[Cryptography] ROP gadgets => OOO gadgets == larger attack surface

Henry Baker hbaker1 at pipeline.com
Thu Jan 4 15:30:22 EST 2018


Wow!

These Intel/AMD/ARM issues are far worse than would first appear.

According to one measurement, an architecture can speculatively *execute up to 188 instructions* (!!!!) before finally being brought down to earth.

https://spectreattack.com/spectre.pdf

https://meltdownattack.com/meltdown.pdf

Thus, in addition to traditional Return-Oriented Programming (ROP) gadgets, we can now search for Out-Of-Order (OOO) gadgets in a victim's code, thus increasing the attack surface enormously.  Unlike ROP gadgets, which terminate in a "return" instruction, OOO gadgets don't have to terminate cleanly at all; by the time the processor realizes it has gone down the garden path, the damage has already been done.

---
It's not clear what a proper mitigation might be; even going to the trouble of returning all caches to their previous state won't work -- in fact, it would seem to make the secret information even more obvious in power and timing side channels.

We're now facing the *padding* and *compression* problems in encryption protocols, but not just for programs doing crypto arithmetic, but *any*/*all* programs working with plaintext data.

---
Perhaps it's time to go back to "shared-nothing" architectures?
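The gadget shape from the Spectre paper linked above (a bounds check followed by two dependent loads) next to one hardening for that single pattern, as an added example that is not part of the original post. The branchless index clamp follows the idea behind the Linux kernel's `array_index_nospec`; `table`, `probe`, `index_mask` and the `lookup_*` functions are hypothetical names and constructed data.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 16UL                 /* constructed sample size */
static uint8_t table[TABLE_SIZE];       /* array indexed by untrusted input */
static uint8_t probe[256 * 64];         /* cache line touched depends on table[i] */

/* All-ones when index < size, zero otherwise, computed with arithmetic
 * only, so there is no branch for the predictor to get wrong.
 * Assumes size <= ULONG_MAX / 2. */
static unsigned long index_mask(unsigned long index, unsigned long size)
{
#if defined(__GNUC__)
    /* Hide the value from the optimizer so it cannot turn this into a branch. */
    __asm__ volatile("" : "+r"(index));
#endif
    unsigned long top = (index | (size - 1UL - index))
                        >> (sizeof(unsigned long) * CHAR_BIT - 1);
    return 0UL - (top ^ 1UL);
}

/* Gadget shape: if the check is mispredicted, both loads can still run
 * speculatively with an out-of-range i before the CPU rolls back. */
uint8_t lookup_unhardened(unsigned long i)
{
    if (i < TABLE_SIZE)
        return probe[(size_t)table[i] * 64];
    return 0;
}

/* Same logic, but the index is clamped by data flow rather than control
 * flow: an out-of-range i becomes 0 even on the mispredicted path. */
uint8_t lookup_hardened(unsigned long i)
{
    if (i < TABLE_SIZE) {
        i &= index_mask(i, TABLE_SIZE);
        return probe[(size_t)table[i] * 64];
    }
    return 0;
}

int main(void)
{
    printf("in range: %lx, out of range: %lx\n",
           index_mask(3, TABLE_SIZE), index_mask(1000, TABLE_SIZE));
    return lookup_hardened(1000);
}
```

This addresses only the bounds-check pattern at call sites someone has already identified; it does nothing for gadgets that have not been found.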


