Kind of feels like apps should opt in to (or out of) mitigations individually. Obviously a web browser needs it, but does Clang? VSCode? Zoom? Probably not.
1) We can't trust people to categorise their own apps, because the incentive for performance over security is a trade-off we've all made time and time again.
2) Efforts to address mandatory access controls have a coloured history here: SELinux and AppArmor both have very low adoption rates, no matter your personal anecdotes.
3) These mitigations are so thorough that it would be more expensive on performance to even _check_ per application than it would be just to enable it everywhere.
Yeah that should be really fast, still. Programs could also opt to just tell the OS "hey don't check this system call from me", on each system call, avoiding any lookup.
The impact of TLB flushing, not just the cost of the flush, is really significant - it's going to take a lot of work to be as expensive within the syscall path.
Nothing, but that only makes reading the malware's memory possible with these exploits. That malware won't be able to access memory of some other process, if that other process is using those flags itself.
Edit: For that to work that flag would have to work on the context switch level. So every time you switch away from a sensitive process, flush all buffers and whatever else, then switch.
This also requires the kernel itself to enable mitigations as necessary when it touches encryption keys before switching back to user space.
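The per-process opt-in the comments above are debating already exists on Linux for two specific mitigations, Speculative Store Bypass Disable and indirect-branch restrictions, through prctl(2). The block below is an added example, not code from anyone in the thread; it assumes Linux kernel headers that expose PR_SET_SPECULATION_CTRL, and it covers only those two controls, not the KPTI/TLB-flush behaviour the thread is speculating about.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#else  /* shim: prctl(2) is Linux-only; report ENOSYS elsewhere */
static int prctl(int op, unsigned long a, unsigned long b, unsigned long c, unsigned long d)
{ (void)op; (void)a; (void)b; (void)c; (void)d; errno = ENOSYS; return -1; }
#endif
/* Fallback constants (values from linux/prctl.h) for headers that lack them. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0          /* Speculative Store Bypass (SSBD) */
#define PR_SPEC_INDIRECT_BRANCH 1          /* indirect branches (STIBP/IBPB)  */
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0) /* per-task control available      */
#define PR_SPEC_ENABLE          (1UL << 1) /* misfeature on  = unmitigated    */
#define PR_SPEC_DISABLE         (1UL << 2) /* misfeature off = mitigated      */
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC  (1UL << 4)
#endif
/* Decode the bitmask PR_GET_SPECULATION_CTRL returns into a short label. */
const char *spec_state_name(long state)
{
    if (state < 0)                      return "query-failed";
    if (state == PR_SPEC_NOT_AFFECTED)  return "not-affected";
    if (state & PR_SPEC_FORCE_DISABLE)  return "mitigated-locked";  /* cannot be undone */
    if (state & PR_SPEC_DISABLE_NOEXEC) return "mitigated-until-exec";
    if (state & PR_SPEC_DISABLE)        return "mitigated";
    if (state & PR_SPEC_ENABLE)         return "unmitigated";
    return "unknown";
}
/* State of one misfeature for the calling task: the bitmask, or -errno. */
long query_spec(int misfeature)
{
    long r = prctl(PR_GET_SPECULATION_CTRL, misfeature, 0, 0, 0);
    return r < 0 ? -errno : r;
}
/* Opt the calling task in to the mitigation. The flag is inherited over fork()
 * and execve(), so a launcher can set it once before exec'ing a sensitive
 * program. Returns 0, or -errno (ENXIO: kernel offers no per-task control). */
int opt_in_mitigation(int misfeature)
{
    return prctl(PR_SET_SPECULATION_CTRL, misfeature, PR_SPEC_DISABLE, 0, 0) ? -errno : 0;
}
```

On a kernel booted with the mitigation forced on or off globally, the set call fails with ENXIO, which is the "no per-application check" case the third point above describes.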