This page on VM side channel attack mitigations is scary: https://github.com/firecracker-microvm/firecracker/blob/master/docs/prod-host-setup.md
Using the Linux KVM API seems easy enough, but we have all this hidden danger now.
@kosinus Not really surprising to me. If Spectre/Meltdown communicates anything to us it's that software sandboxes don't really work. Not that we really have anything better in many circumstances.
Processors became increasingly complex in an attempt to extend Moore's law (and we know complex things aren't secure). This was necessary because we never learned to effectively use multiple processors/cores. Had we figured that out, making software faster would simply be a matter of adding cores.
Instead we have complex insecure processors.
You could design it so the only thing you can time is the input (the Functional Reactive Paradigm). Or you can schedule the output.
As for caches I'm not really clear what would help or hurt. But I think keeping the young generation entirely in per-core caches would help.