undefined | Better HN

0 pointsomcnoe1y ago0 comments

It's not remote code execution, it's the same flavor of "out of bounds read through speculation" as previous vulnerabilities. It's terrifying because they have a working proof of concept from untrusted JS in Safari, but there have been speculative execution in browser JS engines before now also.

0 comments

ajross1y ago

The language seems to argue otherwise: SLAP "allows the adversary to jump the LAP to the target webpage's string and trick the CPU into operating on it" and FLOP "allows us to run a function with the wrong arguments". That's absolutely not mere data exfiltration.

Now, maybe this is because of a trampoline based on pre-existing Safari bugs and not the CPU misfeature itself. Again, the details are slim.

But "the same flavor of vulerability" seems to be a mischaracterization.

yencabulator1y ago

My read: the attack gets 600 cycles of CPU time to execute its code (JITted Javascript, in web context) on the speculated data, and to use some side channel to communicate results back out of the speculated parallel-world.

Some of the earlier speculation attacks didn't get to do arbitrary compute on the speculated data, they could only for example influence whether something was loaded into cache or not.

This makes an attack easier to write.

loeg1y ago

Only speculatively. The end result is the same as not executing that code, other than observable side effects.

saagarjha1y ago

No, they’re correct.

j / k navigate · click thread line to collapse