Date: Mon, 16 May 2005 13:42:06 -0400 From: Brian Fundakowski Feldman <green@FreeBSD.org> To: Nate Lawson <nate@root.org> Cc: Jeff Roberson <jroberson@chesapeake.net> Subject: Re: cvs commit: src/sys/amd64/amd64 mp_machdep.csrc/sys/amd64/include cpufunc.h src/sys/i386/i386 mp_machdep.c src/sys/i386/include cpufunc.h Message-ID: <20050516174206.GC1201@green.homeunix.org> In-Reply-To: <4288D5EA.9020202@root.org> References: <97079.1116154766@critter.freebsd.dk> <4287AD84.6070600@root.org> <20050516080031.GD34537@server.vk2pj.dyndns.org> <20050516053818.E53620@mail.chesapeake.net> <4288D5EA.9020202@root.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, May 16, 2005 at 10:18:34AM -0700, Nate Lawson wrote: > Jeff Roberson wrote: > >On Mon, 16 May 2005, Peter Jeremy wrote: > >>On Sun, May 15, 2005 at 01:13:56PM -0700, Nate Lawson wrote: > >> > >>>My point was that FreeBSD (like most general-purpose OS) has many timing > >>>channels that are comparably as effective for an attacker as HTT. > >> > >>If you take the bandwidth of the timing channel into account, I don't > >>believe there are any other timing channels that come anywhere near the > >>HTT attack. Maybe Colin has a better idea of what other timing channels > >>exist and how they compare to HTT. > > See my previous email. Even with a 1 bit per second channel, a 1024 bit > secret would be revealed in 17 minutes. In nearly every common use > case, there is no difference from a security standpoint between a > compromise taking 1 second or 17 minutes. > > In light of this threat model, disabling HTT to fix timing attacks is > similar to removing strcpy in hopes of eliminating buffer overflows. > Sure it may be the most commonly misused function, but the attacker > still has memcpy, strcat, sprintf, integer overflows, etc. What other side-channel attacks are going to occur against user-land code? Note that this explicitly excludes timing-based side-channel attacks that are dependent on I/O, and in any case crypto operations shouldn't be causing any I/O to happen in general because that leaves opportunity for the interesting data to be paged out to swap. > >>>Disabling HTT does not significantly reduce an attacker's likelihood of > >>>success since they can just use another timing channel. However, it > >>>does disable a useful feature. Are we going to disable SMP next? > >> > >Long term for HTT, if intel keeps it implemented the way it is now, I was > >intending to only schedule threads from the same process on the second > >core. I believe this would leave it as an optimization which will only > >effect the few cases that it is likely to help. > > > >Anyway, I am not going to throw in my .02 on whether or not it should be > >disabled, but I will say that both schedulers have some awareness of htt. > > I think making the scheduler do this is a great solution. It's already solved, isn't it? -- Brian Fundakowski Feldman \'[ FreeBSD ]''''''''''\ <> green@FreeBSD.org \ The Power to Serve! \ Opinions expressed are my own. \,,,,,,,,,,,,,,,,,,,,,,\
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050516174206.GC1201>