According to Google's JavaScript team: Spectre mitigation doomed to failure

SFB

Working link --> v8.dev/blog/spectre

Fortunately or unfortunately, our offensive research advanced much faster than our defensive research, and we quickly discovered that software mitigation of all possible leaks due to Spectre was infeasible. This was due to a variety of reasons. First, the engineering effort diverted to combating Spectre was disproportionate to its threat level. In V8 we face many other security threats that are much worse, from direct out-of-bounds reads due to regular bugs (faster and more direct than Spectre), out-of-bounds writes (impossible with Spectre, and worse) and potential remote code execution (impossible with Spectre and much, much worse). Second, the increasingly complicated mitigations that we designed and implemented carried significant complexity, which is technical debt and might actually increase the attack surface, as well as performance overheads. Third, testing and maintaining mitigations for microarchitectural leaks is even trickier than designing gadgets themselves, since it's hard to be sure the mitigations continue working as designed. At least once, important mitigations were effectively undone by later compiler optimizations. Fourth, we found effective mitigation of some variants of Spectre, particularly variant 4, to be simply infeasible in software, even after a heroic effort by our partners at Apple to combat the problem in their JIT compiler.
 
So stop bloating websites with mountains of fragile and cobbled together Javascript frameworks and libraries?
I find it disingenuous to refer to security mitigations as "tech debt" and make no mention of the bullshit that is the "modern" web.
 
I think this sums up your argument quite well:

http://www.commitstrip.com/en/2019/04/19/its-better-with-javascript/

 

Hehe yeah that's basically how it works -- although the server/cook is increasingly at fault as well nowadays.
I think I posted this here before, but this write-up really resonated with me: https://tonsky.me/blog/disenchantment/

I work in CPU/system design and firmware/kernel development precisely because there is still a focus on efficiency, performance, and cleanliness.
 
To stay with the theme, many websites after loading up on javascript, place orders for more 'food' from a lot of other restaurants, many of which haven't passed basic health dept inspections. Becomes pretty easy for a bad cook to slip in some infected food and poof, you have a bad case of Spectre diarrhea.
 
I thought James Bond sorted Spectre out ...
Wheres Austin Powers?
 