Downloaded 31 times
![IMAGE_DYNAMIC_RELOCATION
typedef struct _IMAGE_DYNAMIC_RELOCATION {
ULONGLONG Symbol; // Contains the static symbol (PTR) value
DWORD BaseRelocSize;
// IMAGE_BASE_RELOCATION BaseRelocations[0];
} IMAGE_DYNAMIC_RELOCATION;
IMAGE_BASE_RELOCATION](https://image.slidesharecdn.com/0927-track2-am-retpoline-theanti-spectretype2mitigationinwindows-181012163929/75/BlueHat-v18-Retpoline-the-anti-spectre-type-2-mitigation-in-windows-13-2048.jpg)
![// From SYSTEM_INFORMATION_CLASS enumeration
#define SystemSpeculationControlInformation 201
typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION {
// ...
ULONG SpecCtrlRetpolineEnabled : 1; // [13]
ULONG SpecCtrlImportOptimizationEnabled : 1; // [14]
} SYSTEM_SPECULATION_CONTROL_INFORMATION;
NtStatus = ZwQuerySystemInformation(SystemSpeculationControlInformation, (PVOID)&SpecCtrl,
sizeof(SYSTEM_SPECULATION_CONTROL_INFORMATION), &dwBytesIo);](https://image.slidesharecdn.com/0927-track2-am-retpoline-theanti-spectretype2mitigationinwindows-181012163929/75/BlueHat-v18-Retpoline-the-anti-spectre-type-2-mitigation-in-windows-37-2048.jpg)
Uploaded byBlueHat Security Conference
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
The document discusses various structures and processes related to CPU hardware speculation control, including different types of dynamic relocation structures. It also addresses issues and solutions for managing speculative execution vulnerabilities, specifically through the use of retpoline and import optimization. The document further provides insight into querying system information for speculation control settings.
More Related Content
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
- 1.
- 6.
- 8. Source Process VictimProcess
- 9.
- 10. • The attackercould speculate only on *INDIRECT* branches
- 11.
- 13. IMAGE_DYNAMIC_RELOCATION typedef struct _IMAGE_DYNAMIC_RELOCATION{ ULONGLONG Symbol; // Contains the static symbol (PTR) value DWORD BaseRelocSize; // IMAGE_BASE_RELOCATION BaseRelocations[0]; } IMAGE_DYNAMIC_RELOCATION; IMAGE_BASE_RELOCATION
- 14. typedef struct _IMAGE_BASE_RELOCATION{ DWORD VirtualAddress; DWORD SizeOfBlock; } IMAGE_BASE_RELOCATION;
- 15.
- 18. typedef struct _IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION{ ULONG PageRelativeOffset : 12; ULONG IndirectCall : 1; // 1 - the opcode is a CALL // 0 – the opcode is a JMP ULONG IATIndex : 19; } IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION;
- 20. typedef struct _IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION{ USHORT PageRelativeOffset : 12; USHORT IndirectCall : 1; USHORT RexWPrefix : 1; USHORT CfgCheck : 1; USHORT Reserved : 1; } IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION;
- 22. typedef struct _IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION{ USHORT PageRelativeOffset : 12; USHORT RegisterNumber : 4; } IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION;
- 23.
- 24.
- 26. ▪ CPU hardwarespeculation control features ▪ Memory Manager Features Settings
- 27. Retpoline is applied ImportOptimization applied a 64-Kbyte VA space
- 28. reserves a codepage IMPORTANT:
- 29.
- 37. // From SYSTEM_INFORMATION_CLASSenumeration #define SystemSpeculationControlInformation 201 typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION { // ... ULONG SpecCtrlRetpolineEnabled : 1; // [13] ULONG SpecCtrlImportOptimizationEnabled : 1; // [14] } SYSTEM_SPECULATION_CONTROL_INFORMATION; NtStatus = ZwQuerySystemInformation(SystemSpeculationControlInformation, (PVOID)&SpecCtrl, sizeof(SYSTEM_SPECULATION_CONTROL_INFORMATION), &dwBytesIo);
- 42.