From: ebiederm@xmission.com (Eric W. Biederman)
To: Andi Kleen <ak@muc.de>
Cc: Andy Isaacson <adi@hexapodia.org>,
"Richard F. Rebel" <rrebel@whenu.com>,
Gabor MICSKO <gmicsko@szintezis.hu>,
linux-kernel@vger.kernel.org, mpm@selenic.com, tytso@mit.edu
Subject: Re: Hyper-Threading Vulnerability
Date: 16 May 2005 01:10:28 -0600 [thread overview]
Message-ID: <m1oebbwsrf.fsf@ebiederm.dsl.xmission.com> (raw)
In-Reply-To: <20050515094352.GB68736@muc.de>
Andi Kleen <ak@muc.de> writes:
> On Fri, May 13, 2005 at 02:26:20PM -0700, Andy Isaacson wrote:
> > On Fri, May 13, 2005 at 09:05:49PM +0200, Andi Kleen wrote:
> > > On Fri, May 13, 2005 at 02:38:03PM -0400, Richard F. Rebel wrote:
> > > > Why? It's certainly reasonable to disable it for the time being and
> > > > even prudent to do so.
> > >
> > > No, i strongly disagree on that. The reasonable thing to do is
> > > to fix the crypto code which has this vulnerability, not break
> > > a useful performance enhancement for everybody else.
> >
> > Pardon me for saying so, but that's bullshit. You're asking the crypto
> > guys to give up a 5x performance gain (that's my wild guess) by giving
> > up all their data-dependent algorithms and contorting their code wildly,
> > to avoid a microarchitectural problem with Intel's HT implementation.
>
> And what you're doing is to ask all the non crypto guys to give
> up an useful optimization just to fix a problem in the crypto guy's
> code. The cache line information leak is just a information leak
> bug in the crypto code, not a general problem.
It is not a problem in the crypto code, it is a mis-feature of
the hardware/kernel combination. As such you must know be intimate
about each and every flavor of the hardware to attempt to avoid
it in the software, and that way lies madness.
First this is a reminder that prefect security requires an audit
of the hardware as well as the software. As we are neither
auditing the hardware not locking it down we obviously will not
achieve perfection. The question then becomes what can be done
to decrease the likely hood that an application will inadvertently
and unavoidably leak information from timing attacks due to unknown
hardware optimizations? Attacks that do not result from hardware
micro-architecture are another problem and one an application can
anticipate and avoid.
Ideally a solution will be proposed that will allow this problem
to be avoided using the existing POSIX API or at least the current
linux kernel API. But that problem may not be the case.
The only solution I have seen proposed so far that seems to work
is to not schedule untrusted processes simultaneously with
the security code. With the current API that sounds like
a root process killing off, or at least stopping all non-root
processes until the critical process has finished.
Potentially the scheduler can be modified to do this at a finer
grain but I don't know if this would impact the scheduler fast
path. Given the rarity and uncertainty of this it should probably
be something that the process that is worried about security should
asks for instead of simply getting by default.
So it looks to me like the sanest way to handle this is to
allocate a pool of threads/processes one per cpu. Set the
affinity of each process to a particular cpu. And set priority
of the threads to run at the highest priority. And during the
critical time ensure none of the threads are sleeping.
Can someone see a better way to prevent an accidental information
leak to do to hardware architecture details?
I wish there was a better way to ensure all of the threads were
running simultaneously and other then giving them the highest priority
in the system but I don't currently see an alternative.
> There is much more non crypto code than crypto code around - you
> are proposing to screw the majority of codes to solve a relatively
> obscure problem of only a few functions, which seems like the totally
> wrong approach to me.
>
> BTW the crypto guys are always free to check for hyperthreading
> themselves and use different functions. However there is a catch
> there - the modern dual core processors which actually have
> separated L1 and L2 caches set these too to stay compatible
> with old code and license managers.
And those same processors will have the same problem if the share
significant cpu resources. Ideally the entire problem set
would fit in the cache and the cpu designers would allow cache
blocks to be locked but that is not currently the case. So a shared
L3 cache with dual core processors will have the same problem.
In addition a flavor of this attack may be made by repeatedly doing
multiplies or other activities that access functional units and seeing
how long they have to be waited for. So even hyperthreading without
sharing a L2 cache may see this problem.
Eric
next prev parent reply other threads:[~2005-05-16 7:43 UTC|newest]
Thread overview: 144+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-13 5:51 Hyper-Threading Vulnerability Gabor MICSKO
2005-05-13 12:47 ` Barry K. Nathan
2005-05-13 14:10 ` Jeff Garzik
2005-05-13 14:23 ` Daniel Jacobowitz
2005-05-13 14:32 ` Jeff Garzik
2005-05-13 17:13 ` Andy Isaacson
2005-05-13 18:30 ` Vadim Lobanov
2005-05-13 19:02 ` Andy Isaacson
2005-05-15 9:31 ` Adrian Bunk
2005-05-13 17:14 ` Gabor MICSKO
2005-05-13 20:23 ` Barry K. Nathan
2005-05-13 18:03 ` Andi Kleen
2005-05-13 18:34 ` Eric Rannaud
2005-05-13 18:35 ` Alan Cox
2005-05-13 18:49 ` Scott Robert Ladd
2005-05-13 19:08 ` Andi Kleen
2005-05-13 19:36 ` Grant Coady
2005-05-16 17:00 ` Linus Torvalds
2005-05-16 12:37 ` Tommy Reynolds
2005-05-18 19:07 ` Bill Davidsen
2005-05-13 18:38 ` Richard F. Rebel
2005-05-13 19:05 ` Andi Kleen
2005-05-13 21:26 ` Andy Isaacson
2005-05-13 21:59 ` Matt Mackall
2005-05-13 22:47 ` Alan Cox
2005-05-13 23:00 ` Lee Revell
2005-05-13 23:27 ` Dave Jones
2005-05-13 23:38 ` Lee Revell
2005-05-13 23:44 ` Dave Jones
2005-05-14 7:37 ` Lee Revell
2005-05-14 15:33 ` Andrea Arcangeli
2005-05-15 1:07 ` Christer Weinigel
2005-05-15 9:48 ` Andi Kleen
2005-05-14 15:23 ` Alan Cox
2005-05-14 15:45 ` andrea
2005-05-15 13:38 ` Mikulas Patocka
2005-05-16 7:06 ` andrea
2005-05-14 16:30 ` Lee Revell
2005-05-14 16:44 ` Arjan van de Ven
2005-05-14 17:56 ` Lee Revell
2005-05-14 18:01 ` Arjan van de Ven
2005-05-14 19:21 ` Lee Revell
2005-05-14 19:48 ` Arjan van de Ven
2005-05-14 23:40 ` Lee Revell
2005-05-15 7:30 ` Arjan van de Ven
2005-05-15 20:41 ` Alan Cox
2005-05-15 20:48 ` Arjan van de Ven
2005-05-15 21:10 ` Lee Revell
2005-05-15 22:55 ` Dave Jones
2005-05-15 23:10 ` Lee Revell
2005-05-16 7:25 ` Arjan van de Ven
2005-05-15 9:37 ` Andi Kleen
2005-05-15 3:19 ` dean gaudet
2005-05-15 10:01 ` Andi Kleen
2005-05-15 10:23 ` 2.6.4 timer and helper functions kernel
2005-05-19 0:38 ` George Anzinger
2005-05-15 9:33 ` Hyper-Threading Vulnerability Adrian Bunk
2005-05-14 17:04 ` Jindrich Makovicka
2005-05-14 18:27 ` Lee Revell
2005-05-15 9:58 ` Andi Kleen
2005-05-14 0:39 ` dean gaudet
2005-05-16 13:41 ` Andrea Arcangeli
2005-05-15 9:43 ` Andi Kleen
2005-05-15 18:42 ` David Schwartz
2005-05-15 18:56 ` Dr. David Alan Gilbert
2005-05-16 7:10 ` Eric W. Biederman [this message]
2005-05-16 11:04 ` Andi Kleen
2005-05-16 19:14 ` Eric W. Biederman
2005-05-16 20:05 ` Valdis.Kletnieks
2005-05-15 14:00 ` Mikulas Patocka
2005-05-15 14:26 ` Andi Kleen
2005-05-13 23:32 ` Paul Jakma
2005-05-14 16:29 ` Paul Jakma
2005-05-13 19:14 ` Jim Crilly
2005-05-13 20:18 ` Barry K. Nathan
2005-05-13 23:14 ` Jim Crilly
2005-05-13 19:16 ` Diego Calleja
2005-05-13 19:42 ` Frank Denis (Jedi/Sector One)
2005-05-15 9:54 ` Andi Kleen
2005-05-15 13:51 ` Mikulas Patocka
2005-05-15 14:12 ` Andi Kleen
2005-05-15 14:21 ` Mikulas Patocka
2005-05-15 14:52 ` Tomasz Torcz
2005-05-15 15:00 ` Disk write cache (Was: Hyper-Threading Vulnerability) Mikulas Patocka
2005-05-15 15:21 ` Gene Heskett
2005-05-15 15:29 ` Jeff Garzik
2005-05-15 16:27 ` Disk write cache Kenichi Okuyama
2005-05-15 16:43 ` Jeff Garzik
2005-05-15 16:50 ` Kyle Moffett
2005-05-15 16:56 ` Andi Kleen
2005-05-15 20:44 ` Andrew Morton
2005-05-15 23:31 ` Cache based insecurity/CPU cache/Disk Cache Tradeoffs Brian O'Mahoney
2005-05-15 16:58 ` Disk write cache Mikulas Patocka
2005-05-15 17:20 ` Kenichi Okuyama
2005-05-16 11:02 ` Linux does not care for data integrity (was: Disk write cache) Matthias Andree
2005-05-16 11:12 ` Arjan van de Ven
2005-05-16 11:29 ` Matthias Andree
2005-05-16 14:02 ` Arjan van de Ven
2005-05-16 14:48 ` Matthias Andree
2005-05-16 15:06 ` Alan Cox
2005-05-16 15:40 ` Matthias Andree
2005-05-16 18:04 ` Alan Cox
2005-05-16 19:11 ` Linux does not care for data integrity Florian Weimer
2005-05-29 21:02 ` Linux does not care for data integrity (was: Disk write cache) Greg Stark
2005-05-29 21:16 ` Matthias Andree
2005-05-30 6:04 ` Greg Stark
2005-05-30 8:21 ` Matthias Andree
2005-06-01 19:02 ` Linux does not care for data integrity Bill Davidsen
2005-06-01 22:02 ` Matthias Andree
2005-06-02 0:12 ` Bill Davidsen
2005-06-02 0:36 ` Jeff Garzik
2005-06-02 1:37 ` Bill Davidsen
2005-06-02 1:54 ` Jeff Garzik
2005-06-02 8:53 ` Helge Hafting
2005-06-02 12:00 ` Bill Davidsen
2005-06-02 13:33 ` Lennart Sorensen
2005-06-04 13:37 ` Bill Davidsen
2005-06-04 15:31 ` Bernd Eckenfels
2005-05-16 14:57 ` Linux does not care for data integrity (was: Disk write cache) Alan Cox
2005-05-16 13:48 ` Linux does not care for data integrity Mark Lord
2005-05-16 14:59 ` Matthias Andree
2005-05-16 1:56 ` Disk write cache (Was: Hyper-Threading Vulnerability) Gene Heskett
2005-05-16 2:11 ` Jeff Garzik
2005-05-16 2:24 ` Mikulas Patocka
2005-05-16 3:05 ` Gene Heskett
2005-05-16 2:32 ` Mark Lord
2005-05-16 3:08 ` Gene Heskett
2005-05-16 13:44 ` Mark Lord
2005-05-18 4:03 ` Eric D. Mudama
2005-05-15 16:24 ` Mikulas Patocka
2005-05-16 11:18 ` Matthias Andree
2005-05-16 14:33 ` Jeff Garzik
2005-05-16 15:26 ` Richard B. Johnson
2005-05-16 16:00 ` [OT] drive behavior on power-off (was: Disk write cache) Matthias Andree
2005-05-16 18:11 ` Disk write cache (Was: Hyper-Threading Vulnerability) Valdis.Kletnieks
2005-05-16 14:54 ` Alan Cox
2005-05-17 13:15 ` Bill Davidsen
2005-05-17 21:41 ` Kyle Moffett
2005-05-18 4:06 ` Eric D. Mudama
2005-05-15 21:38 ` Tomasz Torcz
2005-05-16 14:50 ` Alan Cox
2005-05-15 15:00 ` Hyper-Threading Vulnerability Arjan van de Ven
-- strict thread matches above, loose matches on Subject: below --
2005-05-13 22:51 linux
2005-05-14 8:03 ` Arjan van de Ven
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1oebbwsrf.fsf@ebiederm.dsl.xmission.com \
--to=ebiederm@xmission.com \
--cc=adi@hexapodia.org \
--cc=ak@muc.de \
--cc=gmicsko@szintezis.hu \
--cc=linux-kernel@vger.kernel.org \
--cc=mpm@selenic.com \
--cc=rrebel@whenu.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox