Dynamic Process Isolation: Research by Cloudflare and TU Graz

Cloudflare Workers has been designed with protection against side channel attacks in mind, including Spectre. The team at Graz University of Technology (TU Graz) partnered with Cloudflare to study the impact of Spectre on their environment and developed a new defense mechanism called Dynamic Process Isolation. This defense uses hardware performance counters to detect Workers whose performance characteristics could be indicative of an attack, moving them into separate operating system processes for additional protection. The research also demonstrated that even with this enhanced defense, there is still room for improvement in combating Spectre attacks.