[Cryptography] Speculation re Intel HW cockup; reqs. OS rewrites & slow execution

Henry Baker hbaker1 at pipeline.com
Fri Jan 5 10:39:54 EST 2018


At 05:02 PM 1/4/2018, jamesd at echeque.com wrote:
>On 1/5/2018 8:23 AM, Henry Baker wrote:
>> At 01:32 PM 1/4/2018, jamesd at echeque.com wrote:
>>> The fix is not to abandon speculative execution, but to do it right, and chances are that doing it right is going to be faster and more efficient, not slower and less efficient.
>>
>> OK, I'll bite.
>>
>> How would you do speculative execution "right" ?
>
>All speculative effects would be copy on write.
>
>Same principle as is used in vm snapshotting.
>
>If the copy on write buffer overflows, we pause to backup to a lower caching level.

Several problems with your proposal:

"Copy On Write" ("COW") assumes that *all effects can be reversed by restoring various register values*.  As I pointed out, once a bit has leaked, it's gone, and no amount of register restoring will force Eve to forget it.

Also, we're not talking about a handful of instructions here; we're talking about >100 instructions.  So perhaps tens of cache lines have been touched before the processor comes back to its senses.

As I pointed out elsewhere, restoring all of these cache lines may cause even more trouble, providing an even clearer side-channel signal for Eve to listen to.

---
BTW, as I also pointed out, software is not immune for exactly the same reasons.

Common Lisp has "UNWIND-PROTECT":

(unwind-protect <protected-expression> <cleanup-expressions>)

unwind-protect evaluates "protected-expression" and guarantees that "cleanup-expressions" are executed before unwind-protect exits, whether by "normal" evaluation or not.

CL's "unwind-protect" is intended to enable a *transaction using optimistic concurrency*: the "protected-expression" is the optimistic/speculative execution, while the "cleanup-expressions" provide the programmer the *opportunity* to *attempt* to "clean up" if/when things go wrong during the "protected-expression".

UNWIND-PROTECT acknowledges the fact that cleaning up the mess from a terminated computation isn't a trivial task, and only an intelligent programmer can figure out how to do this -- in particular, there's no way a compiler could figure out how to do this on its own.

Note that *all bets are off* if the "protected expression" produces output -- e.g., PRINT's to the console.  There is simply no way to "recall" that output.  Are you planning to shoot the user as part of the "cleanup-expressions" ?



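The thread's argument, that copy-on-write rollback restores registers and cache contents but cannot make Eve forget what she already observed, and that the restore itself is one more observable event, can be shown in a small simulation. The following is an added example and is not code from Henry Baker, jamesd, or the mailing list; the machine model, the names Machine, speculate, Squash, gadget and eve_recover, the probe-array layout at PROBE_BASE, and the 64-byte lines are all assumptions chosen for illustration. The `try`/`except` that performs the rollback plays the role of Common Lisp's UNWIND-PROTECT cleanup forms.

```python
"""Copy-on-write rollback of a speculative window, with an observer.

Added example, not code from the thread above. The CPU snapshots its
architectural state (registers) and cache residency before a speculative
window and restores both when the window is squashed. Eve sees only cache
fills and evictions. All names and constants here are invented for the
illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable

LINE_SIZE = 64            # bytes per cache line (assumed)
NUM_LINES = 256           # one probe line per possible secret byte value
PROBE_BASE = 0x1000       # start of the probe array in simulated memory (assumed)


@dataclass
class Machine:
    regs: dict = field(default_factory=dict)
    cache: set = field(default_factory=set)      # resident line numbers
    memory: bytes = b""
    eve_log: list = field(default_factory=list)  # everything the side channel exposes

    def load(self, addr: int) -> int:
        """Load a byte; bringing its line into the cache is visible to Eve."""
        line = addr // LINE_SIZE
        if line not in self.cache:
            self.cache.add(line)
            self.eve_log.append(("fill", line))
        return self.memory[addr]

    def rollback(self, regs_snap: dict, cache_snap: set) -> None:
        """COW-style restore. Evicting the speculatively filled lines is
        itself observable, so the cleanup adds to Eve's log rather than
        erasing it."""
        self.regs = dict(regs_snap)
        for line in self.cache - cache_snap:
            self.eve_log.append(("evict", line))
        self.cache = set(cache_snap)


class Squash(Exception):
    """Raised when the speculation is found to be wrong (e.g. a failed bounds check)."""


def speculate(m: Machine, body: Callable[[Machine], None]) -> bool:
    """Run body speculatively; return True if committed, False if squashed.
    The except clause is the UNWIND-PROTECT-style cleanup."""
    regs_snap, cache_snap = dict(m.regs), set(m.cache)
    try:
        body(m)
        return True
    except Squash:
        m.rollback(regs_snap, cache_snap)
        return False


def build_machine(secret: int) -> Machine:
    """Constructed memory image: the secret byte sits at address 0 and a
    probe array of NUM_LINES lines starts at PROBE_BASE."""
    mem = bytearray(PROBE_BASE + NUM_LINES * LINE_SIZE)
    mem[0] = secret
    return Machine(memory=bytes(mem))


def gadget(m: Machine) -> None:
    """Speculative window: read the secret into r1, touch the probe line
    indexed by it, then get squashed."""
    m.regs["r1"] = m.load(0)
    m.load(PROBE_BASE + m.regs["r1"] * LINE_SIZE)
    raise Squash()


def eve_recover(log: Iterable[tuple], events=("fill", "evict")) -> int:
    """Eve infers the secret from the first probe line she saw move, in
    either direction. Restricting events to ("evict",) models an Eve who
    missed the speculation and only watched the rollback."""
    first_probe = PROBE_BASE // LINE_SIZE
    for event, line in log:
        if event in events and line >= first_probe:
            return line - first_probe
    raise ValueError("no probe line observed")


def run(secret: int):
    """Return (committed, registers after the window, what Eve learned,
    number of events Eve saw)."""
    m = build_machine(secret)
    committed = speculate(m, gadget)
    return committed, m.regs, eve_recover(m.eve_log), len(m.eve_log)


if __name__ == "__main__":
    print(run(0x41))
```

After the squash the registers are back to their pre-window values and the cache holds exactly what it held before, yet Eve's log contains two fills and two evictions, and either pair on its own names the secret byte; the rollback doubled the signal rather than removing it.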