The information in this article was first published in a whitepaper. Refer to this page for the latest updates to this content, and be sure to read the disclosure overview for software developers.

Side channel methods are techniques that may allow a malicious actor to gain information through observing the system, such as measuring microarchitectural properties about the system. Bounds check bypass represents a broad class of vulnerabilities. For an introduction to speculation and these methods, see the Intel Analysis of Speculative Execution Side Channels technical documentation, Speculative Execution Side Channel Mitigations technical documentation, and refer to the security research findings page on .

This document describes how to analyze potential bounds check bypass and bounds check bypass store vulnerabilities found by static analysis tools or manual code inspection and presents mitigation techniques that may be used. This document examines common instances of these vulnerabilities, including the bounds check bypass store variant, but should not be considered a comprehensive list. This document does not include any actual code from any real product or open source release, nor does it discuss or recommend any specific analysis tools.

Bounds check bypass takes advantage of the speculative execution used in processors to achieve high performance. To avoid the processor having to wait for data to arrive from memory, or for previous operations to finish, the processor may speculate as to what will be executed. If the speculation is incorrect, the processor discards the wrong values and then goes back and redoes the computation with the correct values. At the program level this speculation is invisible, but because instructions were speculatively executed they might leave hints that a malicious actor can measure, such as which memory locations have been brought into cache. Using the bounds check bypass method, malicious actors can use code gadgets ("confused deputy" code) to infer data values that have been used in speculative operations.
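The following is an added example and is not code from the Intel document or from any product it refers to. It shows the access pattern the text describes (a load whose index is bounds-checked, feeding a second, data-dependent load) next to two mitigations of the kind this document discusses: clamping the index without a branch so it stays in range even on a mis-speculated path, and placing a serializing instruction after the check. A bounds check bypass store variant is shown with the same clamp. The arrays `array1` and `array2`, the cache-line size of 64 bytes and all function names are constructed for illustration; the `clamp_index_nospec` helper is a portable sketch of the index-masking idea, not a library API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>   /* _mm_lfence() */
#endif

/* Constructed sample tables (not from the document). array1 is the
 * bounds-checked array; array2 stands in for memory whose cache state
 * an observer could later measure. */
#define ARRAY1_SIZE 16
#define LINE 64
static uint8_t array1[ARRAY1_SIZE] =
    { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * LINE];

/* Fill array2 so that array2[k * LINE] == k, purely so the functions
 * below return values that can be checked. Returns the bytes filled. */
size_t init_tables(void) {
    for (size_t i = 0; i < sizeof array2; i++)
        array2[i] = (uint8_t)(i / LINE);
    return sizeof array2;
}

/* The pattern this document analyzes: architecturally the bounds check
 * is correct, but while the branch is unresolved the processor may run
 * the body speculatively with an out-of-range x, and the dependent load
 * from array2 then leaves a cache footprint keyed on array1[x]. */
uint8_t load_unmitigated(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * LINE];
    return 0;
}

/* Branchless clamp: idx if idx < size, otherwise 0, with no conditional
 * branch for the predictor to mis-speculate, so the index is in range on
 * the speculative path as well. Production kernels pin this to a
 * cmp/sbb sequence in inline asm so the compiler cannot reintroduce a
 * branch; this portable form only illustrates the idea. */
static inline size_t clamp_index_nospec(size_t idx, size_t size) {
    size_t mask = (size_t)0 - (size_t)(idx < size);  /* all ones or all zeros */
    return idx & mask;
}

/* Mitigation A: index masking. Same architectural result as the
 * unmitigated version, but array1 is never read out of bounds. */
uint8_t load_masked(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = clamp_index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * LINE];
    }
    return 0;
}

/* Mitigation B: serialize after the check so the body does not execute
 * until the branch has resolved. LFENCE is x86-specific; on other
 * targets only the architectural path is compiled here. */
uint8_t load_lfence(size_t x) {
    if (x < ARRAY1_SIZE) {
#if defined(__x86_64__) || defined(__i386__)
        _mm_lfence();
#endif
        return array2[array1[x] * LINE];
    }
    return 0;
}

/* Bounds check bypass store variant: a bounds-checked store whose index
 * could be out of range on the speculative path. Clamping the index
 * keeps the transient store inside the array as well. */
void store_masked(size_t x, uint8_t value) {
    if (x < ARRAY1_SIZE) {
        x = clamp_index_nospec(x, ARRAY1_SIZE);
        array1[x] = value;
    }
}

/* Architectural read-back used to check the store above. */
uint8_t read_array1(size_t x) {
    return x < ARRAY1_SIZE ? array1[x] : 0;
}

int main(void) {
    init_tables();
    printf("in-bounds x=3   -> %u / %u / %u\n",
           load_unmitigated(3), load_masked(3), load_lfence(3));
    printf("out-of-bounds   -> %u / %u / %u\n",
           load_unmitigated(100), load_masked(100), load_lfence(100));
    printf("clamp(100, 16)  -> %zu\n", clamp_index_nospec(100, ARRAY1_SIZE));
    return 0;
}
```

All three load variants return the same values architecturally; the difference is only in what can happen on the speculative path, which is exactly why static analysis or code inspection, rather than testing outputs, is how this class of issue is found.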