Spectre mitigations in Perl interpreter?

Hi,

I was looking up everywhere and could not find any mitigations for Spectre
attack by the Perl interpreter! I don't know if my question is correct or
how feasible it is, but do you know if there are any mitigations for
different kinds of Spectre attacks Spectre v1 (Spectre-PHT), v2
(Spectre-BTB), v4 (Spectre-STL) and v5 (Spectre-RSB) at the interpreter
level for Perl?
Looking forward to hearing from you guys :)

Warm regards,
Amir
0
S
11/14/2020 6:09:32 PM
perl.perl5.porters

On Mon, Nov 16, 2020 at 8:34 PM Amir Naseredini <S.Naseredini@sussex.ac.uk>
wrote:

> Hi,
>
> I was looking up everywhere and could not find any mitigations for Spectre
> attack by the Perl interpreter! I don't know if my question is correct or
> how feasible it is, but do you know if there are any mitigations for
> different kinds of Spectre attacks Spectre v1 (Spectre-PHT), v2
> (Spectre-BTB), v4 (Spectre-STL) and v5 (Spectre-RSB) at the interpreter
> level for Perl?
> Looking forward to hearing from you guys :)
>

Hello,

Spectre is a branch prediction vulnerability in the microprocessor. I am
not sure if there is any mitigation that could or should be done at the
Perl level, but no specific work has been done in that area. There are no
current Spectre-related CVEs for Perl. Hope that helps,

-Dan

0
grinnz
11/17/2020 1:50:42 AM
On Tue, Nov 17, 2020 at 1:51 AM Dan Book <grinnz@gmail.com> wrote:

> On Mon, Nov 16, 2020 at 8:34 PM Amir Naseredini <S.Naseredini@sussex.ac.uk>
> wrote:
>
>> I was looking up everywhere and could not find any mitigations for
>> Spectre attack by the Perl interpreter! I don't know if my question is
>> correct or how feasible it is, but do you know if there are any mitigations
>> for different kinds of Spectre attacks Spectre v1 (Spectre-PHT), v2
>> (Spectre-BTB), v4 (Spectre-STL) and v5 (Spectre-RSB) at the interpreter
>> level for Perl?
>> Looking forward to hearing from you guys :)
>>
>
> Spectre is a branch prediction vulnerability in the microprocessor. I am
> not sure if there is any mitigation that could or should be done at the
> Perl level, but no specific work has been done in that area. There are no
> current Spectre-related CVEs for Perl. Hope that helps,
>


C/C++ compiler mitigations could be used when building the perl
interpreter, e.g.

   - /Qspectre, /Qspectre-load, /Qspectre-load-cf for MSVC
   - -mretpoline for Clang
   - -mindirect-branch, -mfunction-return, -mindirect-branch-register for
   GCC

Most people probably don't build perl with these, as they are not usually
enabled by default. clang on OpenBSD being an exception:
https://man.openbsd.org/clang-local.1

(If anyone has built/does build perl with mitigations, I'd be curious to
know if that breaks anything, and what kind of run-time slowdown is
introduced.)

Beyond that, I'm also unsure whether there is any mitigation that could
feasibly be done at the interpreter level.

Amir - It might also be relevant to you to consider that perl's security
model is different to that of e.g. a JavaScript JIT in a sandboxed browser.
As I understand it, defending against malicious Perl code generally isn't
something that the interpreter tries to do; running untrusted code isn't a
normal use case and it's anticipated that if you feed malicious Perl code
to the interpreter, bad things will happen. That's obviously different to a
browser that is expected to run arbitrary JS code from arbitrary websites
in a secure manner.

Regards,
Richard

0
rich
11/17/2020 2:32:21 PM
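
An added example, not part of the thread and not code from the perl project: a shell check of whether a perl build's `ccflags` contain the GCC or Clang options listed in the reply above. The function names and the sample `ccflags` lines are constructed for illustration; MSVC is left out, and GCC's `=keep` value is treated as "not enabled" because it leaves the branch unmodified.

```shell
#!/bin/sh
# Added example (not from the thread): audit a perl build's compiler flags for
# the GCC/Clang mitigation options listed in the message above.

# Extract the value from a line shaped like `perl -V:ccflags` output:
#   ccflags='-O2 -fwrapv';
config_value() {
    printf '%s\n' "$1" | sed -e "s/^[A-Za-z_]*='//" -e "s/';*\$//"
}

# has_flag FLAG CCFLAGS -> success if FLAG is enabled in CCFLAGS.
# Matches "FLAG" or "FLAG=value"; GCC's "=keep" means "leave the branch
# unmodified", so it does not count as enabled.
has_flag() {
    want=$1
    for tok in $2; do
        case "$tok" in
            "$want=keep") ;;
            "$want"|"$want="*) return 0 ;;
        esac
    done
    return 1
}

# missing_mitigations FAMILY CCFLAGS -> prints the flags from the thread's list
# that are absent for that compiler family (gcc or clang); empty means all set.
missing_mitigations() {
    case "$1" in
        gcc)   wanted="-mindirect-branch -mfunction-return -mindirect-branch-register" ;;
        clang) wanted="-mretpoline" ;;
        *)     echo "unknown compiler family: $1" >&2; return 2 ;;
    esac
    missing=""
    for f in $wanted; do
        has_flag "$f" "$2" || missing="$missing $f"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample lines in the shape `perl -V:ccflags` prints.
SAMPLE_PLAIN="ccflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong';"
SAMPLE_GCC="ccflags='-fwrapv -mindirect-branch=thunk -mfunction-return=keep -mindirect-branch-register';"

# Audit the perl on PATH when run with a compiler family, e.g.: sh audit.sh gcc
if [ -n "${1:-}" ] && command -v perl >/dev/null 2>&1; then
    missing_mitigations "$1" "$(config_value "$(perl -V:ccflags)")"
fi
```

To produce a build to audit, perl's `Configure` accepts extra compiler flags through `-Accflags=...`.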