undefined | Better HN

0 points_0w8t8y ago0 comments

This bug can be worked around. But the next one may not, making hardware-based virtualization as a secure way to run unprivileged code with max native performance unworkable. I.e. longer term if one wants to run untrusted code, it cannot be native one so any bug can be fixed without replacing hardware.

0 comments

walterbell8y ago

>if one wants to run untrusted code, it cannot be native one so any bug can be fixed without replacing hardware

It's a bit hard to parse that sentence, could you rephrase?

Are you saying that untrusted code should only be run on systems which do not use hardware virtualization, because there's a risk of hardware bugs that require hardware replacement? The problem is that there is no single-system equivalent, users would have to use multiple laptops/desktops and air gaps to achieve separation (e.g. between network drivers and userspace apps). May not be practical.

Yes there's a risk of a catastrophic hardware bug with no workaround, but that risk applies to every feature in the CPU, not only virtualization or page tables or speculative execution. Statistically it's only happened once with the single Intel CPU recall, which are better odds than other risks.

_0w8tOP8y ago

My point is that to run untrusted code it should be delivered in some form of bytecode, not the native code for CPU. This way one can always workaround CPU issues by changing the compiler or the interpreter even for catastrophic bugs in any part of CPU. Moreover, as hardware VM can execute much more instructions than unprivileged user processes, the probability that something unfixable will happen to them is higher then for ordinary processes.

As for statistics, there are strong indications that modern efforts for CPU verification do not keep up with increasing CPU complexity. So number and severity of bugs will grow.

JdeBP8y ago

I suggest reading this discussion about reinventing the AS/400: https://news.ycombinator.com/item?id=16053518

walterbell8y ago

Which bytecode do you recommend? Are you assuming the bytcode interpreter to be bug-free? There have been JVM escapes.

1 more reply

j / k navigate · click thread line to collapse

0 comments

walterbell8y ago

>if one wants to run untrusted code, it cannot be native one so any bug can be fixed without replacing hardware

It's a bit hard to parse that sentence, could you rephrase?

_0w8tOP8y ago

As for statistics, there are strong indications that modern efforts for CPU verification do not keep up with increasing CPU complexity. So number and severity of bugs will grow.

JdeBP8y ago

I suggest reading this discussion about reinventing the AS/400: https://news.ycombinator.com/item?id=16053518

walterbell8y ago

Which bytecode do you recommend? Are you assuming the bytcode interpreter to be bug-free? There have been JVM escapes.

1 more reply

j / k navigate · click thread line to collapse