RIP ROP, COP, JOP? Intel to bring anti-exploit tech to market in this year's Tiger Lake chip family • The Register Forums

Monday 15th June 2020 13:10 GMT Anonymous Coward

Surely an extra NOOP that uses a fetch/execute cycle to retrieve and verify it's a valid destination target to branch to in tight loops that get executed billions of times per second will reduce IPC?

2 1 Reply

Monday 15th June 2020 18:07 GMT Richard 12

Not really, the main cost is a little bit of space in an instruction cache line.

The fetch was happening anyway. Is basically "jump to X", then X performs an "am I a valid jump target?" trap. With hardware support the cost of that can be zero time (but does cost transistors!) Though on CPUs without support there's a decode & NOP.

Will add more state to context switches, as this will obviously need to be explicitly enabled by processes, but context switch is already expensive.

2 0 Reply

Monday 15th June 2020 13:35 GMT Dave Pickles

COMEFROM?

It seems Intel have rediscovered the mythical COMEFROM instruction.

7 0 Reply

Monday 15th June 2020 14:00 GMT IGotOut

Exploit in

3...2....1

SGX anyone?

3 0 Reply

Monday 15th June 2020 14:14 GMT iron

Intel... hardware... security... No, please STOP!

I'm laughing so hard my sides are splitting.

8 4 Reply

Tuesday 16th June 2020 06:01 GMT Anonymous Coward

I see the Intel employees are out downvoting you!

2 2 Reply
Tuesday 16th June 2020 12:30 GMT Anonymous Coward

Why not? They bought McAfee!

1 0 Reply

Monday 15th June 2020 14:31 GMT Anonymous Coward

nearly impossible to address with software-based mitigation

So not impossible? Which then makes me wonder why go to all the trouble of changing the hardware when it should be the software that does it anyway, is it not an extra risk to put something else in?

1 3 Reply

Monday 15th June 2020 18:09 GMT Richard 12

Re: nearly impossible to address with software-based mitigation

You'd need to add a lot of extra guard instructions to do it in software.

That really would be quite expensive.

3 0 Reply
1. Monday 15th June 2020 20:11 GMT Anonymous Coward
  
  Re: nearly impossible to address with software-based mitigation
  
  Fair point, a trade off between speed and security but won't the guard instruction take speed off the processor if it's working on mitigating a threat.
  
  1 0 Reply
  1. Tuesday 16th June 2020 08:54 GMT Richard 12
    
    Re: nearly impossible to address with software-based mitigation
    
    The difference is that the CPU knows it just returned, so can immediately check whether the jumped-to instruction is one of the "ok" targets.
    
    An application wanting to do the same has to add code to function prologues to mark as "entered function properly" and also add "did we enter this function properly?" checks at various places.
    
    Can probably get most of it by adding checks to the prologue and epilogue to trap if the function was entered without leaving the previous one, or left without entering it, but of course this is several times more code.
    
    0 0 Reply

Monday 15th June 2020 14:49 GMT Anonymous Coward

So what exactly will stop the bad people from putting ENDBRANCH in their exploit code too?

2 1 Reply

Monday 15th June 2020 18:12 GMT Richard 12

This is about preventing exploits where they smash up the stack to make it call a lot of pieces of code that are already in the process - in an evil order.

3 0 Reply
1. Monday 15th June 2020 23:42 GMT Anonymous Coward
  
  This is where the old 6809 got things right. You had one stack for program control and another for local data storage. If the data stack ended up with malicious garbage, the instruction pointer would still be restored to the right value after returning from the subroutine.
  
  4 0 Reply
  1. Tuesday 16th June 2020 13:53 GMT Anonymous Coward
    
    So what stopped the control stack from getting mangled? It's just memory, after all.
    
    0 0 Reply

Monday 15th June 2020 15:13 GMT IgorS

ARM equivalent?

> Other architectures, such as Arm, have something similar

Anyone knows what the equivalent ARM mechanism is?

2 0 Reply

Monday 15th June 2020 16:50 GMT John Savard

Re: ARM equivalent?

Apparently it's called Pointer Authentication, and it was introduced in version 8.3 of the ARM architecture.

3 0 Reply
1. Monday 15th June 2020 18:10 GMT John Savard
  
  Re: ARM equivalent?
  
  And it turns out that IBM has done something in this area for its z/Architecture...
  
  https://patents.google.com/patent/US9891919B2/en
  
  3 0 Reply

Monday 15th June 2020 18:55 GMT Anonymous Coward

Scotty said it best

The more they overthink the plumbing, the easier it is to stop up the drain.

5 0 Reply

Monday 15th June 2020 21:19 GMT Duncan Macdonald

Older programs ?

Most systems have a lot of older code running as well as the latest most up to date stuff. An application obtained as a binary which the supplier has not updated will have a lot of branches that do not have ENDBRANCH as targets. The CET will have to be something that is turned on at a per application level with the default being off or many applications will break. (Given the extreme speed that some suppliers work, there will still be non conforming applications in 2040 !!)

Icon for systems that enable CET without checking for non-compatible programs.

========================>

5 1 Reply

Monday 15th June 2020 23:34 GMT Anonymous Coward

Re: Older programs ?

True, but if you protect all of the system and user libraries that get pulled into a process space, it should reduce some exposure.

1 0 Reply

Tuesday 16th June 2020 14:24 GMT A random security guy

I can see a lazy programmer disabling it if he can

Just finished some audit of code and the programmer ranting about DEP. Seems like it got in his way of inserting unsigned and un-tested code.

0 0 Reply

Topics

Special Features

Vendor Voice

Resources

COMMENTS

COMEFROM?

Exploit in

nearly impossible to address with software-based mitigation

Re: nearly impossible to address with software-based mitigation

Re: nearly impossible to address with software-based mitigation

Re: nearly impossible to address with software-based mitigation

ARM equivalent?

Re: ARM equivalent?

Re: ARM equivalent?

Scotty said it best

Older programs ?

Re: Older programs ?

I can see a lazy programmer disabling it if he can

POST COMMENT House rules

Enter your comment

Add an icon

Other stories you might like

Intel's effort to build a foundry biz is costing far more – and taking longer – than expected

Intel Gaudi's third and final hurrah is an AI accelerator built to best Nvidia's H100

Intel's foundry business bled $7B in 2023 with more to come

Intel's neuromorphic 'owl brain' swoops into Sandia labs

Meteor Lake CPUs splash down in socketed motherboards for edge and embedded workloads

Intel over the Moon as Lunar Lake’s NPU performance TOPS Meteor Lake

It's 2024 and Intel silicon is still haunted by data-spilling Spectre

Intel fuels Huawei's AI PC ambitions with Meteor Lake CPUs in MateBook X Pro

US lawmakers rage over Intel Meteor Lake-powered Huawei PC

Intel preps export-friendly lower-power Gaudi 3 AI chips for China

Intel CEO suggests AI can help to create a one-person Unicorn

Next Vision, or Vision Next? What we really thought about Google and Intel's AI events

About Us

Our Websites

Your Privacy