[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Spectre/Meltdown bug affecting Python ?

On Sat, Jan 6, 2018, 4:45 PM Grant Edwards <grant.b.edwards at gmail.com>

> On 2018-01-06, Etienne Robillard <tkadm30 at yandex.com> wrote:
> >
> >
> > Le 2018-01-06 ? 15:49, J.O. Aho a ?crit :
> >> On 01/06/18 13:43, Etienne Robillard wrote:
> >>> My understanding of this vulnerability is that speculative indirect
> >>> calls in Linux kernel can be used to extract/filter memory content via
> >>> side-channels.
> >> Not just Linux, but all other OS:es, Microsoft and Apple been patching
> >> in secret as they have a closed source approach, but ms-windows needs at
> >> least one more patch before it can breath out, which will be released on
> >> Tuesday.
> >
> > It's unclear to me whether AMD CPUs are affected by theses design flaws.
> Everybody seems to agree that AMD CPUs are not affected by Meltdown.
> The consensus is that AMD CPUs are probably affected by 2 of the 3
> Spectre variants.
> > Furthermore, I'd like to know if Python can mitigate hardware-specific
> > timing attacks.
> For CPython, probably not.  Anything that Cpython tried to do could be
> trivially defeated by using something like ctypes to make calls to
> arbitrary machine code that was written to a file.

It sounds like you're talking about the case where the malicious code is
hosted by Python. I agree that's probably not realistic to do anything
about -- if you can run malicious code then you're probably not restricted
to Python (and without knowing a lot about the attacks, I'm doubtful that
it's possible to implement them in pure Python anyway).

I think the OP was talking about protecting the data of Python programs
from other malicious processes, however. The mitigation seems to be like it
could reasonably be accomplished (at least for core Python -- extension
code would be on its own).