Stream: cranelift

Topic: Spectre mitigations


view this post on Zulip Chris Fallin (Jun 30 2020 at 15:30):

Hi all -- I'm implementing Spectre mitigations on the explicit heap bounds checks, motivated by the need for this in the SpiderMonkey/aarch64 embedding. There's a question of whether we also expend effort to build this out for the (legacy) x86 backend; it's a bit nontrivial (but do-able) to do so. The major reason not to is that by default, the x86 backend uses a 4GB guard region ("huge heap mode", I think it's called?) so no checks are needed at all; this only matters with non-default options. Is everyone OK with saying that the huge-heap mode is our Spectre-safe option on x86? We plan to also put the mitigations behind a flag that's on by default, and we could perhaps error out if this flag is not explicitly turned off with small-heap / explicit-check x86 variants.

view this post on Zulip Till Schneidereit (Jun 30 2020 at 18:01):

It seems reasonable to me not to add the mitigations to the old x86 backend, yes

view this post on Zulip Benjamin Bouvier (Jul 01 2020 at 12:34):

PSA: as https://github.com/bytecodealliance/wasmtime/pull/1930 may land soon, and Spectre mitigations will be enabled by default as part of this patch, embedders who are using explicit bounds checks for heaps should be aware that there's going to be a small performance cost implied by this, and that they might want to disable the spectre checks if their environment makes it safe to do so.

This PR adds a conditional move following a heap bounds check through which the address to be accessed flows. This conditional move ensures that even if the branch is mispredicted (access is actual...

view this post on Zulip Benjamin Bouvier (Jul 01 2020 at 12:35):

For what it's worth, wasmtime uses implicit bounds check (via the "huge memory" involving signal handlers tricks), so this is not going to affect Wasmtime, as far as i can tell.

view this post on Zulip Till Schneidereit (Jul 01 2020 at 12:48):

@Benjamin Bouvier thank you for the PSA! Two questions: do we have any estimates of the slowdown, and how it might vary for different uses? And, do you know if it is possible to disable this in embeddings? I could imagine some use cases, such as YoWASP, being affected that might want to disable this

view this post on Zulip bjorn3 (Jul 01 2020 at 12:49):

Maybe also post the PSA at https://github.com/bytecodealliance/wasmtime/issues/1096?

This issue should serve as a central point of communication with Cranelift users / embedders, because we don't have one yet. For the record, we have two real-time chat systems being used at the...

view this post on Zulip Benjamin Bouvier (Jul 01 2020 at 12:55):

@Till Schneidereit It good question! We haven't collected numbers, but it shouldn't be "a lot" (generate imm 0 + cmov after each heap bounds check). It is entirely possible to disable it using the setting introduced in this commit, enable_heap_access_spectre_mitigation to false.

view this post on Zulip Benjamin Bouvier (Jul 01 2020 at 13:00):

@bjorn3 thanks! mentioned it with the extra information in the evergreen thread too.

view this post on Zulip Till Schneidereit (Jul 01 2020 at 13:02):

@Benjamin Bouvier ok, that makes sense. We might eventually want to have a higher-level "don't mitigate side-channel attackes" switch for embedders, but that's obviously out of scope for this change


Last updated: Dec 23 2024 at 13:07 UTC