Meltdown, Spectre and Delphi
03-10-2018, 04:50 PM (This post was last modified: 03-10-2018 04:52 PM by AdminDF™.)
All applications are vulnerable to Spectre attacks. 
Unfortunately this also includes applications written in Delphi. Does this mean Delphi developers have been on high alert the past few weeks? Well, it all depends. If you’re creating software for a high-risk business with a large user base and public deployment, then probably yes. But in most cases it’s a no.

As you may already know, its sibling, Meltdown (Rogue data cache load, CVE-2017-5754), can be completely fixed with updates. Most of these are already available, so update your computers. Use some care though: some of these patches have been reported to cause reboots and blue screens on specific CPU versions from both Intel and AMD, as reported by Microsoft.

However, Spectre attacks cannot really be mitigated with microcode updates or operating system updates alone. That’s because it attacks the way most CPUs optimize code execution, which is not something you can simply turn off. The simplest CPUs are the only ones that are not affected, as you can read in this rather easy-to-read article on RaspberryPI.

The Spectre attack requires the hacker to construct a specific attack for each specific piece of software. Setting this up takes some work, as you need to trick the existing application into leaking its information via a side channel attack through repeated iterations of having it call into specific instructions. In other words, suppose a vulnerable instruction sequence would be triggered by a click on a specific “button”; the hacker would have to write some code that would keep clicking this “button” while data is leaked from the application’s protected memory locations.

This means the hacker would have to analyze the application beforehand and write an exploit specifically for this application, and somehow persuade the end-user to run this exploit side by side with the vulnerable application. This takes some serious effort. In fact, if you can already get such an exploit to run in the same user space, there are many more ways of attack that are far easier to perform. This means that Delphi (or any other) applications with a small user base, say below 10,000 users, and/or those without public deployment (not in any app store) have a relatively low risk of being attacked. It’s still possible though, just not very likely.

Does this mean we could just do nothing, like go Niksen? Well, that’s not exactly what I meant. What if someone analyzes the compiled code for one of the most popularly used components of Delphi and writes an exploit for that? This hasn’t happened yet, but given time, someone will find a way to more easily exploit Spectre in a generic fashion. Need an example? The past weeks you could already exploit Spectre by just running JavaScript inside a browser, as described in the paper. Yes, this does mean that the Delphi TWebBrowser component, which is just a window to the underlying OS browser architecture, was vulnerable. Hopefully you’ve already got your browsers updated.

Ok, so what can we do? For variant 1 of Spectre (Bounds-Check bypass, CVE-2017-5753) Intel suggests using an LFENCE instruction. There is a compiler switch, previously undocumented, that adds these LFENCE instructions for the MSVC compiler. In Delphi you can just add LFENCE instructions in your code using

but I’m not sure if you can place these LFENCE instructions in between Pascal statements at exactly the right positions for this to always work out as we want. If I translate the example Microsoft uses for Bounds-Check bypass into Delphi:

Code:
if (untrusted_index < array1_length) then
begin
  value := array1[untrusted_index];
  value2 := array2[value * 64];
end;
this results in the following view in the disassembler
This looks OK, the LFENCE is placed at the same location as in the Microsoft example, so you could modify your existing sources with this code. Still, it’s probably better if adding these LFENCE instructions were handled by the compiler.
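The bounds-check pattern from the post, as an added example that is not part of the original post, with the vulnerable form beside a version that puts the LFENCE between the check and the dependent loads. It assumes a Windows Delphi compiler whose inline assembler accepts the LFENCE mnemonic; the routine name SpeculationBarrier and the sample data are my own.

```pascal
program SpectreV1Fence;
{$APPTYPE CONSOLE}
// Added example, not code from the forum post. Assumes a Windows Delphi compiler
// whose inline assembler knows LFENCE (SSE2). The fence sits in its own asm-only
// routine because Delphi for Win64 rejects asm blocks mixed into Pascal code.
const
  Array1Length = 16;
var
  Array1: array[0..Array1Length - 1] of Byte;
  Array2: array[0..256 * 64 - 1] of Byte;  // probe array: one cache line per byte value

procedure SpeculationBarrier;
asm
  lfence  // later loads cannot issue until the earlier compare has resolved
end;

// Vulnerable form: the CPU may speculate past the bounds check with an
// out-of-range index and touch a line of Array2 chosen by the secret byte.
function VictimUnfenced(UntrustedIndex: NativeUInt): Byte;
var
  Value: Byte;
begin
  Result := 0;
  if UntrustedIndex < Array1Length then
  begin
    Value := Array1[UntrustedIndex];
    Result := Array2[Value * 64];
  end;
end;

// Hardened form: same check, with the barrier between the check and the loads.
function VictimFenced(UntrustedIndex: NativeUInt): Byte;
var
  Value: Byte;
begin
  Result := 0;
  if UntrustedIndex < Array1Length then
  begin
    SpeculationBarrier;
    Value := Array1[UntrustedIndex];
    Result := Array2[Value * 64];
  end;
end;

begin
  Array1[3] := 7;  // constructed sample data; globals are otherwise zero
  Writeln('fenced(3) = ', VictimFenced(3), ' unfenced(3) = ', VictimUnfenced(3));
end.
```

Both functions return the same value for in-range input; the difference is only in what the CPU may do speculatively for an out-of-range index, which the disassembler view mentioned above is the place to confirm.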

Google has proposed a solution on a compiler level to prevent the branch-target-injection variant of Spectre (CVE-2017-5715) using retpoline. Open source versions of the code have already been submitted to LLVM and GCC. However, there is no easy way to modify your Delphi code to introduce this solution. The indirect branch that is vulnerable is generated by the compiler, for instance when you write polymorphic code that calls an overridden virtual method of a subclass, such as described in Google’s example. For the Delphi developer that’s just one line of code, with no easy way to add this new calling construction. This one needs to be handled by the compiler, and for LLVM and GCC this change is being evaluated.

If this all works out, that means we will have an option to mitigate these two variations of Spectre attacks on existing applications by just recompiling that application. These solutions could become part of all compilers out there, including all of the Delphi tool chains, LLVM-based or not. My preference would be to add this as a Compiler Option similar to the one we had for the Pentium FDIV bug. Because just like the FDIV bug, Spectre will also disappear with newer CPUs that handle things a little differently, and then you can choose to disable that option again.

If you’re into a challenge and want to know more on the details of Meltdown and Spectre, I suggest reading the original posting.
