| 1 |
On Wed, May 9, 2018 at 2:18 PM Martin Vaeth <martin@×××××.de> wrote: |
| 2 |
|
| 3 |
> Rich Freeman <rich0@g.o> wrote: |
| 4 |
> > On Tue, May 8, 2018 at 4:19 AM Martin Vaeth <martin@×××××.de> wrote: |
| 5 |
> > |
| 6 |
> >> Rich Freeman <rich0@g.o> wrote: |
| 7 |
> >> > |
| 8 |
> >> > Higher-level languages will probably become nearly immune to Spectre |
| 9 |
> > just |
| 10 |
> >> > as most are nearly immune to buffer overflows. |
| 11 |
> > |
| 12 |
> >> Quite the opposite: Higher-level languages *always* do some checks |
| 13 |
> >> for array-length etc, and it is the _checks_ which are vulnerable. |
| 14 |
> >> You can only make them non-vulnerable by making them horribly slow |
| 15 |
> >> (by omitting speculative execution completely for the corresponding |
| 16 |
> >> conditionals). |
| 17 |
> > |
| 18 |
> > Sure, but my point is that you CAN make them non-vulnerable by changing |
| 19 |
the |
| 20 |
> > compiler. |
| 21 |
|
| 22 |
> Which would be the horribly slow case I mentioned above. |
| 23 |
|
| 24 |
I'm saying that high-level languages can be made safe. |
| 25 |
|
| 26 |
You're saying that making high-level languages safe comes at a performance |
| 27 |
cost. |
| 28 |
|
| 29 |
These are not in contradiction. In fact the whole reason low-level |
| 30 |
languages still exist to this day (besides legacy code) is that most of the |
| 31 |
benefits of high-level languages come at a performance cost. Safety is just |
| 32 |
one of them. |
| 33 |
|
| 34 |
This is just as true for buffer overflows and memory management. If you |
| 35 |
take a lot of care, you can avoid the need for bounds checks on every array |
| 36 |
access. If you get it wrong, it can go horribly wrong. High-level |
| 37 |
languages tend to compensate by doing bounds checks even when they might |
| 38 |
not be needed. A lot of C programmers do the same with manual bounds |
| 39 |
checks or equivalent functions like strncpy. Again, I'm using buffer |
| 40 |
overflows as a more familiar analogy for others - I fully understand that |
| 41 |
bounds checks actually make Spectre worse. |
| 42 |
|
| 43 |
> If slowness is not the issue, one could fix the C compiler in the same way |
| 44 |
> by avoiding speculative exection for every conditional jump. |
| 45 |
|
| 46 |
Sure, but that is way more overhead than necessary. We only need to |
| 47 |
sterilize these for data passed from an untrusted source (I think). If a |
| 48 |
function declares an internal variable as a loop counter you don't need to |
| 49 |
disable speculative execution every time you increment and check the |
| 50 |
counter, and a loop is obviously exactly where you want to make this |
| 51 |
distinction. |
| 52 |
|
| 53 |
A low level language needs to use heuristics to try to figure out if a |
| 54 |
conditional jump is safe to speculatively execute (probably at compile |
| 55 |
time). A high-level language has access to more context and can probably |
| 56 |
more reliably determine which ones need protection. On the other hand it |
| 57 |
will probably do a lot more bounds-checking in general. I'm not sure which |
| 58 |
would end up costing more to make reliably safe. |
| 59 |
|
| 60 |
I think that in general language features that more clearly separate |
| 61 |
trusted vs untrusted data would probably help here. |
| 62 |
|
| 63 |
-- |
| 64 |
Rich |
Archives