pandalicious's comments

>The presence of EMTE leaves Spectre V1 as one of the last avenues available to attackers to help guide their attacks, so we designed a completely novel mitigation that limits the effective reach of Spectre V1 leaks — at virtually zero CPU cost — and forces attackers to contend with type segregation. This mitigation makes it impractical for attackers to use Spectre V1, as they would typically need 25 or more V1 sequences to reach more than 95 percent exploitability rate — unless one of these sequences is related to the bug being exploited, following similar reasoning as our kalloc_type analysis.

Did they ever explain what that mitigation does?



Nope. I don't know why just checking the tags during speculation wouldn't stop Spectre V1, at least for cross-type accesses? I mean, it's not that simple because your program won't crash if speculation has mismatched tags. Which means you can try as many times as you want until you get lucky. But that's certainly not a "completely novel mitigation", so I'm sure I'm missing something obvious.

Perhaps the real problem is that you can use speculation to scan large amounts of memory for matching tags, some of which would be different types, so you need something to handle that?

(talking out of my butt here)


You’re on the right track, I think. The mastodon link posted in a sibling comment within a minute of yours provides more details:

It sounds like the kernel’s allocations may only use one tag(?). So if you get in there, jackpot right? No tags to deal with.

So they’re using special compiler flags to limit all offsets to less than 4 GB. Then they placed different parts of the kernel far apart in address space with a 4 GB unmapped zone.

So if you can put your own pointer somewhere that’s exploitable in allocated kernel memory, there is no way for it to point to any other “part” of kernel memory. Only within that one “area”.

Presumably this would mean that exploiting a problem in the graphics drivers would not make it possible to provide a pointer pointing to the Secure Enclave interface code. Or something like that.

I’m not 100% on if I’m understanding it correctly.


Kind of, but they don't just use one tag, they use all the tags just as userspace would. You throw all the allocations with the same type into a <4GB region and tag it, then make sure that pointer arithmetic stays within that region.


> It sounds like the kernel’s allocations may only use one tag

What about the blogpost suggested this?

" ... always-on memory safety protection for our key attack surfaces including the kernel ..."

" ... always-on memory-safety protection covering key attack surfaces — including the kernel and over 70 userland processes — built on the Enhanced Memory Tagging Extension (EMTE) and supported by secure typed allocators and tag confidentiality protections ... "

Suggests to me that the kernel allocator uses a similar tagging policy as the userspace allocators do.


That post[^1] linked by saagarjha above is talking about the case where the typed allocator (plus the layout of kernel memory, and whatever constraints on pointer arithmetic in the kernel) makes Spectre less useful. MTE itself isn't relevant to mitigating Spectre, but putting constraints on how the addresses of certain loads in the kernel are computed makes Spectre less useful.

Remember that Spectre V1 is about causing the kernel to [incorrectly and] speculatively perform a load, and then trying to leak the loaded value by measuring the state of the cache. You might reasonably want to try this since MTE tags are stored in kernel memory.

But if the set of all possible target addresses for relevant loads on a path subject to influence by userspace can be constrained to a particular memory region, you [presumably] cannot trivially use Spectre V1 to leak values from a different region.

Also, see this[^2] paper referenced in the article.

[^1]: https://mastodon.online/@ezhes_/115175838087995856

[^2]: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=983...
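To make the layout argument in the comments above concrete, here is a small Python model of it. This is an added, constructed example, not Apple's code or anything from the linked post: the area names, addresses and sizes in `LAYOUT` are made up, and "limiting offsets to less than 4 GB" is modelled as masking the attacker-influenced offset to 32 bits before it is added to a base pointer inside one area.

```python
"""Toy model of the '< 4 GiB offsets + 4 GiB unmapped gaps' layout.

Constructed example (hypothetical layout, not Apple's): kernel areas are each
smaller than 4 GiB and separated by a 4 GiB unmapped guard zone, and every
attacker-influenced offset is truncated to 32 bits before use.  Addresses
are plain Python ints standing in for 64-bit pointers.
"""

GIB = 1 << 30
U64 = (1 << 64) - 1
OFFSET_MASK = (1 << 32) - 1          # offsets are forced below 4 GiB

# Hypothetical layout: name -> (start, size).  Areas are 1 GiB each and are
# placed 1 GiB + 4 GiB apart, so a 4 GiB unmapped gap separates them.
_BASE = 0xFFFF_FF80_0000_0000
LAYOUT = {
    "drivers":   (_BASE,                     1 * GIB),
    "sep_iface": (_BASE + 1 * (1 * GIB + 4 * GIB), 1 * GIB),
    "ipc":       (_BASE + 2 * (1 * GIB + 4 * GIB), 1 * GIB),
}


def area_of(addr):
    """Return the area containing addr, or None if it falls in a gap."""
    for name, (start, size) in LAYOUT.items():
        if start <= addr < start + size:
            return name
    return None


def unbounded_address(base, offset):
    """Ordinary 64-bit pointer arithmetic: any offset reaches anywhere."""
    return (base + offset) & U64


def bounded_address(base, offset):
    """Constrained arithmetic: the offset is truncated to < 4 GiB first."""
    return (base + (offset & OFFSET_MASK)) & U64


def reachable(base, compute, probes):
    """Areas an attacker-chosen offset can land in, for one address rule."""
    return {area_of(compute(base, off)) for off in probes} - {None}


def demo():
    """Compare reach from a pointer inside 'drivers' under both rules.

    Returns (areas reachable with plain arithmetic,
             areas reachable with 32-bit-masked offsets).
    """
    base = LAYOUT["drivers"][0] + 0x1000
    # Constructed probe offsets: small ones, the largest masked offset, and
    # the exact 64-bit distances to every area's start.
    probes = [0, 0x10, OFFSET_MASK] + [
        (start - base) & U64 for start, _ in LAYOUT.values()
    ]
    return (reachable(base, unbounded_address, probes),
            reachable(base, bounded_address, probes))


if __name__ == "__main__":
    plain, masked = demo()
    print("plain arithmetic reaches:", sorted(plain))
    print("masked offsets reach:    ", sorted(masked))
```

With plain arithmetic the probe offsets reach all three areas; with the masked offsets, every probe that would have crossed into another area lands in the guard zone instead, so only `drivers` is reachable. That is the property the comments describe: a speculative load whose address is derived from a pointer in one area cannot be steered into a different area, whatever offset is supplied.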


Am I misreading this or is that "How close is Spanish from Different Countries" graphic kind of jank? There's intersecting lines that are missing, like Puerto Rico and Dominican Republic.


The intersection between Puerto Rico and Dominican Republic is the 0.42 right above the "1" in the PR column (5th from the left).

If you imagine the full graph of all countries horizontally and vertically, there would be a lot of overlap (the PR column and DR row, and the DR column and PR row). So to save that redundancy, for all countries except Spain (very top) and Argentina (far right) you have to look around a bit to see where it crosses any other given country.


that's amazing, do you know why it works?


The dot after the TLD represents the root domain. From right to left, URLs read from least to most specific. Root -> TLD -> domain -> subdomain (eg www). The root domain is almost always left out, because it’s always the same and its presence is implied. But if you include it explicitly, it is a distinct URL.

So idk how bloomberg.com works under the hood so I can’t specifically explain this case, but rules that match URLs won’t necessarily see the two versions as identical. This is actually something worth testing your own sites against, to make sure including the root domain doesn’t do something dumb like bypass authentication or whatever.

Edit: also, forgive me if I’m explaining things you already know w/ regard to the root domain and stuff.


This is 50% of the reason, the other half is that all the tracking/ad requests hit an API endpoint on bloomberg.com (no dot at the end), which is now a separate origin as far as the same-origin policy is concerned. But the code is not expecting this to be the case, and doesn't set any CORS headers on the response, and the browser denies access to the response data.

This breaks the ads but also breaks any interactive charts, etc. that need data from the API.
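The two comments above (the root-domain dot making a distinct URL, and `bloomberg.com.` being a separate origin) can be checked in a few lines. This is an added, constructed example, not Bloomberg's code or anything from the thread: `PAYWALLED_HOSTS` and the rule functions are hypothetical stand-ins for "rules that match URLs", and `origin()` is a simplified scheme/host/port tuple rather than a full browser implementation.

```python
"""Trailing-dot hostnames: origins and host-matching rules (constructed)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, effective port) in the spirit of the same-origin policy.

    The host is taken exactly as written, trailing dot included, so
    'bloomberg.com' and 'bloomberg.com.' yield different origins.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, host, port)


def is_same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def canonical_host(host):
    """Server-side canonical form: lower-case, root-domain dot removed."""
    return host.lower().rstrip(".")


# Hypothetical list of hosts a site-side rule (paywall, auth, ad config)
# is meant to apply to.
PAYWALLED_HOSTS = {"bloomberg.com", "www.bloomberg.com"}


def rule_applies_naive(host, rule_hosts=PAYWALLED_HOSTS):
    """Compares the Host header as-is: 'bloomberg.com.' does not match."""
    return host in rule_hosts


def rule_applies_canonical(host, rule_hosts=PAYWALLED_HOSTS):
    """Canonicalises both sides first, so the dotted form is matched too."""
    return canonical_host(host) in {canonical_host(h) for h in rule_hosts}


if __name__ == "__main__":
    for h in ("bloomberg.com", "bloomberg.com.", "BLOOMBERG.COM."):
        print(f"{h:16} naive={rule_applies_naive(h)!s:5} "
              f"canonical={rule_applies_canonical(h)}")
    print("same origin:", is_same_origin("https://bloomberg.com/",
                                         "https://bloomberg.com./"))
```

The naive rule is the failure mode described above: a layer that matches on the literal Host header simply never fires for the dotted name, while the rest of the chain (DNS, routing by path) serves the request normally. Canonicalising the host before any host-keyed decision, including whatever keys the per-host counters and storage mentioned further down the thread, is the check worth running against your own sites.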


New to me and I've been programming web for quite a while. I've only ever seen that final "." in DNS records, it never occurred to me that it would affect logic within the site.


The trailing "." becomes practically important if you have a client that believes in DNS search suffixes (yuck!). I imagine it might have some effect in this particular case if the user-agent includes the dot in the "Host" HTTP request header and it thus evades some non-canonicalizing layer of Bloomberg's paywall thing, while still being a perfectly okay request to the rest of the chain.


You know what’s also missing if you go to bloomberg.com./? All of the ads, and the animated stock ticker. I’m on mobile so didn’t dig into it further, but I bet that all JS loaded on request from another domain (probably including the paywall) is absent or broken.

The site itself loads fine though, because DNS still works and whatever routing layer in their app probably doesn’t care about the domain, just the path that follows it.


I once got a verbal C&D from a Novell web dev because they answered to any domain and I pointed (as a joke) a domain to their IP. Google ended up indexing, and customers were asking what 'reallystrangedomain.com' was when they searched for Novell error messages.

They asked me to stop 'mirroring' their content, and didn't understand I was just pointing my domain to their servers. I stopped, but part of me didn't want to.

Edit: Looks like archive.org picked it up: http://web.archive.org/web/20110623134639/http://thebergenef...


It shouldn't. It is the fault of hacky protocols like HTTPS that conflate routing with identity. If we had DNSSEC and IPSEC from the beginning, it wouldn't have been necessary to do it at the application level.


The browser's same-origin-policy would still exist the same way without HTTPS.


I tried it and it only gives me a separate counter (i.e. 3 free articles on "bloomberg.com." in addition to the ones on "bloomberg.com".) This makes me suspect local storage or cookies.


For anyone else that’s confused, TLS = thread local storage


Yes, sorry, I figured that in this thread (eyyyyyy) it would be unambiguous, but probably should have elaborated anyway. Thanks.


"apps my mom could build" kind of describes Excel workbooks. People effectively use Excel to build (highly constrained) GUIs for processing data using custom logic that they specify themselves. And Excel's popularity speaks for itself, it's completely pervasive. So that's the answer; the audience isn't programmers, it's the office workers all over the world currently using Excel to automate office tasks and want a better delivery mechanism than a shared Excel file on the office LAN. That's such a big pie that even capturing a small slice of it might be a reasonably profitable endeavor.


You are spot on. I know a ton of people who fit your description. I wish this were higher up the comment stack. So many people are missing this simple viewpoint.


The .NET standard library docs are a thing of beauty because they intermingle autogenerated javadoc-style documentation with generally well-written freeform "remarks" sections that include more general explanations, context, and code samples.


>Don't all great projects start young and gain interested folks to make it widely used?

The counterpoint to this is that making a robust cross-platform GUI library is a massive endeavor and there is a veritable mountain of cross-platform gui projects out there and overwhelmingly they end up as never-finished abandoned projects. The exceptions like Qt and electron that actually succeeded tend to have large organizations behind them.


sort/index the db table by string length, start your search with the closest length strings (bigger and smaller) and then stop if you find a levenshtein distance that's smaller than the length difference between the key and the next closest length string? In many (most?) cases you'd still end up searching the whole table but at least in some cases you could end the search early.
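The idea in the comment above works because the length difference between two strings is a lower bound on their Levenshtein distance. Here is an added Python example implementing it, constructed for this thread and not taken from any project: the "table" is an in-memory list sorted by length (standing in for a length index on a db column), and `ROWS` is made-up sample data.

```python
"""Nearest-string search with early termination on string length.

Uses the bound |len(a) - len(b)| <= levenshtein(a, b): once the best
distance found so far is no larger than the length gap to every row not yet
examined, no remaining row can beat it.  Constructed example.
"""
from bisect import bisect_left


def levenshtein(a, b):
    """Classic two-row dynamic-programming edit distance."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


class LengthIndexedTable:
    """Rows kept sorted by length, as the 'sort/index by string length' step."""

    def __init__(self, rows):
        self.rows = sorted(rows, key=len)
        self.lengths = [len(r) for r in self.rows]

    def nearest(self, key):
        """Return (best_row, distance, rows_examined).

        Two cursors walk outward from the rows whose length is closest to
        len(key): `lo` towards shorter strings, `hi` towards longer ones.
        The search stops as soon as the smallest length gap among the
        unexamined rows is >= the best distance found, since that gap is a
        lower bound on their distance.
        """
        n = len(self.rows)
        if n == 0:
            return None, None, 0
        hi = bisect_left(self.lengths, len(key))
        lo = hi - 1
        best_row, best, examined = None, float("inf"), 0
        while lo >= 0 or hi < n:
            gap_lo = len(key) - self.lengths[lo] if lo >= 0 else float("inf")
            gap_hi = self.lengths[hi] - len(key) if hi < n else float("inf")
            if min(gap_lo, gap_hi) >= best:
                break                       # early termination
            if gap_lo <= gap_hi:            # next-closest length is shorter
                row, lo = self.rows[lo], lo - 1
            else:                           # next-closest length is longer
                row, hi = self.rows[hi], hi + 1
            examined += 1
            d = levenshtein(key, row)
            if d < best:
                best_row, best = row, d
                if best == 0:
                    break
        return best_row, best, examined


def brute_force(rows, key):
    """Reference: scan every row (what the indexed search must agree with)."""
    return min(rows, key=lambda r: levenshtein(key, r))


# Constructed sample data.
ROWS = ["kitchen", "sitting", "kit", "mitten", "bitten", "a",
        "sittingroom", "knitting"]


def demo(key="kitten"):
    return LengthIndexedTable(ROWS).nearest(key)


if __name__ == "__main__":
    row, dist, seen = demo()
    print(f"nearest={row!r} distance={dist} examined={seen}/{len(ROWS)}")
```

For the key `kitten` the indexed search examines only the two length-6 rows before the length gap to everything else reaches the best distance already found (1), whereas the brute-force scan computes all eight distances. As the comment says, an unlucky key (nothing close at the nearest lengths) still degrades to scanning the whole table.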


Spotify vs Google Play Music is the perfect showcase for this. They both get the job done but Spotify is better in so many small ways. Meanwhile, instead of being improved, GPM is in the process of being abandoned for the new shiny thing, Youtube Music.


> Spotify vs Google Play Music is the perfect showcase for this. They both get the job done but Spotify is better in so many small ways. Meanwhile, instead of being improved, GPM is in the process of being abandoned for the new shiny thing, Youtube Music.

What degradation have you noticed that makes you think it is being abandoned?


When they shut down the artist portal they said this:

> With the launch of YouTube Music last year, we eventually plan to replace Google Play Music with YouTube Music. In anticipation of this change, we are shutting down the Artist Hub.

Source:

https://9to5google.com/2019/04/03/google-play-music-shutdown...


Ah I had not seen this. Thank you!


I've been looking for an alternative to Google Play Music. I only use it to sync my albums from my pc to my phone and play them offline in the car. Does Spotify have a feature like that?

Edit: It looks like you have to pay for it and the music has to be in playlists. Not quite what I'd like.


I believe Spotify allows you to upload 10,000 tracks.


what about local filesystem access, os integration, and all the other things that you expect a desktop app to be able to do (like in this case executing a separate binary) which violate the security models of browsers?


App becomes a local backend server that has privileged access to the machine (with control over what it accesses, maybe give it a specific user), and a web UI to access the app.

Someone in the tree of replies for your parent explained and was contemplating actually going through with it.

