Stream: git-wasmtime

Topic: wasmtime / Issue #2125 wasi-common: high resolution timer...


view this post on Zulip Wasmtime GitHub notifications bot (Aug 10 2020 at 19:12):

pchickey opened Issue #2125:

As we know, in the browser space there are various concerns around speculative execution attacks (Spectre etc) that are mitigated in part by reducing the precision of timers available to untrusted code.

Presently, wasi-common's timer APIs provide resolution as high as the underlying OS provides.

I propose implementing a configurable timing-precision-reduced mode to the wasi-common crate. The precision available will configured as part of the WasiCtxBuilder. Full resolution will still be available to users who want it, but one open question is whether the default should be full resolution or some reduced value. Different browsers have set different default precision levels - FF and Edge 20us, Chrome 100us, Safari 1ms according to https://github.com/w3c/hr-time/issues/56.

The following well-commented implementation in Firefox looks like a good reference on how clamping and jitter should work: https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/nsRFPService.cpp#446

view this post on Zulip Wasmtime GitHub notifications bot (Aug 10 2020 at 19:12):

pchickey labeled Issue #2125:

As we know, in the browser space there are various concerns around speculative execution attacks (Spectre etc) that are mitigated in part by reducing the precision of timers available to untrusted code.

Presently, wasi-common's timer APIs provide resolution as high as the underlying OS provides.

I propose implementing a configurable timing-precision-reduced mode to the wasi-common crate. The precision available will configured as part of the WasiCtxBuilder. Full resolution will still be available to users who want it, but one open question is whether the default should be full resolution or some reduced value. Different browsers have set different default precision levels - FF and Edge 20us, Chrome 100us, Safari 1ms according to https://github.com/w3c/hr-time/issues/56.

The following well-commented implementation in Firefox looks like a good reference on how clamping and jitter should work: https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/nsRFPService.cpp#446


Last updated: Dec 23 2024 at 13:07 UTC