Chris Fallin (Jun 30 2020 at 15:30): Chris Fallin (Jun 30 2020 at 15:30):Hi all -- I'm implementing Spectre mitigations on the explicit heap bounds checks, motivated by the need for this in the SpiderMonkey/aarch64 embedding. There's a question of whether we also expend effort to build this out for the (legacy) x86 backend; it's a bit nontrivial (but do-able) to do so. The major reason not to is that by default, the x86 backend uses a 4GB guard region ("huge heap mode", I think it's called?) so no checks are needed at all; this only matters with non-default options. Is everyone OK with saying that the huge-heap mode is our Spectre-safe option on x86? We plan to also put the mitigations behind a flag that's on by default, and we could perhaps error out if this flag is not explicitly turned off with small-heap / explicit-check x86 variants.
Till Schneidereit (Jun 30 2020 at 18:01):It seems reasonable to me not to add the mitigations to the old x86 backend, yes
Benjamin Bouvier (Jul 01 2020 at 12:34):PSA: as https://github.com/bytecodealliance/wasmtime/pull/1930 may land soon, and Spectre mitigations will be enabled by default as part of this patch, embedders who are using explicit bounds checks for heaps should be aware that there's going to be a small performance cost implied by this, and that they might want to disable the spectre checks if their environment makes it safe to do so.
Benjamin Bouvier (Jul 01 2020 at 12:35):For what it's worth, wasmtime uses implicit bounds check (via the "huge memory" involving signal handlers tricks), so this is not going to affect Wasmtime, as far as i can tell.
Till Schneidereit (Jul 01 2020 at 12:48):@Benjamin Bouvier thank you for the PSA! Two questions: do we have any estimates of the slowdown, and how it might vary for different uses? And, do you know if it is possible to disable this in embeddings? I could imagine some use cases, such as YoWASP, being affected that might want to disable this
bjorn3 (Jul 01 2020 at 12:49):Maybe also post the PSA at https://github.com/bytecodealliance/wasmtime/issues/1096?
Benjamin Bouvier (Jul 01 2020 at 12:55):@Till Schneidereit It good question! We haven't collected numbers, but it shouldn't be "a lot" (generate imm 0 + cmov after each heap bounds check). It is entirely possible to disable it using the setting introduced in this commit, enable_heap_access_spectre_mitigation to false.
Benjamin Bouvier (Jul 01 2020 at 13:00):@bjorn3 thanks! mentioned it with the extra information in the evergreen thread too.
Till Schneidereit (Jul 01 2020 at 13:02):@Benjamin Bouvier ok, that makes sense. We might eventually want to have a higher-level "don't mitigate side-channel attackes" switch for embedders, but that's obviously out of scope for this change
Last updated: Nov 22 2024 at 17:03 UTC