Remix clone Hacker News

new | show | ask | jobs Github

	▲	nneonneo 11 hours ago
		What a fun problem to think about. My first instinct, knowing less about this domain than maybe I should, would be to abuse the return address predictor. I believe CPUs will generally predict the target of a “ret” instruction using an internal stack of return addresses; some ARM flavours even make this explicit (https://developer.arm.com/documentation/den0042/0100/Unified...). The way to abuse this would be to put send() on the normal return path and call abandon() by rewriting the return address. In code: `void resolve(Transaction t) { predict(t); send(t); } void predict(Transaction t) { if (!should_send(t)) (void *)__builtin_return_address(0) = &abandon; }` This isn’t exactly correct because it ignores control flow integrity (which you’d have to bypass), doesn’t work like this on every architecture, and abandon() would need to be written partly in assembly to deal with the fact that the stack is in a weird state post-return, but hopefully it conveys the idea anyway. The if in predict() is implementable as a branchless conditional move. The return address predictor should guess that predict() will return to send(), but in most cases you’ll smash the return address to point at abandon() instead.
	▲	3 hours ago \| parent [-]
		[deleted]