I believe this is the article Wes wanted to link to: https://www.thomas-krenn.com/en/wiki/Safety_instructions_for_Meltdown_and_Spectre
On Mon, Sep 17, 2018 at 6:10 PM Wes Turner <wes.tur...@gmail.com> wrote: > > To summarize: > > - CPython may be vulnerable to speculative execution vulnerabilities, but > none are known. > - In general, CPython is currently too slow for speculative execution > exploitation to be practical. > - Sandboxed, JIT'ed JS is not too slow for speculative execution > exploitation to be practical > - (Not otherwise discussed here: PyPy's sandboxed JIT may not be too slow > for speculative execution exploitation to be practical.) I'm no security researcher, and I barely remember much about Spectre/Meltdown, but I think the idea is that, if Python takes about 2 milliseconds to run your code, then a difference of +- 10 microseconds is indistinguishable from noise. Try to write software that can learn to distinguish two similar computers using the running time of certain functions. Javascript can be crafted to get close enough to some C programs. ASM.js and WebAssembly might help. PyPy's need for mitigation is independent of CPython's. > - Because there is no exploit provided (or currently thought possible with > just CPython), this security-related dialogue is regarded as a nuisance. More than that. Steve says that he looked into it and decided there wasn't really anything to worry about. He believes that any exploit of it will also imply an easier exploit is possible. He also says that this particular fix won't really help. Nathaniel is annoyed because Spectre is tricky to understand, and he assumes you don't understand it as well as you think because you haven't shown him that you have the expertise to understand it. > Here's a good write-up: > Safety_instructions_for_Meltdown_and_Spectre But how does that apply to CPython? What specifically about CPython makes the interpreter vulnerable to the attack? Under what conditions would CPython be vulnerable to this attack, but not an easier attack of at least the same severity? The article I linked at the top of this email does not give advice for interpreter writers at all. It only says what end users and chip manufacturers ought to do. It is not relevant. _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
