Linux Kernel 5.10 Introduces Static Calls to Prevent Speculative Execution Attacks
You might be familiar with Spectre, a speculative execution vulnerability within x86 processors that breaks the isolation between various applications, allowing an attacker to trick programs into leaking secrets to the hacker. To make matters worse, the safety checks created to protect against such attacks actually make those applications even more vulnerable to Spectre.
The likes of Spectre and Spectre version 2 (otherwise known as the branch target injection — CVE-2017-5715) are operating system agnostic, so every platform on the market had to take steps to protect users and data against such an attack.
The release of the Linux 5.10 kernel brings a new feature that does just that — protect against speculative execution attacks. That feature is called static calls and is a replacement for global function pointers in the Linux kernel.
The new static call function is static_call() which uses code patching to allow direct calls (as opposed to indirect calls) and offer the flexibility of function pointers with an improved performance, especially in cases where retpolines would be used.
Wait, what?
What Is a Retpoline?
A retpoline is a return trampoline that makes use of an infinite loop that is never executed to prevent a CPU from speculating the target of an indirect jump. This system also uses a Return Stack Buffer (RSB) as a prediction structure, similar to a branch predictor for return instructions. To make sure the RSB cannot be maliciously trained out of the infinite loop, retpolines always start with a direct call to make sure the RSB predicts an infinite loop.
Retpolines were not the original mitigation against Spectre, but were created by Google after the original Spectre mitigation was found to cause relative slowdowns on certain CPU architectures (both AMD and Intel) and under specific workloads.
You can check to see if your running kernel contains full retpoline support by issuing the command:
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
You should see something similar to:
Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
After Microsoft realized its original solution couldn’t compete with Google’s, it implemented the retpoline in Windows 10. In 2018, retpolines found their way into the Linux kernel, thereby protecting the open source platform against such attacks.
However, retpolines were never an ideal solution. Developers had to go out of their way to avoid indirect calls, as they had to now be implemented with retpolines.
What is an indirect call? These calls happen when the address of a function to be called isn’t known at compile time. Instead, the address is stored in a pointer variable so it can then be used at run time. As many have (unfortunately) discovered, those indirect calls are easily exploitable by speculative execution attacks.
Retpolines avoided storing addresses in pointer variables. However, retpolines introduce the following problems:
- Slows down when correctly predicted.
- Drastically slows down when incorrectly predicted.
- Interferes with Intel’s CET and other protections.
- It’s overly complicated.
So, much to the dismay of developers, retpolines weren’t that much better than the original Spectre mitigation.
Static Calls to the Rescue
Since the inception of retpolines, kernel developers have been scrambling to find a better solution, one that doesn’t work from a location within writable memory where the indirect jumps can be found.
That’s where static calls come into play. A static call uses a location in executable memory (instead of writable memory) that contains a jump instruction pointing to a target function. Executing a static call requires a call to the special location, which then jumps to the actual target. This is called a classic code trampoline and completely avoids the use of retpolines.
How to Declare a Static Call
Before you can use a static call, you must first declare them with one of two macros:
|
1 |
DEFINE_STATIC_CALL(name, target); |
or
|
1 |
DECLARE_STATIC_CALL(name, target); |
DEFINE_STATIC_CALL creates a new static call with a given name that points at the function target(). DECLARE_STATIC_CALL declares the existence of a static call that is elsewhere defined.
The actual calling of a static call is handled with:
|
1 |
static_call(name)(args...); |
You define the call with name, which will cause a jump through the trampoline, directly to the target function. If the function returns, say, a value of X, then static_call() will return a value of X.
Welcome Static Calls to the Linux Kernel
As of kernel 5.10, static calls are now a reality. That means the foundation of the Linux operating system is protected against the likes of Spectre V1/2, without suffering from the issues introduced by retpolines.
Read more about the Linux kernel static calls (written by Josh Poimboeuf) here, where you can see the kernel patch he created to employ this new feature.
Although the Linux kernel 5.10 hasn’t found its way into the majority of distributions (as of now, most Ubuntu-based distributions are running kernel 5.8), you should expect this kernel to hit the likes of Ubuntu in April 2021, in version 21.04.