1. 10
  1. 7

    [This has been panning out as I predicted in a comment on prior thread for past week (sighs)…]

    I already countered him on microarchitectural covert channels. Goes back further to VAX Security Kernel (1992) being designed to certify to A1-class which mandated covert-channel analysis that regular, “secure coders” didn’t do. INFOSEC pioneers had already found them in software and hardware like disks. A person on that project reported them for cache timing as well. I pointed it out plus some follow-up commentary here.

    I didn’t respond to the later nonsense dismissals on HN and elsewhere about the Intel CPU Security submission since I had surgery shortly after that on an impacted tooth. Didn’t want to be online all drugged up talking about these things. ;) Suffice it to say, high-assurance security had already found piles of risk areas for both penetration and side channels in Intel CPUs with some attempts at mitigation (including avoiding Intel CPUs) by the mid-1990s. They encouraged Intel, purchasers, and security community to deal with it as part of routine work in improving security.

    As usual, the mainstream security community just ignored everything they said when they bumped into each other. Then, a bright researcher independently discovered the side channels in caches later. They started reacting to that claim. They found some similar issues in other stuff looking narrowly. Now, we have another clever attack that started with a shared resource as would’ve been identified in the 1992 methodology that got stretched in really creative ways. It was still the same root cause they ignored or justified for things like lowest price/performance versus alternatives doing it securely. Or just physical separation of different security domains which highest-security setups stuck with grudgingly.

    My prediction in one of the Lobsters comments was that piles of comments would happen about this that didn’t involve actually solving it (social gratification), more people would similarly write articles boasting their understanding to generate extra rep since talking about problems is rewarded more than devising solutions (doubly true if catchy name!), a few mitigations would show up that were tactical focusing narrowly on just this new kind of problem (like happened with caches), they’d still ignore prior work in high-assurance like Kemmerer or Wray’s analyses that found similar problems with focus on analyzing whole system, they’d mostly ignore new work on information-flow analysis, and we’d at best get some time until the next problem that could’ve been prevented by 1990s or recent methods since that’s how mainstream security industry and culture works.

    They’re right on track since that’s about all I saw while in recovery. Endless articles using the buzzwords to their advantage plus people who don’t know we could’ve beaten this in the 1990s because security professionals suppress that stuff for some reason. That needs to stop. At least they’re rediscovering ’60s-’90s knowledge at an accelerated rate now.