From owner-cvs-all@FreeBSD.ORG Mon May 16 17:42:12 2005 Return-Path: Delivered-To: cvs-all@freebsd.org Received: from green.homeunix.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id EB90316A4CE; Mon, 16 May 2005 17:42:11 +0000 (GMT) Received: from green.homeunix.org (green@localhost [127.0.0.1]) by green.homeunix.org (8.13.3/8.13.1) with ESMTP id j4GHgBsu007901; Mon, 16 May 2005 13:42:11 -0400 (EDT) (envelope-from green@green.homeunix.org) Received: (from green@localhost) by green.homeunix.org (8.13.3/8.13.1/Submit) id j4GHg7Pi007900; Mon, 16 May 2005 13:42:07 -0400 (EDT) (envelope-from green) Date: Mon, 16 May 2005 13:42:06 -0400 From: Brian Fundakowski Feldman To: Nate Lawson Message-ID: <20050516174206.GC1201@green.homeunix.org> References: <97079.1116154766@critter.freebsd.dk> <4287AD84.6070600@root.org> <20050516080031.GD34537@server.vk2pj.dyndns.org> <20050516053818.E53620@mail.chesapeake.net> <4288D5EA.9020202@root.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4288D5EA.9020202@root.org> User-Agent: Mutt/1.5.6i cc: src-committers@FreeBSD.org cc: Jacques Vidrine cc: cvs-src@FreeBSD.org cc: cvs-all@FreeBSD.org cc: Poul-Henning Kamp cc: Colin Percival cc: Jeff Roberson Subject: Re: cvs commit: src/sys/amd64/amd64 mp_machdep.csrc/sys/amd64/include cpufunc.h src/sys/i386/i386 mp_machdep.c src/sys/i386/include cpufunc.h X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 May 2005 17:42:12 -0000 On Mon, May 16, 2005 at 10:18:34AM -0700, Nate Lawson wrote: > Jeff Roberson wrote: > >On Mon, 16 May 2005, Peter Jeremy wrote: > >>On Sun, May 15, 2005 at 01:13:56PM -0700, Nate Lawson wrote: > >> > >>>My point was that FreeBSD (like most general-purpose OS) has many timing > >>>channels that are comparably as effective for an attacker as HTT. > >> > >>If you take the bandwidth of the timing channel into account, I don't > >>believe there are any other timing channels that come anywhere near the > >>HTT attack. Maybe Colin has a better idea of what other timing channels > >>exist and how they compare to HTT. > > See my previous email. Even with a 1 bit per second channel, a 1024 bit > secret would be revealed in 17 minutes. In nearly every common use > case, there is no difference from a security standpoint between a > compromise taking 1 second or 17 minutes. > > In light of this threat model, disabling HTT to fix timing attacks is > similar to removing strcpy in hopes of eliminating buffer overflows. > Sure it may be the most commonly misused function, but the attacker > still has memcpy, strcat, sprintf, integer overflows, etc. What other side-channel attacks are going to occur against user-land code? Note that this explicitly excludes timing-based side-channel attacks that are dependent on I/O, and in any case crypto operations shouldn't be causing any I/O to happen in general because that leaves opportunity for the interesting data to be paged out to swap. > >>>Disabling HTT does not significantly reduce an attacker's likelihood of > >>>success since they can just use another timing channel. However, it > >>>does disable a useful feature. Are we going to disable SMP next? > >> > >Long term for HTT, if intel keeps it implemented the way it is now, I was > >intending to only schedule threads from the same process on the second > >core. I believe this would leave it as an optimization which will only > >effect the few cases that it is likely to help. > > > >Anyway, I am not going to throw in my .02 on whether or not it should be > >disabled, but I will say that both schedulers have some awareness of htt. > > I think making the scheduler do this is a great solution. It's already solved, isn't it? -- Brian Fundakowski Feldman \'[ FreeBSD ]''''''''''\ <> green@FreeBSD.org \ The Power to Serve! \ Opinions expressed are my own. \,,,,,,,,,,,,,,,,,,,,,,\