Retpoline

Google has published details about a new coding technique created by the company's engineers that any developer can deploy and prevent Spectre attacks.

The company claims this new technique, called Retpoline, has a "negligible impact on performance" compared to other patches rolled out in the past few days that in some cases caused big CPU performance dips.

Authored by Paul Turner, Senior Staff Engineer for Google's Technical Infrastructure, the technique is described as a binary modification technique.

Google says it already deployed both Retpoline for the Linux-based servers deployed in its private data centers, where the company saw minimal performance impact.

Retpoline may end up in the Linux kernel

Turner also submitted a patch to the Linux kernel project to implement the Retpoline technique for the Linux kernel. In presenting the technique to other Linux kernel developers, Turner said that Retpoline added an "average overall overhead within the 0-1.5% range for our internal workloads, including some particularly high packet processing engines."

Retpoline also seems to have the support of Intel developers, such as Andi Kleen, who also commented favorably on using the technique for the Linux kernel.

"So we want to avoid speculative indirect calls in the kernel," Kleen said. "There's a special code sequence called a retpoline that can
do indirect calls without speculation."

Retpoline addresses "speculative execution"

By "speculation" Kleen is referring to "speculative execution," a code optimization technique used by all modern CPUs, and which is the root cause exploited by the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) vulnerabilities.

According to several developers commenting on the new technique, Retpoline creates something akin to an infinite loop that is never called in the actual code but keeps the CPU from entering speculative execution.

Developers can code their application binaries to use Retpoline and prevent exposing their apps to Spectre attacks.

"This mitigation may be applied to the operating system kernel, system programs and libraries, and individual software programs, as needed," Google says.

Besides the Linux kernel, projects like GCC and LLVM are also working on adding support for the new technique.

Related Articles:

Spectre and Meltdown Hardware Protection Added to Intel's 9th Gen CPUs

Intel 2018 Desktop Launch Tomorrow, 9th Gen CPUs Expected

Android Apps Pretend to Mine Unmineable CryptoCurrencies to Just Show Ads

Ad Clicker Hiding as Google Photos App Found in Microsoft Store

Google Accidentally Pushed Internal November 2018 Security Update to Pixel User