[Cryptography] Spectre again (was Re: RISC-V branch predicting)

Nemo nemo at self-evident.org
Mon Feb 12 13:48:25 EST 2018


"Perry E. Metzger" <perry at piermont.com> writes:

> On Sat, 10 Feb 2018 15:32:20 -0500 Jerry Leichter <leichter at lrw.com>
> wrote:
>> The Javascript is *intended* to be in a separate security domain
>> from the rest of the browser.

Yes, I know. I was just giving an example of how Spectre has nothing to
do with speculative code paths bypassing hardware access controls.

>> You want to run someone else's Javascript?  Run it in a separate
>> address space and process.

Except Spectre also crosses hardware privilege domains: The other
proof-of-concept was reading kernel memory from unprivileged user
code. True, they had to "cheat" by using eBPF... But someone with more
resources than a few motivated grad students could probably do
interesting things without cheating.

> The obvious fix for Spectre here isn't easy; it's to either run that
> hostile code only in its own process, or to provide hardware access
> isolation even inside a single process. For some things, the former is
> currently difficult.

Chrome already supports "site isolation"
(https://support.google.com/faqs/answer/7622138#chrome), which is a big
step along these lines.

But Spectre also crosses the kernel protection boundary, and almost all
of the mitigations for that could also be applied to a sandboxed app /
runtime boundary within a single process (e.g. retpolines, IBRS,
IBPB). So while I do not necessarily disagree with the principle you and
Jerry are advocating, I am not sure Spectre is a good example.

Quick list of search terms if you are curious about Spectre mitigations:

      retpoline
      Indirect Branch Restricted Speculation (IBRS)
      Indirect Branch Prediction Barrier (IBPB)
      Single Thread Indirect Branch Predictors (STIBP)

If you find (or author) a single document describing each of these in
detail, please send it along, because I have not found one
yet. Everything I know is just snippets.

 - Nemo
   https://self-evident.org/
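
Of the four mitigations listed in the message above, retpoline is the one
that is pure software, so here is an added example of one. It is not code
from the original post or from any project the thread mentions: an x86-64
retpoline thunk in GNU assembler syntax, wrapped in a small C program that
dispatches through a constructed handler table both with a plain indirect
call and through the thunk, so the two can be compared. The names
(`retpoline_call`, `dispatch_plain`, `dispatch_retpoline`, the `op_*`
handlers) are this example's own; the thunk body has the same shape as the
one Linux uses for `__x86_indirect_thunk_rax`. On anything other than
x86-64 SysV it falls back to the plain call so the program still builds.

```c
/*
 * Added example (not from the original post): an x86-64 retpoline thunk
 * in GNU inline assembly, beside the plain indirect call it replaces.
 *
 * Spectre variant 2 abuses the indirect branch predictor: an attacker
 * trains it so that `call *%rax` speculatively jumps to a gadget of the
 * attacker's choosing.  A retpoline ("return trampoline") replaces the
 * indirect CALL with a CALL/RET pair.  The real target is written over
 * the return address on the stack and reached with RET, which is
 * predicted from the return stack buffer rather than the branch target
 * buffer, and the speculative path of that RET is a PAUSE;LFENCE loop
 * that goes nowhere.  Function and table names below are this example's
 * own; the handler table is constructed for the demonstration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t (*handler_fn)(uint32_t);

/* Constructed handlers: the sort of dispatch a sandboxed runtime does. */
static uint32_t op_double(uint32_t x) { return x * 2u; }
static uint32_t op_square(uint32_t x) { return x * x; }
static uint32_t op_invert(uint32_t x) { return ~x; }

static handler_fn const handlers[] = { op_double, op_square, op_invert };
#define N_HANDLERS (sizeof handlers / sizeof handlers[0])

/* The unprotected form: the compiler emits `call *%reg` (or `jmp *%reg`). */
static uint32_t call_plain(handler_fn fn, uint32_t arg)
{
    return fn(arg);
}

#if defined(__x86_64__) && !defined(_WIN32)
/* retpoline_call(fn, arg): fn arrives in %rdi, arg in %esi (SysV ABI).
 * The asm label on the declaration pins the symbol name on both ELF and
 * Mach-O, so the assembly below can define it without an underscore
 * prefix. */
uint32_t retpoline_call(handler_fn fn, uint32_t arg)
    __asm__("retpoline_call_impl");

__asm__(
    ".text\n"
    ".p2align 4\n"
    "retpoline_call_impl:\n"
    "    mov  %rdi, %rax\n"     /* target pointer into %rax               */
    "    mov  %esi, %edi\n"     /* shift arg into the first-arg register  */
    "    sub  $8, %rsp\n"       /* keep %rsp 16-byte aligned at the call  */
    "    call 3f\n"             /* stands in for `call *%rax`             */
    "    add  $8, %rsp\n"
    "    ret\n"
    /* The thunk itself (same shape as Linux's __x86_indirect_thunk_rax). */
    "3:  call 1f\n"             /* push the address of the capture loop   */
    "2:  pause\n"               /* speculation is parked here ...         */
    "    lfence\n"              /* ... and never leaves this loop         */
    "    jmp  2b\n"
    "1:  mov  %rax, (%rsp)\n"   /* overwrite pushed return addr with fn   */
    "    ret\n"                 /* architectural path: jump to fn         */
);
#else
/* Retpolines are an x86-specific construction; elsewhere fall back to the
 * plain call so the example still builds and the comparison still runs. */
static uint32_t retpoline_call(handler_fn fn, uint32_t arg)
{
    return fn(arg);
}
#endif

/* Bounds-checked dispatch through each call style; returns 0 for a bad
 * index.  (Speculatively over-reading an out-of-range index is variant 1,
 * a separate problem that the retpoline does not address.) */
uint32_t dispatch_plain(size_t idx, uint32_t arg)
{
    return idx < N_HANDLERS ? call_plain(handlers[idx], arg) : 0u;
}

uint32_t dispatch_retpoline(size_t idx, uint32_t arg)
{
    return idx < N_HANDLERS ? retpoline_call(handlers[idx], arg) : 0u;
}

int main(void)
{
    for (size_t i = 0; i < N_HANDLERS; i++) {
        uint32_t a = dispatch_plain(i, 7u), b = dispatch_retpoline(i, 7u);
        printf("handler %zu: plain=%u retpoline=%u %s\n", i, a, b,
               a == b ? "ok" : "MISMATCH");
    }
    return 0;
}
```

The thunk is stack-neutral: the inner CALL pushes one word and the inner
RET pops it, so the target is entered with exactly the stack it would have
seen after a direct `call *%rax`, and its own RET lands after the
`call 3f`. Compilers expose this as a code-generation option (GCC's
`-mindirect-branch=thunk`, Clang's `-mretpoline`), which is what a
sandboxed runtime's JIT or interpreter boundary would rely on in practice
rather than hand-written asm at each call site; the same thunk is what the
kernel boundary mitigation uses, which is the message's point that these
mitigations are not specific to the kernel.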

