[Cryptography] Speculation considered harmful?

Tom Mitchell mitch at niftyegg.com
Sat Jan 6 16:55:03 EST 2018


On Fri, Jan 5, 2018 at 9:49 PM, Howard Chu <hyc at symas.com> wrote:

> Henry Baker wrote:
>
>> So-called "two phase commit protocols" attempt to gather all the
>> information and resources necessary to *complete* a transaction prior to
>> "committing" the transaction.  If the transaction can't be completed, then
>> it must need to be "rolled back" -- a process of *undoing* any actions that
>> were done during the gathering phase.
>>
>> There's only one slight problem: you can't unring a bell: you can't
>> "unlearn"/"forget" a bit that you learned during the gathering phase.  Or
>> more precisely, you can't force a party to the transaction to forget such
>> bits.
>>
>> I don't have a clean solution to this "forgetting" problem, and I doubt
>> that anyone else does, either.
>>
>
> Eh. In the context of Spectre, the CPU knows which cachelines it loaded in
> a speculative fetch. It should simply mark them invalid when unrolling the
> speculation.
>

It might help to edit the subject of this thread to also include pipelining
and cache.
Pipelines can be deep and look like speculation if a pipeline-generated
value is tested and a branch kills the pipeline (same thing, different things
to google depending on the schools and chronology of the hardware being
discussed).

Cache can leak information via cache line associativity and aliasing.
https://sudiptac.bitbucket.io/papers/chalice.pdf
https://cyber.wtf/2016/06/16/cache-side-channel-attacks-cpu-design-as-a-security-problem/
https://arxiv.org/pdf/1606.01356.pdf

Understanding cache is critical for benchmarks if cache line aliasing
triggers cache timing changes.  Anytime benchmark values change
from mixed system loads it is obvious someone can see and open a side
channel.
Some system calls for mutex in I/O can invalidate cache.  Most devices are
not cache coherent so they must trigger a flush behind the curtain.
See also page attribute table (PAT).



-- 
  T o m    M i t c h e l l
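
The aliasing effect on benchmark numbers described in the message above, as an added example that is not part of the original post: a hit/miss model of a set-associative LRU cache, showing that an unrelated load touching one aliased set changes the benchmark's miss profile in exactly that set. The cache geometry, addresses and function names are constructed for illustration, and the model counts misses rather than measuring time.

```python
from collections import OrderedDict

LINE, SETS, WAYS = 64, 64, 8   # constructed geometry: 32 KiB, 8-way, 64-byte lines

class Cache:
    """Set-associative cache model with LRU replacement (hit/miss only, no timing)."""
    def __init__(self):
        self.sets = [OrderedDict() for _ in range(SETS)]

    @staticmethod
    def set_index(addr):
        return (addr // LINE) % SETS

    def access(self, addr):
        """Touch addr; return True on a hit, False on a miss (the line is then filled)."""
        tag = addr // (LINE * SETS)
        s = self.sets[self.set_index(addr)]
        if tag in s:
            s.move_to_end(tag)          # mark as most recently used
            return True
        if len(s) >= WAYS:
            s.popitem(last=False)       # evict the least recently used line
        s[tag] = True
        return False

def benchmark_pass(cache, base=0):
    """Walk a working set that exactly fills the cache; return misses per set."""
    misses = [0] * SETS
    for way in range(WAYS):
        for s in range(SETS):
            if not cache.access(base + (way * SETS + s) * LINE):
                misses[s] += 1
    return misses

def other_load(cache, target_set, lines, base=1 << 20):
    """Unrelated workload: `lines` addresses that all alias to target_set."""
    for i in range(lines):
        cache.access(base + (i * SETS + target_set) * LINE)

def demo(target_set=13, lines=3):
    cache = Cache()
    benchmark_pass(cache)               # warm-up pass fills every set
    quiet = benchmark_pass(cache)       # no other load: every access hits
    other_load(cache, target_set, lines)
    noisy = benchmark_pass(cache)       # misses appear only in the aliased set
    return quiet, noisy

if __name__ == "__main__":
    quiet, noisy = demo()
    print("sets with misses:", [(s, m) for s, m in enumerate(noisy) if m])
```

Under LRU with a cyclic walk, even a single foreign line in a full set makes every one of the benchmark's lines in that set miss on the next pass, which is why the benchmark's change is both visible and localized to one set.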