"ZombieLoad": a new set of speculative-execution attacks
Posted May 14, 2019 18:40 UTC (Tue)
by SMK (guest, #131799)
[Link]
Posted May 14, 2019 21:23 UTC (Tue)
by flussence (guest, #85566)
[Link] (15 responses)
Sprinkle some more fairy dust on the JS sandbox (but not too much - gotta win those synthetic benchmarks), squeeze out another PR fluff piece trumpeting about how much We Care⢠More Than The Company Over The Road Who Pays Our Bills, and keep on laggin'!
We'll have forgotten all about it by the time next month's vulnerability rolls around and this dance of insanity can happen again and again. Forever.
Posted May 14, 2019 21:59 UTC (Tue)
by pyellman (guest, #4997)
[Link] (10 responses)
I well understand that "real" programmers and software engineers are contemptuous of Javascript and those who use it to build software and websites, but I think there's more than a little bit of envy in there as well. Yes, Javascript has a chaotic, undisciplined ecosystem of add-in functionality, but that ecosystem is also both enormously useful and just plain enormous. Futhermore, Javascript has been a vehicle and driver for widespread popularization of some decent ideas about what a high level language should offer (even if Javascript didn't necessarily invent those ideas). Again, I sometimes detect a hint of envy from "real" programmers in this regard.
Finally, I find it particularly unreasonable that this particular security threat, which has been brought to us by arguably some of the most highly skilled "real" computing engineers on the planet, should be your excuse for going on a rant about Javascript.
Posted May 15, 2019 9:17 UTC (Wed)
by weberm (guest, #131630)
[Link] (1 responses)
Posted May 15, 2019 14:00 UTC (Wed)
by pyellman (guest, #4997)
[Link]
Posted May 15, 2019 9:22 UTC (Wed)
by LtWorf (subscriber, #124958)
[Link] (6 responses)
Also, the wide ecosistem is there because js lacks a standard library. It doesn't even have basic string functions.
Posted May 15, 2019 9:59 UTC (Wed)
by eru (subscriber, #2753)
[Link]
That is not quite true, there are quite a lot of string functions in the built-ins, one could argue all the "BASIC":s are there :-). Even regexes. But there are also some strange omissions, like no built-in sprintf() equivalent.
Posted May 15, 2019 10:30 UTC (Wed)
by roc (subscriber, #30627)
[Link] (3 responses)
Curse it if you like, but if it goes away you'd better enjoy whichever vendor-controlled walled garden you end up in.
Posted May 15, 2019 13:11 UTC (Wed)
by LtWorf (subscriber, #124958)
[Link] (2 responses)
Posted May 15, 2019 19:21 UTC (Wed)
by samth (guest, #1290)
[Link]
Posted May 15, 2019 22:39 UTC (Wed)
by roc (subscriber, #30627)
[Link]
Posted May 15, 2019 14:08 UTC (Wed)
by pyellman (guest, #4997)
[Link]
Posted May 15, 2019 14:25 UTC (Wed)
by nix (subscriber, #2304)
[Link]
The problem isn't the language: the problem is the hardware. Whining about the language will not fix the ever-worsening flood of hardware vulns.
Posted May 15, 2019 15:20 UTC (Wed)
by dvdeug (guest, #10998)
[Link]
Maybe the Internet could be better, but if billions of people are on the Internet, billions of people are going to be executing random code, either directly or by downloading it. Directly would be worse; maybe a world where the only way to run code on your computer for most people was download it from the **** Store might be safer, but not more free.
Posted May 15, 2019 21:50 UTC (Wed)
by excors (subscriber, #95769)
[Link] (2 responses)
So you're always going to end up dealing with the security implications of essentially executing untrusted code, and it seems better to be honest about it and do it in a real programming language (like JS) rather than pretending it's just data and must be inherently safe.
In the context of Spectre, there's also the NetSpectre attack, which explains how you can attack a remote target by sending not-even-vaguely-code-like data to the target system. You just send some requests that trigger a speculative array read based on secret data, which leaks into the cache state, then measure the cache state via the latency of network responses. The only way to truly solve that problem (without disabling speculation) is to disconnect from the internet entirely. Limiting the expressivity of data won't help.
Posted May 21, 2019 16:24 UTC (Tue)
by nix (subscriber, #2304)
[Link] (1 responses)
Posted May 21, 2019 18:37 UTC (Tue)
by excors (subscriber, #95769)
[Link]
I accept that making attacks much slower can still be worthwhile in practice; security doesn't require perfect solutions. You can try to calculate how many requests the attacker would have to make to average out the level of jitter you're adding and extract one bit of secret data, and decide how many bits the attacker needs to extract for a meaningful attack, and how many requests per second they can do, etc. If the cost to the attacker is greater than the value they would get from attacking you, with a safety margin of a few orders of magnitude, then you've probably done enough. But that's a complicated decision process and involves a lot of estimating and you'll probably get the numbers very wrong, so it's nowhere near as good as properly fixing the vulnerability so that you don't even need to think about it.
The annoying thing about Spectre is that it revealed a whole class of extremely complicated things you need to think about. Every patch in the kernel or microcode or hardware to mitigate the problem is just making the situation even more complicated to think about, and it will only stop when it's so immensely complicated that researchers give up trying to find new speculative-execution attacks and pick on easier targets.
Posted May 14, 2019 23:08 UTC (Tue)
by jcm (subscriber, #18262)
[Link]
I wrote a blog that includes some detail about the uarch behavior for those interested, here: https://www.redhat.com/en/blog/understanding-mds-vulnerab...
Posted May 15, 2019 9:05 UTC (Wed)
by voxadam (guest, #50716)
[Link]
There is also a full academic paper available on the Fallout issue (which is ancillary to "ZombieLoad" aaugh i hate named vulnerabilities.
And for those that are more ..visual...Red Hat has create a video explainer too.
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
Also, the wide ecosistem is there because js lacks a standard library. It doesn't even have basic string functions.
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
In the context of Spectre, there's also the NetSpectre attack, which explains how you can attack a remote target by sending not-even-vaguely-code-like data to the target system. You just send some requests that trigger a speculative array read based on secret data, which leaks into the cache state, then measure the cache state via the latency of network responses. The only way to truly solve that problem (without disabling speculation) is to disconnect from the internet entirely. Limiting the expressivity of data won't help.
You can also solve it by measuring the average latency of responses, then adding artificial latency and jitter that are much larger than the observed value. However, non-attackers aren't likely to be very happy with this, and non-attackers are indistinguishable from attackers :(
"ZombieLoad": a new set of speculative-execution attacks
"ZombieLoad": a new set of speculative-execution attacks
Intel has also posted Deep Dive: Intel Analysis of Microarchitectural Data Sampling.
"ZombieLoad": a new set of speculative-execution attacks