So was Site Isolation in Chrome. Site Isolation has obvious benefits as a way to mitigate memory safety vulnerabilities between untrusted domains. Its use as a Spectre solution is much less clear to me.
To be clear: if we wanted to fix Spectre in Firefox, we could use hacks to scramble the branch predictor and BTB before executing JS in a different domain than the last one we executed. This would be more effective than Fission/Site Isolation, AFAICT.
I don't see how it would work. Wouldn't that be racy when multiple processes are involved? Imagine context switches between your "scramble" step and the "execute the JS" step.
Yeah, you’re right, it doesn’t work.
Replying to @pcwalton @BRIAN_____ and
Though if you had IBPB, then you could implement that operation by switching over to a new Gecko thread/process that shares all the memory and can’t ptrace. Yeah, it’s a hack, but it’d be a lot less work than Site Isolation.
True, and unfortunate. I’m still sad that Spectre is treated as an “all hands on deck” emergency—one that played a not-insignificant role in killing a browser engine, in fact. It’s very hard to exploit and process isolation doesn’t even fully help today.
Replying to @pcwalton @BRIAN_____ and
Specifically: The lack of e10s + sandboxing was exploited hundreds of times. Clearly implementing both was a huge priority. Spectre: a vuln never exploited in the wild that could conceivably be helped—once OS and HW fixes land—by a project that’s ~3x as much work as e10s. :\
Of course we can never be sure. But finite resources and prioritization require that we go with the best evidence we have. I think that memory safety work should take priority over Site Isolation, for example.
Because when attackers attack browsers, in practice they go after memory safety issues (leading to sandbox escapes, often times). Not Spectre.
Replying to @pcwalton @BRIAN_____ and
(And to reiterate I think we *should* do Site Isolation…just that we should be clear about what the real-world benefits are going to be.)