undefined | Better HN

0 pointsmikewarot5y ago0 comments

>The safe execution of any untrusted Turing complete code is a pipe dream.

The safe execution of any code requires an operating environment that never trusts the code with more than the least privilege required to complete a task. It has worked in mainframes that way for decades.

The IT zeitgeist these days makes me sad. Things can be better, but almost everyone is pushing in counterproductive directions, or has given up hope.

0 comments

7 comments · 3 top-level

baybal25y ago· 3 in thread

> The safe execution of any code requires an operating environment that never trusts the code with more than the least privilege required to complete a task. It has worked in mainframes that way for decades.

It has nothing to do with any OS level security features. We are talking about things happening below the level of what software can see.

You just cannot see any sign of such attack by looking at any register the OS can see.

mikewarotOP5y ago

These are timing attacks, if you can guarantee code runs deterministically, and deny access to timing information, you can defeat the attack.

addaon5y ago

Timing attacks are only a subset of side channel attacks, though. One can also imagine thermal attacks -- the amount of power you consume leaks information about what you're doing. And if I share a processor with you, there's various ways I can imagine estimating your power usage. On a processor that has dynamic clocking, the clock speed I'm running at is an indicator of the operations you're doing. Even without dynamic clocking, the probability of an ECC error, for example, is likely to change with temperature.

Eliminating timing vulnerabilities is necessary to allow potentially-hostile workloads to share hardware, but it is not sufficient.

1 more reply

baybal25y ago

You can't run code deterministically in a multi-tenant system.

2 more replies

tolbish5y ago· 1 in thread

Wouldn't the OS code doing the privilege checking be susceptible to vulnerabilities?

mikewarotOP5y ago

Yes, but it wouldn't include code that exploits those vulnerabilities, by design, and it wouldn't trust any other code, so in effect, it would shield the system from it.

samus5y ago

The people operating mainframes have a vastly diffrerent mindset and skills from the average computer/smartphone user. The former can and do dedicate 40h/week and more to studying documentation and tweaking the sandboxes of the stuff they run.

j / k navigate · click thread line to collapse

0 comments

7 comments · 3 top-level

baybal25y ago· 3 in thread

It has nothing to do with any OS level security features. We are talking about things happening below the level of what software can see.

You just cannot see any sign of such attack by looking at any register the OS can see.

mikewarotOP5y ago

These are timing attacks, if you can guarantee code runs deterministically, and deny access to timing information, you can defeat the attack.

addaon5y ago

Eliminating timing vulnerabilities is necessary to allow potentially-hostile workloads to share hardware, but it is not sufficient.

1 more reply

baybal25y ago

You can't run code deterministically in a multi-tenant system.

2 more replies

tolbish5y ago· 1 in thread

Wouldn't the OS code doing the privilege checking be susceptible to vulnerabilities?

mikewarotOP5y ago

Yes, but it wouldn't include code that exploits those vulnerabilities, by design, and it wouldn't trust any other code, so in effect, it would shield the system from it.

samus5y ago

j / k navigate · click thread line to collapse