Skip to content

Commit

Permalink
DOC: Improve description of the new mitigate_spectre flag.
Browse files Browse the repository at this point in the history
In particular, note that the ability to run subsets of Prolog code,
let alone arbitrary Prolog code, is not a necessary condition for
Spectre attacks. It suffices that sensitive data is speculatively
accessed, and that this data can be leaked. Also trusted code may be
vulnerable to this if it contains branches that are dependent on
untrusted data.

Decreasing the resolution of timers does _not_ reliably prevent
Spectre attacks. Full mitigation may require compiler support to
disable speculative access to sensitive data.

See SWI-Prolog/roadmap#54 .
  • Loading branch information
triska authored and Jan Wielemaker committed Feb 16, 2018
1 parent a5123f5 commit b93c668
Showing 1 changed file with 15 additions and 8 deletions.
23 changes: 15 additions & 8 deletions man/overview.doc
Original file line number Diff line number Diff line change
Expand Up @@ -1603,16 +1603,23 @@ the
\href{https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)}{Spectre}
timing-based security vulnerability. Spectre based attacks can extract
information from memory owned by the process that should remain
invisible such password or the private certificate of a web server. To
do so, the attacker must be able to execute arbitrary code in the
process. A good example of a vulnerable application is
\href{https://swish.swi-prolog.org}{SWISH}. SWISH allows users to run
arbitrary Prolog code while the swish server must respect the privacy of
other users as well as its HTTPS certificate, cookies and passwords.

Currently enabling this flag reduces the resolution of get_time/1 and
invisible, such as passwords or the private key of a web server. The
attacks work by causing speculative access to sensitive data, and
leaking the data via side-channels such as differences in the duration
of successive instructions. An example of a potentially vulnerable
application is \href{https://swish.swi-prolog.org}{SWISH}. SWISH
allows users to run Prolog code while the swish server must protect
the privacy of other users as well as its HTTPS private keys, cookies
and passwords.

Currently, enabling this flag reduces the resolution of get_time/1 and
statistics/2 CPU time to $20\mu{}s$.

\textbf{WARNING}: Although a coarser timer makes a successful attack
of this type harder, it does not reliably prevent such attacks in
general. Full mitigation may require compiler support to disable
speculative access to sensitive data.

\prologflagitem{occurs_check}{atom}{rw}
This flag controls unification that creates an infinite tree (also
called \jargon{cyclic term}) and can have three values. Using
Expand Down

0 comments on commit b93c668

Please sign in to comment.