Originally posted by patstew
View Post
Announcement
Collapse
No announcement yet.
If Mitigations Weren't Already Bad Enough: Slow Build Times Now Lead To An Unoptimized Intel LVI Pass
Collapse
X
-
Originally posted by andyprough View Post
Except in many cases the hackers are nation states who own the prisons and are looking to fill them with their hacking victims.
Comment
-
Originally posted by mzs.112000 View PostWelp, looks like it's time to get a POWER computer(my taste says Talos, budget says old PowerMac G5).
Too bad there are no POWER laptops...
Comment
-
Originally posted by zyxxel View PostIn short - don't argue about security based on already documented attacks. It's not them that are the main threat. It's the attacks that are currently been developed - the flawed machines will not go away in a good many years.
For a recent example, this didn't warrant the same phoronix coverage these CPU issues get but it's much more serious https://www.thezdi.com/blog/2020/4/8...m-verificationLast edited by patstew; 15 June 2020, 11:56 AM.
Comment
-
Originally posted by patstew View PostExactly, and most kernels have some critical flaw that allows privilege escalation.
Originally posted by patstew View PostFor a recent example, this didn't warrant the same phoronix coverage these CPU issues get but it's much more serious https://www.thezdi.com/blog/2020/4/8...m-verification
Originally posted by patstew View PostThere's almost certainly loads more that aren't publicly known. You can't safely run untrusted code, and once you've accepted that, these mitigations are shutting the stable door after the horse has bolted.
Comment
-
Originally posted by hotaru View Posthow many of those flaws can be exploited by sandboxed JavaScript running in a browser?
And if that's insufficient the browser could opt in to kernel level mitigations.
Obviously Javascript also can't access x86 instructions like RDRAND or special CPU registers either, so some recent issues are impossible to exploit from javascript anyway.Last edited by patstew; 15 June 2020, 12:53 PM.
Comment
-
Originally posted by patstew View PostThe simple measure of denying all access to high resolution timers is enough to cut out 99% of these side channel issues, including the ones that haven't been discovered yet. Javascript doesn't have multiple threads so you can't make your own timers, unless you're on a network with a ridiculously low latency to an attacker controlled machine. That could be mitigated too, e.g. by adding a tiny bit of random jitter to javascript requests, but I'm skeptical that it's practical in the first place.
JavaScript does have multiple threads.
there are ways to work around jitter, too.
Originally posted by patstew View PostAnd if that's insufficient the browser could opt in to kernel level mitigations.
Originally posted by patstew View PostObviously Javascript also can't access x86 instructions like RDRAND or special CPU registers either, so some recent issues are impossible to exploit from javascript anyway.
- Likes 1
Comment
Comment