<div dir="ltr"><div>Hi all,</div><div><br></div><div>I understand how the speculative information flow attack works. I'm trying get my head around the spectre v1 mitigation of LLVM.</div><div>In the design document here : <a href="https://llvm.org/docs/SpeculativeLoadHardening.html#speculative-load-hardening">https://llvm.org/docs/SpeculativeLoadHardening.html#speculative-load-hardening.</a></div><div><br></div><div>Example: <br></div><div><pre><span class="gmail-n">void</span> <span class="gmail-n">leak</span><span class="gmail-p">(</span><span class="gmail-nb">int</span> <span class="gmail-n">data</span><span class="gmail-p">);</span>
<span class="gmail-n">void</span> <span class="gmail-n">example</span><span class="gmail-p">(</span><span class="gmail-nb">int</span><span class="gmail-o">*</span> <span class="gmail-n">pointer1</span><span class="gmail-p">,</span> <span class="gmail-nb">int</span><span class="gmail-o">*</span> <span class="gmail-n">pointer2</span><span class="gmail-p">)</span> <span class="gmail-p">{</span>
<span class="gmail-k">if</span> <span class="gmail-p">(</span><span class="gmail-n">condition</span><span class="gmail-p">)</span><span class="gmail-p"></span><span class="gmail-o"></span><span class="gmail-o"></span><span class="gmail-n"></span><span class="gmail-n"></span><span class="gmail-n"></span><span class="gmail-o"></span>
<span class="gmail-n">leak</span><span class="gmail-p">(</span><span class="gmail-o">*</span><span class="gmail-n">pointer1</span><span class="gmail-p">);</span>
<span class="gmail-p"></span> <span class="gmail-k">else</span><span class="gmail-p"></span><span class="gmail-o"></span><span class="gmail-o"></span><span class="gmail-n"></span><span class="gmail-n"></span><span class="gmail-o"></span>
<span class="gmail-n">leak</span><span class="gmail-p">(</span><span class="gmail-o">*</span><span class="gmail-n">pointer2</span><span class="gmail-p">);</span><span class="gmail-p"></span>
<span class="gmail-p">}<br></span></pre><pre><span class="gmail-p">After the applying the mitigation the code resembles like:<br><br>void leak(int data);<br>void example(int* pointer1, int* pointer2) {
uintptr_t predicate_state = all_ones_mask;
if (condition) {
predicate_state = !condition ? all_zeros_mask : predicate_state;
pointer1 &= predicate_state;
leak(*pointer1);
} else {
int value2 = *pointer2 & predicate_state;
leak(value2);
}
}<br></span></pre><pre><span class="gmail-p"><span style="font-family:arial,sans-serif">Let's assume that the branch is mispredicted and if body is taken. The value predicate_state mask is depend on the "result of the condition" but which is not yet available </span>hence<font face="arial,sans-serif"> <br></font></span></pre><pre><span class="gmail-p"><font face="arial,sans-serif">speculative execution. My question whether the value of predicate_state is also guessed by the processor? If it is correct, then the value of predicate_state will be <br>predicate_state, if the processor mis-predicts the condition as true. Is my assumption is correct? i.e predicate_state = ! 1 ? all_zeros_mask : predicate_state, where processor predicts <br>condition as true. <br><br>Or Whether the execution stalls at "predicate_state = !condition ? all_zeros_mask : predicate_state until the result of condition became available? If this is true, why we have to <br></font></span></pre><pre><span class="gmail-p"><font face="arial,sans-serif">harden the pointers in the first place, because after the condition is actually computed, the processors will revert back right the execution trace of mis-prediction. <br><br></font></span></pre><pre><span class="gmail-p"><font face="arial,sans-serif">I know that I'm missing something fundamental here, I would highly appreciate your help on this? Please let me know if you more info!<br><br></font></span></pre><pre><span class="gmail-p"><font face="arial,sans-serif">Cheeers,<br></font></span></pre><pre><span class="gmail-p"><font face="arial,sans-serif">Praveen<br></font></span></pre><pre><span class="gmail-p"><font face="arial,sans-serif"><br></font></span></pre></div></div>