Google Engineers Argue For Linux "ASI" To Better Deal With Speculative Execution Attacks
-
Originally posted by Vorpal:
I would love if it was possible to only apply mitigations to certain processes. I.e. Windows VMs and the browser.
If you run your browser in such a VM (with Linux this time) it should also be fine.
-
Originally posted by V1tol:
You could not make a more bold statement lol. Unless you have CPU, firmware, OS and all the software reviewed by your bare eyes.
Originally posted by Vorpal:
I suspect (after thinking about it for 10 seconds, so take it with a grain of salt) that Meltdown might be possible to mitigate per process in theory. Spectre and Retbleed probably not.
Originally posted by Weasel:
Except it doesn't have the timing precision required to pull this off.
- Likes 2
-
Browsers had to impair JS timers on purpose as a temporary measure to avoid JS exploitation of Spectre when it first came up... back then they intended to give JS back the ability to use more precise timers, but since the vulnerabilities didn't stop popping up, those degraded timers might still be in place...
...and then there is dev ingenuity, crafting ways to increase timer precision by joining several methods creatively, etc... so that was explicitly only a stopgap measure to buy OSes time to devise more proper mitigations
- Likes 1
-
Doesn't a speculative attack require a very long time to actually extract information? Like a few bytes per second, and it needs quite a lot to decrypt anything meaningful?
If that's the case, maybe periodically restarting the browser is all we need as desktop users running random JS?
-
Originally posted by lilunxm12:
Doesn't a speculative attack require a very long time to actually extract information? Like a few bytes per second, and it needs quite a lot to decrypt anything meaningful?
If that's the case, maybe periodically restarting the browser is all we need as desktop users running random JS?
But seriously though, I don't think a lot of people can do that.
-
Originally posted by NobodyXu:
Even temporarily closing the tabs of untrusted websites might work.
But seriously though, I don't think a lot of people can do that.
-
Originally posted by lilunxm12:
Doesn't a speculative attack require a very long time to actually extract information? Like a few bytes per second, and it needs quite a lot to decrypt anything meaningful?
If that's the case, maybe periodically restarting the browser is all we need as desktop users running random JS?
- Likes 1
-
Originally posted by lilunxm12:
Or browser vendors could develop a deep refresh feature, restart the page in a new process and close the old one. Then we could use those existing tab refresher extensions.
If you are doing banking or performing some critical operations that use JavaScript, then refreshing would cause all these pages to be invalidated and potentially require you to start from scratch to refill information.
Providing an API so that some plugins can do it might be OK, but still the performance of this is going to be terrible.