CPU vulnerabilities and web JavaScript

From: Kernel User
Date: Sun Dec 08 2019 - 14:51:24 EST

Next message: Al Viro: "Re: [PATCH] fs: fix use-after-free in __fput() when a chardev is removed but a file is still open"
Previous message: Al Viro: "Re: [PATCH] fs: fix use-after-free in __fput() when a chardev is removed but a file is still open"
Next in thread: Kernel User: "Re: CPU vulnerabilities and web JavaScript"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello kernel developers!

I have been looking for information but I couldn't find the answers I
need, so thought it might be best to ask the experts first hand.

As soon as Spectre and Meltdown were announced in early 2018 I got
paranoid. I am not a programmer per se but my understanding is that the
main security mechanism in computers (isolation) is not reliable any
more and there is no fix for it - only mitigations which are not
available for all vulnerabilities and for all CPUs.

So I instantly blocked all web JavaScript in browsers. I don't want
anything creepy reading the contents of my RAM, my passwords, keys or
anything else in a way which it is not supposed to. However without JS
web (and life) is difficult and for some sites (e.g. online payments) I
must use JS.

So what I do:

To minimize the chance of any JS reading anything important from the
contents of my RAM I "simulate single tasking":

1. Close all open programs

2. Clean clipboard contents

3. Lock any open keyrings

4. Enable JS for the particular website only (one window, one tab,
incognito mode, all history/cache cleared beforehand)

5. Do what I need on the site as quickly as possible.

6. Close the browser

Of course there are the processes running in background. I am also
aware that closing a program doesn't necessarily mean it wipes the
memory it has used but simply makes it available for other apps (i.e.
memory contents may still be vulnerable). I also have no idea whether
the login credentials (of the current system user I am logged in as)
are somewhere in a vulnerable RAM zone. IOW I realize my approach is
incomplete.

So my questions to the experts here are:

(1) Is what I do reasonable, meaningful and does it actually provide
any additional security? (assume a CPU with, or without mitigations)

(2) As experts knowing the intricacies of all that, what is your
approach and recommendations regarding usage of web JavaScript?

*NOTE: I am aware that web-JS, even without vulnerabilities, has
additional privacy implications but I am asking only in relation to CPU
vulnerabilities.

Sorry for the long message.
I really hope you could shed some light on the subject!

Next message: Al Viro: "Re: [PATCH] fs: fix use-after-free in __fput() when a chardev is removed but a file is still open"
Previous message: Al Viro: "Re: [PATCH] fs: fix use-after-free in __fput() when a chardev is removed but a file is still open"
Next in thread: Kernel User: "Re: CPU vulnerabilities and web JavaScript"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]