1. 24
  1. 5

    I’m a little disappointed that this “critical vulnerability” is just a local side channel attack that requires an attacker to have access to run arbitrary code on your system. Furthermore, the attack seems to require the victim process to use shared memory that the attacker can flush from cache..

    That said, js + wasm look worse and worse in light of local side channel attacks. Maybe one day someone will weaponize them to both detect interesting events (use of private keys?) and gather & leak info about them. And pledge & privileges will not help.

    1. 4

      Yes; it’s good work, but this article way over-hypes it.

      1. 2

        The article indicates keys can be leaked across VMs - plenty of people are running on shared hardware, and they’re vulnerable to a remote attack, no?

        1. 4

          I guess it depends on your definition of remote attack. Yes, if you run your code on some shared host with a hypervisor that snoops your memory, and an attacker can run his code on that same host, I guess you might consider that attack “remote.”

          But to me they are all on the same system, and this is why I’m just a little disgusted with VMs. They are all too cheap and convenient for people to even consider the risks of running their applications on the same system with other unknown users.

          Think about it – a headline like “this attack steals your keys across VMs!” is sure to grab your attention. But what are you actually doing with these private keys? Surely something that should be kept private or secret!

          Yet, unless all your application logic is designed to run in constant time with special attention to make every page unique, private information is at risk even if the keys are not compromised. Focusing on the keys and thinking the application is safe if they have carefully implemented crypto that isn’t suspectible to side channel attacks, people miss the forest for that single tree. Everything you do could be suspectible to information leakage via side channel attacks unless you’re careful about it. Keys are an obviously interesting target, but they are just the tip of the iceberg.

          It would be nice if all VPS providers disclosed whether they’re snooping you or not. Apart from that, there ought to be some mitigation available (e.g. randomized builds, random junk on allocated pages, in paddings, etc.). But if everyone used these, there’s not much point in snooping to begin with. Maybe people should just stop sharing memory across VPSen to begin with.

          Of course that would make it a little less cheap as memory requirements increase. It’s the price you pay…

          1. 2

            But to me they are all on the same system, and this is why I’m just a little disgusted with VMs

            I can’t agree more - these attacks will only become more sophisticated and pervasive as we move more into shared resources.

      2. [Comment removed by author]

        1. 1

          No hype, no points.