[Cryptography] ROP gadgets => OOO gadgets == larger attack surface

Nico Williams nico at cryptonector.com
Thu Jan 4 18:08:19 EST 2018


On Thu, Jan 04, 2018 at 12:30:22PM -0800, Henry Baker wrote:
> It's not clear what a proper mitigation might be; even going to the
> trouble of returning all caches to their previous state won't work --
> in fact, it would seem to make the secret information even more
> obvious in power and timing side channels.
> 
> We're now facing the *padding* and *compression* problems in
> encryption protocols, but not just for programs doing crypto
> arithmetic, but *any*/*all* programs working with plaintext data.

It's almost like we now have to make everything constant-time.  Our
world just got much more hostile.

> ---
> Perhaps it's time to go back to "shared-nothing" architectures?

And/or slow things way down.  Sharing less is probably the better
answer, except that it's not very practical, especially for consumer
hardware!

Perhaps we can move all computation into a cloud and have slow and dumb
devices as thin clients.  That would be ironic here given that cloud
services are particularly impacted by these vulnerabilities.  But in any
case, I don't think we'll end up there.

Nico
-- 

