[Python-Dev] SEC: Spectre variant 2: GCC: -mindirect-branch=thunk -mindirect-branch-register

Steve Dower steve.dower at python.org
Mon Sep 17 12:44:03 EDT 2018 

I investigated this thoroughly some time ago (when the MSVC flags became 
available) and determined (with the help of some of the original 
Spectre/Meltdown investigation team) that there is no significant value 
in enabling these flags for Python.

It boiled down to:
* Python allows arbitrary code execution by design
* Pure Python code in CPython has very long per-instruction opcode 
sequences that cannot easily be abused or timed
* Injected pure Python code cannot be coerced into generating native 
code that is able to abuse Spectre/Meltdown but not able to abuse other 
attacks more easily
* Code injection itself is outside of this particular threat model

By comparison with JavaScript, most JS JITs can be easily coerced into 
generating specific native code that can break sandbox guarantees (e.g. 
browser tabs). Python offers none of these guarantees.

Distributors are of course free to enable these flags for their own 
builds, but I recommend against it for the official binaries, and would 
suggest that it's worth more PR than actual security and nobody else 
needs to enable it either.

(Extension authors with significant scriptable C code need to perform 
their own analysis. I'm only talking about CPython here.)

Cheers,
Steve

On 16Sep2018 0707, Wes Turner wrote:
> Should Python builds add `-mindirect-branch=thunk 
> -mindirect-branch-register` to CFLAGS?
> 
> Where would this be to be added in the build scripts with which 
> architectures?
> 
> /QSpectre is the MSVC build flag for Spectre Variant 1:
> 
>  > The /Qspectre option is available in Visual Studio 2017 version 15.7 
> and later.
> 
> https://docs.microsoft.com/en-us/cpp/build/reference/qspectre?view=vs-2017
> 
> security@ directed me to the issue tracker / lists,
> so I'm forwarding this to python-dev and python-ideas, as well.
> 
> # Forwarded message
> From: *Wes Turner* <wes.turner at gmail.com <mailto:wes.turner at gmail.com>>
> Date: Wednesday, September 12, 2018
> Subject: SEC: Spectre variant 2: GCC: -mindirect-branch=thunk 
> -mindirect-branch-register
> To: distutils-sig <distutils-sig at python.org 
> <mailto:distutils-sig at python.org>>
> 
> 
> Should C extensions that compile all add
> `-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate the 
> risk of Spectre variant 2 (which does indeed affect user space 
> applications as well as kernels)?
> 
> [1] 
> https://github.com/speed47/spectre-meltdown-checker/issues/119#issuecomment-361432244 
> <https://github.com/speed47/spectre-meltdown-checker/issues/119#issuecomment-361432244>
> [2] https://en.wikipedia.org/wiki/Spectre_(security_vulnerability) 
> <https://en.wikipedia.org/wiki/Spectre_%28security_vulnerability%29>
> [3] 
> https://en.wikipedia.org/wiki/Speculative_Store_Bypass#Speculative_execution_exploit_variants 
> <https://en.wikipedia.org/wiki/Speculative_Store_Bypass#Speculative_execution_exploit_variants>
> 
>     On Wednesday, September 12, 2018, Wes Turner <wes.turner at gmail.com
>     <mailto:wes.turner at gmail.com>> wrote:
> 
>         On Wednesday, September 12, 2018, Joni Orponen
>         <j.orponen at 4teamwork.ch <mailto:j.orponen at 4teamwork.ch>> wrote:
> 
>             On Wed, Sep 12, 2018 at 8:48 PM Wes Turner
>             <wes.turner at gmail.com <mailto:wes.turner at gmail.com>> wrote:
> 
>                 Should C extensions that compile all add
>                 `-mindirect-branch=thunk -mindirect-branch-register` [1]
>                 to mitigate the risk of Spectre variant 2 (which does
>                 indeed affect user space applications as well as kernels)?
> 
> 
>             Are those available on GCC <= 4.2.0 as per PEP 513?
> 
> 
>         AFAIU, only
>         GCC 7.3 and 8 have the retpoline (indirect-branch=thunk) support
>         enabled by the `-mindirect-branch=thunk
>         -mindirect-branch-register` CFLAGS.
> 
> 
>   On Wednesday, September 12, 2018, Wes Turner <wes.turner at gmail.com 
> <mailto:wes.turner at gmail.com>> wrote:
> 
>     "What is a retpoline and how does it work?"
>     https://stackoverflow.com/questions/48089426/what-is-a-retpoline-and-how-does-it-work
>     <https://stackoverflow.com/questions/48089426/what-is-a-retpoline-and-how-does-it-work>
> 
> 
> 
> 
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/steve.dower%40python.org
>

More information about the Python-Dev mailing list