Spectre mitigations in Rust

I have looked everywhere and could not find any mitigations for Spectre attacks by the Rust compiler(s)! Do you know if there are any mitigations for the different kinds of Spectre attacks, Spectre v1 (Spectre-PHT), v2 (Spectre-BTB), v4 (Spectre-STL) and v5 (Spectre-RSB), at the compiler level for Rust? Looking forward to hearing from you guys :slight_smile:

There are several mitigations for transient execution attacks available in LLVM and therefore rustc.

For example, the x86_64-fortanix-unknown-sgx target enables LVI load hardening & CFI by default.


Thanks. I'm assuming these mitigations are only capable of solving the problem for Spectre v1 and v2. Please correct me if I'm wrong but I think they don't deal with other variants.

I believe that it actually does not mitigate Spectre v2 and it's only a mitigation for Spectre v1.

I'd think LVI-CFI deals with some of the later ones?

It replaces 'ret', and 'ret' is one of the ways to trigger v2; however, we can trigger it using call and jump too. So I don't honestly see it as a mitigation for other variants.

You can just try it out and see what may or may not be missing?

pub fn add_1(v: &mut dyn core::ops::AddAssign<i32>) {
    v.add_assign(1);
}

with LVI load hardening:

0000000000000000 <_ZN9indirtest5add_117h35adf97a3c3c13bbE>:
   0:	0f ae e8             	lfence 
   3:	48 8b 46 18          	mov    0x18(%rsi),%rax
   7:	be 01 00 00 00       	mov    $0x1,%esi
   c:	ff e0                	jmpq   *%rax

and with LVI-CFI + LVI-LH or SESES:

0000000000000000 <_ZN9indirtest5add_117h35adf97a3c3c13bbE>:
   0:	0f ae e8             	lfence 
   3:	4c 8b 5e 18          	mov    0x18(%rsi),%r11
   7:	be 01 00 00 00       	mov    $0x1,%esi
   c:	e9 00 00 00 00       	jmpq   11

0000000000000000 <__llvm_lvi_thunk_r11>:
   0:	0f ae e8             	lfence 
   3:	41 ff e3             	jmpq   *%r11

RELOCATION RECORDS FOR [.text._ZN9indirtest5add_117h35adf97a3c3c13bbE]:
OFFSET           TYPE              VALUE 
000000000000000d R_X86_64_PLT32    __llvm_lvi_thunk_r11-0x0000000000000004

Oh and I missed the retpoline-related features:

  • retpoline-indirect-calls target feature
  • retpoline-indirect-branches target feature

Side note: there are also efforts to insert more heavy-handed mitigations on compiled binaries (see the commits in that BOLT fork adding the --lfence-* options), which incidentally are easier to verify, if the immense performance hit is acceptable depending on the application.
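The thread leaves Spectre v1 (bounds-check bypass) as the variant the compiler options above address most directly, and LVI load hardening does that by fencing loads. A source-level complement that needs no target feature is the branch-free index-masking idiom the Linux kernel uses (array_index_nospec): the mask is computed arithmetically, so it is right even while the CPU is still speculating past a mispredicted bounds check. The block below is an added example, not code from the thread or from rustc; the function names, the use of `std::hint::black_box` and the sample table are assumptions for illustration. Rust gives no guarantee that the optimizer keeps the mask, so this is best-effort rather than a compiler-enforced mitigation.

```rust
use std::hint::black_box;

/// Returns an all-ones mask when `idx < len` and an all-zeros mask otherwise,
/// using arithmetic only (no conditional branch), so the value is correct even
/// while the CPU speculates past a mispredicted bounds check. Same construction
/// as the Linux kernel's array_index_mask_nospec; assumes `len <= isize::MAX`,
/// which holds for every Rust slice length.
#[inline(always)]
pub fn index_mask_nospec(idx: usize, len: usize) -> usize {
    // If idx < len, both idx and (len - idx - 1) have the top bit clear.
    // If idx >= len, the subtraction wraps (or idx itself is huge), so the
    // top bit is set. Inverting and arithmetic-shifting the top bit down
    // smears it across the whole word.
    let v = idx | len.wrapping_sub(idx).wrapping_sub(1);
    (!(v as isize) >> (usize::BITS - 1)) as usize
}

/// Bounds-checked lookup whose speculative path is also bounds-limited:
/// if the branch mispredicts for an out-of-range `idx`, the masked index
/// is 0, so no attacker-chosen offset is loaded transiently.
pub fn lookup_nospec(table: &[u8], idx: usize) -> Option<u8> {
    if idx < table.len() {
        // black_box discourages the optimizer from folding the mask away
        // using the knowledge that idx < len on this path (best-effort only).
        let mask = black_box(index_mask_nospec(idx, table.len()));
        Some(table[idx & mask])
    } else {
        None
    }
}

/// Plain lookup for comparison: architecturally correct, but the load at
/// `table[idx]` can execute transiently with an out-of-range `idx` after a
/// misprediction (the bounds-check-bypass pattern Spectre v1 relies on).
pub fn lookup_plain(table: &[u8], idx: usize) -> Option<u8> {
    if idx < table.len() {
        Some(table[idx])
    } else {
        None
    }
}

fn main() {
    let table = [10u8, 20, 30, 40]; // constructed sample data
    for idx in [0usize, 3, 4, usize::MAX] {
        println!(
            "idx={idx:#x} mask={:#x} nospec={:?} plain={:?}",
            index_mask_nospec(idx, table.len()),
            lookup_nospec(&table, idx),
            lookup_plain(&table, idx)
        );
    }
}
```

Both lookups return the same architectural result; the difference is only in what the transient path can touch. Disassembling `lookup_nospec` (as the thread does with objdump) shows an `and` on the index rather than a fence, which is why this composes with, rather than replaces, the LVI or retpoline target features for the indirect-branch variants.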