The company has developed Retpoline, a binary modification technique designed to mitigate risks against Spectre’s branch target injection attack.
“‘Retpoline’ sequences are a software construct which allow indirect branches to be isolated from speculative execution. This may be applied to protect sensitive binaries (such as operating system or hypervisor implementations) from branch target injection attacks against their indirect branches,” Paul Turner, senior staff engineer of technical infrastructure at Google, wrote in a post. “The name ‘retpoline’ is a portmanteau of ‘return’ and ‘trampoline.’ It is a trampoline construct constructed using return operations which also figuratively ensures that any associated speculative execution will ‘bounce’ endlessly.”
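To make the construct concrete, here is a hand-written retpoline thunk for an indirect call whose target sits in r11, as an added example rather than code from Google or from the post quoted above; it assumes GCC or Clang on x86-64 ELF (Linux) and falls back to a plain, unmitigated indirect call elsewhere so it still runs.

```c
#include <stdio.h>

typedef long (*op_fn)(long, long);

#if defined(__x86_64__) && defined(__ELF__)
__asm__(
    ".text\n"
    ".globl retpoline_call\n"
    ".type retpoline_call, @function\n"
    /* long retpoline_call(op_fn target, long a, long b), SysV ABI: target in
     * rdi, a in rsi, b in rdx. Park the target in r11 and shift the real
     * arguments into rdi/rsi so the callee sees an ordinary call. */
    "retpoline_call:\n"
    "    mov %rdi, %r11\n"
    "    mov %rsi, %rdi\n"
    "    mov %rdx, %rsi\n"
    "    sub $8, %rsp\n"          /* keep rsp 16-byte aligned at the call */
    "    call retpoline_thunk_r11\n"
    "    add $8, %rsp\n"
    "    ret\n"
    ".size retpoline_call, .-retpoline_call\n"
    /* The trampoline. 'call 1f' pushes the address of the capture loop (2:),
     * which is what the return predictor will speculate into. Architecturally
     * that stack slot is overwritten with the real target, so 'ret' jumps to
     * the target; any speculation bounces in the pause/lfence loop until it is
     * squashed. The trainable indirect-branch predictor is never consulted. */
    ".type retpoline_thunk_r11, @function\n"
    "retpoline_thunk_r11:\n"
    "    call 1f\n"
    "2:  pause\n"
    "    lfence\n"
    "    jmp 2b\n"
    "1:  mov %r11, (%rsp)\n"
    "    ret\n"
    ".size retpoline_thunk_r11, .-retpoline_thunk_r11\n");
long retpoline_call(op_fn target, long a, long b);
#else
/* Non-x86-64 or non-ELF build: no mitigation, just a normal indirect call. */
static long retpoline_call(op_fn target, long a, long b) { return target(a, b); }
#endif

/* Constructed sample targets for the indirect call. */
static long add(long a, long b) { return a + b; }
static long mul(long a, long b) { return a * b; }

int main(void) {
    printf("%ld %ld\n", retpoline_call(add, 2, 3), retpoline_call(mul, 4, 5));
    return 0;
}
```

GCC can emit the same shape of thunk for every indirect branch in a binary with `-mindirect-branch=thunk`; the hand-written version only shows what that replacement looks like.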
Spectre made headlines last week along with the bug Meltdown. The bugs were discovered by Google’s Project Zero team. It has been reported that almost every system is affected by Spectre, and while Spectre is harder to exploit than Meltdown, it is also harder to mitigate. “Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre,” according to the bug’s website.
Google Cloud has already updated its hypervisor using Retpoline.
Spectre also has another variant of the bug that enables a bounds check bypass attack. “Variant 1 is the basis behind claims that Spectre is nearly impossible to protect against. The difficulty is that Variant 1 affects individual software binaries, so it must be handled by discovering and addressing exploits within each binary,” Google wrote.
According to the company, mitigating the Meltdown bug requires patching the operating system.
More information is available here.