jsnbuchanan
/
crowd-funder-for-time-pwa
forked from trent_larson/crowd-funder-for-time-pwa
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
timesafari
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3573 Commits
57 Branches
0 Tags
51 MiB
 
 
 
Tree: 0a0a17ef9c
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0a0a17ef9c'
${ noResults }
crowd-funder-for-time-pwa/doc/sharebufferarray_spectre_se...

4.0 KiB
Raw Blame History

SharedArrayBuffer, Spectre, and Cross-Origin Isolation Concerns

1. Introduction to SharedArrayBuffer

Overview

  • SharedArrayBuffer is a JavaScript object that enables shared memory access between the main thread and Web Workers.
  • Unlike ArrayBuffer, the memory is not copied between threads—allowing true parallelism.
  • Paired with Atomics, it allows low-level memory synchronization (e.g., locks, waits).

Example Use

const sab = new SharedArrayBuffer(1024);
const sharedArray = new Uint8Array(sab);
sharedArray[0] = 42;

2. Browser Security Requirements

Security Headers Required to Use SharedArrayBuffer

Modern browsers restrict access to SharedArrayBuffer due to Spectre-class vulnerabilities.

The following HTTP headers must be set to enable it:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

HTTPS Requirement

  • Must be served over HTTPS (except localhost for dev).
  • These headers enforce cross-origin isolation.

Role of CORS

  • CORS alone is not sufficient.
  • However, embedded resources (like scripts and iframes) must still include proper CORS headers if they are to be loaded in a cross-origin isolated context.

3. Spectre Vulnerability

What is Spectre?

  • A class of side-channel attacks exploiting speculative execution in CPUs.
  • Allows an attacker to read arbitrary memory from the same address space.

Affected Architectures

  • Intel, AMD, ARM — essentially all modern processors.

Why It's Still a Concern

  • It's a hardware flaw, not just a software bug.
  • Can't be fully fixed in software without performance penalties.
  • New Spectre variants (e.g., v2, RSB, BranchScope) continue to emerge.

4. Mitigations and Current Limitations

Browser Mitigations

  • Restricted precision for performance.now().
  • Disabled or gated access to SharedArrayBuffer.
  • Reduced or removed fine-grained timers.

OS/Hardware Mitigations

  • Kernel Page Table Isolation (KPTI)
  • Microcode updates
  • Retpoline compiler mitigations

Developer Responsibilities

  • Avoid sharing sensitive data across threads unless necessary.
  • Use constant-time cryptographic functions.
  • Assume timing attacks are still possible.
  • Opt into cross-origin isolation only when absolutely required.

5. Practical Development Notes

Using SharedArrayBuffer Safely

  • Ensure the site is cross-origin isolated:
    • Serve all resources with appropriate CORS policies (Cross-Origin-Resource-Policy, Access-Control-Allow-Origin)
    • Set the required COOP/COEP headers
  • Validate support using:
if (window.crossOriginIsolated) {
    // Safe to use SharedArrayBuffer
}

Testing and Fallback

  • Provide fallbacks to ArrayBuffer if isolation is not available.
  • Document use cases clearly (e.g., high-performance WebAssembly applications or real-time audio/video processing).

6. Summary of Concerns and Advisements

Topic Concern / Consideration Advisory
Shared Memory Can expose sensitive data across threads Use only in cross-origin isolated environments
Spectre Vulnerabilities Still viable, evolving with new attack vectors Do not assume complete mitigation; minimize attack surfaces
Cross-Origin Isolation Required for SharedArrayBuffer Must serve with COOP/COEP headers + HTTPS
CORS Not sufficient alone Must combine with full isolation policies
Developer Security Practices Timing attacks and shared state remain risky Favor safer primitives; avoid unnecessary complexity