[Cryptography] Buffer Overflows & Spectre

Henry Baker hbaker1 at pipeline.com
Mon Nov 19 09:50:30 EST 2018

Is it just me, or does anyone else feel a deep sense of betrayal and irony?

We in computer science have spent 50+ years advocating proper code hygiene in which every array reference is properly bounds-checked to avoid the dreaded *buffer overflow*.

We've beaten up on languages such as C & C++ for their bad hygiene, and attempted to steer students towards modern languages which are *safe by design*, because they obsessively and anally check every array reference.

What has it netted us?

We've been undone by our own hardware, which *ignores* our *explicit instructions* to check every array reference -- e.g., Spectre.

Isn't it time for a *class action lawsuit* against every CPU vendor?

This is not just *negligence*, but outright *fraud*, because the CPU violates its own advertising !

It is as if an automobile manufacturer put a Spectre-like bug in our automobile braking systems which occasionally ignored the brake pedal because it adversely affected gas mileage.  Who cares about a few "accidental" deaths here and there, if the manufacturer can claim a few percentage points additional gas mileage?

***What the CPU manufacturers have done is every bit as bad as the auto manufacturers did to *cheat the emissions testing*! ***

More information about the cryptography mailing list