undefined | Better HN

0 pointstitzer2y ago0 comments

I almost gave you up an upvote until your third paragraph, but I have to now give a hard disagree. We're running more untrusted code than ever, and we absolutely should trust it less than ever and have hardware and software designed with security in mind. Security should be priority #1 from here on out. We are absolutely awash in performance and memory capacity but keep getting surprised by bad security outcomes because it's been second fiddle for too long.

Software is now critical infrastructure in modern society, akin to the power grid and telephone lines. It's a strategic vulnerability to neglect security, and it must happen at all levels of the software and hardware stack. Meaning, trying to crash an enemy's entire society by bricking all of its computers and send them back to the dark ages in milliseconds. I fundamentally don't understand the mindset of people who want to take that kind of risk for a 10% boost in their games' FPS[1].

Part of that is paying back the debt that decades of cutting corners has yielded us.

In reality, the vast majority of the 1000x increase in performance and memory capacity over the past four decades has come from shrinking transistors and increasing clockspeeds and memory density--the 1 or 5 or 10% gains from turning off bounds checks or prefetching aren't the lion's share. And for the record, turning off bounds checks is monumentally stupid, and people should be jailed for it.

[1] I'm exaggerating to make a point here. What we trade for a little desktop or server performance is an enormous, pervasive risk. Not just melting down in a cyberwar, but the constant barrage of intrusion and leaks that costs the economy billions upon billions of dollars per year. We're paying for security, just at the wrong end.

0 comments

10 comments · 3 top-level

bee_rider2y ago· 5 in thread

> I fundamentally don't understand the mindset of people who want to take that kind of risk for a 10% boost in their games' FPS[1]

Me either. But, lots of engineers are out there just writing single threaded matlab and python codes with lots of data-dependencies and just hoping the system manages to do a good job (for those operations that can’t be offloaded to BLAS). So I'm glad gamer dollars subsidize the development of fast single threaded chips that handle branchy codes well.

> In reality, the vast majority of the 1000x increase in performance and memory capacity over the past four decades has come from shrinking transistors and increasing clockspeeds and memory density

I disagree, modern designs include deep pipelines, lots of speculation, and complex caches because that’s the only way to spend that higher transistor budget for higher clocks and compensate for the fact that memory latencies haven’t kept up.

> Part of that is paying back the debt that decades of cutting corners has yielded us.

It will be tough, but yeah, server and mainframe users need to roll back the decision to repurpose consumer focus chips like the x86 and arm families. RISC-V is looking good though and seems open enough that maybe they can pick-and-choose which features they take.

> I almost gave you up an upvote until your third paragraph, but I have to now give a hard disagree.

I’m not too worried about votes on this post; this site has lots of web devs and cloud users, pointing out that the ecosystem they rely on is impossible to secure is destined to get lots of downvotes-to-disagree.

saagarjha2y ago

How is RISC-V going to solve anything here?

bee_rider2y ago

It isn’t a sure thing. Just, since it is a more open ecosystem, maybe the designers of chips that need to be able to safely run untrusted code can still borrow some features from the general population.

I think it is basically impossible to run untrusted code safely or to build sand-proof sandboxes, but I thought the rest of my post was too pessimistic.

snvzz2y ago

It is significantly less complex yet without compromising anything. This means a larger portion of a chip's design effort can be put elsewhere such as into preventing side channel attacks.

saagarjha2y ago

I don't really see how the design of RISC-V avoids the need to have a DMP

1 more reply

epcoa2y ago

Anything specific?

saagarjha2y ago· 2 in thread

Turning off bounds checks is like a 5% performance penalty. Turning off prefetching is like using a computer from twenty years ago.

crest2y ago

Turning off prefetching while running crypto code would be a performance gain before you can implement the algorithms safely without even more expensive and fragile software mitigations. Just give me the option of configuring parts of the caches (at least data + instructions + TLBs) as scratchpad and and a "run without timing side-channels pretty please" bit with a clearly defined API contract and accessible (by default) to unprivileged userspace code. Lots of cryptographic algorithms have such small working sets that they would profit from a constant-time accessible scratchpad in the L1d cache if they get to use data dependent addresses into it again.

olliej2y ago

Happily there are mechanisms to do just that, specifically for the purpose of implementing cryptography (I commented at the top level and don't want to just spamming the url).

aseipp2y ago

I agree that hardware/software codesign are critical to solving things like this, but features like prefetching, speculation, and prediction are absolutely critical to modern pipelines and broadly speaking are what enable what we think of as "modern computer performance." This has been true for over 20 years now. In terms of "overhead" it's not in the same ballpark -- or even the same sport, frankly -- as something like bounds checking or even garbage collection. Hell, if the difference was within even one order magnitude, they'd have done it already.

j / k navigate · click thread line to collapse

0 comments

10 comments · 3 top-level

bee_rider2y ago· 5 in thread

> I fundamentally don't understand the mindset of people who want to take that kind of risk for a 10% boost in their games' FPS[1]

> In reality, the vast majority of the 1000x increase in performance and memory capacity over the past four decades has come from shrinking transistors and increasing clockspeeds and memory density

> Part of that is paying back the debt that decades of cutting corners has yielded us.

> I almost gave you up an upvote until your third paragraph, but I have to now give a hard disagree.

saagarjha2y ago

How is RISC-V going to solve anything here?

bee_rider2y ago

I think it is basically impossible to run untrusted code safely or to build sand-proof sandboxes, but I thought the rest of my post was too pessimistic.

snvzz2y ago

It is significantly less complex yet without compromising anything. This means a larger portion of a chip's design effort can be put elsewhere such as into preventing side channel attacks.

saagarjha2y ago

I don't really see how the design of RISC-V avoids the need to have a DMP

1 more reply

epcoa2y ago

Anything specific?

saagarjha2y ago· 2 in thread

Turning off bounds checks is like a 5% performance penalty. Turning off prefetching is like using a computer from twenty years ago.

crest2y ago

olliej2y ago

Happily there are mechanisms to do just that, specifically for the purpose of implementing cryptography (I commented at the top level and don't want to just spamming the url).

aseipp2y ago

j / k navigate · click thread line to collapse