Retpoline

Google has published details about a new coding technique, created by the company's engineers, that any developer can deploy to prevent Spectre attacks.

The company claims this new technique, called Retpoline, has a "negligible impact on performance" compared to other patches rolled out in the past few days that in some cases caused big CPU performance dips.

Authored by Paul Turner, Senior Staff Engineer for Google's Technical Infrastructure, Retpoline is described as a binary modification technique.

Google says it has already deployed Retpoline on the Linux-based servers in its private data centers, where the company saw minimal performance impact.

Retpoline may end up in the Linux kernel

Turner also submitted a patch to the Linux kernel project that implements the Retpoline technique. In presenting the technique to other Linux kernel developers, Turner said that Retpoline added an "average overall overhead within the 0-1.5% range for our internal workloads, including some particularly high packet processing engines."

Retpoline also seems to have the support of Intel developers, such as Andi Kleen, who also commented favorably on using the technique for the Linux kernel.

"So we want to avoid speculative indirect calls in the kernel," Kleen said. "There's a special code sequence called a retpoline that can do indirect calls without speculation."

Retpoline addresses "speculative execution"

By "speculation," Kleen is referring to "speculative execution," a code optimization technique used by all modern CPUs, which is the root cause of the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) vulnerabilities.

According to several developers commenting on the new technique, Retpoline creates something akin to an infinite loop that is never called in the actual code but keeps the CPU from entering speculative execution.
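The loop the developers describe can be seen in a hand-written thunk. The following is an added example, not code from Google's write-up or the kernel patch: an indirect call through a function-pointer table is routed through a call/ret sequence, so the CPU's return predictor steers speculation into a pause/lfence loop that is never executed architecturally. The names retpoline_call, demo_retpoline_call and dispatch are hypothetical, and the thunk assumes x86-64 with the System V calling convention and GCC or Clang.

```c
/* Added example: hand-written retpoline thunk (x86-64 SysV, GCC/Clang, AT&T syntax).
 * retpoline_call, demo_retpoline_call and dispatch are hypothetical names. */
#include <stdio.h>

typedef long (*handler_t)(long);

/* Reached by a direct call: rdi = arg, rsi = real branch target. */
long retpoline_call(long arg, handler_t target) __asm__("demo_retpoline_call");

#if defined(__x86_64__) && !defined(_WIN32)
__asm__(
    ".text\n"
    ".globl demo_retpoline_call\n"
    "demo_retpoline_call:\n"
    "    call 1f\n"            /* push address of label 2, continue at label 1 */
    "2:  pause\n"              /* capture loop: the return predictor sends     */
    "    lfence\n"             /* speculation here, where it spins harmlessly; */
    "    jmp 2b\n"             /* this loop is never executed architecturally  */
    "1:  mov %rsi, (%rsp)\n"   /* overwrite the pushed return address          */
    "    ret\n"                /* 'return' into target: no indirect jmp/call   */
);
#else
/* Assumption: elsewhere, fall back to a plain indirect call so this builds. */
long retpoline_call(long arg, handler_t target) { return target(arg); }
#endif

static long add_one(long x) { return x + 1; }
static long negate(long x)  { return -x; }

/* An indirect call through a function-pointer table, routed via the thunk. */
long dispatch(unsigned idx, long arg)
{
    static const handler_t table[] = { add_one, negate };
    return retpoline_call(arg, table[idx % 2]);
}

int main(void)
{
    printf("%ld %ld\n", dispatch(0, 41), dispatch(1, 41));
    return 0;
}
```

In practice the compiler emits such thunks for every indirect branch (GCC's -mindirect-branch=thunk, Clang's -mretpoline) rather than the programmer writing them by hand.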

Developers can code their application binaries to use Retpoline and prevent exposing their apps to Spectre attacks.

"This mitigation may be applied to the operating system kernel, system programs and libraries, and individual software programs, as needed," Google says.

Besides the Linux kernel, projects like GCC and LLVM are also working on adding support for the new technique.
