Associated Vulnerability
Title: Intel and ARM CPU information disclosure vulnerability (CVE-2017-5715)
Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
Description
A quick-and-dirty tool to verify that userspace executables are immune to Spectre variant 2 (CVE-2017-5715).
Readme
retpoline-audit
===============
A quick-and-dirty utility to verify that an executable or shared object is using
[retpolines](https://support.google.com/faqs/answer/7625886) to mitigate the [Spectre](https://spectreattack.com) vulnerability
(Variant 2: branch target injection, CVE-2017-5715). Specifically, `retpoline-audit` searches for indirect branches in a binary
and its shared object dependencies.
This is currently known to compile on and work with userspace binaries for the following systems:
* GNU/Linux (`i386`, `x86_64`)
* macOS (Intel)
Other systems may also work, but don't count on it.
At this time (January 2018), very few executables in the wild have been compiled with retpoline support, and compiler support is
still in the process of trickling down to end users. For now, running this program on random binaries will show indirect
branches in nearly everything.
Note that `retpoline-audit` is still somewhat of a prototype at this point.
Security
--------
Do not run `retpoline-audit` on untrusted executables, or executables which link with untrusted shared objects.
`retpoline-audit` uses [ldd(1)](http://man7.org/linux/man-pages/man1/ldd.1.html) to find dependencies, which "may lead to the
execution of whatever code is defined in the program's ELF interpreter, and perhaps to execution of the program itself."
Other issues
------------
`retpoline-audit` will not be able to detect all indirect branches, including but not limited to the following scenarios:
* Code in data sections
* Code generated at runtime
* Indirect branches in the [vDSO](http://man7.org/linux/man-pages/man7/vdso.7.html)
* The disassembler can (usually briefly) get out of sync with the instruction stream in the padding between legitimate code
sequences.
* `retpoline-audit` checks for x86 CALL and JMP instructions; it does not check other instructions that perform indirect jumps
like SYSCALL, INT, or GETSEC[EXITAC].
In addition:
* Binaries with `" => "` or parentheses in the name can break dependency scanning.
* Shared object dependencies with the same name as the system's vDSO may be skipped during dependency scanning.
* Dependency scanning won't work for binaries that aren't supported by the host system.
* Fat binaries on macOS always have all slices checked. Dependency chains can differ for different architectures, and
`retpoline-audit` may bring in binaries that a slice normally wouldn't load.
* macOS: Some sections show up with slightly different names, e.g. `__TEXT.__text` shows up as just `.text`.
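The Security section above warns that `ldd` may execute the audited program's ELF interpreter, and the list above notes that its `" => "` output format is fragile to parse. As an added illustration, not part of `retpoline-audit`, the following Python reads the direct `DT_NEEDED` entries straight out of the ELF image, so nothing in the audited binary runs and no `ldd` text is parsed; the sample image is constructed inline, and the parser does not resolve library search paths the way `ldd` does.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr
DYN = struct.Struct("<qQ")                  # Elf64_Dyn

def dt_needed(image: bytes) -> list:
    """Direct DT_NEEDED names of a little-endian ELF64 image, read without executing anything."""
    hdr = EHDR.unpack_from(image, 0)
    ident, shoff, shentsize, shnum = hdr[0], hdr[6], hdr[11], hdr[12]
    if ident[:4] != ELF_MAGIC or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    shdrs = [SHDR.unpack_from(image, shoff + i * shentsize) for i in range(shnum)]
    needed = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = shdrs[sh[6]]                      # sh_link of .dynamic points at .dynstr
        dynstr = image[strtab[4]:strtab[4] + strtab[5]]
        for pos in range(sh[4], sh[4] + sh[5], sh[9] or DYN.size):
            tag, val = DYN.unpack_from(image, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:                   # d_val is an offset into .dynstr
                needed.append(dynstr[val:dynstr.index(b"\0", val)].decode())
    return needed

def build_sample_elf(needed):
    """Constructed test image: ELF header, .dynstr, .dynamic and three section headers, nothing else."""
    dynstr, offsets = b"\0", []
    for name in needed:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    dyn_off = (EHDR.size + len(dynstr) + 7) & ~7      # .dynamic follows .dynstr, 8-byte aligned
    dynamic = b"".join(DYN.pack(DT_NEEDED, o) for o in offsets) + DYN.pack(DT_NULL, 0)
    sh_off = dyn_off + len(dynamic)
    shdrs = (SHDR.pack(*([0] * 10))
             + SHDR.pack(0, SHT_STRTAB, 0, 0, EHDR.size, len(dynstr), 0, 0, 1, 0)
             + SHDR.pack(0, SHT_DYNAMIC, 0, 0, dyn_off, len(dynamic), 1, 0, 8, DYN.size))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = EHDR.pack(ident, 3, 0x3E, 1, 0, 0, sh_off, 0, EHDR.size, 56, 0, SHDR.size, 3, 0)
    image = ehdr + dynstr
    return image + bytes(dyn_off - len(image)) + dynamic + shdrs

if __name__ == "__main__":
    print(dt_needed(build_sample_elf(["libfoo.so.1", "libc.so.6"])))
```

A real audit would then look each name up along the loader's search path and recurse into the libraries found, which is the part `ldd` does for free but at the cost of running code.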
Building
--------
### Prerequisites
* `libbfd` and `libopcodes` from [GNU Binutils](https://www.gnu.org/software/binutils/). Debian and Ubuntu: use `binutils-dev`.
* C++11 compiler
* [autoconf](https://gnu.org/s/autoconf) 2.69
### Then, type:
    $ autoreconf -I.
    $ ./configure
    $ make
    $ ./retpoline-audit [program]
Usage
-----
* `-n 4` Display up to 4 indirect branch locations (per binary)
* `-x` Do not scan shared object dependencies
* `-h` Show help
* `-V` Show version
License
-------
`retpoline-audit` is copyright (C) 2018 Dave Odell <<dmo2118@gmail.com>>
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, version 3.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see
<https://www.gnu.org/licenses/>.
File Snapshot
[4.0K] /data/pocs/949411b6e2bc85c05be6921f446494654953bfb8
├── [ 23K] audit.cpp
├── [4.0K] audit.hpp
├── [2.7K] ax_append_flag.m4
├── [4.9K] ax_cflags_warn_all.m4
├── [ 20K] ax_cxx_compile_stdcxx.m4
├── [1.2K] ax_require_defined.m4
├── [1.3K] configure.ac
├── [ 284] errno_exception.cpp
├── [ 604] errno_exception.hpp
├── [ 34K] LICENSE
├── [1.9K] main.cpp
├── [ 384] Makefile.in
├── [1.2K] malloc_ptr.hpp
├── [1.1K] malloc_vector.hpp
└── [3.6K] README.md
0 directories, 15 files