Ugh... I can't afford Epyc based servers at the moment. I will be building out a Threadripper box though. I'm done with Intel for a while.

Sucks to be trying to sell "hostless lambdas" or whatever the cloud geeks think is cool at the moment, and it seems that running contemporary JavaScript on the same machine that handles your secrets and does your real work might not be such a good idea, but I don't think that this is the end of the world. The problem, such as it is, arises from letting malicious code share hardware that has lots of hidden (non-architectural) state, (because it turns out not to be very well hidden). Seems obvious that rather than slowing the machine down by orders of magnitude, by preventing any of that hidden state from doing its job, the much better approach would be to just keep the malicious code somewhere more isolated, where it can't see the hidden state of other code. That may require operating system changes, so that task switches don't just swap visible register state, but do some more work to flush that hidden state, at least when switching between different "trust" domains. That is: you can separate in time, and you can separate in space. Modern processors are growing cores like rabbits (those new Amazon Graviton2, for example: 64 single-threaded cores) so much more often threads will not have to time-slice at all, they'll just spin up another core and own it for the duration.

Oh, and the good old rule of not running malicious code in the first place seems like a keeper, too. Besides sticking with open source, and being careful around the trust of your sources when you can't. Surely it's not beyond the wit of man to detect code that spends a lot of cycles doing nothing obviously useful while looking at the high-res clock, and just knocking it on the head? Perhaps deciding that an advertising-sponsored browser plugin or mobile app might not be a great idea after all?

btw...all this security issues are not only a concern for personal data. i think those drm people might be also ...lets say not amused. this makes all the psp and intel secure code efforts look like a joke. i hope netflix etc will not restrict their service on x86 more...at the moment 4k or proper full hd is not avsilable in the classic browser.....i really start to hate what happens to the pc world...restrictions, strange bugs, strange intel me and psp crap, trojan browsers, drm...

I don't know anything about hostvoid lambdas but I can assure you if you are are going to try to sandbox using VM's on a quadcore intel that would be annoyingly slow, I would not use intel at all for VM's personally. As far as JS goes yeaê—yeah, No! I knew it was just a matter of time before someone cleverly engineered some JS that could simply latch on to an average Joe's machine and install a botnet or jack their bank login credentials.

It's only going to get much worse for intel users. I would get off intel as soon as possible to whom-ever is reading this. My opinion of Java Script is that it should be completely removed from the web, its really bad stuff in my opinion. Java=Code slop+data integrity risk+who knows what the hell is in there.

Personally I am not going to use VM's until I have at least a dodeca-core cause I am a resource and latency snob.

Lynx anyone?

I was fixing to ask this question. Since the attack vector, for me, would come from a web browser wouldn't spinning up a single core *BSD virtual machine to only use for surfing be the best mitigation?

Or would, say, Kodi running natively on the Linux install be a possible vector?

I was fixing to ask this question. Since the attack vector, for me, would come from a web browser wouldn't spinning up a single core *BSD virtual machine to only use for surfing be the best mitigation?

Or would, say, Kodi running natively on the Linux install be a possible vector?

Bulldozer has always been an elegant design. I am frustrated that AMD had to scrap it and go copy Intel's SMT design. Now Zen is just a me-too Core architecture with slightly worse IPC but more cores per dollar.