From: John Savard
Newsgroups: comp.arch
Subject: Re: Privilege Levels Below User
Date: Sun, 09 Jun 2024 09:26:42 -0600

On Fri, 07 Jun 2024 12:03:03 -0600, John Savard wrote:

>The first reduced-privilege state would not allow any branch
>instructions, particularly conditional branches.
>
>The second, in addition, would not allow any access to memory, only
>allowing access to registers.

Maybe I haven't made clear what this is _for_, as I thought it would be obvious.

If no branches... then no need for retpolines and stuff.

If no access to memory... no worries about rowhammer.

Given that, a third mode - not reduced-privilege so much as reduced-efficiency - suggests itself. Cause some code to be executed... without any speculative execution; allow branches, but don't execute anything until where the branch goes is fully resolved. This deals with Spectre and friends.

So the idea is to give an unprivileged user application, like a web browser, a capability, without going through the operating system, to run code that is sandboxed in appropriate ways to prevent it from causing trouble although it is untrusted.

That browsers have to be able to run untrusted JavaScript (and, formerly, even Java and Flash, which have now been discarded) to support the flexibility desired for modern web sites... has been the basic reason why computers today are insecure. If the only code that ran on computers was trusted code, then the virus situation would be like it was back in the days of 8-bit computers; except for supply-chain attacks, just don't run pirated software, and you're pretty much safe.

John Savard