Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 16 May 2005 13:42:06 -0400
From:      Brian Fundakowski Feldman <green@FreeBSD.org>
To:        Nate Lawson <nate@root.org>
Cc:        Jeff Roberson <jroberson@chesapeake.net>
Subject:   Re: cvs commit: src/sys/amd64/amd64 mp_machdep.csrc/sys/amd64/include cpufunc.h src/sys/i386/i386 mp_machdep.c src/sys/i386/include cpufunc.h
Message-ID:  <20050516174206.GC1201@green.homeunix.org>
In-Reply-To: <4288D5EA.9020202@root.org>
References:  <97079.1116154766@critter.freebsd.dk> <4287AD84.6070600@root.org> <20050516080031.GD34537@server.vk2pj.dyndns.org> <20050516053818.E53620@mail.chesapeake.net> <4288D5EA.9020202@root.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, May 16, 2005 at 10:18:34AM -0700, Nate Lawson wrote:
> Jeff Roberson wrote:
> >On Mon, 16 May 2005, Peter Jeremy wrote:
> >>On Sun, May 15, 2005 at 01:13:56PM -0700, Nate Lawson wrote:
> >>
> >>>My point was that FreeBSD (like most general-purpose OS) has many timing
> >>>channels that are comparably as effective for an attacker as HTT.
> >>
> >>If you take the bandwidth of the timing channel into account, I don't
> >>believe there are any other timing channels that come anywhere near the
> >>HTT attack.  Maybe Colin has a better idea of what other timing channels
> >>exist and how they compare to HTT.
> 
> See my previous email.  Even with a 1 bit per second channel, a 1024 bit 
> secret would be revealed in 17 minutes.  In nearly every common use 
> case, there is no difference from a security standpoint between a 
> compromise taking 1 second or 17 minutes.
> 
> In light of this threat model, disabling HTT to fix timing attacks is 
> similar to removing strcpy in hopes of eliminating buffer overflows. 
> Sure it may be the most commonly misused function, but the attacker 
> still has memcpy, strcat, sprintf, integer overflows, etc.

What other side-channel attacks are going to occur against user-land
code?  Note that this explicitly excludes timing-based side-channel
attacks that are dependent on I/O, and in any case crypto operations
shouldn't be causing any I/O to happen in general because that leaves
opportunity for the interesting data to be paged out to swap.

> >>>Disabling HTT does not significantly reduce an attacker's likelihood of
> >>>success since they can just use another timing channel.  However, it
> >>>does disable a useful feature.  Are we going to disable SMP next?
> >>
> >Long term for HTT, if intel keeps it implemented the way it is now, I was
> >intending to only schedule threads from the same process on the second
> >core.  I believe this would leave it as an optimization which will only
> >effect the few cases that it is likely to help.
> >
> >Anyway, I am not going to throw in my .02 on whether or not it should be
> >disabled, but I will say that both schedulers have some awareness of htt.
> 
> I think making the scheduler do this is a great solution.

It's already solved, isn't it?

-- 
Brian Fundakowski Feldman                           \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org                               \  The Power to Serve! \
 Opinions expressed are my own.                       \,,,,,,,,,,,,,,,,,,,,,,\



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050516174206.GC1201>