
Right, you have to trick the outside world to perform the speculation for you. In the case of a web browser, you're not going to plug all those holes.

But in some cases, you probably could make it absolutely bulletproof. The closer to data->data transforms you get, the better.

For example, if you wanted a router that could run WASM blobs that make routing decisions. You pass in a header byte array and receive back route information.

Designed correctly, it's not a given that there is any surface area for an attacker to read data from a neighbour's address space.



> But in some cases, you probably could make it absolutely bulletproof.

I don't believe this. Not on modern hardware. I worked on Spectre for almost two years while at Google. We wrote this:

https://arxiv.org/abs/1902.05178


Well, your years of study are worth much more than my idle speculation, so after browsing your paper I'll happily accept that you're right.

But my intuition is that the instructions themselves executed under such a masking system are no more able to perform timing attacks on the rest of the process than arbitrary code from one process can perform timing attacks on another.

If there's something specific I'm missing there I'd love to know what it is so I can update my mental model.



