On 2018-01-06, Ian Kelly <ian.g.ke...@gmail.com> wrote: > >> > Furthermore, I'd like to know if Python can mitigate hardware-specific >> > timing attacks. >> >> For CPython, probably not. Anything that Cpython tried to do could be >> trivially defeated by using something like ctypes to make calls to >> arbitrary machine code that was written to a file. >> > > It sounds like you're talking about the case where the malicious code is > hosted by Python. I agree that's probably not realistic to do anything > about -- if you can run malicious code then you're probably not restricted > to Python (and without knowing a lot about the attacks, I'm doubtful that > it's possible to implement them in pure Python anyway).
Yes, that's what I was talking about. > I think the OP was talking about protecting the data of Python programs > from other malicious processes, however. The mitigation seems to be like it > could reasonably be accomplished (at least for core Python -- extension > code would be on its own). Ah, yes. Eventually it seems that just compiling CPython with a compiler that uses something like Google's "retpoline" should help: https://support.google.com/faqs/answer/7625886 Though I think I understand what the retpoline _is_, I don't really understand enough about the Spectre vulnerability say much else. -- Grant Edwards grant.b.edwards Yow! I'm having an at emotional outburst!! gmail.com -- https://mail.python.org/mailman/listinfo/python-list
