
POC details: 949411b6e2bc85c05be6921f446494654953bfb8

Related vulnerability
Title: Intel and ARM CPU information disclosure vulnerability (CVE-2017-5715)
Description: ARM Cortex-R7 and others are products of the British company ARM. ARM Cortex-R7 is a central processing unit (CPU). Cortex-R8 is a central processing unit (CPU). Intel Xeon CPU E5-1650 and others are products of the American company Intel. Xeon CPU E5-1650 is a central processing unit (CPU). Intel and ARM CPUs contain an information disclosure vulnerability that stems from a flaw in the processor's data boundary mechanism. A local attacker can exploit it to read memory contents by abusing 'erroneous speculative execution'. The following products and versions are affected: ARM Cortex-R7; Cor
Description
A quick-and-dirty tool to verify that userspace executables are immune to Spectre variant 2 (CVE-2017-5715).
Introduction
retpoline-audit
===============

A quick-and-dirty utility to verify that an executable or shared object is using
[retpolines](https://support.google.com/faqs/answer/7625886) to mitigate the [Spectre](https://spectreattack.com) vulnerability
(Variant 2: branch target injection, CVE-2017-5715). Specifically, `retpoline-audit` searches for indirect branches in a binary
and its shared object dependencies.
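As an added illustration of what the audit looks for (example code written for this page, not part of `retpoline-audit`, which decodes instructions with libopcodes rather than parsing text): the script below scans `objdump -d` AT&T-syntax output for x86 CALL/JMP instructions whose operand begins with `*`, and separately records direct calls into GCC (`__x86_indirect_thunk_*`) or LLVM (`__llvm_retpoline_*`) retpoline thunks, which is how a retpolined indirect branch appears in disassembly. The `SAMPLE_OBJDUMP` listing and the function and symbol names in it are constructed for the example. Like the tool, it only considers CALL and JMP, and it inherits whatever decoding errors objdump makes; unlike the tool's `ldd` step, `objdump -d` does not execute the target.

```python
"""Scan `objdump -d` output for x86 indirect CALL/JMP instructions.

Added example: not retpoline-audit's own code. Works over objdump's AT&T-syntax
text; Branch, parse_instructions, audit and audit_binary are this example's names.
"""
import re
import subprocess
from collections import namedtuple

Branch = namedtuple("Branch", "symbol address mnemonic operand")

# Control transfers whose operand may be indirect; in AT&T syntax an operand
# beginning with '*' takes the target from a register or memory.
BRANCH_MNEMONICS = {"call", "callq", "jmp", "jmpq", "lcall", "ljmp"}
# Prefixes objdump prints as separate words before the mnemonic.
PREFIXES = {"bnd", "notrack", "lock", "rep", "repz", "repnz", "data16", "addr32"}
# Retpoline thunk symbols as named by GCC and LLVM. The "[^>+]" excludes
# "<thunk+0x5>" style references, i.e. branches inside the thunk itself.
THUNK_RE = re.compile(r"<(?:__x86_indirect_thunk_|__llvm_retpoline_)[^>+]*>")
SYMBOL_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")

# Constructed objdump output (not from a real binary): a dispatcher with four
# indirect branches and one retpolined call, followed by a GCC-style thunk.
SAMPLE_OBJDUMP = """\
0000000000401000 <dispatch>:
  401000:\t48 8b 07             \tmov    (%rdi),%rax
  401003:\tff d0                \tcall   *%rax
  401005:\t41 ff e3             \tjmp    *%r11
  401008:\tff 15 f2 2f 00 00    \tcall   *0x2ff2(%rip)        # 404000 <fn_ptr>
  40100e:\tff 24 c5 00 40 40 00 \tjmp    *0x404000(,%rax,8)
  401015:\te8 06 00 00 00       \tcall   401020 <__x86_indirect_thunk_rax>
  40101a:\tf3 0f 1e fa          \tendbr64
  40101e:\tc3                   \tret

0000000000401020 <__x86_indirect_thunk_rax>:
  401020:\te8 07 00 00 00       \tcall   40102c <__x86_indirect_thunk_rax+0xc>
  401025:\tf3 90                \tpause
  401027:\t0f ae e8             \tlfence
  40102a:\teb f9                \tjmp    401025 <__x86_indirect_thunk_rax+0x5>
  40102c:\t48 89 04 24          \tmov    %rax,(%rsp)
  401030:\tc3                   \tret
"""


def parse_instructions(objdump_text):
    """Yield (symbol, address, mnemonic, operand) for every decoded instruction."""
    symbol = None
    for line in objdump_text.splitlines():
        m = SYMBOL_RE.match(line)
        if m:
            symbol = m.group(1)
            continue
        parts = line.split("\t")
        # Instruction lines are "<addr>:\t<bytes>\t<text>"; the byte-only
        # continuation lines of long instructions have no third field.
        if len(parts) < 3 or not parts[0].strip().endswith(":"):
            continue
        address = int(parts[0].strip()[:-1], 16)
        words = parts[2].split()
        while words and words[0] in PREFIXES:
            words.pop(0)
        if not words:
            continue
        yield symbol, address, words[0], " ".join(words[1:])


def audit(objdump_text):
    """Return (indirect branches, direct calls/jumps into a retpoline thunk)."""
    indirect, thunked = [], []
    for symbol, address, mnemonic, operand in parse_instructions(objdump_text):
        if mnemonic not in BRANCH_MNEMONICS:
            continue
        if operand.startswith("*"):
            indirect.append(Branch(symbol, address, mnemonic, operand))
        elif THUNK_RE.search(operand):
            thunked.append(Branch(symbol, address, mnemonic, operand))
    return indirect, thunked


def audit_binary(path):
    """Disassemble a file with objdump and audit the text (needs binutils)."""
    out = subprocess.run(["objdump", "-d", path], check=True,
                         capture_output=True, text=True).stdout
    return audit(out)


if __name__ == "__main__":
    found, via_thunk = audit(SAMPLE_OBJDUMP)
    for b in found:
        print(f"indirect branch in {b.symbol} at {b.address:#x}: {b.mnemonic} {b.operand}")
    for b in via_thunk:
        print(f"retpolined call in {b.symbol} at {b.address:#x}: {b.operand}")
    print("verdict:", "indirect branches present" if found else "no indirect branches found")
```

Note that the thunk body itself contains no indirect branch: the `jmp *%rax` it replaces becomes a `mov %rax,(%rsp); ret` pair, so a fully retpolined binary yields an empty `indirect` list, which is the condition the audit is really testing for.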

This is currently known to compile on and work with userspace binaries for the following systems:

* GNU/Linux (`i386`, `x86_64`)
* macOS (Intel)

Other systems may also work, but don't count on it.

At this time (January 2018), very few executables in the wild have been compiled with retpoline support, and compiler support is
still in the process of trickling down to end users. For now, running this program on random binaries will show indirect
branches in nearly everything.

Note that `retpoline-audit` is still somewhat of a prototype at this point.

Security
--------

Do not run `retpoline-audit` on untrusted executables, or executables which link with untrusted shared objects.
`retpoline-audit` uses [ldd(1)](http://man7.org/linux/man-pages/man1/ldd.1.html) to find dependencies, which "may lead to the
execution of whatever code is defined in the program's ELF interpreter, and perhaps to execution of the program itself."

Other issues
------------

`retpoline-audit` will not be able to detect all indirect branches, including but not limited to the following scenarios:

* Code in data sections
* Code generated at runtime
* Indirect branches in the [vDSO](http://man7.org/linux/man-pages/man7/vdso.7.html)
* The disassembler can (usually briefly) get out of sync with the instruction stream in the padding between legitimate code
  sequences.
* `retpoline-audit` checks for x86 CALL and JMP instructions; it does not check other instructions that perform indirect jumps
  like SYSCALL, INT, or GETSEC[EXITAC].

In addition:

* Binaries with `" => "` or parentheses in the name can break dependency scanning.
* Shared object dependencies with the same name as the system's vDSO may be skipped during dependency scanning.
* Dependency scanning won't work for binaries that aren't supported by the host system.
* Fat binaries on macOS always have all slices checked. Dependency chains can differ for different architectures, and
  `retpoline-audit` may bring in binaries that a slice normally wouldn't load.
* macOS: Some sections show up with slightly different names, e.g. `__TEXT.__text` shows up as just `.text`.

Building
--------

### Prerequisites

* `libbfd` and `libopcodes` from [GNU Binutils](https://www.gnu.org/software/binutils/). Debian and Ubuntu: use `binutils-dev`.
* C++11 compiler
* [autoconf](https://gnu.org/s/autoconf) 2.69

### Then, type:

	$ autoreconf -I.
	$ ./configure
	$ make
	$ ./retpoline-audit [program]

Usage
-----

* `-n 4` Display up to 4 indirect branch locations (per binary)
* `-x` Do not scan shared object dependencies
* `-h` Show help
* `-V` Show version

License
-------

`retpoline-audit` is copyright (C) 2018 Dave Odell <<dmo2118@gmail.com>>

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, version 3.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program.  If not, see
<https://www.gnu.org/licenses/>.
File snapshot

	[4.0K] /data/pocs/949411b6e2bc85c05be6921f446494654953bfb8
	├── [ 23K] audit.cpp
	├── [4.0K] audit.hpp
	├── [2.7K] ax_append_flag.m4
	├── [4.9K] ax_cflags_warn_all.m4
	├── [ 20K] ax_cxx_compile_stdcxx.m4
	├── [1.2K] ax_require_defined.m4
	├── [1.3K] configure.ac
	├── [ 284] errno_exception.cpp
	├── [ 604] errno_exception.hpp
	├── [ 34K] LICENSE
	├── [1.9K] main.cpp
	├── [ 384] Makefile.in
	├── [1.2K] malloc_ptr.hpp
	├── [1.1K] malloc_vector.hpp
	└── [3.6K] README.md

	0 directories, 15 files