On Mon, May 7, 2018 at 7:15 AM Mick <michaelkintz...@gmail.com> wrote:
> Rich was right when he mentioned more related vulnerabilities are bound to
> show up soon:

I haven't dug up the details on that report, but again Spectre should be seen as a class of vulnerabilities and not one particular bug.

I'm not sure whether we'll see buffer overflow attacks eradicated before or after Spectre. I guess the one thing Spectre has going for it is that it isn't a "feature" in common programming languages. You could probably kill off a lot of future buffer overflow attacks if you just removed strcpy from the C standard library (good luck with that), because it more-or-less makes buffer overflows a feature of the language.

Then again, some of the Spectre vulnerabilities are due to lower-level languages like C forcing the programmer to do their own bounds checking and using pointers, which I'm sure will make it harder to protect these activities in the compiler.

Higher-level languages will probably become nearly immune to Spectre just as most are nearly immune to buffer overflows. As variants are discovered, their compilers can be fixed to avoid them, and then the benefits apply to any program that is built. However, in the short term I'm sure we'll see issues there as new variants are discovered.

--
Rich
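Added example, not part of the message above: a C sketch of the two kinds of manual bounds checking the message contrasts, a bounded copy in place of strcpy and an array read whose index is also masked so that a mispredicted bounds check cannot load out of range. The helper names `copy_bounded`, `index_mask` and `table_get` and the sample inputs are assumptions made for illustration; the mask is modeled on the Linux kernel's generic `array_index_mask_nospec()`.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bounded stand-in for strcpy (hypothetical helper): always NUL-terminates
 * dst; returns 0 on success, -1 if src was truncated or dst_size is 0. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t i;
    if (dst_size == 0)
        return -1;
    for (i = 0; i + 1 < dst_size && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? 0 : -1;
}

/* All-ones if index < size, else 0, computed without a branch. Modeled on
 * the Linux kernel's generic array_index_mask_nospec(). Assumes
 * size <= LONG_MAX and arithmetic right shift of negative values (GCC and
 * Clang). Real code must also keep the optimizer from reintroducing a
 * branch; this sketch does not attempt that. */
unsigned long index_mask(unsigned long index, unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (sizeof(long) * CHAR_BIT - 1));
}

/* Bounds-checked read (hypothetical helper). The branch is the correct
 * architectural check; the mask forces index to 0 if the CPU speculates
 * past that branch with an out-of-range value. */
int table_get(const uint8_t *table, unsigned long size,
              unsigned long index, uint8_t *out)
{
    if (index >= size)
        return -1;
    index &= index_mask(index, size);
    *out = table[index];
    return 0;
}

int main(void)
{
    char buf[4];                                  /* constructed inputs */
    const uint8_t table[4] = { 10, 20, 30, 40 };
    uint8_t v = 0;
    printf("%d %s\n", copy_bounded(buf, sizeof buf, "abcdef"), buf);
    printf("%d\n", table_get(table, 4, 7, &v));
    return 0;
}
```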