That doesn't mean Firefox is safe, to be clear. Just that this PoC doesn't work well for my combination of browser and CPU.
Looking at that paper's abstract and code samples, I think most if not all of the timing channels it describes rely entirely on tight loops, so one or more of them being attempted would explain the high CPU usage you noticed.
Does that mean I am missing some Spectre mitigation stuff? I thought this was already fixed a few years ago? How do I stop this demo from working? (Linux, Intel i7, Chrome 89)
Disclosure: I work at Google and am involved in deploying some of these features internally.
This was a huge WTF to me. I have been doing web dev for 10+ years and can barely get origin based security right. Now we're expected to understand process level security boundaries too???
That said, are there any resources explaining how the Chromium process works? It has always been a black box to me. For example, if a form is being autofilled, don't those personal info/passwords have to be loaded into memory? There's an infinite amount of things that I thought were inaccessible solely because there's no JS API to access the data that I now need to think about. Direct memory access is just a huge can of worms, no?
That's the equivalent of saying "just don't run bad JS code". It's not workable. Have they given up?
Of course this could be fixed at the CPU level, but realistically very few people want that since that would drastically slow down modern CPUs which rely on speculative execution.
Disclosure: I work at Google and am involved in deploying some of these cross-origin resource restrictions internally.
Which the (comparably) insecure likes of Firefox (unfortunately) does not have.
A little NoScript goes a long way. At least that way you can pick what you want to run.
HN should work without reading timers at all for example.
NetSpectre was able to dump kernel memory just from untrusted received network packets, no JIT required.
Wow! How come Apple, on this brand new processor, wasn't able to mitigate against Spectre? (A quick Google shows that many Apple fan sites hailed the M1 as being immune to what they called "Intel bugs".)
If you want to be invulnerable to this you're basically stuck with a microcontroller.
Doesn't this mean it's essentially game over for running untrusted JS by-default? Doesn't default-deny functionality like NoScript have to become mandatory in browsers for security? If not, why not?
But no, this isn't game over for running untrusted JS. It just means that we need to assume that JS can access anything in the same process.