  • Google’s JavaScript team: Spectre mitigation doomed to failure


    This topic contains 18 replies, has 11 voices, and was last updated by  anonymous 3 weeks, 4 days ago.

    • Author
      Posts
    • #846430 Reply

      woody
      Da Boss

      That isn’t exactly what they said, but it’s pretty close. Here’s what they do say: A year with Spectre… When it was shown that JavaScript could be u
      [See the full post at: Google’s JavaScript team: Spectre mitigation doomed to failure]

      6 users thanked author for this post.
    • #848238 Reply

      GoneToPlaid
      AskWoody Plus

      I have tried contacting several of the AV companies about my solution to detect any and all Meltdown and Spectre attacks, since such attacks require zero malware techniques**.

      ** Zero malware techniques in terms of implementation, yet not zero in terms of potential delivery methods to a target computer.

      None of them responded since I was not willing to disclose my detection methods. Does anyone here work for an AV company who might see the value of being able to detect any variant of Meltdown, Spectre, BranchScope and Side Channel attacks, no matter what, such that until an attack is detected then all OS and BIOS mitigations can remain disabled for maximum CPU performance, and without allowing any confidential data to escape from a computer? Needless to say, Intel and motherboard manufacturers would not be happy if this could be done, since all want to sell newer hardware. It is what it is.

       

      • #848742 Reply

        jabeattyauditor
        AskWoody Lounger

        None of them responded since I was not willing to disclose my detection methods.

        In all fairness, that’s kind of like trying to sell a “guaranteed alchemy device” to a chain of jewelry stores without offering proof of functionality.

        Spin up a server on a cloud platform, deploy your technology on it, and invite those same folks to try to side-channel their way in. Send them logs of their detected attempts, then collect your rewards.

      • #883906 Reply

        warrenrumak
        AskWoody Plus

        AV companies hear that pitch many times a day.

        You might as well be trying a cheap pick-up line on a pretty girl…. she’s heard them all already and is bored.

    • #848323 Reply

      OscarCP
      AskWoody Plus

      So, according to the V8 experts, Spectre is one of those things that hang over our heads, but it is unclear what risk, if any, they present to us below and, as no one can do much in practice about them anyway, we are probably better off if we shrug them off and go on with our everyday lives. If they are right, then their advice is as good as it can be.

      2 users thanked author for this post.
      • #851807 Reply

        Bluetrix
        AskWoody MVP

        I get the sneaky-pete feeling if and when Meltdown or Spectre is exploited it will be from a Nation-State entity that has the resources to do such. They will not just exploit it, but hang the albatross around an innocent bystander’s neck, then slip back into the darkness. Then again some person sitting in Mom’s basement in a bathrobe might beat them to it and be caught because they left a trail even a weak link could follow.

        If they could dumb the language down enough it would make a so~so cyber-spy novel.
        Mission Impossible XII? Hackers IV? Who am I kidding, movie rights are probably being negotiated as I type this.

        Windows10 Home 1809 | Mint19 on VM

        3 users thanked author for this post.
    • #851295 Reply

      Alex5723
      AskWoody Plus

      Wonder if Intel has fixed all Spectre and Meltdown mitigations in its new 9th-gen CPUs announced today.

      • #851997 Reply

        Bluetrix
        AskWoody MVP

        Wonder if Intel has fixed all Spectre and Meltdown mitigations in its new 9th-gen CPUs announced today.

        From what I read here, Ice fails in that respect.
        https://www.digitaltrends.com/computing/intel-ice-lake-wont-rid-spectre/

        Windows10 Home 1809 | Mint19 on VM

        4 users thanked author for this post.
        • #854888 Reply

          OscarCP
          AskWoody Plus

          Bluetrix,

          I excerpt below a few paragraphs from the article you gave a link to, and that I think make the case that, as you think, this is more likely to be something to be exploited by national cyber military organizations against other nations’ critical infrastructures, rather than against users like us.

          There are already other ways to get to individual users and small businesses, known to be effective enough, so launching such a sophisticated attack against any such user may not be worth the bother.

          This may change when there is an actual attack, most likely from one nation against another. Then chip makers and software developers will get motivated to put security above raw processing speed as a defining consideration. Until then, I suspect that being faster than the competition will get in the way of plugging this vulnerability in an effective way.

          “The problem is that these fixes don’t go far enough. As far as Kocher [a security expert quoted in this article] sees it, Intel has no concrete plan for fixing Spectre variant one. The only proposed solution that he’s caught wind of pushes the problem onto software developers and asks them to input what’s known as an “LFENCE” command within an application every time there’s an “if” statement within its coding.”
          “Worse still, Kocher believes that there is little in the future of CPU chip design at a variety of companies which will ward off these kind of speculative bugs. His view of the future sees many manufacturers using lots of speculative optimizations to further enhance performance, which leaves them vulnerable to these sorts of attacks.”
          The only silver lining to all this is that for the average person, Spectre and its fellow branch misdirection exploits are the least of our security worries. There are far easier ways for nefarious hackers to infiltrate systems. Malware and social engineering have been successful attack vectors for decades and that seems unlikely to change any time soon.

          Spectre and its contemporaries will likely remain a looming apparition over the CPU industry for years to come, and it’s something that bears remembering it exists. But if you want to improve your chances of avoiding being hacked, there are certainly more things to worry about than any potential fixes Ice Lake might bring to the table.

          1 user thanked author for this post.
          • #857236 Reply

            Bluetrix
            AskWoody MVP

            “The only silver lining to all this is that for the average person, Spectre and its fellow branch misdirection exploits are the least of our security worries.”

            Correct me if I am wrong, but didn’t the breach of passwords and financial information from large databases affect the “average” person? It seems to me this is where the little person falls between the cracks. Just because it is a conglomerate that most likely will be a target doesn’t mean we the ants won’t be affected, and for more reasons than I care to type.
            I’m responding to your posted excerpt, not you personally. It doesn’t matter that my examples weren’t Spectre or Meltdown related, in the future it’s possible they may be responsible.

            Windows10 Home 1809 | Mint19 on VM

            3 users thanked author for this post.
            • #860270 Reply

              OscarCP
              AskWoody Plus

              Bluetrix,

              Sorry that I was not clear enough: I was referring as unlikely only to direct attacks against you, me and the guy next door and his small business. An attack on critical infrastructures, on the other hand, whether they belong to the government (military bases, water purification stations, traffic lights…) or are privately run (nuclear power stations, large telecoms, social networks, data vaults, …), that can badly affect the whole nation, or a good portion of it, can, of course, also affect us small-timers.

              We are not going to be immune to the effects of such attacks; just not likely to be targeted individually for them. Which is already something good enough to feel at least a little better about, I think.

              Recent events show that we might have reason to be concerned personally about, for example, personal data breaches in Facebook (even if we don’t have Facebook accounts, but other people that know us have put up our pictures, addresses, etc. in theirs).

              2 users thanked author for this post.
            • #860695 Reply

              Bluetrix
              AskWoody MVP

              I got your point Oscar, I was adding my spin to it. 🙂

              Windows10 Home 1809 | Mint19 on VM

              2 users thanked author for this post.
            • #892626 Reply

              Fred
              AskWoody Lounger

              To me it all underlines the kind of toolboxes that are (becoming) available for high-level compromising computerized networks…. From Stuxnet invading nuclear plants in Iran to ordinary database breaches. The whistleblowers will be followed by many to come, I fear.

              1 user thanked author for this post.
    • #854463 Reply

      John
      AskWoody Lounger

      I felt like the solutions were cobbled together and rushed out and caused more issues than the Spectre/Meltdown threats that had yet to materialize. So overhyped in so many ways that it was hard to tell the truth from the headline grabbers. Other than some flaky firmware releases I felt it was a non-event.

    • #854520 Reply

      anonymous

      Do the new processes have this fixed in hardware now (without the performance hits and the need for a BIOS fix)?

      • #854769 Reply

        PKCano
        Da Boss

        The newer processors do not have Meltdown/Spectre mitigation built in yet.

    • #868992 Reply

      anonymous

      Maybe the Chrome/V8 team should have an easy to access JavaScript kill switch just in case Spectre and fiends become serious trouble.

    • #893025 Reply

      Fred
      AskWoody Lounger

      Maybe the Chrome/V8 team should have an easy to access JavaScript kill switch just in case Spectre and fiends become serious trouble.

      5G networks compromised by ? …

    • #911561 Reply

      anonymous

      I wouldn’t be surprised if, in future, we start to see new processors on the market with speculative execution disabled altogether. Although significantly slower, they could be advertised as “more secure”.
