RE: Hyper-Threading Vulnerability

From: David Schwartz
Date: Sun May 15 2005 - 13:44:38 EST

Next message: Dr. David Alan Gilbert: "Re: Hyper-Threading Vulnerability"
Previous message: Dave Hansen: "Re: [-mm patch] arch/i386/Kconfig: SELECT_MEMORY_MODEL ->ARCH_SELECT_MEMORY_MODEL"
In reply to: Andi Kleen: "Re: Hyper-Threading Vulnerability"
Next in thread: Dr. David Alan Gilbert: "Re: Hyper-Threading Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Andi Kleen wrote:

> And what you're doing is to ask all the non crypto guys to give
> up an useful optimization just to fix a problem in the crypto guy's
> code. The cache line information leak is just a information leak
> bug in the crypto code, not a general problem.

Portable code shouldn't even have to know that there is such a thing as a
cache line. It should be able to rely on the operating system not to let
other tasks with a different security context spy on the details of its
operation.

> There is much more non crypto code than crypto code around - you
> are proposing to screw the majority of codes to solve a relatively
> obscure problem of only a few functions, which seems like the totally
> wrong approach to me.

That I do agree with.

> BTW the crypto guys are always free to check for hyperthreading
> themselves and use different functions. However there is a catch
> there - the modern dual core processors which actually have
> separated L1 and L2 caches set these too to stay compatible
> with old code and license managers.

This is just a recipe for making it impossible to write correct code. If
you don't believe the operating system or the hardware is at all at fault
for this problem, then it would follow that they could repeat this same
problem with some new mechanism and still not be at fault. So even if the
program checked for hyper-threading, it would still not be correct. It would
have to check for every possible future way this same type of problem could
arise and hide every type of trace that they could create, even if that
trace is in optimization mechanisms and potential channels over which the
programmer has no knowledge because they don't exist yet.

Let's try a rudctio ad absurdum. Surely you would agree that something
other than than the crypto software is at fault if the operating system or
hardware allowed another process with a different security context to see
every instruction the code executed. The crypto authors shouldn't be
expected to make the instruction flows look identical. How different is
monitoring the memory accesses?

Portable, POSIX-compliant C software shouldn't even have to know that there
is such a thing as a cache line.

I'm not going to be unreasonable though. Hyper-threading is here, and now
that we know the potential problems, it's not unreasonable to ask developers
of crypto code to work around it. But it's not a bug in their code that they
need to fix. In fact, they can't even fix it yet because there is no
portable way to determine if you're on a machine that has hyper-threading or
not.

DS

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dr. David Alan Gilbert: "Re: Hyper-Threading Vulnerability"
Previous message: Dave Hansen: "Re: [-mm patch] arch/i386/Kconfig: SELECT_MEMORY_MODEL ->ARCH_SELECT_MEMORY_MODEL"
In reply to: Andi Kleen: "Re: Hyper-Threading Vulnerability"
Next in thread: Dr. David Alan Gilbert: "Re: Hyper-Threading Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]