensitive information need to be compiled with retpoline, right?

Furthermore, how are user-space applications being attacked? Is the attack done by having them run a piece of malicious code? If so, then only applications able to execute code need to be patched? Also, is that why Firefox, despite not being compiled with retpoline, can't be attacked thanks to their fix reducing the resolution of timers?

I ask this in a Linux context since, as far as I know, neither Microsoft nor Apple uses retpoline.

Edit: A similar question is "Intel firmware/microcode updates that make processors "immune" to both Spectre and Meltdown?", but this question is different. This question is about which user-space applications need to be compiled with retpoline and how Spectre V2 attacks on them work, while the other is about how Spectre and Meltdown are mitigated in general.

Edit 2: A comment suggested that this question and answer, "Meltdown and Spectre Attacks", answers my question. I have copied the (I think) relevant parts below.

How does Spectre work?

Spectre works on a different level and does not allow access to kernel-space data from user-space. In this attack, the attacker tricks the speculative execution into predictively executing instructions erroneously. In a nutshell, the predictor is coerced to predict a specific branch result (if -> true), which results in asking for an out-of-bounds memory access that the victim process would not normally have requested, resulting in incorrect speculative execution. Then, through the side channel, the attacker retrieves the value of this memory. In this way, memory belonging to the victim process is leaked to the malicious process.

Are these attacks a remote code execution vulnerability?

No they aren't.

To be able to apply this attack, the attacker needs to be able to execute code on the target host. Note, however, that if these are combined with other attack vectors, for example file upload or cross-site-scripting exploits, then there is a possibility of executing them remotely.

Can I be affected while visiting a website?

Yes, there's already a proof of concept of a JavaScript exploit for Spectre (only).

But I don't understand how they answer my question. So I suppose this question boils down to how this other answer answers my question.

arcus_mannen
    Please don't combine multiple separate questions into a single one. The first one about microcode-only protection is essentially a duplicate of [Intel firmware/microcode updates that make processors "immune" to both Spectre and Meltdown?](https://security.stackexchange.com/questions/177176/intel-firmware-microcode-updates-that-make-processors-immune-to-both-spectre-a). And the second one is covered by the generic question about [Meltdown and Spectre Attacks](https://security.stackexchange.com/questions/176803/meltdown-and-spectre-attacks). – Steffen Ullrich May 05 '18 at 09:20
  • @SteffenUllrich I have now updated my question – arcus_mannen May 05 '18 at 12:12
  • You are still asking two separate questions in one post. But in general, all programs where the execution flow can somehow be controlled by an attacker can be affected, and the more control the attacker has over the program flow and the more exactly the timing can be controlled by the attacker, the more likely a successful attack is. – Steffen Ullrich May 05 '18 at 13:01
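As an added example (not code from the question or its comments), a small POSIX shell script that helps answer the practical part of the question, which installed binaries were actually built with retpoline: it scans a binary's disassembly for the speculation trap (pause; lfence) that GCC's `__x86_indirect_thunk_*` and Clang's `__llvm_retpoline_*` thunks contain, and reads the kernel's own Spectre V2 status from sysfs. The objdump-based pattern match is my own heuristic and an assumption, not an official check; it works on stripped binaries because the instruction pattern survives even when the thunk symbol names are gone, but each shared library a program loads must be inspected separately.

```shell
#!/bin/sh
# Heuristic retpoline audit for x86-64 ELF binaries (constructed example).
# A retpoline thunk ends in a speculation trap:  pause; lfence; jmp <self>
# so a binary built with -mindirect-branch=thunk (GCC) or -mretpoline (Clang)
# contains at least one "pause" immediately followed by an "lfence".

# Reads `objdump -d` output on stdin and prints how many "pause" lines are
# immediately followed by an "lfence" line (0 when the pattern is absent).
count_retpoline_traps() {
    awk '
        /\tpause/            { prev_pause = 1; next }   # remember a pause
        /\tlfence/ && prev_pause { n++ }                # pause;lfence pair
        { prev_pause = 0 }                              # anything else resets
        END { print n + 0 }
    '
}

# Disassembles one binary (objdump from binutils, assumed installed) and
# reports whether the retpoline trap pattern was found.
check_binary() {
    n=$(objdump -d "$1" 2>/dev/null | count_retpoline_traps)
    if [ "${n:-0}" -gt 0 ]; then
        echo "$1: $n retpoline speculation trap(s): likely built with retpoline"
    else
        echo "$1: no retpoline trap found: not built with retpoline, or not x86-64"
    fi
}

# Kernel-side view of the same mitigation; the sysfs file exists on kernels
# that carry the Spectre mitigations, and names retpoline when it is in use.
kernel_spectre_v2_status() {
    cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 2>/dev/null \
        || echo "unknown (sysfs entry absent)"
}

# Usage: ./retpoline-audit.sh /usr/bin/firefox /lib/x86_64-linux-gnu/libc.so.6
if [ "$#" -gt 0 ]; then
    echo "kernel spectre_v2: $(kernel_spectre_v2_status)"
    for f in "$@"; do check_binary "$f"; done
fi
```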

0 Answers