:wave: I'm trying to understand a bit more the status of Spectre mitigations and I was wondering if someone could help me clarify if this issue is still representative of the work that needs to be done in order to mitigate spectre variants. As far as I can tell, heap-bounds checking was implemented in https://github.com/bytecodealliance/wasmtime/pull/1930; but according to the linked issue, there are a couple of other areas (jump table + table call) that are still not implemented. Is my understanding correct?
@Saúl Cabrera that's correct, we have a cmov guard on the heap pointer so that heap bounds checks can't be circumvented in the speculative path, but we don't do the equivalent for jump tables or for Wasm table accesses. My (very fuzzy) recollection was that at the time of #1930, we had other answers for those issues in the context of a Firefox backend, and the heap bounds check was seen as the main hole to patch. But other environments would of course be different and it seems to me that for long-running Wasm instances, for example, we need to do the same for table accesses and br_table jumps (via jump tables). I'd be happy to review a PR for this if you're interested in doing one.
On a related note, Arm has been publishing whitepapers on the various speculative execution vulnerabilities, which include recommended instruction sequences to mitigate the issues. In particular, conditional moves are only a partial solution - a specific barrier instruction has been introduced as well, though it might be mostly to future-proof the recommendation (the barrier instruction executes as a no-op on processors that predate it).
I meant to get back to this earlier, sorry about that! Everything that you've pointed out makes sense to me, thank you both, that answers my questions for the near term. Chris, I might come back to this with questions around the implementation.
Saúl Cabrera has marked this topic as resolved.
@Saúl Cabrera I went ahead and implemented the table and br_table mitigations here: https://github.com/bytecodealliance/wasmtime/pull/4092
Thank you for doing this @Chris Fallin !
Last updated: Dec 23 2024 at 12:05 UTC