this post was submitted on 30 Jan 2025
191 points (96.6% liked)

Technology


AI summary:

The article discusses two new side-channel speculative execution attacks targeting Apple silicon, named SLAP and FLOP. These attacks were presented by security researchers from the Georgia Institute of Technology and Ruhr University Bochum.

  • SLAP (Data Speculation Attacks via Load Address Prediction): Exploits Apple Silicon's Load Address Predictor, potentially leaking information like emails and browsing history.
  • FLOP (False Load Output Predictions): Exploits Apple Silicon's Load Value Predictor, potentially leaking sensitive data like credit card information and location history.

Apple has acknowledged these vulnerabilities but stated they do not pose an immediate risk to users. The researchers have not observed these attacks in the wild yet. Users can mitigate risks by disabling JavaScript in Safari, though this may cause compatibility issues with websites.

top 19 comments
[–] Deceptichum@quokk.au 76 points 6 days ago (3 children)

Disabling JavaScript is a bold ask.

[–] Ugurcan@lemmy.world 12 points 5 days ago

I have a better proposal: let's disable JavaScript in its entirety so it wouldn't require 8 GB RAM and a 2 GHz multicore CPU on my mobile device that runs on battery, to send a simple 'hello' to my friends.

[–] homesweethomeMrL@lemmy.world 10 points 6 days ago

Didn't use to be.

[–] gofsckyourself@lemmy.world 6 points 6 days ago* (last edited 6 days ago) (1 children)

uMatrix makes this easy. Made by the creator of uBlock Origin.

[–] PhoenixAlpha@lemmy.ca 5 points 5 days ago (1 children)

uMatrix isn't maintained anymore, but you can actually do this directly in uBO now!

https://github.com/gorhill/uBlock/wiki/Per-site-switches#no-scripting

[–] gofsckyourself@lemmy.world 2 points 5 days ago* (last edited 3 days ago)

Oh wow. Yeah, it hasn't been updated for 6 years. Damn, I didn't realize how long I've been using it.

Update: I've been using this feature in uBlock for a couple of days as a replacement, and it's really nowhere near the same as uMatrix. I might just keep using uMatrix until it stops working.

[–] kibiz0r@midwest.social 21 points 6 days ago

Another day, another speculative execution attack

[–] Lost_My_Mind@lemmy.world 23 points 6 days ago (3 children)

Me: Reads headline.

Also me: I have no idea what this headline is supposed to be warning me of. Of COURSE you'd get slapped if you went up to someone and flopped out your apples.

[–] TimeSquirrel@kbin.melroy.org 17 points 6 days ago (1 children)

When modern CPUs execute instructions, they try to make a best guess as to what the next instruction or data it needs will be while it's still executing the first, to speed things up so it doesn't have to wait until the entire instruction execution cycle is complete to start retrieving the next one from memory. These exploits force it to guess wrong, potentially pulling sensitive data out of memory and making it accessible to processes which usually can't access it.

[–] barsoap@lemm.ee 1 points 5 days ago* (last edited 5 days ago)

a best guess as to what the next instruction or data it needs will be

More precisely it's speculating on the results of a yet to be executed (but already known) instruction, e.g. whether a branch will be taken or not, and begins to execute instructions in that branch before the final verdict of whether it will be taken is done. If it guessed right, it can just continue, if it guessed wrong, it has to cover its tracks, making sure that what it did is in no way observable. It's the latter part, "in no way observable", that all these security failures are about: If you can somehow observe that stuff, you might be able to observe stuff you're not supposed to see because the branch speculatively taken was "nope, you're not allowed to do this".

All that might be hard to grasp without an understanding of how modern CPUs execute instructions, which very much is not "an instruction at a time". Computerphile has excellent videos about pipelining and branch prediction.

[–] rkk@lemmy.world 14 points 6 days ago (1 children)

You will be slapped with a floppy

[–] Xatolos@reddthat.com 11 points 6 days ago* (last edited 6 days ago) (1 children)
[–] Sorse@discuss.tchncs.de 9 points 6 days ago (1 children)
[–] homesweethomeMrL@lemmy.world 1 points 6 days ago

*ba-dum. tisshh*

[–] catloaf@lemm.ee -1 points 6 days ago

You know you can click that headline and read the article for more information. You don't have to live in ignorance.

[–] leaky_shower_thought@feddit.nl 13 points 6 days ago (1 children)

I had to double check. Yes, it is a SLAP with a silent d and a. What a great name.

[–] Zykino@programming.dev 5 points 5 days ago

From the article's own summary.

False Load Output Prediction and Speculative Load Address Prediction allow for data leaks without malware infection

But I guess "IA summary" did its best ¯\_(ツ)_/¯

[–] rottingleaf@lemmy.world 4 points 6 days ago

Oh no! We can't live without overengineered pieces of silicon made via processes more complex than anything in history, with enormous computing power being used to display our porn and cat pics. We need more performance! And we need even more complex CPUs.

Everyone is different. I could live with things from year 2005. Except they were expensive and not everyone had them. I would want people to have necessities and simple, sturdy, cheap, weak tech to fulfill their needs and nothing more. Not lack some things and have far too powerful tools for other things.

[–] mlg@lemmy.world 3 points 5 days ago

I don't know if Mac has something similar, but you can run a command on Linux to list all the CPU vuln mitigations applied, and it's hilarious to see on something old like a Skylake or Haswell with the amount of patches that have dropped since release.
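The Linux check the comment above refers to, written out as an added example (not code from the thread or from the SLAP/FLOP researchers): the kernel exposes one file per known CPU issue under /sys/devices/system/cpu/vulnerabilities/, each holding a one-line status such as "Not affected", "Mitigation: ..." or "Vulnerable". The functions take the directory as a parameter, and the sample tree built by make_sample_tree uses constructed values, so the script also runs on machines without that sysfs directory.

```shell
#!/bin/sh
# Added example: summarize the kernel's per-issue CPU vulnerability status.
# Real location on Linux; the functions accept another directory for testing.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# mitigation_summary [DIR]: print "<issue>: <status>" for every file in DIR.
mitigation_summary() {
    dir="${1:-$VULN_DIR}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue        # empty dir: the glob stays literal, skip it
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# count_vulnerable [DIR]: print how many issues report "Vulnerable" (no mitigation).
count_vulnerable() {
    dir="${1:-$VULN_DIR}"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# make_sample_tree: create a directory of constructed status files (values made up
# for this example, not taken from any real machine) and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Not affected\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/mds"
    echo "$d"
}

if [ -d "$VULN_DIR" ]; then
    echo "== this machine =="
    mitigation_summary
    echo "unmitigated: $(count_vulnerable)"
else
    sample=$(make_sample_tree)
    echo "== constructed sample ($sample) =="
    mitigation_summary "$sample"
    echo "unmitigated: $(count_vulnerable "$sample")"
    rm -rf "$sample"
fi
```

On a real Linux box the status lines also name the mitigation technique in use (retpolines, microcode, barriers), which is what makes an old Skylake or Haswell read like a changelog; a count of "Vulnerable" entries greater than zero is the thing worth alerting on in a fleet check.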