spectre | simple UI for browsing and inspecting diffs | Image Editing library
kandi X-RAY | spectre Summary
Spectre is a web application to diff screenshots. It's heavily influenced by VisualReview, BackstopJS and Wraith. Read more about how we use it at Friday in our blog post: How we do visual regression testing.
Community Discussions
Trending Discussions on spectre
QUESTION
Some weird stuff here. I'm trying to build a KMDF sample driver with VS2019 16.11.5 and WDK 10.0.19041.685 (also called version 2004 Dec 2020 update).
First, I got compilation error saying that I need to download Spectre-mitigated MSVC library.
Well, I try it, but got a new problem. The VS2019(16.11.5) installer does not show MSVC Spectre-mitigated MSVC library version for exact 16.11. Looks like the latest one it provides is 16.10 (🙁).
Download the 16.10 one and resume trying, still compilation error.
I peek into my D:\VSIDE\VS2019\VC\Tools\MSVC folder, and see two versions of MSVC libs listed, 14.29.30133 and 14.29.30037. The latter is the one with spectre libs (so it's 600MB+ larger).
However, the KMDF build tool insists to find MSVC libs in the newer 14.29.30133 folder, so Spectre-mitigated libs still CANNOT be found.
I know I can manually copy the required files from 14.29.30037 to 14.29.30133 to make things go on. BUT is it the decent way to do so, or is it a Microsoft toolset bug?
I'd like to ask how other kernel driver developers solve this issue. Thank you.
...ANSWER
Answered 2022-Feb-11 at 14:55
Well, several days later, I find out two workarounds for this issue.
First, as Hans Passant stated, disable the Spectre lib in .vcxproj. This can be configured from UI.
Second, explicitly select a MSVC library version for current project. This can also be configured in project settings UI.
==== 2022.02.11 UPDATE ====
Finally got it, the Spectre-lib with version number 14.29.30133 is called "(Latest)", so it is listed above the oldest version, and this defeats the novice. Use this and problem solved.
Sure, it is stupid enough to mark it as merely "(Latest)". He should have named it "MSVC v142 - VS2019 C++ x64/x86 Spectre-mitigated libs (v14.29-16.11)(Latest)".
QUESTION
I am trying to understand the reasoning behind this particular suggestion in Visual Studio 2022, as it doesn't seem to make sense to me. Here's the simple code:
...ANSWER
Answered 2022-Feb-07 at 05:08
In this case, it is a false positive, as you suspected. This is a rule that sometimes gets used in stricter code bases. (This particular warning is an error in MISRA, for example.)
A lot of warnings are like this... the compiler writers are trying to detect a situation where the behavior of the program is unexpected or unintentional, but the warnings are not always correct. For example,
QUESTION
I've started working with Puppeteer and for some reason I cannot get it to work on my box. This error seems to be a common problem (SO1, SO2) but all of the solutions do not solve this error for me. I have tested it with a clean node package (see reproduction) and I have taken the example from the official Puppeteer 'Getting started' webpage.
How can I resolve this error?
Versions and hardware
...ANSWER
Answered 2021-Nov-24 at 18:42
There's too much for me to put this in a comment, so I will summarize here. Maybe it will help you, or someone else. I should also mention this is for RHEL EC2 instances behind a corporate proxy (not Arch Linux), but I still feel like it may help. I had to do the following to get puppeteer working. This is straight from my docs, but I had to hand-jam the contents because my docs are on an intranet.
I had to install all of these libraries manually. I also don't know what the Arch Linux equivalents are. Some are duplicates from your question, but I don't think they all are:
pango
libXcomposite
libXcursor
libXdamage
libXext
libXi
libXtst
cups-libs
libXScrnSaver
libXrandr
GConf2
alsa-lib
atk
gtk3
ipa-gothic-fonts
xorg-x11-fonts-100dpi
xorg-x11-fonts-75dpi
xorg-x11-utils
xorg-x11-fonts-cyrillic
xorg-x11-fonts-Type1
xorg-x11-fonts-misc
liberation-mono-fonts
liberation-narrow-fonts
liberation-narrow-fonts
liberation-sans-fonts
liberation-serif-fonts
glib2
If Arch Linux uses SELinux, you may also have to run this:
setsebool -P unconfined_chrome_sandbox_transition 0
It is also worth adding dumpio: true to your options to debug. Should give you a more detailed output from puppeteer, instead of the generic error. As I mentioned in my comment, I have this option: ignoreDefaultArgs: ['--disable-extensions']. I can't tell you why because I don't remember. I think it is related to this issue, but also could be related to my corporate proxy.
QUESTION
I'm unable to access my server to enable COOP and COEP headers, but I was able to add them via service worker by using the following script https://github.com/gzuidhof/coi-serviceworker, which registers a service worker that has the headers active.
I need COOP and COEP to enable SharedArrayBuffer, which is restricted to avoid vulnerability to Spectre and Meltdown.
My question is whether adding the https headers via service worker poses a security risk, because the headers are not set at the server level.
At the bottom of this article, it argues that this is not a risk, https://dev.to/stefnotch/enabling-coop-coep-without-touching-the-server-2d3n
But I'd appreciate an explanation to better understand whether the service-worker approach is equivalently secure, or leaves open vulnerabilities.
Thanks!
...ANSWER
Answered 2021-Oct-19 at 16:34
Adding those headers via a service worker is equivalent from a security perspective, and it will enable equivalent functionality. There are a few things to keep in mind, though:
A service worker can't control a client page during the first time a user navigates to a site, or following a shift-reload. Setting these headers via the actual web server is the only way to guarantee that they will apply to those scenarios. Generally speaking, you should be careful to degrade gracefully if there are any features in your main web app that depend on the presence of a service worker.
There's a slight overhead involved with having a service worker controlling a page. If you were responding to requests by going straight to a local cache instead of the network, that would normally outweigh the overhead. Since it does not look like you plan on doing any caching in your service worker, you should feature-detect for navigation preloads and enable it if it's supported. This will mitigate the potential performance impact.
The headers only need to be set on responses that can create a client, like responses for documents or workers. I'd recommend checking in your service worker whether or not the request's destination is for one of those things before calling event.respondWith(). This will help your fetch handler play nicely with any other fetch handlers that might also be registered and which, e.g. respond to subresource requests using a caching strategy. Something like the following should work:
QUESTION
I'm doing some code atm which currently does a request and then goes to another channel, and edits a schedule that adds what the person requested, I am currently working to make it so you can set it up in a discord server instead of my current system (referencing specific discord channels for testing) atm the Mondaymsg string etc. aren't being found by the Monday area on my code, and I don't know what to change to get it to reference, I am an on-the-go learner coder so my code may look bad but I hope I can get some help so I can improve.
...ANSWER
Answered 2021-Oct-11 at 00:51
It looks like you're asking why variables defined in the first IF body aren't accessible in other IF bodies:
QUESTION
A couple of years ago, I wrote and updated our MASM codebase with this macro below to combat Spectre V2.
...ANSWER
Answered 2021-Oct-08 at 07:19
Those compiler options work by generating special asm, whether it's retpolines or lfence or whatever. When you're writing asm by hand, obviously it's still up to you whether to manually include special asm or not.
Changes to OSes are the relevant thing for you. The OS, on a CPU with updated microcode, can defend you from other threads by telling the CPU not to allow branch history from past code to influence future code. (The ability to ask it to do this was added in microcode updates, and usually works by just flushing the branch prediction caches).
Another software thread executing on the other logical core of the same physical core can "attack" your code on most CPUs, because branch predictors are shared. At least in theory; ASLR might make that implausible if both tasks would need to be using the same virtual addresses for their branch targets to prime the predictors.
So in user-space, I think you only need to defend yourself from Spectre if you're worried about code running in the same thread (e.g. a JIT engine running untrusted code inside a browser or JVM has to defend itself) or on the same physical core.
QUESTION
I'd like to use Spectre.Console in an F# console app. I'm trying to convert the Introduction example from C# to F#. Below is my attempt:
ANSWER
Answered 2021-Sep-28 at 14:33
Here's how I solved that issue:
- Explicitly add interface ICommandLimiter to the Command subclasses that use inheritance in the settings from AddSettings.
- Change the AddBranch call to infer the generic argument by only annotating the IConfigurator's type: config.AddBranch("add", fun (add: IConfigurator) -> ...
QUESTION
I want to select paths of a deeply nested map to keep.
For example:
...ANSWER
Answered 2021-Sep-03 at 17:18
There is no simple way to accomplish your goal. The automatic processing implied for the sequence under [:b :c] is also problematic.
You can get partway there using the Tupelo Forest library. See the Lightning Talk video from Clojure/Conj 2017.
I did some additional work in data destructuring that you may find useful building the tupelo.core/destruct macro (see examples here). You could follow a similar outline to build a recursive solution to your specific problem.
A related project is Meander. I have worked on my own version which is like a generalized version of tupelo.core/destruct. Given data like this
QUESTION
I have one Dataframe (or I could make it two dataframes if necessary)
...ANSWER
Answered 2021-Aug-30 at 20:22
Building on an answer given here, you can do the following:
QUESTION
memfd_secret() was merged in the kernel, but I do not see the real security benefit of it. I mean, this has the idea of avoiding sideline attacks, but this is like when the car keys are locked and nobody knows where they are.
AFAIK, the page given to the application simply is not mapped when in kernel mode, but this can't be used to isolate a virus, or whatever of the kernel itself.
How is it supposed to be safer to isolate a range of memory of the kernel?
Could someone provide a code example showing how this protects of spectre or like that?
Update
...ANSWER
Answered 2021-Aug-21 at 23:27
memfd_secret() allows a user-space process to have a "secret" memory area. In this context, "secret" means that other processes cannot have access to that memory area (not even the kernel itself, or at least not by accident).
This syscall allows a process to store confidential information (like a password or a private key) in a more secure way, because it's harder for a malware to access that secret memory area. This syscall should also protect from vulnerabilities like Spectre, because the secret memory area is uncached; and should also protect (albeit not completely, but at least partially) from kernel bugs, since the kernel has no access to that memory area.
In order to use this syscall (that will be available in Linux 5.14), you first make a call to memfd_secret() in order to obtain a file descriptor; then you make a call to ftruncate() in order to choose the size of the secret memory region; and finally you use mmap() in order to map the secret memory, so you can access it via pointers as usual.
Other details are available here.
EDIT: unfortunately, the "uncached" feature that made memfd_secret() less vulnerable to attacks like Spectre has been removed because there was a concern for performance.
EDIT 2: additional details about why secret memory areas obtained with memfd_secret() make programs safer (source, slightly modified by me for clearness):
Enhanced protection (in conjunction with all the other in-kernel attack prevention systems) against ROP attacks. Secret memory makes "simple" ROP insufficient to perform exfiltration, which increases the required complexity of the attack. Along with other protections like the kernel stack size limit and address space layout randomization which make finding gadgets really hard, absence of any in-kernel primitive for accessing secret memory means the one gadget ROP attack can't work. Since the only way to access secret memory is to reconstruct the missing mapping entry, the attacker has to recover the physical page and insert a PTE pointing to it in the kernel and then retrieve the contents. That takes at least three gadgets which is a level of difficulty beyond most standard attacks.
Prevent cross-process secret user-space memory exposures. Once the secret memory is allocated, the user can't accidentally pass it into the kernel to be transmitted somewhere. The secret memory pages cannot be accessed via the direct map and they are disallowed in GUP.
Harden against exploited kernel flaws. In order to access secret memory, a kernel-side attack would need to either walk the page tables and create new ones, or spawn a new privileged user-space process to perform secrets exfiltration using ptrace.
EDIT 3: just a note that I think may be relevant: secret memory areas can be accessed by child processes created using fork(), so one must be cautious. At least, using flag O_CLOEXEC (passed to memfd_secret()), the process will not make the secret memory available to processes created with execve().
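The three-step sequence the answer describes (memfd_secret(), ftruncate(), mmap()), written out as an added example that is not part of the original answer or of any project's code; it also excludes the mapping from fork() children and wipes it before unmapping. The helper name secret_roundtrip, its return codes and the sample key are hypothetical, and treating EPERM as "blocked by a sandbox filter" is an assumption.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_memfd_secret
#define SYS_memfd_secret 447 /* fallback for libc headers older than Linux 5.14 */
#endif

enum { SECRET_OK = 0, SECRET_UNAVAILABLE = 1, SECRET_ERROR = -1 };

/* Hypothetical helper: place `key` in secret memory, "use" it (byte sum into
 * *sum_out), then wipe and unmap. Real code would read the key straight into p. */
int secret_roundtrip(const char *key, size_t len, unsigned *sum_out)
{
    /* Step 1: obtain the fd; O_CLOEXEC keeps it from surviving execve(). */
    int fd = (int)syscall(SYS_memfd_secret, O_CLOEXEC);
    if (fd < 0) /* ENOSYS: old kernel or secretmem disabled; EPERM: assumed seccomp filter */
        return (errno == ENOSYS || errno == EPERM) ? SECRET_UNAVAILABLE : SECRET_ERROR;

    /* Step 2: choose the size of the region (one page here). */
    size_t size = (size_t)sysconf(_SC_PAGESIZE);
    if (len > size || ftruncate(fd, (off_t)size) != 0) { close(fd); return SECRET_ERROR; }

    /* Step 3: map it; the mapping must be MAP_SHARED and stays valid after close(). */
    unsigned char *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    if (p == MAP_FAILED) return SECRET_ERROR;

    /* fork() children would inherit the mapping, so exclude it from them. */
    if (madvise(p, size, MADV_DONTFORK) != 0) { munmap(p, size); return SECRET_ERROR; }

    memcpy(p, key, len); /* the copy now sits in pages absent from the kernel direct map */
    *sum_out = 0;
    for (size_t i = 0; i < len; i++) *sum_out += p[i]; /* stand-in for using the key */
    explicit_bzero(p, size); /* wipe before the pages go back to the allocator */
    munmap(p, size);
    return SECRET_OK;
}

int main(void)
{
    unsigned sum = 0; /* "constructed-key" is a constructed sample value */
    printf("result=%d\n", secret_roundtrip("constructed-key", 15, &sum));
    return 0;
}
```

A result of 1 means the kernel does not offer the syscall; on Linux 5.14 that includes the case where secret memory was not enabled at boot.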
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install spectre
On a UNIX-like operating system, using your system’s package manager is easiest. However, the packaged Ruby version may not be the newest one. There is also an installer for Windows. Managers help you to switch between multiple Ruby versions on your system. Installers can be used to install a specific or multiple Ruby versions. Please refer to ruby-lang.org for more information.