From: Matt Mackall <mpm@selenic.com>
To: Andy Isaacson <adi@hexapodia.org>
Cc: Andi Kleen <ak@muc.de>, "Richard F. Rebel" <rrebel@whenu.com>,
Gabor MICSKO <gmicsko@szintezis.hu>,
linux-kernel@vger.kernel.org, tytso@mit.edu
Subject: Re: Hyper-Threading Vulnerability
Date: Fri, 13 May 2005 14:59:05 -0700 [thread overview]
Message-ID: <20050513215905.GY5914@waste.org> (raw)
In-Reply-To: <20050513212620.GA12522@hexapodia.org>
On Fri, May 13, 2005 at 02:26:20PM -0700, Andy Isaacson wrote:
> On Fri, May 13, 2005 at 09:05:49PM +0200, Andi Kleen wrote:
> > On Fri, May 13, 2005 at 02:38:03PM -0400, Richard F. Rebel wrote:
> > > Why? It's certainly reasonable to disable it for the time being and
> > > even prudent to do so.
> >
> > No, i strongly disagree on that. The reasonable thing to do is
> > to fix the crypto code which has this vulnerability, not break
> > a useful performance enhancement for everybody else.
>
> Pardon me for saying so, but that's bullshit. You're asking the crypto
> guys to give up a 5x performance gain (that's my wild guess) by giving
> up all their data-dependent algorithms and contorting their code wildly,
> to avoid a microarchitectural problem with Intel's HT implementation.
>
> There are three places to cut off the side channel, none of which is
> obviously the right one.
> 1. The HT implementation could do the cache tricks Colin suggested in
> his paper. Fairly large performance hit to address a fairly small
> problem.
> 2. The OS could do the scheduler tricks to avoid scheduling unfriendly
> threads on the same core. You're leaving a lot of the benefit of HT
> on the floor by doing so.
> 3. Every security-sensitive app can be rigorously audited and re-written
> to avoid *ever* referencing memory with the address determined by
> private data.
>
> (3) is a complete non-starter. It's just not feasible to rewrite all
> that code. Furthermore, there's no way to know what code needs to be
> rewritten! (Until someone publishes an advisory, that is...)
>
> Hmm, I can't think of any reason that this technique wouldn't work to
> extract information from kernel secrets, as well...
>
> If SHA has plaintext-dependent memory references, Colin's technique
> would enable an adversary to extract the contents of the /dev/random
> pools. I don't *think* SHA does, based on a quick reading of
> lib/sha1.c, but someone with an actual clue should probably take a look.
SHA1 should be fine, as are the pool mixing bits. Much more
problematic is the ability to do timing attacks against the entropy
gathering itself. If an attacker can guess the TSC value that gets
mixed into the pool, that's a problem.
It might not be much of a problem though. If he's a bit off per guess
(really impressive), he'll still be many bits off by the time there's
enough entropy in the primary pool to reseed the secondary pool so he
can check his guesswork.
--
Mathematics is the supreme nostalgia of our time.
next prev parent reply other threads:[~2005-05-13 21:59 UTC|newest]
Thread overview: 144+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-13 5:51 Hyper-Threading Vulnerability Gabor MICSKO
2005-05-13 12:47 ` Barry K. Nathan
2005-05-13 14:10 ` Jeff Garzik
2005-05-13 14:23 ` Daniel Jacobowitz
2005-05-13 14:32 ` Jeff Garzik
2005-05-13 17:13 ` Andy Isaacson
2005-05-13 18:30 ` Vadim Lobanov
2005-05-13 19:02 ` Andy Isaacson
2005-05-15 9:31 ` Adrian Bunk
2005-05-13 17:14 ` Gabor MICSKO
2005-05-13 20:23 ` Barry K. Nathan
2005-05-13 18:03 ` Andi Kleen
2005-05-13 18:34 ` Eric Rannaud
2005-05-13 18:35 ` Alan Cox
2005-05-13 18:49 ` Scott Robert Ladd
2005-05-13 19:08 ` Andi Kleen
2005-05-13 19:36 ` Grant Coady
2005-05-16 17:00 ` Linus Torvalds
2005-05-16 12:37 ` Tommy Reynolds
2005-05-18 19:07 ` Bill Davidsen
2005-05-13 18:38 ` Richard F. Rebel
2005-05-13 19:05 ` Andi Kleen
2005-05-13 21:26 ` Andy Isaacson
2005-05-13 21:59 ` Matt Mackall [this message]
2005-05-13 22:47 ` Alan Cox
2005-05-13 23:00 ` Lee Revell
2005-05-13 23:27 ` Dave Jones
2005-05-13 23:38 ` Lee Revell
2005-05-13 23:44 ` Dave Jones
2005-05-14 7:37 ` Lee Revell
2005-05-14 15:33 ` Andrea Arcangeli
2005-05-15 1:07 ` Christer Weinigel
2005-05-15 9:48 ` Andi Kleen
2005-05-14 15:23 ` Alan Cox
2005-05-14 15:45 ` andrea
2005-05-15 13:38 ` Mikulas Patocka
2005-05-16 7:06 ` andrea
2005-05-14 16:30 ` Lee Revell
2005-05-14 16:44 ` Arjan van de Ven
2005-05-14 17:56 ` Lee Revell
2005-05-14 18:01 ` Arjan van de Ven
2005-05-14 19:21 ` Lee Revell
2005-05-14 19:48 ` Arjan van de Ven
2005-05-14 23:40 ` Lee Revell
2005-05-15 7:30 ` Arjan van de Ven
2005-05-15 20:41 ` Alan Cox
2005-05-15 20:48 ` Arjan van de Ven
2005-05-15 21:10 ` Lee Revell
2005-05-15 22:55 ` Dave Jones
2005-05-15 23:10 ` Lee Revell
2005-05-16 7:25 ` Arjan van de Ven
2005-05-15 9:37 ` Andi Kleen
2005-05-15 3:19 ` dean gaudet
2005-05-15 10:01 ` Andi Kleen
2005-05-15 10:23 ` 2.6.4 timer and helper functions kernel
2005-05-19 0:38 ` George Anzinger
2005-05-15 9:33 ` Hyper-Threading Vulnerability Adrian Bunk
2005-05-14 17:04 ` Jindrich Makovicka
2005-05-14 18:27 ` Lee Revell
2005-05-15 9:58 ` Andi Kleen
2005-05-14 0:39 ` dean gaudet
2005-05-16 13:41 ` Andrea Arcangeli
2005-05-15 9:43 ` Andi Kleen
2005-05-15 18:42 ` David Schwartz
2005-05-15 18:56 ` Dr. David Alan Gilbert
2005-05-16 7:10 ` Eric W. Biederman
2005-05-16 11:04 ` Andi Kleen
2005-05-16 19:14 ` Eric W. Biederman
2005-05-16 20:05 ` Valdis.Kletnieks
2005-05-15 14:00 ` Mikulas Patocka
2005-05-15 14:26 ` Andi Kleen
2005-05-13 23:32 ` Paul Jakma
2005-05-14 16:29 ` Paul Jakma
2005-05-13 19:14 ` Jim Crilly
2005-05-13 20:18 ` Barry K. Nathan
2005-05-13 23:14 ` Jim Crilly
2005-05-13 19:16 ` Diego Calleja
2005-05-13 19:42 ` Frank Denis (Jedi/Sector One)
2005-05-15 9:54 ` Andi Kleen
2005-05-15 13:51 ` Mikulas Patocka
2005-05-15 14:12 ` Andi Kleen
2005-05-15 14:21 ` Mikulas Patocka
2005-05-15 14:52 ` Tomasz Torcz
2005-05-15 15:00 ` Disk write cache (Was: Hyper-Threading Vulnerability) Mikulas Patocka
2005-05-15 15:21 ` Gene Heskett
2005-05-15 15:29 ` Jeff Garzik
2005-05-15 16:27 ` Disk write cache Kenichi Okuyama
2005-05-15 16:43 ` Jeff Garzik
2005-05-15 16:50 ` Kyle Moffett
2005-05-15 16:56 ` Andi Kleen
2005-05-15 20:44 ` Andrew Morton
2005-05-15 23:31 ` Cache based insecurity/CPU cache/Disk Cache Tradeoffs Brian O'Mahoney
2005-05-15 16:58 ` Disk write cache Mikulas Patocka
2005-05-15 17:20 ` Kenichi Okuyama
2005-05-16 11:02 ` Linux does not care for data integrity (was: Disk write cache) Matthias Andree
2005-05-16 11:12 ` Arjan van de Ven
2005-05-16 11:29 ` Matthias Andree
2005-05-16 14:02 ` Arjan van de Ven
2005-05-16 14:48 ` Matthias Andree
2005-05-16 15:06 ` Alan Cox
2005-05-16 15:40 ` Matthias Andree
2005-05-16 18:04 ` Alan Cox
2005-05-16 19:11 ` Linux does not care for data integrity Florian Weimer
2005-05-29 21:02 ` Linux does not care for data integrity (was: Disk write cache) Greg Stark
2005-05-29 21:16 ` Matthias Andree
2005-05-30 6:04 ` Greg Stark
2005-05-30 8:21 ` Matthias Andree
2005-06-01 19:02 ` Linux does not care for data integrity Bill Davidsen
2005-06-01 22:02 ` Matthias Andree
2005-06-02 0:12 ` Bill Davidsen
2005-06-02 0:36 ` Jeff Garzik
2005-06-02 1:37 ` Bill Davidsen
2005-06-02 1:54 ` Jeff Garzik
2005-06-02 8:53 ` Helge Hafting
2005-06-02 12:00 ` Bill Davidsen
2005-06-02 13:33 ` Lennart Sorensen
2005-06-04 13:37 ` Bill Davidsen
2005-06-04 15:31 ` Bernd Eckenfels
2005-05-16 14:57 ` Linux does not care for data integrity (was: Disk write cache) Alan Cox
2005-05-16 13:48 ` Linux does not care for data integrity Mark Lord
2005-05-16 14:59 ` Matthias Andree
2005-05-16 1:56 ` Disk write cache (Was: Hyper-Threading Vulnerability) Gene Heskett
2005-05-16 2:11 ` Jeff Garzik
2005-05-16 2:24 ` Mikulas Patocka
2005-05-16 3:05 ` Gene Heskett
2005-05-16 2:32 ` Mark Lord
2005-05-16 3:08 ` Gene Heskett
2005-05-16 13:44 ` Mark Lord
2005-05-18 4:03 ` Eric D. Mudama
2005-05-15 16:24 ` Mikulas Patocka
2005-05-16 11:18 ` Matthias Andree
2005-05-16 14:33 ` Jeff Garzik
2005-05-16 15:26 ` Richard B. Johnson
2005-05-16 16:00 ` [OT] drive behavior on power-off (was: Disk write cache) Matthias Andree
2005-05-16 18:11 ` Disk write cache (Was: Hyper-Threading Vulnerability) Valdis.Kletnieks
2005-05-16 14:54 ` Alan Cox
2005-05-17 13:15 ` Bill Davidsen
2005-05-17 21:41 ` Kyle Moffett
2005-05-18 4:06 ` Eric D. Mudama
2005-05-15 21:38 ` Tomasz Torcz
2005-05-16 14:50 ` Alan Cox
2005-05-15 15:00 ` Hyper-Threading Vulnerability Arjan van de Ven
-- strict thread matches above, loose matches on Subject: below --
2005-05-13 22:51 linux
2005-05-14 8:03 ` Arjan van de Ven
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050513215905.GY5914@waste.org \
--to=mpm@selenic.com \
--cc=adi@hexapodia.org \
--cc=ak@muc.de \
--cc=gmicsko@szintezis.hu \
--cc=linux-kernel@vger.kernel.org \
--cc=rrebel@whenu.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox