[Cryptography] Speculation considered harmful?

Henry Baker hbaker1 at pipeline.com
Fri Jan 5 11:46:55 EST 2018


At 04:07 PM 1/4/2018, John Gilmore wrote:
>> There's only one slight problem: you can't unring a bell: you can't
>> "unlearn"/"forget" a bit that you learned during the gathering
>> phase.  Or more precisely, you can't force a party to the
>> transaction to forget such bits.
>
>Not true.
>
>The attack succeeds by doing a speculative load, which faults, but which actually picks up the addressed data anyway -- and then uses that data for a future operation (which leaves some visible trace).
>
>The obvious place to fix that is: When a load faults, don't pick up the addressed data.
>
>Every architecture that has memory-mapped I/O ports already has to deal with this; the permissions check has to happen BEFORE committing the transaction, else memory-mapped registers that change upon being read will be touchable by unprivileged code.

Yes, but in order to check the permissions, you might have to first load something into the TLB cache.  But then this TLB cache leaks information, albeit at a reduced resolution and hence bandwidth.

Oops!
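The "visible trace" discussed above is, in practice, a cache side channel: the speculative load's value selects which line of an attacker-controlled array gets pulled into cache, and the attacker reads it back by timing. The following is an added example, not code from this thread or from either poster: a Flush+Reload probe in C in which a plain function call (the assumed "victim", with a constructed secret byte) stands in for the faulting speculative load, so only the channel itself is exercised, not the fault or the TLB fill Henry Baker raises. The x86 intrinsics `_mm_clflush`, `_mm_mfence` and `__rdtscp` are real; on non-x86 targets the measurement is stubbed out and only the decoding step runs.

```c
/* Added example (not from the mailing-list post): a Flush+Reload probe.
 * A victim touches one line of a 256-entry probe array, indexed by a secret
 * byte; the attacker then times a reload of every line and recovers the
 * secret from whichever line was already cached.  Assumptions: the victim is
 * an ordinary function call, and the secret is a constructed constant. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STRIDE 4096   /* one probe line per page, so the prefetcher does not help */
#define NLINES 256

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86_TIMING 1
#else
#define HAVE_X86_TIMING 0
#endif

static uint8_t probe[NLINES * STRIDE];
static volatile uint8_t sink;   /* keeps the loads from being optimised away */

/* Assumed "victim": leaves a trace by loading probe[secret * STRIDE]. */
void victim_touch(uint8_t secret)
{
    sink = probe[(size_t)secret * STRIDE];
}

/* Cycles taken to reload probe line i; 0 where no cycle counter is available. */
uint64_t time_reload(int i)
{
#if HAVE_X86_TIMING
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    sink = probe[(size_t)i * STRIDE];
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
#else
    (void)i;
    return 0;
#endif
}

/* Decoding step, kept separate so it is deterministic: the cached line is the
 * fastest one.  Returns -1 when no line stands out (second-fastest not at least
 * twice as slow, or no timing data at all), i.e. no trace was observed. */
int decode_trace(const uint64_t times[NLINES])
{
    int best = 0;
    for (int i = 1; i < NLINES; i++)
        if (times[i] < times[best]) best = i;
    uint64_t second = UINT64_MAX;
    for (int i = 0; i < NLINES; i++)
        if (i != best && times[i] < second) second = times[i];
    if (times[best] == 0 || second < 2 * times[best]) return -1;
    return best;
}

/* Constructed timing vector for testing the decoder offline: every line costs
 * `miss` cycles except `hot`, which costs `hit`. */
void synth_trace(uint64_t times[NLINES], uint64_t miss, int hot, uint64_t hit)
{
    for (int i = 0; i < NLINES; i++) times[i] = miss;
    if (hot >= 0 && hot < NLINES) times[hot] = hit;
}

/* One full round: touch every page so it is mapped, flush, let the victim run,
 * reload in a scrambled order (167 is odd, so k*167+13 mod 256 is a permutation
 * and a stride prefetcher gets no pattern), then decode. */
int run_round(uint8_t secret)
{
    uint64_t times[NLINES];
    for (int i = 0; i < NLINES; i++) probe[(size_t)i * STRIDE] = 1;
#if HAVE_X86_TIMING
    for (int i = 0; i < NLINES; i++) _mm_clflush(&probe[(size_t)i * STRIDE]);
    _mm_mfence();
#endif
    victim_touch(secret);
    for (int k = 0; k < NLINES; k++) {
        int i = (k * 167 + 13) & 0xff;
        times[i] = time_reload(i);
    }
    return decode_trace(times);
}

int main(void)
{
    uint8_t secret = 0x2a;   /* constructed secret byte */
    int guess = run_round(secret);
    if (guess < 0) printf("no clear trace observed (noise, or no x86 timer)\n");
    else printf("victim touched line 0x%02x, probe recovered 0x%02x\n", secret, guess);
    return 0;
}
```

On a real x86 core the live round will usually recover the secret; the margin check in `decode_trace` makes it report "no trace" rather than a wrong byte when the timings are too noisy. Note what this does not show: Gilmore's proposed fix (do not fetch the data on a faulting load) closes the channel only if nothing else the permission check touches, such as the page-table walk feeding the TLB, leaves its own cache footprint, which is exactly Baker's objection.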


