Paranoid jails/sandboxes inside a virtual machine may mitigate a lot
the risk for those untrusted binaries, right? Plus using a debugger
and maybe an antivirus (I don't trust them so much and prefer to
isolate them too)?
What about already built software? Can those be "fixed"? What about
GLibC? What about some kind of patching or conversion?
2018-01-04 23:04 GMT-05:00 Ian Lance Taylor via gcc :
> On Thu, Jan 4, 2018 at 7:14 PM, Zan Lynx wrote:
>>
>> On January 4, 2018 8:10:14 PM MST, Eric Gallager
>> wrote:
>>>Is there anything GCC could be doing at the compiler level to mitigate
>>>the recently-announced Meltdown and Spectre vulnerabilities? From
>>>reading about them, it seems like they involve speculative execution
>>>and indirect branch prediction, and those are the domain of things the
>>>compiler deals with, right? (For reference, Meltdown is CVE-2017-5754,
>>>and Spectre is CVE-2017-5753 and CVE-2017-5715)
>>>
>>>Just wondering,
>>>Eric
>>
>> If you're allowing people to run untrustworthy machine code on your hardware
>> there's nothing a compiler can do to help. You'd need to make them use your
>> compiler, and why would they?
>>
>> So anyone offering shell accounts or virtual machines is out of luck.
>
> For the Spectre attack, a compiler can help by using it to compile
> accessible programs in such a way that they are not vulnerable to the
> attack.
>
> Ian
