[Engineering] FYI: Browser mitigations for Meltdown & Spectre

Gilles Dubuc gilles at wikimedia.org
Tue Jan 9 09:56:32 UTC 2018


>
>
>    - to 1ms in Safari, 20µs in Firefox, 20µs with 20µs jitter in Edge,
>    unspecified in Chrome
>
For Chrome:

> As part of our mitigations against Speculative Side Channel Attacks
> <https://www.chromium.org/Home/chromium-security/ssca>, Chrome 64 will
> reduce the resolution of DOMHighResTimeStamps to 100us. We are also
> introducing 100us of random jitter to the clock edges to prevent attempts
> to increase resolution via edge-thresholding.  The returned time will be
> within +/100us of real time, however there will be no guarantee as to
> duration (in real time) of clock pulses between these 100us intervals.
>
> We intend for this to be a temporary measure while other mitigations are
> introduced, however we do not have a timeline for restoring the previous
> precision.


On Tue, Jan 9, 2018 at 10:48 AM, Joaquin Oltra Hernandez <
jhernandez at wikimedia.org> wrote:

> tl;dr: performance.now accuracy decreased, SharedArrayBuffer disabled in
> all browsers
>
> There were recently two very serious security vulnerabilities disclosed (
> Spectre <https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)>
>  & Meltdown
> <https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)>) that
> affect pretty much anything that can run code on your machine.
>
> That includes browsers, so major vendors have started rolling out
> mitigations for such attacks so that the vulnerabilities can't be exploited
> from JavaScript. Here is some info in case you haven't followed:
>
> *Summary*
>
>    - performance.now is going to be rounded to avoid exposing the high
>    precision timer
>       - to 1ms in Safari, 20µs in Firefox, 20µs with 20µs jitter in Edge,
>       unspecified in Chrome
>    - SharedArrayBuffer is going to be disabled for now since it can be
>    used to create high precision timers from JS
>
> *Articles*
>
> Here are some articles from the different vendors. The WebKit one is more
> extensive and has approachable explanations, reasoning and links to commits,
> and is very interesting to read:
>
>    - https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/
>    - https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>    - https://www.chromium.org/Home/chromium-security/ssca
>    - https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/
>
> *Conclusion*
>
> These changes shouldn't impact us at all in our usual browser work, but it
> is good to know about the changes of behavior to not be surprised if they
> do.
>
> Hope this is useful, have a nice day!
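An added example, not part of the thread above and not code from any browser vendor: a sketch of how front-end timing code can find out how coarse the clock it is handed has become, and keep measurements meaningful by timing over many clock grains. All function names are hypothetical, and `makeClampedClock` is a constructed stand-in for a browser clock rounded to a fixed grain (jitter is not modelled).

```javascript
// Constructed stand-in for a browser clock: "real" time advances stepUs per
// read and is rounded down to grainUs before being returned in milliseconds.
function makeClampedClock(grainUs, stepUs) {
  let realUs = 0;
  return () => {
    realUs += stepUs;
    return (Math.floor(realUs / grainUs) * grainUs) / 1000;
  };
}

// Smallest non-zero step seen between consecutive reads, in microseconds.
// `clock` is any function returning milliseconds, e.g. () => performance.now().
function estimateResolutionUs(clock, samples = 20000) {
  let prev = clock();
  let minStep = Infinity;
  for (let i = 0; i < samples; i++) {
    const now = clock();
    if (now > prev) minStep = Math.min(minStep, now - prev);
    prev = now;
  }
  // null means the clock never advanced during sampling.
  return Number.isFinite(minStep) ? Math.round(minStep * 1000) : null;
}

// Time `fn` by repeating it until the elapsed reading spans at least
// `minGrains` clock grains, so rounding is a small share of the total.
// Returns the average cost per call in microseconds.
function timePerCallUs(clock, fn, resolutionUs, minGrains = 50) {
  const targetMs = (resolutionUs * minGrains) / 1000;
  const start = clock();
  let calls = 0;
  let elapsed = 0;
  while (elapsed < targetMs) {
    fn();
    calls++;
    elapsed = clock() - start;
  }
  return (elapsed * 1000) / calls;
}
```

In a browser, pass `() => performance.now()` as `clock`; a single-shot measurement shorter than the reported resolution will read as zero or as one full grain.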