

A fast, Cross-VM attack on AES [pdf] - timo_h
http://eprint.iacr.org/2014/435.pdf

======
feld
Virtualization is not a security implementation. I've been saying this for
years and I'll continue to keep my tinfoil hat on.

As Theo de Raadt said:

    You are absolutely deluded, if not stupid, if you think that
    a worldwide collection of software engineers who can't write
    operating systems or applications without security holes,
    can then turn around and suddenly write virtualization
    layers without security holes.

I caught someone in a meeting last week trying to sell another employee on the
security benefits of virtualization and I nearly bit my tongue off.

~~~
jewel
Virtualization does offer additional security if it's used to isolate things
that otherwise would have been running on the same host. For example, at my
old job we used OpenVZ to isolate wordpress, twiki, and roundcube, whereas
historically we would have had them all installed on the same webserver.

I think this is the original source of the confusion, which has since
disseminated to those who don't understand the nuances and think that
virtualization adds security in every case.

The PCI DSS requires that each server just has one purpose. I was surprised
when in a later version they explicitly allowed virtualization as a way to
comply with that requirement.

~~~
SixSigma
Same webserver would have had users and groups - you have bought complexity
instead of using the existing mechanisms.

------
edwintorok
The paper only talks about the T-table AES implementation, but it should
probably mention, among the countermeasures, the paper "Faster and timing-attack
resistant AES-GCM" by Emilia Käsper and Peter Schwabe at CHES 2009, which I
found when looking at the 'No data-dependent array indices' feature of NaCl:
[http://nacl.cr.yp.to/features.html](http://nacl.cr.yp.to/features.html)
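The countermeasure this comment points at (no data-dependent array indices), as an added example that is not from the paper, from NaCl or from the commenter: a table lookup whose address depends on a secret byte, next to a constant-time version that reads the whole table and selects the wanted entry with a mask. The 16-entry table, the `touched` bitmask standing in for what a cache observer sees, and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 16-entry toy table standing in for one AES T-table (NOT real AES values). */
static const uint32_t TABLE[16] = {
    0x5A17C3E0u, 0x0B9D44F2u, 0xC701A96Eu, 0x3EF08821u,
    0x9264DD07u, 0x6BB3125Cu, 0xD48E7A39u, 0x1F5C06B4u,
    0xE8A2F1D3u, 0x77D9B08Au, 0x2C4E6B95u, 0xA0137FC8u,
    0x5DE9A47Bu, 0xB8765102u, 0x0392CE6Du, 0xF1BC2A56u,
};

/* Table-driven lookup as in a T-table AES: the address read depends on the secret
 * index, so the cache line it pulls in reveals idx to anyone observing cache state. */
uint32_t lookup_leaky(uint8_t idx, uint16_t *touched)
{
    idx &= 0x0Fu;
    if (touched) *touched |= (uint16_t)(1u << idx); /* models what the cache reveals */
    return TABLE[idx];
}

/* Same lookup with no data-dependent array index: every entry is read on
 * every call and the wanted one is selected with an arithmetic mask, so
 * the memory access pattern is identical for every idx. */
uint32_t lookup_ct(uint8_t idx, uint16_t *touched)
{
    uint32_t result = 0;
    idx &= 0x0Fu;
    for (uint32_t i = 0; i < 16; i++) {
        uint32_t diff = i ^ idx;
        /* nonzero is 1 when diff != 0 and 0 otherwise, computed without a branch */
        uint32_t nonzero = (diff | (0u - diff)) >> 31;
        uint32_t mask = nonzero - 1u;       /* 0xFFFFFFFF iff i == idx */
        result |= TABLE[i] & mask;
        if (touched) *touched |= (uint16_t)(1u << i);
    }
    return result;
}

int main(void)
{
    uint16_t t_leaky = 0, t_ct = 0;
    uint32_t a = lookup_leaky(5, &t_leaky);
    uint32_t b = lookup_ct(5, &t_ct);
    printf("leaky: value %08x, entries touched %04x\n", (unsigned)a, t_leaky);
    printf("ct:    value %08x, entries touched %04x\n", (unsigned)b, t_ct);
    return a == b ? 0 : 1;
}
```

Scanning the whole table costs 16 loads instead of one; the bit-sliced approach of Käsper and Schwabe removes the table altogether, which is why it is the stronger countermeasure.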

~~~
0x0
I'm curious about NaCl: would it be possible to replace OpenSSL with something
based on this library? If not, why not?

The feature list certainly looks impressive!

~~~
sdevlin
It depends on your use case.

If you need something that speaks TLS, then no. NaCl is a different (simpler)
protocol that does not have TLS compatibility as a goal.

If you're building a new application then NaCl is probably a good choice.
There are some problems you may need to solve yourself, if your application
calls for them. For example, NaCl has no notion of a CA hierarchy.

~~~
feld
Lack of a CA hierarchy sounds like a problem has just been solved for you.

~~~
sdevlin
Yeah, it's arguably a plus.

