Hyperbleed - Current state of spectre-BTI mitigations on cloud
Version 1.0

Introduction

During our tests for reverse spectre attacks [1][2][3], we observed that the behavior of the spectre-BTI [4] mitigations differs between bare-metal and cloud-based scenarios. The Linux kernel allows userspace processes to enable mitigations by calling prctl [5] with PR_GET_SPECULATION_CTRL, which disables the speculation feature, or by using seccomp [6]. The default behavior has changed over time (from using IBPB/STIBP to IBRS). We have measured that on some instances of Google, AWS, Azure and Oracle, the spectre-BTI mitigation using prctl still leaves the victim exposed to attacks in some cases....
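As an added illustration of the prctl interface mentioned above (example code written for this edit, not part of the original writeup): a C program that asks the kernel to restrict indirect-branch speculation for the calling task with PR_SET_SPECULATION_CTRL and then reads the state back with PR_GET_SPECULATION_CTRL, decoding the returned bits. It assumes a Linux x86 kernel that offers per-task spectre-v2 user control; the ib_spec_* function names are the editor's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallback definitions for older headers; values match the Linux UAPI. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_PRCTL
#define PR_SPEC_NOT_AFFECTED 0
#define PR_SPEC_PRCTL 1
#define PR_SPEC_ENABLE 2
#define PR_SPEC_DISABLE 4
#define PR_SPEC_FORCE_DISABLE 8
#endif

/* Decode a PR_GET_SPECULATION_CTRL result for PR_SPEC_INDIRECT_BRANCH.
 * Returns 1 if indirect-branch speculation is restricted for this task
 * (or the CPU is reported as not affected), 0 if it is still permitted,
 * and -1 if the query itself failed. Bit meanings follow the kernel UAPI. */
int ib_spec_is_restricted(long flags) {
    if (flags < 0) return -1;                        /* prctl() error */
    if (flags == PR_SPEC_NOT_AFFECTED) return 1;     /* not vulnerable */
    if (flags & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) return 1;
    return 0;                                        /* PR_SPEC_ENABLE */
}

/* Request the mitigation for the calling task, then read the state back
 * instead of trusting the PR_SET return value alone. PR_SPEC_DISABLE
 * (rather than FORCE_DISABLE) keeps the task able to re-enable it later. */
long ib_spec_disable_and_query(void) {
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
              PR_SPEC_DISABLE, 0, 0) != 0)
        fprintf(stderr, "PR_SET_SPECULATION_CTRL: %s\n", strerror(errno));
    return prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
}

int main(void) {
    long flags = ib_spec_disable_and_query();
    int st = ib_spec_is_restricted(flags);
    printf("indirect-branch speculation ctrl = 0x%lx: %s\n", flags,
           st == 1 ? "restricted" : st == 0 ? "still permitted" : "unknown");
    /* "restricted" reflects only the guest kernel's view of the task state;
     * the writeup reports cloud instances where that was not sufficient. */
    return st == 1 ? 0 : 1;
}
```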