
Time protection: The missing OS abstraction - walterbell
https://ts.data61.csiro.au/publications/csiroabstracts/Ge_YCH_19.abstract.pml
======
niftich
Very accessible paper. They took the seL4 kernel, implemented a series of
mitigations against timing leaks, and showed that their performance impact is
tolerable and less than one might think.

While some of these mitigations have seen common use, their chief innovation
is the on-demand cloning of (the majority of) global kernel data and state,
which reduces resource sharing and allows the other partition and padded-flush
mitigations to work better.

While they acknowledge that doing the same in a larger and differently-
designed kernel would be a big undertaking, they also note that the hardware's
uneven support and seeming lack of a formal mental model about this topic is
unfortunate. Both software and hardware work would benefit from a focused
approach in this area.

------
nickpsecurity
Great they're getting on it. I'll note that the early security kernels
attempted to mitigate timing channels. GEMSOS used event counts and sequences
IIRC. It was also mandatory for high-assurance security under TCSEC
regulations to look for them and try to mitigate them. There was no reason to
think it would actually work over time at the rate bypasses were discovered.
They were trying, though.

More recently, under the MILS model for partitioning kernels, they've applied
stuff like ARINC time and space partitioning to separation kernels for both
safety- and security-critical applications. Big in aerospace for DO-178C
regulations. One example [1] describing some timing protections. That can
mitigate some timing channels. The one good thing about Meltdown/Spectre's
publicity is CompSci folks are coming up with all kinds of stuff on this
problem.

[1] [https://www.ghs.com/products/safety_critical/integrity-
do-17...](https://www.ghs.com/products/safety_critical/integrity-do-178b.html)

------
mjevans
Security, Performance, Power Savings.

Pick one, per cache domain.

I actually support additional, cache-isolated, //USER OWNED// TPM / enclave
like solutions for running the hardened parts of software (handling of actual
keys/etc). 99% of the other work is better off picking the speed or power
efficiency options.

(Edit to clarify User Owned: The end user should trust the computer, not
anyone else, therefore they should be the one with full control, not any
vendor or imaginary property creator.)

~~~
swiley
> //USER OWNED// TPM / enclave

HAHAHAHAHA

That would be kind of neat if it ever happened though.

~~~
als0
A TPM is user owned by design. It is opt-in, you can delete the contents and
create your own keys, password protect access etc.

~~~
swiley
They aren't on any of the computers that I own.

------
7373737373
I highly recommend looking into the KeyKOS operating system, which allows time
and space resource usage to be controlled via a common abstraction of
authority (keys/capabilities) - and that recursively.

The lectures of their Advanced Operating Systems course are great!
[https://www.cse.unsw.edu.au/~cs9242/18/lectures/](https://www.cse.unsw.edu.au/~cs9242/18/lectures/)

