Hacker News new | comments | ask | show | jobs | submit login
The Intel 80x86 Process Architecture: Pitfalls for Secure Systems (1995) [pdf] (semanticscholar.org)
60 points by ColinWright on Jan 8, 2018 | hide | past | web | favorite | 10 comments



This hit Twitter today because a short section towards the end mentions a prefetch bug. But that bug is from 1992, and concerned instruction prefetch. It predates not only out-of-order execution and speculative execution (introduced in the P6 microarchitecture) but superscalar x86 altogether (introduced in the P5).

There is an interesting history to covert channel analysis and modern side channels. It wasn't until the late 1990s (as far as I can tell) that anyone made the leap from covert channels --- which have cooperating agents on either end of the channel --- to side channels, in which the transmitter is unwitting.

It's possible that there's other interesting side channel stuff lurking in covert channel analyses. But I think the research link there is also pretty well known.

At any rate, what this analysis primarily concerns itself with is the suitability of x86 for multiuser multi-level security (MLS), in which you have differing levels of classification and absolute barriers to sharing information between those levels. In that setting, a covert channel is a serious problem (it allows you to bypass the MLS barrier). But in modern industry computing we've largely moved away from the concept. You can think of this paper as referring to a different concept of "security" than the one we think about.


But in modern industry computing we've largely moved away from the concept.

Except in cloud computing, where multiple and mutually untrusted users are sharing the same hardware... and that's where the side channels are the most concern. If Meltdown/Spectre were discovered 10 or 15 years ago, when cloud computing hadn't quite grown to what it is today, it would probably have received much less attention.


I'm not saying we've moved away from multiuser computing, just MLS.


Since quite early in the computing era, multiple and mutually untrusted users were sharing the same hardware by having login accounts on it.


> It wasn't until the late 1990s (as far as I can tell) that anyone made the leap from covert channels --- which have cooperating agents on either end of the channel --- to side channels, in which the transmitter is unwitting.

In the public domain, anyway. Presumably NSA folks had thought about this in the context of TEMPEST-style attacks?


Interestingly, SELinux implements MLS.


supports MLS, rather. The default policies for most distro's do not implement MLS. Maybe RHEL does have such a policy, not sure about that, but no other MLS policy is widely available.


That's to be expected, because apart from the general unpopularity of MLS, a one-size-fits-all policy doesn't make any sense with it. I would expect that anywhere actually using it in anger is using a policy developed specifically for that organisation.


From the PDF:

Unfortunately, this hardware cannot safely be dismissed as "simple" or not in need of in-depth analysis. A relatively simple interface can hide vast implementation complexities and the 80x86 interface is far from simple. For example, the Pentium contains approximately 3.1 million transistors. Its instruction processing and pipeline architecture are extremely complex.

Now we have billions of transistors in a single chip.


A lot of those new transistors are caches and memory/IO controllers that were previously off-chip.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: