
I kind of wish I'd never read that. Every time something like this comes up I remember a quote from A Deepness in the Sky [0] and shudder at the thought that we will be stuck with crappy software forever.

[0] "There were programs here that had been written five thousand years ago, before Humankind ever left Earth. The wonder of it—the horror of it, Sura said—was that unlike the useless wrecks of Canberra's past, these programs still worked! And via a million million circuitous threads of inheritance, many of the oldest programs still ran in the bowels of the Qeng Ho system. Take the Traders' method of timekeeping. The frame corrections were incredibly complex—and down at the very bottom of it was a little program that ran a counter. Second by second, the Qeng Ho counted from the instant that a human had first set foot on Old Earth's moon. But if you looked at it still more closely... the starting instant was actually some hundred million seconds later, the 0-second of one of Humankind's first computer operating systems."



One of the things I love about that book is how he attacks below their layer of abstraction. This is a pattern you see over and over again in real life, people build a secure system at one layer, but don't consider all of the implications of the layers below. Indeed there is so much complexity hidden in those abstractions that it takes experts years to learn enough about them to understand the attacks. The people who do work in those layers aren't interested in security, they're just trying to get the things to work in the first place.

Spectre/Meltdown are a good example of what happens when (after a couple of decades) the security guys finally understand what the architecture looks like at that level and start looking for vulnerabilities.

This is also why you should be wary of devices and especially device drivers. This is why binary blobs in drivers are such a butt clencher. And then you're talking about drivers that are stupendously large and are more or less attached directly to your web browser.


It isn't as though being open source solves that problem, look at things like Heartbleed.


They may not solve the problem, but they do allow you to solve the problem.


Kind of. One of the problems with being attacked from the lower layers is that it can be outright impossible to defend against in some cases. In other cases the defense involves significant tradeoffs, usually in performance.


Not realistically unless I have a lot of experience with driver programming. After all, I can technically hand-edit the machine code of a binary blob too.


> After all, I can technically hand-edit the machine code of a binary blob too.

Signed binaries make that a lot harder.


And how does source code help that? I can re-sign a modified binary just like I can a freshly compiled one.


I think of this every time I watch a package manager compile the dependencies of dependencies of dependencies of dependencies [...] of the thing I am actually using.


Ha, I recall that passage, it made an impression on me as well.
