[Cryptography] Speculation considered harmful?

John Levine johnl at iecc.com
Tue Jan 9 01:57:54 EST 2018


In article <E1eYm2s-0004Jy-9Q at elasmtp-kukur.atl.sa.earthlink.net> you write:
>>I know the guys who invented VLIW. ...
>>I have no idea whether its flavor of speculation can be used for the same kind of attacks.
>
>You knew the guys who invented music boxes ? ...

Gosh, it's fun to be snarky, but it'd help to learn something about the topic.

VLIW isn't just wide microcode.  It's a combination of wide
instructions with compilers that use aggressive techniques to keep the
hardware controlled by wide instructions busy.

>I knew the Multiflow VLIW company, but I would say that there were a lot of sophisticated things going on that
>went far beyond the simple idea of "very long word instructions".

No kidding.  Trace scheduling was first described in John Ellis'
thesis at Yale.  His advisor Josh Fisher took a bunch of other
students to start Multiflow.  The Multiflow computer worked pretty
well, up to some limits.  One of the things that trace scheduling did
was deep loop unrolling, often with multiple iterations of the loop in
flight at the same time.  It sometimes found that it was running code
a few iterations past the actual end of the loop that had to be
nullified, i.e., speculation.

They tried to avoid using caches and hardware memory bank scheduling
and instead schedule in software to make the memory hardware simpler.
They tried hard to predict statically which references would go to
which memory bank.  That turned out not to work very well; memory
access was less regular than they hoped, which led to bottlenecks
where they had to be conservative about what references might
interfere even though they usually didn't.  After Multiflow ran out of
money, the software was shopped around and people went to multiple
places leading directly to VLIW work at HP and Intel.

Later VLIWs threw more hardware at memory scheduling to avoid
bottlenecks, so I suppose it depends on the details of each implementation
to figure out whether trace scheduled speculation could be used for
side channels.

R's,
John
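The "iterations past the actual end of the loop that had to be nullified" point above is easy to see in plain C. The following is an added illustration, not code from John's post or from Multiflow: a loop unrolled by four in the style a trace scheduler would produce, with a simulated load trace (the `trace_t` type, `traced_load`, and the padded `backing` buffer are all constructed for this example). The first variant applies the predicate to the result only, so the speculated lanes still issue their loads; the second applies it to the load itself. Both return the same sum, but only the first leaves accesses past the end of the array in the trace, which is exactly the kind of side effect that matters for side channels.

```c
#include <stdio.h>

#define UNROLL 4
#define MAX_TRACE 64

/* Simulated "hardware": every load is recorded so we can inspect which
 * indices the speculated tail iterations touched. (Constructed for the
 * example; nothing here is from the original post.) */
typedef struct {
    int idx[MAX_TRACE];   /* indices of every element loaded */
    int count;
} trace_t;

static int traced_load(const int *a, int i, trace_t *t) {
    if (t->count < MAX_TRACE) t->idx[t->count++] = i;
    return a[i];
}

/* Variant 1: all UNROLL lanes of the last group are computed
 * unconditionally and results past n are nullified afterwards. The loads
 * beyond n still execute. 'a' must have UNROLL-1 readable elements after
 * index n-1 for this to be well-defined C. */
int sum_nullify_result(const int *a, int n, trace_t *t) {
    int sum = 0;
    for (int i = 0; i < n; i += UNROLL) {
        for (int lane = 0; lane < UNROLL; lane++) {
            int v = traced_load(a, i + lane, t);  /* speculative load */
            int keep = (i + lane) < n;            /* predicate */
            sum += keep ? v : 0;                  /* nullify past-end lanes */
        }
    }
    return sum;
}

/* Variant 2: the predicate guards the load itself, so nothing past n is
 * ever touched. Same result, no stray accesses. */
int sum_guard_load(const int *a, int n, trace_t *t) {
    int sum = 0;
    for (int i = 0; i < n; i += UNROLL) {
        for (int lane = 0; lane < UNROLL; lane++) {
            if ((i + lane) < n)
                sum += traced_load(a, i + lane, t);
        }
    }
    return sum;
}

/* Count loads whose index is >= n: accesses the loop was not supposed to
 * make. This is the check a reviewer of a schedule would want. */
int out_of_range_loads(const trace_t *t, int n) {
    int bad = 0;
    for (int k = 0; k < t->count; k++)
        if (t->idx[k] >= n) bad++;
    return bad;
}

/* Constructed input: 6 live elements followed by UNROLL-1 padding slots
 * that stand in for memory beyond the loop's end. */
static const int backing[6 + UNROLL - 1] = {1, 2, 3, 4, 5, 6, 100, 200, 300};
static const int live_n = 6;

/* Convenience wrappers over the constructed input. */
int demo_sum(int guard_loads) {
    trace_t t = {{0}, 0};
    return guard_loads ? sum_guard_load(backing, live_n, &t)
                       : sum_nullify_result(backing, live_n, &t);
}

int demo_stray_loads(int guard_loads) {
    trace_t t = {{0}, 0};
    if (guard_loads) sum_guard_load(backing, live_n, &t);
    else             sum_nullify_result(backing, live_n, &t);
    return out_of_range_loads(&t, live_n);
}

int main(void) {
    printf("sum (nullify result) = %d, stray loads = %d\n",
           demo_sum(0), demo_stray_loads(0));
    printf("sum (guard load)     = %d, stray loads = %d\n",
           demo_sum(1), demo_stray_loads(1));
    return 0;
}
```

With six live elements and an unroll factor of four, the second group covers indices 4 through 7, so the result-nullifying variant issues two loads beyond the end of the data while computing the correct sum of 21; the load-guarding variant computes the same sum with none. Whether a real VLIW exposes the first behaviour depends, as the post says, on how each implementation schedules memory.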


