On Tue, Sep 18, 2018 at 2:40 AM INADA Naoki <songofaca...@gmail.com> wrote: > > On Tue, Sep 18, 2018 at 7:08 AM Wes Turner <wes.tur...@gmail.com> wrote: > > > > To summarize: > > > > - CPython may be vulnerable to speculative execution vulnerabilities, but > > none are known. > > - In general, CPython is currently too slow for speculative execution > > exploitation to be practical. > > - Sandboxed, JIT'ed JS is not too slow for speculative execution > > exploitation to be practical > > - (Not otherwise discussed here: PyPy's sandboxed JIT may not be too > > slow for speculative execution exploitation to be practical.) > > > > As far as I know, execution speed is important for attacker, not victim. > In case of JavaScript, browser may load attacking code and run it while > user watching websites. > Browsers provides sandbox for JS, but attacker code may be able to > bypass the sandbox by Spectre or Meltdown. So browsers disabled > high precision timer until OSes are updated. > > This topic is totally unrelated to compiler options: these compiler options > doesn't prohibit running attacking code, it just guard branches from > branch target injection. > > Does my understanding collect? Why should we discuss about execution speed?
According to this article, the malicious program needs to act in the amount of time it takes for the CPU to load a value from memory and invalidate a branch prediction: https://hackernoon.com/timing-is-everything-understanding-the-meltdown-and-spectre-attacks-5e1946e44f9f _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com