
Author serhiy.storchaka
Recipients sahnaseredini, serhiy.storchaka, vstinner
Date 2020-11-11.13:55:13
Message-id <1605102913.91.0.299237908346.issue42322@roundup.psfhosted.org>
Content
AFAIK Spectre attacks rely on precise time measures. But Python is very far from bare hardware. Pure Python code is 10-100 times slower than compiled C or jitted JavaScript, and the variance is high, so it is hard to get stable results in benchmarks. A simple a=b+c can cause execution of hundreds or thousands of microprocessor instructions, numerous memory read and write operations, calling many subroutines, memory allocations and deallocations.

I have doubts that it is practical to use Spectre attacks on pure Python.

Of course, if you use high-performance extensions to work with sensitive data, they can be vulnerable to attack if the attacker code is in the other extension. You can counteract this by building those extensions with a C compiler which implements workarounds.
History
Date | User | Action | Args
2020-11-11 13:55:13 | serhiy.storchaka | set | recipients: + serhiy.storchaka, vstinner, sahnaseredini
2020-11-11 13:55:13 | serhiy.storchaka | set | messageid: <1605102913.91.0.299237908346.issue42322@roundup.psfhosted.org>
2020-11-11 13:55:13 | serhiy.storchaka | link | issue42322 messages
2020-11-11 13:55:13 | serhiy.storchaka | create |
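
The timing-variance point in the message above can be measured directly. The following is an added example, not part of the original message or of CPython: it times `a = b + c` with the finest standard-library clock and compares the spread of the samples with an assumed cache hit/miss gap. The 100 ns figure and the names `time_addition` and `summarize` are assumptions made for this illustration.

```python
import time

# Assumption (not from the message): order of magnitude of the latency gap
# between a cache hit and a cache miss, the signal a cache-timing channel reads.
ASSUMED_SIGNAL_NS = 100


def time_addition(samples=20000):
    """Time `a = b + c` once per sample; return the durations in ns.

    Each sample also contains the overhead of the two clock calls, which
    pure Python code cannot avoid when timing a single statement.
    """
    b, c = 12345, 67890
    clock = time.perf_counter_ns
    durations = []
    for _ in range(samples):
        start = clock()
        a = b + c  # the statement under test
        durations.append(clock() - start)
    return durations


def summarize(durations):
    """Return the median and the 1st-to-99th percentile spread of the samples."""
    ordered = sorted(durations)
    n = len(ordered)
    spread = ordered[(n * 99) // 100] - ordered[n // 100]
    return {
        "median_ns": ordered[n // 2],
        "spread_ns": spread,
        "max_ns": ordered[-1],
        # How many times larger the measurement noise is than the assumed signal.
        "noise_to_signal": spread / ASSUMED_SIGNAL_NS,
    }


if __name__ == "__main__":
    stats = summarize(time_addition())
    resolution_ns = time.get_clock_info("perf_counter").resolution * 1e9
    print(f"clock resolution : {resolution_ns:.0f} ns")
    for key, value in stats.items():
        print(f"{key:17}: {value}")
```

The numbers depend on the machine, interpreter version and system load, so read `spread_ns` and `max_ns` against the assumed signal rather than as fixed values.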