* [ruby-core:101179] Spectre Mitigations
From: Amel @ 2020-12-01 15:32 UTC
To: ruby-core
Hi there!
I've already asked this question in the ruby-talk mailing list and it
was hinted at that ruby-core could be the better place to ask, so here's
my question.
Are there any mitigations in Ruby for the Spectre security
vulnerability? Maybe in the interpreter itself or a function which is
similar to the lfence-instruction.
If there isn't, are there any mitigations planned?
Cheers,
Amel
* [ruby-core:101180] Re: Spectre Mitigations
From: Chris Seaton @ 2020-12-01 15:44 UTC
To: Ruby developers
I wouldn’t recommend using Ruby to run in-process untrusted code in the first place. Are people doing that?
Chris
> On 1 Dec 2020, at 15:32, Amel <amel.smajic@student.tugraz.at> wrote:
>
> Hi there!
>
> I've already asked this question in the ruby-talk mailing list and it was hinted at that ruby-core could be the better place to ask, so here's my question.
>
> Are there any mitigations in Ruby for the Spectre security vulnerability? Maybe in the interpreter itself or a function which is similar to the lfence-instruction.
> If there isn't, are there any mitigations planned?
>
> Cheers,
>
> Amel
* [ruby-core:101181] Re: Spectre Mitigations
From: Amel @ 2020-12-01 16:05 UTC
To: ruby-core
Trusted code can potentially be vulnerable to Spectre attacks, as branch
prediction on modern processors occurs in all code where there are
branches. The question is how can I stop security critical branches from
being executed out-of-order and thus protect my trusted code?
Amel
On 01.12.20 16:44, Chris Seaton wrote:
> I wouldn’t recommend using Ruby to run in-process untrusted code in the first place. Are people doing that?
>
> Chris
>
>> On 1 Dec 2020, at 15:32, Amel <amel.smajic@student.tugraz.at> wrote:
>>
>> Hi there!
>>
>> I've already asked this question in the ruby-talk mailing list and it was hinted at that ruby-core could be the better place to ask, so here's my question.
>>
>> Are there any mitigations in Ruby for the Spectre security vulnerability? Maybe in the interpreter itself or a function which is similar to the lfence-instruction.
>> If there isn't, are there any mitigations planned?
>>
>> Cheers,
>>
>> Amel
* [ruby-core:101182] Re: Spectre Mitigations
From: Chris Seaton @ 2020-12-01 17:23 UTC
To: Ruby developers
If you really do want to add barriers to your code, a one-line C extension with a full barrier instruction in it would be easy to write and would be the only way at the moment.
Chris
> On 1 Dec 2020, at 16:05, Amel <amel.smajic@student.tugraz.at> wrote:
>
> Trusted code can potentially be vulnerable to Spectre attacks, as branch prediction on modern processors occurs in all code where there are branches. The question is how can I stop security critical branches from being executed out-of-order and thus protect my trusted code?
>
> Amel
>
> On 01.12.20 16:44, Chris Seaton wrote:
>> I wouldn’t recommend using Ruby to run in-process untrusted code in the first place. Are people doing that?
>>
>> Chris
>>
>>> On 1 Dec 2020, at 15:32, Amel <amel.smajic@student.tugraz.at> wrote:
>>>
>>> Hi there!
>>>
>>> I've already asked this question in the ruby-talk mailing list and it was hinted at that ruby-core could be the better place to ask, so here's my question.
>>>
>>> Are there any mitigations in Ruby for the Spectre security vulnerability? Maybe in the interpreter itself or a function which is similar to the lfence-instruction.
>>> If there isn't, are there any mitigations planned?
>>>
>>> Cheers,
>>>
>>> Amel
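The kind of small C extension described in the reply above, as an added example that is not part of the original thread or of Ruby itself. The names `spec_barrier`, `checked_read`, `SpectreBarrier.fence` and the `BUILD_RUBY_EXT` macro are hypothetical; GCC or Clang inline assembly is assumed, and the Ruby glue is compiled only when that macro is defined so the barrier logic can be built and exercised stand-alone.

```c
#include <stddef.h>
#include <stdint.h>

/* Speculation barrier: later instructions do not execute until earlier
 * ones (including the guarding branch) have resolved. */
#if defined(__x86_64__) || defined(__i386__)
static inline void spec_barrier(void) { __asm__ volatile("lfence" ::: "memory"); }
#elif defined(__aarch64__)
static inline void spec_barrier(void) { __asm__ volatile("dsb sy\n\tisb" ::: "memory"); }
#else
/* Fallback for other targets: a full memory fence only, NOT a guaranteed
 * speculation barrier. Replace with the architecture's own instruction. */
static inline void spec_barrier(void) { __sync_synchronize(); }
#endif

/* Bounds-checked read with the barrier placed between the check and the
 * dependent load, so the load cannot run under a mispredicted check.
 * Returns 0 and stores the byte in *out, or -1 if idx is out of range. */
int checked_read(const uint8_t *buf, size_t len, size_t idx, uint8_t *out)
{
    if (idx >= len)
        return -1;
    spec_barrier();
    *out = buf[idx];
    return 0;
}

#ifdef BUILD_RUBY_EXT /* hypothetical macro: define it when building the extension */
#include <ruby.h>

/* Exposed to Ruby as SpectreBarrier.fence; call it after a security-critical
 * check and before the code that depends on the check's outcome. */
static VALUE rb_spec_barrier(VALUE self)
{
    (void)self;
    spec_barrier();
    return Qnil;
}

void Init_spectre_barrier(void)
{
    VALUE mod = rb_define_module("SpectreBarrier");
    rb_define_module_function(mod, "fence", rb_spec_barrier, 0);
}
#endif
```

A barrier only helps on the path where it sits: it has to be executed after the check and before the dependent access, and every call costs a pipeline stall.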
* [ruby-core:101185] Re: Spectre Mitigations
From: Lee Hambley @ 2020-12-01 17:44 UTC
To: Ruby developers
The mitigations have been put into place at the OS level [0], it is quite
far "below" the level of scripting languages such as Ruby.
I don't recall which toolchain Ruby is built with, but it is possible to
add toolchain specific annotations to the sources to guard critical
sections on top of that. [1] [2] [3]
[0]: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
[1]: https://www.phoronix.com/scan.php?page=news_item&px=GCC-8-Spectre-Mitigation-Lands
[2]: https://devblogs.microsoft.com/cppblog/spectre-mitigations-in-msvc/
[3]: https://llvm.org/docs/SpeculativeLoadHardening.html
Lee Hambley
http://lee.hambley.name/
+49 (0) 170 298 5667
On Tue, 1 Dec 2020 at 17:05, Amel <amel.smajic@student.tugraz.at> wrote:
> Trusted code can potentially be vulnerable to Spectre attacks, as branch
> prediction on modern processors occurs in all code where there are
> branches. The question is how can I stop security critical branches from
> being executed out-of-order and thus protect my trusted code?
>
> Amel
>
> On 01.12.20 16:44, Chris Seaton wrote:
> > I wouldn’t recommend using Ruby to run in-process untrusted code in the first place. Are people doing that?
> >
> > Chris
> >
> >> On 1 Dec 2020, at 15:32, Amel <amel.smajic@student.tugraz.at> wrote:
> >>
> >> Hi there!
> >>
> >> I've already asked this question in the ruby-talk mailing list and it was hinted at that ruby-core could be the better place to ask, so here's my question.
> >>
> >> Are there any mitigations in Ruby for the Spectre security vulnerability? Maybe in the interpreter itself or a function which is similar to the lfence-instruction.
> >> If there isn't, are there any mitigations planned?
> >>
> >> Cheers,
> >>
> >> Amel