Stream: cranelift

Topic: ✔ Spectre Mitigation


view this post on Zulip Saúl Cabrera (Apr 11 2022 at 16:58):

:wave: I'm trying to understand a bit more about the status of Spectre mitigations, and I was wondering if someone could help me clarify whether this issue is still representative of the work that needs to be done in order to mitigate Spectre variants. As far as I can tell, heap-bounds checking was implemented in https://github.com/bytecodealliance/wasmtime/pull/1930; but according to the linked issue, there are a couple of other areas (jump table + table call) that are still not implemented. Is my understanding correct?

view this post on Zulip Chris Fallin (Apr 11 2022 at 17:04):

@Saúl Cabrera that's correct, we have a cmov guard on the heap pointer so that heap bounds checks can't be circumvented in the speculative path, but we don't do the equivalent for jump tables or for Wasm table accesses. My (very fuzzy) recollection was that at the time of #1930, we had other answers for those issues in the context of a Firefox backend, and the heap bounds check was seen as the main hole to patch. But other environments would of course be different and it seems to me that for long-running Wasm instances, for example, we need to do the same for table accesses and br_table jumps (via jump tables). I'd be happy to review a PR for this if you're interested in doing one.

view this post on Zulip Anton Kirilov (Apr 11 2022 at 17:56):

On a related note, Arm has been publishing whitepapers on the various speculative execution vulnerabilities, which include recommended instruction sequences to mitigate the issues. In particular, conditional moves are only a partial solution - a specific barrier instruction has been introduced as well, though it might be mostly to future-proof the recommendation (the barrier instruction executes as a no-op on processors that predate it).

view this post on Zulip Saúl Cabrera (Apr 27 2022 at 11:49):

I meant to get back to this earlier, sorry about that! Everything that you've pointed out makes sense to me, thank you both, that answers my questions for the near term. Chris, I might come back to this with questions around the implementation.

view this post on Zulip Notification Bot (Apr 27 2022 at 11:49):

Saúl Cabrera has marked this topic as resolved.

view this post on Zulip Chris Fallin (Apr 30 2022 at 00:11):

@Saúl Cabrera I went ahead and implemented the table and br_table mitigations here: https://github.com/bytecodealliance/wasmtime/pull/4092

view this post on Zulip Saúl Cabrera (May 02 2022 at 14:57):

Thank you for doing this @Chris Fallin!


Last updated: Jan 24 2025 at 00:11 UTC