I was looking everywhere and could not find any mitigations for Spectre attacks by the Rust compiler(s)! Do you know if there are any mitigations for the different kinds of Spectre attacks, Spectre v1 (Spectre-PHT), v2 (Spectre-BTB), v4 (Spectre-STL) and v5 (Spectre-RSB), at the compiler level for Rust?
Looking forward to hearing from you guys
There are several mitigations for transient execution attacks available in LLVM and therefore rustc:

- Speculative load hardening (x86-speculative-load-hardening option)
- Load value injection control flow integrity (lvi-cfi target feature)
- Load value injection load hardening (lvi-load-hardening target feature)
- Speculative execution side effect suppression (seses target feature)
For example, the x86_64-fortanix-unknown-sgx target enables LVI load hardening & CFI by default.
Thanks. I'm assuming these mitigations are only capable of solving the problem for Spectre v1 and v2. Please correct me if I'm wrong but I think they don't deal with other variants.
I believe that it actually does not mitigate Spectre v2 and it's only a mitigation for Spectre v1.
I'd think LVI-CFI deals with some of the later ones?
It replaces 'ret', and 'ret' is one of the ways to trigger v2; however, we can trigger it using call and jump too. So I don't honestly see it as a mitigation for other variants.
You can just try it out and see what may or may not be missing?
// Indirect call through the trait object's vtable; with optimisation it
// becomes the tail `jmpq *%rax` shown in the disassembly below.
pub fn add_1(v: &mut dyn core::ops::AddAssign<i32>) {
    v.add_assign(1);
}
with LVI load hardening:
0000000000000000 <_ZN9indirtest5add_117h35adf97a3c3c13bbE>:
0: 0f ae e8 lfence
3: 48 8b 46 18 mov 0x18(%rsi),%rax
7: be 01 00 00 00 mov $0x1,%esi
c: ff e0 jmpq *%rax
and with LVI-CFI + LVI-LH or SESES:
0000000000000000 <_ZN9indirtest5add_117h35adf97a3c3c13bbE>:
0: 0f ae e8 lfence
3: 4c 8b 5e 18 mov 0x18(%rsi),%r11
7: be 01 00 00 00 mov $0x1,%esi
c: e9 00 00 00 00 jmpq 11
0000000000000000 <__llvm_lvi_thunk_r11>:
0: 0f ae e8 lfence
3: 41 ff e3 jmpq *%r11
RELOCATION RECORDS FOR [.text._ZN9indirtest5add_117h35adf97a3c3c13bbE]:
OFFSET TYPE VALUE
000000000000000d R_X86_64_PLT32 __llvm_lvi_thunk_r11-0x0000000000000004
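A way to "try it out" without reading objdump by hand, added here as an example (this is not code from the thread or from rustc): compile the add_1 snippet above twice, once as a baseline and once with the LVI target features, emit assembly, and check that the hardened build gained lfence instructions and the r11 LVI thunk. It assumes rustc on PATH on an x86_64 host; the feature names are the LLVM x86 target features named in this thread, and the function and file names are mine.

```sh
#!/bin/sh
# Added example, not code from the thread or from rustc: build add_1 as a
# baseline and with LVI hardening, emit assembly, and compare what changed.
# Assumes rustc on PATH on an x86_64 host; lvi-cfi / lvi-load-hardening are
# LLVM x86 target features passed through -C target-feature.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The function under test: an indirect tail-call through a trait-object vtable.
cat > "$WORK/indirtest.rs" <<'EOF'
#![crate_type = "lib"]
pub fn add_1(v: &mut dyn core::ops::AddAssign<i32>) {
    v.add_assign(1);
}
EOF

# emit_asm FEATURES OUT: compile with -O and the given -C target-feature list
# ("" = baseline) and write assembly instead of an object file. rustc warns
# about features it does not know by name but still forwards them to LLVM.
emit_asm() {
    if [ -n "$1" ]; then
        rustc -O --emit asm -C target-feature="$1" -o "$2" "$WORK/indirtest.rs" 2>/dev/null
    else
        rustc -O --emit asm -o "$2" "$WORK/indirtest.rs" 2>/dev/null
    fi
}

# count_lfence ASM: number of lfence instructions (prints 0 when none).
count_lfence() {
    grep -c -E '^[[:space:]]*lfence' "$1" || true
}

# has_symbol SYM ASM: is the named thunk defined or referenced in the assembly?
has_symbol() {
    grep -q -F "$1" "$2"
}

# host_is_x86_64: these features only exist for the x86 backend.
host_is_x86_64() {
    case "$(rustc -vV | sed -n 's/^host: //p')" in
        x86_64-*) return 0 ;;
        *) return 1 ;;
    esac
}

# hardening_verdict: "skipped" without an x86_64 rustc; "hardened" when the
# LVI build gains lfences plus the __llvm_lvi_thunk_r11 thunk that the
# baseline lacks; "unhardened" if either check fails.
hardening_verdict() {
    command -v rustc >/dev/null 2>&1 || { echo skipped; return 0; }
    host_is_x86_64 || { echo skipped; return 0; }

    emit_asm "" "$WORK/base.s"
    emit_asm "+lvi-cfi,+lvi-load-hardening" "$WORK/lvi.s"

    base_lfence=$(count_lfence "$WORK/base.s")
    lvi_lfence=$(count_lfence "$WORK/lvi.s")

    if [ "$base_lfence" -eq 0 ] && ! has_symbol __llvm_lvi_thunk_r11 "$WORK/base.s" \
       && [ "$lvi_lfence" -gt 0 ] && has_symbol __llvm_lvi_thunk_r11 "$WORK/lvi.s"; then
        echo hardened
    else
        echo unhardened
    fi
}

printf 'LVI hardening check (baseline vs +lvi-cfi,+lvi-load-hardening): %s\n' "$(hardening_verdict)"
```

The feature string handed to emit_asm is the only thing to change when checking another mitigation from the list (for example `+seses`); speculative load hardening is an LLVM option rather than a target feature, so it goes through `-C llvm-args=-x86-speculative-load-hardening` instead. Checking the emitted assembly rather than trusting the flag is the point: a feature that rustc only warns about and LLVM silently ignores would leave the baseline code unchanged, which is exactly the case this script reports as "unhardened".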
Oh and I missed the retpoline-related features:

- retpoline-indirect-calls target feature
- retpoline-indirect-branches target feature
Side note: there are also efforts to insert more heavy-handed mitigations on compiled binaries (see the commits in that BOLT fork adding the --lfence-*
options), which incidentally are easier to verify, if the immense performance hit is acceptable depending on the application.