SQ14131
Detected Windows executable files that do not implement retpoline vulnerability mitigation protection.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
| None | pass | low | medium | None | None |
About the issue
Retpoline is a mitigation for a family of hardware-level security issues that allow untrusted code to access sensitive user data. These issues are caused by speculative instruction execution in the processor. Speculative execution is a processor feature meant to improve the speed of code execution: by executing possible indirect function call targets in parallel, the processor can have a result ready regardless of the path the application ends up taking. Because those possible branches are actually executed, the branch predictor can be forced to access data that the lower-privilege code has no access rights to.
How to resolve the issue
- It's highly recommended to enable this option for all software components used across security privilege boundaries, such as isolated processes, or for user-to-kernel mode transitions. Although there is still a performance impact to having this vulnerability mitigation enabled, those side effects have been greatly reduced in newer operating system versions.
- To enable this mitigation, refer to your programming language toolchain documentation.
- In Microsoft Visual Studio, you can enable retpoline mitigation by passing the /Qspectre parameter to the compiler and linker.
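As an added illustration (not part of the original page or of Spectra Assure), this is how the /Qspectre setting above looks in a Visual Studio project file; the project and configuration names are placeholders:

```xml
<!-- Added example, not from the original page: the .vcxproj property that
     makes MSBuild pass /Qspectre to cl.exe. Configuration/platform names
     are placeholders; adjust them to the configurations you actually build. -->
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- When SpectreMitigation is absent or set to "false" (the default), the
       executable is built without /Qspectre, which is the condition SQ14131
       reports. Setting it to "Spectre" enables the mitigation and links
       against the Spectre-mitigated C runtime libraries, an optional
       Visual Studio installer component (MSBuild warns with MSB8040 when
       those libraries are not installed). -->
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <SpectreMitigation>Spectre</SpectreMitigation>
  </PropertyGroup>
  <!-- Command-line equivalent for a single translation unit:
       cl.exe /Qspectre /O2 main.cpp -->
</Project>
```

Going beyond the page's Visual Studio case, the corresponding flags on other toolchains are -mretpoline for Clang and -mindirect-branch=thunk for GCC.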
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- RubyGems: 183K
- NuGet: 644K
- PyPI: 628K
- npm: 3.72M
Recommended reading
- Retpoline: A Branch Target Injection Mitigation (External resource - Intel)
- What Is Speculative Execution? (External resource - ExtremeTech)
- Branch predictor (External resource - Wikipedia)