Vulnerable to Spectre + Meltdown about halite HOT 5 CLOSED

The whole system needs to be protected.

Exactly.

It looks like this was answered in the libsodium repository, so, I'm going to close this issue.

from halite.

On the surface it would see that the answer to this question is "probably no", however I wonder if the great effort that libsodium has go to, in order to protect memory space; that this library and other libsodium projects are immune or "not as vulnerable" to these types of attacks.

That would be a good answer for the libsodium repo but I think you're right that the answer is "probably no" since the problem exists much lower than a userspace library.

from halite.

"A tiny tiny tiny bit". libsodium, even in the stable branch, will try to use the retpoline trick if the compiler supports it (currently only clang, and if the flags to do so doesn't change), to provide some mitigation against CVE-2017-5715.

But this is clearly insufficient. The whole system needs to be protected.

from halite.

Good call @paragonie-scott, I just asked over in jedisct1/libsodium#659.

I expect all the information here is probably as complete as it can be with current information that's been made available on the internet, so I don't entirely expect any different of an answer.

I would love to see proof of concept code on these issues so we could actually do a real world test.

from halite.

Just a followup since I spent the weekend with people working on LLVM and Spectre mitigations.

What requires to be recompiled ia anything that allows untrusted users to execute arbitrary code, or rather, trigger speculative reads to arbitrary memory locations.

The kernel absolutely requires to be protected. Along with web browsers and anything embedding JITs and bytecode interpreters.

Everything else... not so much.

from halite.