Changes in WebAssembly Could Render Meltdown and Spectre Browser Patches Useless (bleepingcomputer.com)
Catalin Cimpanu, reporting for BleepingComputer: Upcoming additions to the WebAssembly standard may render useless some of the mitigations put up at the browser level against Meltdown and Spectre attacks, according to John Bergbom, a security researcher at Forcepoint. WebAssembly (WA or Wasm) is a new technology that shipped last year and is currently supported within all major browsers, such as Chrome, Edge, Firefox, and Safari.
The technology is a compact binary language that a browser will convert into machine code and run it directly on the CPU. Browser makers created WebAssembly to improve the speed of delivery and performance of JavaScript code, but as a side effect, they also created a way for developers to port code from other high-level languages (such as C, C++, and others) into Wasm, and then run it inside a browser. All in all, the WebAssembly standard is viewed as a success in the web dev community, and there've been praises for it all around.
Since this detail was missing from the summary: browsers have limited access to precise timers as a Meltdown / Spectre mitigation. WebAssembly threads might give attackers a way to precisely measure time intervals by executing tight loops in another thread.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
The WebAssembly guys are aware of this issue
https://github.com/WebAssembly...
and don't plan to actually support the new features until they have a solution.
1. WebAssembly is a compressed and simplified version of JavaScript. Anything you can do in WebAssembly, you can do in JavaScript. Seeing as Meltdown / Spectre take a lot of effort to exploit, if this attack is being deployed against you, it's reasonable to assume the attacker is perfectly willing to translate their code into JavaScript, which is already supported in your browser.
2. The devs are well aware of the issue and have said they're not going to reenable the feature that makes them vulnerable to timing attacks without making sure that the mitigations to Spectre / Meltdown are not going to be nullified by WebAssembly.
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
So... any way to disable WebAssembly in FF? (Asking for a friend)
Answering my own question -- with, perhaps, some overkill ... (feel free to correct me)
user_pref("devtools.debugger.features.wasm", false);
user_pref("javascript.options.wasm", false);
user_pref("javascript.options.wasm_baselinejit", false);
user_pref("javascript.options.wasm_ionjit", false);
It must have been something you assimilated. . . .
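A check for whether prefs like the ones in the comment above took effect, and for how coarse the clock exposed to a page is. This is an added example, not part of the thread. The function names are hypothetical, and it assumes that a disabled engine shows up as a missing `WebAssembly` global.

```javascript
// Added example: report what timing-relevant surface a page can see.
// Pass a constructed `env` for testing; defaults to the real global object.

// Smallest step seen between distinct clock readings, in ms (null if frozen).
function observedClockStepMs(now, changes = 20, maxReads = 1e6) {
  let smallest = Infinity;
  let last = now();
  let seen = 0;
  for (let i = 0; i < maxReads && seen < changes; i++) {
    const t = now();
    if (t !== last) {
      smallest = Math.min(smallest, Math.abs(t - last));
      last = t;
      seen++;
    }
  }
  return seen === 0 ? null : smallest;
}

function auditTimingSurface(env = globalThis, maxReads = 1e6) {
  // Assumption: with Wasm turned off, the WebAssembly global is absent.
  const wasm = typeof env.WebAssembly === "object" && env.WebAssembly !== null;
  // Shared memory is what threads need to share a counter between them.
  const sharedMemoryExposed = typeof env.SharedArrayBuffer === "function";
  const perf = env.performance;
  const clockStepMs = perf && typeof perf.now === "function"
    ? observedClockStepMs(() => perf.now(), 20, maxReads)
    : null;
  return {
    wasm,
    sharedMemoryExposed,
    crossOriginIsolated: env.crossOriginIsolated === true,
    clockStepMs,
  };
}

// Constructed clock for demonstration: advances 13 us per read, clamped to 1 ms.
function makeClampedClock(stepMs = 0.013, clampMs = 1) {
  let reads = 0;
  return () => Math.floor((++reads * stepMs) / clampMs) * clampMs;
}

console.log(auditTimingSurface());
```

Run it from the browser console after restarting with the changed prefs. `wasm: false` means the engine is off for that page, and `clockStepMs` is the smallest clock step observed during the sampling loop.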
I'm sure the systemd developers had those thoughts too when they started out. :-)
No, they didn't. You can see the documentation and ideas that were floating when systemd started. The concept is all about features, lots of them, and security is mainly mentioned as something the kernel will do. Minimalism isn't on the menu.
Contrast that with WebAssembly which takes years to add features that clearly need to be there (like access to the DOM), because they know it's better to do it right than half-assed.
"First they came for the slanderers and i said nothing."
That is an incredibly warped and messed up slant on cpu history you have there
Speculative execution has been a mainstay of both RISC and CISC cpu designs since the 80's. Intel were one of the last CPU producers to implement speculative execution. IBM power chips, sun sparc chips, Motorola 16k chips, they all had speculative execution 10-20 years before intel introduced it in the pentium pro.
The only producers who were slower and later than intel were AMD and Cyrix / VIA designs
Speculative execution and vector instructions were what kept the others ahead of intel for so many years
You have no clue what wasm can and cannot do, right?
All wasm can do is to have a linear memory buffer for its memory allocations (kindly provided by JavaScript) and make some calls between wasm and JS. Wasm has absolutely no access to your system and any interaction with the outer world needs to be done via JS.
So quit whining.
WebAssembly makes sense when you think of the browser as the new OS. An OS that provides heavy sandboxing and a permission system.
Compiling to machine code may be a bit scary, but it's what all major browsers have been doing for a while now. JIT for Javascript was new a decade ago.
Running unverified code sounds crazy until you realize that that's what most people do most of the time. Even in the open source world few people bother to check the source or binaries they are getting from repos, and bad stuff has snuck in before. At least in the browser it's sandboxed.
I'm not saying I'll stop blocking JS or that this is necessarily all a good thing, but it's nothing like the bad old ActiveX days either.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Speculative execution has been a mainstay of both RISC and CISC cpu designs since the 80's. Intel were one of the last CPU producers to implement speculative execution. IBM power chips, sun sparc chips, Motorola 16k chips, they all had speculative execution 10-20 years before intel introduced it in the pentium pro.
Seriously? RISC was supposed to be simple originally. It used to be pipelined, but speculated? Pentium Pro came out in 1995. You're claiming that POWER, SPARC and 68k had this in 1985 at the latest? Well, let's check the facts: SPARC was first released in 1987, POWER1 came out in 1990, in 1985, Motorola had the 68020. Only the 88110 introduced speculation in 1991
Stop. Lying.
Ezekiel 23:20