Lowering JavaScript Timer Resolution Thwarts Meltdown and Spectre

The computer security vulnerabilities Meltdown and Spectre can infer protected information based on subtle differences in hardware behavior. It takes less time to access data that has been cached than data that needs to be retrieved from memory, and precisely measuring that time difference is a critical part of these attacks.

Our web browsers present a huge potential surface for attack as JavaScript is ubiquitous on the modern web. Executing JavaScript code will definitely involve the processor cache, and a high-resolution timer is accessible via the browser performance API.

Web browsers can’t change processor cache behavior, but they could take away malicious code’s ability to exploit it. Browser makers are intentionally degrading time measurement capability in the API to make attacks more difficult. These changes are being rolled out for Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer. Apple has announced Safari updates in the near future that are likely to follow suit.

After these changes, the time stamp returned by performance.now will be less precise due to lower resolution. Some browsers are going a step further and degrading the accuracy by adding a random jitter. There will also be degradation or outright disabling of other features that can be used to infer data, such as SharedArrayBuffer.
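The effect of a lower-resolution, jittered time stamp can be modeled in a few lines. This is an added example, not code from the article or from any browser: the 20 µs step, the jitter scheme, the fake clock and the "cached"/"uncached" durations are all constructed values chosen for illustration.

```javascript
// Added example: a model of a coarsened clock, not any browser's real code.
// Times are integer nanoseconds so the arithmetic is exact.

// Clamp a raw timestamp down to a multiple of the resolution. If `rand` is
// given, add one extra step half of the time to model random jitter
// (an assumed scheme, for illustration only).
function coarsen(rawNs, resolutionNs, rand = null) {
  const clamped = Math.floor(rawNs / resolutionNs) * resolutionNs;
  if (rand === null) return clamped;
  return clamped + (rand() < 0.5 ? 0 : resolutionNs);
}

// Elapsed time as code would read it through the coarsened clock.
function coarseElapsed(startNs, durationNs, resolutionNs) {
  return coarsen(startNs + durationNs, resolutionNs) - coarsen(startNs, resolutionNs);
}

// Estimate the step size of any clock by sampling until the value changes
// and keeping the smallest non-zero difference seen.
function observedStep(clock, changes = 50, maxCalls = 1e7) {
  let smallest = Infinity;
  let prev = clock();
  let seen = 0;
  for (let i = 0; i < maxCalls && seen < changes; i++) {
    const now = clock();
    if (now !== prev) {
      smallest = Math.min(smallest, now - prev);
      prev = now;
      seen++;
    }
  }
  return smallest;
}

// Constructed demo: a fake raw clock that advances 1000 ns per call, read
// through a 20 µs clamp.
function demo() {
  const RES = 20000;
  let raw = 0;
  const clock = () => coarsen((raw += 1000), RES);
  return {
    step: observedStep(clock),            // the clamp is what the caller sees
    fast: coarseElapsed(40000, 50, RES),  // constructed "cached" access
    slow: coarseElapsed(40000, 300, RES), // constructed "uncached" access
  };
}

console.log(demo());
```

To see what a given browser currently offers, `observedStep(() => performance.now())` can be run in its developer console; the result is in milliseconds there.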

These changes will have no impact for the vast majority of users. The performance API is used by developers to debug sluggish code; the actual run speed is unaffected. Other features like SharedArrayBuffer are relatively new and their absence would go largely unnoticed. Unfortunately, web developers will have a harder time tracking down slow code under these changes.

Browser makers are calling these changes a temporary measure for now, but we won’t be surprised if they become permanent. It is a relatively simple change that blunts the immediate impact of Meltdown/Spectre, and it would also mitigate yet-to-be-discovered timing attacks of the future. If browser makers offer a “debug mode” to restore high precision timers, developers could activate it just for their performance tuning work and everyone should be happy.

This is just one part of the shock wave Meltdown/Spectre has sent through the computer industry. We have broader coverage of the issue here.

The Worst CAD Package Ever is Still Handy

A lot of great schematics wind up on the back of bar napkins or diner place mats. When inspiration strikes, you have to capture it, after all. Today, you are as likely to draw schematics on a computer and there are plenty of options for that; if you can install software your options are almost limitless. And if you have a modern Web browser, there are lots of good options that don’t even require an install.

But what about those times when you need a quick schematic to pop into a presentation? You are on some ancient conference room computer where you can’t install anything and it’s still running a browser that understands the <BLINK> tag? Try out the Klunky Schematic Editor. Your browser will need JavaScript, but that’s about all. No HTML 5 or anything fancy.

Learn 3D Modeling in Your Browser

If you have a 3D printer, it is a good bet you’ve at least seen or heard of Tinkercad. There are pros and cons to doing your design in a Web browser, but Tinkercad is very easy to use and great for making simple objects. However, there are other 3D object designers you can use in your browser, too. Tinkercad is just the one that everyone seems to know about.

I won’t talk much about Tinkercad, but if you haven’t tried it, it is well worth a look. It has a simple system of drawing things and holes. When you merge holes with things you can make lots of shapes. The alignment tools are good, and since Autodesk acquired them (part of its 123d app suite), it isn’t likely they will go under any time soon (which, as you may remember, almost happened).

If you are designing some great new secret invention, you may shy away from cloud-based design programs. But if you are printing out key chains with your coworker’s cat’s name on them, do you really care? Most of these cloud-based programs will work from any computer, so you can quickly do a design in a coffee shop and then go home and print it.

Junkyard Jumbotron is begging for an open source project clone

Idle developers of the world, take inspiration from this project and unite to create your own version. It’s called the Junkyard Jumbotron because it takes many different displays and allows them to be used as one big interactive display. The image above shows a collection of smartphones displaying a test pattern. The pattern is unique for each device and is used to calibrate the display. Using a digital camera, a picture of these test patterns is snapped, then sent to the server. The server calculates the position of each of the screens, then sends the correct slice of a large image back to each phone.

It’s funny that they use the word Junkyard in the name of the software. Each display needs to be able to run a web browser so you can’t just use junk displays. But one nice side effect of the hardware requirements is that you can still do things like panning and zooming as seen in the video after the break. Here’s the real question: can you make this work as an open source project? How about something that can be easily set up to work with a LAMP server?

Lightweight Webkit based browsers

With netbooks being slim and mostly utilitarian, it seems a bit contradictory to use a standard and somewhat bulky web browser with them. After all, we’re trimming down the operating system to perform faster on these little devices, so why not thin out the focal point of the netbook: the browser? Firefox, Chrome, or Safari may be well and great for a full powered desktop or laptop, so how about something a bit more trimmed? Enter the lightweight Webkit based browsers: Arora and Midori.
