> Part of their defense against cpu side channel attacks was the narrow execution limits;
Some people have claimed narrow execution limits provide a defense, but we on the Workers team don't believe that's true and I don't think we've made that claim. Specifically, it's easy for an attacker to store state between requests and so continue an attack across many requests. In our current implementation, you can store that state in global variables, but even if we wiped the worker's state after every request, it would still be easy for an attacker to store their state remotely.
We'll be posting more about Spectre later this week.
> That was also how they prevented v8 from allocating tons of memory.
No, we explicitly limit V8 memory usage independent of CPU time.
> No, we explicitly limit V8 memory usage independent of CPU time.
Ok! I hadn't just gotten that from one of your talks on Workers: you had said v8 doesn't really offer a useful hook to limit memory usage, as it aborted the process rather than just stopping the isolate, and that the CPU resource limit was thereby an important part of the memory limitation (as, with the exception of typed arrays, using memory in JavaScript requires code to actively set memory). If you did change this, it makes me all the more interested in the changes you are making in v8 ;P (though it is also possible these changes were actually just part of upstream and I failed to notice).