jsnbuchanan/crowd-funder-for-time-pwa
1
0
Fork 1
forked from trent_larson/crowd-funder-for-time-pwa
Code Issues Pull Requests Projects Releases Wiki Activity
Files
d265a9f78c5f415e37b5a89ad8add52d43e94200
crowd-funder-for-time-pwa/doc/sharebufferarray_spectre_security.md
Matthew Raymer 2d17bfd3b4 docs: comprehensive documentation updates and modernization 
- Update BUILDING.md with current build system information
- Modernize various README files across the project
- Update CHANGELOG.md with recent changes
- Improve documentation consistency and formatting
- Update platform-specific documentation (iOS, Electron, Docker)
- Enhance test documentation and build guides
2025-08-20 13:02:01 +00:00

110 lines
4.0 KiB
Markdown
Raw Blame History

# SharedArrayBuffer, Spectre, and Cross-Origin Isolation Concerns
## 1. Introduction to SharedArrayBuffer
### Overview
- `SharedArrayBuffer` is a JavaScript object that enables **shared memory** access between the main thread and Web Workers.
- Unlike `ArrayBuffer`, the memory is **not copied** between threads—allowing **true parallelism**.
- Paired with `Atomics`, it allows low-level memory synchronization (e.g., locks, waits).
### Example Use
```js
const sab = new SharedArrayBuffer(1024);
const sharedArray = new Uint8Array(sab);
sharedArray[0] = 42;
```
## 2. Browser Security Requirements
### Security Headers Required to Use SharedArrayBuffer
Modern browsers **restrict access** to `SharedArrayBuffer` due to Spectre-class vulnerabilities.
The following **HTTP headers must be set** to enable it:
```
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
```
### HTTPS Requirement
- Must be served over **HTTPS** (except `localhost` for dev).
- These headers enforce **cross-origin isolation**.
### Role of CORS
- CORS **alone is not sufficient**.
- However, embedded resources (like scripts and iframes) must still include proper CORS headers if they are to be loaded in a cross-origin isolated context.
## 3. Spectre Vulnerability
### What is Spectre?
- A class of **side-channel attacks** exploiting **speculative execution** in CPUs.
- Allows an attacker to read arbitrary memory from the same address space.
### Affected Architectures
- Intel, AMD, ARM — essentially **all modern processors**.
### Why It's Still a Concern
- It's a **hardware flaw**, not just a software bug.
- Can't be fully fixed in software without performance penalties.
- New Spectre **variants** (e.g., v2, RSB, BranchScope) continue to emerge.
## 4. Mitigations and Current Limitations
### Browser Mitigations
- **Restricted precision** for `performance.now()`.
- **Disabled or gated** access to `SharedArrayBuffer`.
- **Reduced or removed** fine-grained timers.
### OS/Hardware Mitigations
- **Kernel Page Table Isolation (KPTI)**
- **Microcode updates**
- **Retpoline** compiler mitigations
### Developer Responsibilities
- Avoid sharing sensitive data across threads unless necessary.
- Use **constant-time cryptographic functions**.
- Assume timing attacks are **still possible**.
- Opt into **cross-origin isolation** only when absolutely required.
## 5. Practical Development Notes
### Using SharedArrayBuffer Safely
- Ensure the site is **cross-origin isolated**:
- Serve all resources with appropriate **CORS policies** (`Cross-Origin-Resource-Policy`, `Access-Control-Allow-Origin`)
- Set the required **COOP/COEP headers**
- Validate support using:
```js
if (window.crossOriginIsolated) {
// Safe to use SharedArrayBuffer
}
```
### Testing and Fallback
- Provide fallbacks to `ArrayBuffer` if isolation is not available.
- Document use cases clearly (e.g., high-performance WebAssembly applications or real-time audio/video processing).
## 6. Summary of Concerns and Advisements
| Topic | Concern / Consideration | Advisory |
|-------------------------------|------------------------------------------------------|--------------------------------------------------------|
| Shared Memory | Can expose sensitive data across threads | Use only in cross-origin isolated environments |
| Spectre Vulnerabilities | Still viable, evolving with new attack vectors | Do not assume complete mitigation; minimize attack surfaces |
| Cross-Origin Isolation | Required for `SharedArrayBuffer` | Must serve with COOP/COEP headers + HTTPS |
| CORS | Not sufficient alone | Must combine with full isolation policies |
| Developer Security Practices | Timing attacks and shared state remain risky | Favor safer primitives; avoid unnecessary complexity |
Reference in New Issue View Git Blame Copy Permalink