1 |
On Wed, May 9, 2018 at 2:18 PM Martin Vaeth <martin@×××××.de> wrote: |
2 |
|
3 |
> Rich Freeman <rich0@g.o> wrote: |
4 |
> > On Tue, May 8, 2018 at 4:19 AM Martin Vaeth <martin@×××××.de> wrote: |
5 |
> > |
6 |
> >> Rich Freeman <rich0@g.o> wrote: |
7 |
> >> > |
8 |
> >> > Higher-level languages will probably become nearly immune to Spectre |
9 |
> > just |
10 |
> >> > as most are nearly immune to buffer overflows. |
11 |
> > |
12 |
> >> Quite the opposite: Higher-level languages *always* do some checks |
13 |
> >> for array-length etc, and it is the _checks_ which are vulnerable. |
14 |
> >> You can only make them non-vulnerable by making them horribly slow |
15 |
> >> (by omitting speculative execution completely for the corresponding |
16 |
> >> conditionals). |
17 |
> > |
18 |
> > Sure, but my point is that you CAN make them non-vulnerable by changing |
19 |
the |
20 |
> > compiler. |
21 |
|
22 |
> Which would be the horribly slow case I mentioned above. |
23 |
|
24 |
I'm saying that high-level languages can be made safe. |
25 |
|
26 |
You're saying that making high-level languages safe comes at a performance |
27 |
cost. |
28 |
|
29 |
These are not in contradiction. In fact the whole reason low-level |
30 |
languages still exist to this day (besides legacy code) is that most of the |
31 |
benefits of high-level languages come at a performance cost. Safety is just |
32 |
one of them. |
33 |
|
34 |
This is just as true for buffer overflows and memory management. If you |
35 |
take a lot of care, you can avoid the need for bounds checks on every array |
36 |
access. If you get it wrong, it can go horribly wrong. High-level |
37 |
languages tend to compensate by doing bounds checks even when they might |
38 |
not be needed. A lot of C programmers do the same with manual bounds |
39 |
checks or equivalent functions like strncpy. Again, I'm using buffer |
40 |
overflows as a more familiar analogy for others - I fully understand that |
41 |
bounds checks actually make Spectre worse. |
42 |
|
43 |
> If slowness is not the issue, one could fix the C compiler in the same way |
44 |
> by avoiding speculative exection for every conditional jump. |
45 |
|
46 |
Sure, but that is way more overhead than necessary. We only need to |
47 |
sterilize these for data passed from an untrusted source (I think). If a |
48 |
function declares an internal variable as a loop counter you don't need to |
49 |
disable speculative execution every time you increment and check the |
50 |
counter, and a loop is obviously exactly where you want to make this |
51 |
distinction. |
52 |
|
53 |
A low level language needs to use heuristics to try to figure out if a |
54 |
conditional jump is safe to speculatively execute (probably at compile |
55 |
time). A high-level language has access to more context and can probably |
56 |
more reliably determine which ones need protection. On the other hand it |
57 |
will probably do a lot more bounds-checking in general. I'm not sure which |
58 |
would end up costing more to make reliably safe. |
59 |
|
60 |
I think that in general language features that more clearly separate |
61 |
trusted vs untrusted data would probably help here. |
62 |
|
63 |
-- |
64 |
Rich |