On Tue, Sep 18, 2018 at 7:08 AM Wes Turner <wes.tur...@gmail.com> wrote: > > To summarize: > > - CPython may be vulnerable to speculative execution vulnerabilities, but > none are known. > - In general, CPython is currently too slow for speculative execution > exploitation to be practical. > - Sandboxed, JIT'ed JS is not too slow for speculative execution > exploitation to be practical > - (Not otherwise discussed here: PyPy's sandboxed JIT may not be too slow > for speculative execution exploitation to be practical.) >
As far as I know, execution speed is important for attacker, not victim. In case of JavaScript, browser may load attacking code and run it while user watching websites. Browsers provides sandbox for JS, but attacker code may be able to bypass the sandbox by Spectre or Meltdown. So browsers disabled high precision timer until OSes are updated. This topic is totally unrelated to compiler options: these compiler options doesn't prohibit running attacking code, it just guard branches from branch target injection. Does my understanding collect? Why should we discuss about execution speed? I think this topic should split to two topics: (1) Guard Python process from Spectre/Meltdown attack from other process, (2) Prohibit Python code attack other processes by using Spectre/Meltdown. Regards, -- INADA Naoki <songofaca...@gmail.com> _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
