[Cryptography] Various CPU cache side channels

Henry Baker hbaker1 at pipeline.com
Mon Mar 26 18:01:16 EDT 2018 

I've done a lot of reading re Spectre, and it would
appear that Spectre-like attacks could be made on
*any/every* cache found in every modern processor,
including:

* data cache attacks (already done)
* instruction cache attacks (already done, e.g.,
Spectre, inconsistent instruction and data caches)
* TLB attacks (somewhat done already)
* branch prediction cache attacks (already done,
Spectre)

This is particularly difficult because there's
no way for the hardware to know whether the data
it is processing is secret or not, and I've seen
no proposals to date for HW data tagging based
upon secrecy classifications.  For example, the
length of a constant-size message -- e.g., an
internet packet -- is presumably not secret, but
the *contents* of such packets -- including all
header bits -- should be secret.  Even the
connection status in routing data tables leak a
lot of information.

Thus, any SW package -- e.g., OpenSSL -- that
processes secret bits -- needs to be able to:

1.  Mask off all interrupts (& poll temperature
and voltage in order to clear secrets when
powering down).
2.  Clear I$, D$, TLB, branch prediction caches
upon entry and upon exit.
3.  Pause all other threads (SW or HW "harts")
4.  Lock CPU clock frequency while inside secret
calculations.

Since multi-core processors are becoming ubiquitous
(a recently designed RISC V multicore processor can
put 42(!) cores in one mm^2), the idea of isolating
secrets in certain cores is attractive; indeed,
Paul Kocher makes this point in his recent talk
about Spectre.

However, one man's secrets are another's business
(Facebook, Google, NSA), so it isn't clear anymore
what *isn't* secret.  In addition, secrecy
classifications don't form nice lattices, so
enforcing secrecy classifications inside of a
processor is very complex.

We're in the same boat (!) as a modern ultraquiet
submarine, where *everyone* on the sub has to
be ultraquiet -- not just the communications
officers.

So this means that *every* core within a multi-
core chip may end up processing secrets, so we're
back to square one.

More information about the cryptography mailing list