Announcement

Collapse
No announcement yet.

KPTI + Retpoline Linux Benchmarking On Old Laptops

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #11
    Originally posted by nanonyme View Post
    Who uses their PC for only gaming these days? This means you literally never use eg online banks, buy games online etc etc.
    PC is not just station to access and run remote services, there are many PCs who mainly just run one internaly usefull proggy and nothing else.

    Comment


    • #12
      Originally posted by cybertraveler View Post
      This setup I use also means I can keep my main system free of proprietary software (games, mods and drivers) which may contain naughty stuff.
      This seems silly, even with your gaming PC, sometimes you still need to sign in gaming accounts. You are no way to avoid from the risk.

      Comment


      • #13
        Originally posted by cybertraveler View Post
        If smartalgorithm uses a system to serve up static files over http, from what I've read about these vulnerabilities, there would be no risk to disabling these mitigation features. As I understand it, it is in instances where untrustworthy sources are able to run code on a system, that this untrustworthy user could exploit these vulnerabilities and gain access to memory which they should not have access to. So web browsers, rented virtual machines, shared web hosting with CGI are all potential targets. Private static-file serving web servers and many other privately controlled servers may be able to perfectly safely operate with these features disabled and not receive a performance hit.
        THIS

        It is my understanding, too. So unless you let someone execute arbitrary code on your computer, how could this be exploited? The browser with JS (always nice to have a selective whitelist here) would be the only thing coming to mind here. Especially with slower CPUs I think it will be difficult to achieve the necessary timing precision in JS to extract useful data. Given that browsers are being patched to lower timing resolution (https://blog.mozilla.org/security/20...timing-attack/), what exacty is the remaining attack vector for a single-user desktop PC?

        Comment


        • #14
          Originally posted by cybertraveler View Post
          I do. I have a gaming PC that I use only for gaming.
          Same here.

          Is your gaming rig on linux? Because if you have a separate gaming rig there are so much good reasons to just use Windows on it, and the point of smartalgorithm becomes quite weak.
          starshipeleven
          Premium Supporter
          Last edited by starshipeleven; 11 January 2018, 05:43 PM.

          Comment


          • #15
            Originally posted by MeFri View Post
            THIS

            It is my understanding, too. So unless you let someone execute arbitrary code on your computer, how could this be exploited? The browser with JS (always nice to have a selective whitelist here) would be the only thing coming to mind here. Especially with slower CPUs I think it will be difficult to achieve the necessary timing precision in JS to extract useful data. Given that browsers are being patched to lower timing resolution (https://blog.mozilla.org/security/20...timing-attack/), what exacty is the remaining attack vector for a single-user desktop PC?
            The exploit for this vuln would be probably used as a second stage, first stage is something that just compromises the browser so it loads something outside its sandbox but maybe not with root privileges, and this second stage allows the attacker to pwn the system somehow (looking at other processes to get root access, or steal info regardless of root access, or whatever).

            Malware is modular, serious ones have 2 stages or more and you can have them deliver your payload of choice.

            Comment


            • #16
              Originally posted by wsxy162 View Post
              This seems silly, even with your gaming PC, sometimes you still need to sign in gaming accounts. You are no way to avoid from the risk.
              Gaming accounts are not highly sensitive information, and you can buy/download games from your safe system.

              For Steam for example I can buy stuff with just a web browser and a Paypal account, and Steam is set to not remember my Paypal password so I have to authorize any transaction by authenticating into Paypal. Even if they managed to steal my steam account (I have also connected a phone number because of recovery purposes), my money would still be inaccessible.

              Maybe this won't work for Pay2Win games with an in-game store, but that's crap I don't buy (or play) anyway.

              Comment


              • #17
                And people where complaining about performance loss of micro kernels. Maybe time to go micro kernels for all the added benefits, not only security, but also stability when your NIC or audio driver has an off-by-one typo or two ;-)!

                Comment


                • #18
                  There are many scenarios where you would consider disabling KPTI, retpoline, and other security measures that have a runtime cost.
                  • A PC which is used exclusively for gaming
                  • A PC which is occasionally used for browsing, but the web browser's (PDF reader's, ...) JavaScript JIT is disabled.
                  • A HPC node which runs only trusted code
                  • A server which does not execute user code

                  Comment


                  • #19
                    I, too, game on a machine that I don't do anything else important on. It's because it's a windows machine and I don't trust the software security enough to trust it with anything important.

                    Comment


                    • #20
                      There's no point in disabling KPTI on a gaming rig. All performance tests say that the effect on the gaming performance is negligible.

                      Comment

                      Working...
                      X