What can be said about how much Spectre affects object capability security relative to ACL security? I'm mostly thinking of capabilities at the language level, but interested to hear about other systems too. Has there been much/any research trying to evaluate the effect on capability systems?
In general, presumably the ability to read memory makes it easier to exploit other vulnerabilities, but fundamentally as far as capability languages go -- because language-level caps are not bit patterns -- the direct effect is similar for both caps and ACLs? If so, does that mean that the overall outcome is not to change the relative merits of the two approaches, or are there more subtle effects?
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/77c81118-9982-46ef-88d9-274563bf123b%40www.fastmail.com.
What can be said about how much Spectre affects object capability security relative to ACL security? I'm mostly thinking of capabilities at the language level, but interested to hear about other systems too. Has there been much/any research trying to evaluate the effect on capability systems?
In general, presumably the ability to read memory makes it easier to exploit other vulnerabilities, but fundamentally as far as capability languages go -- because language-level caps are not bit patterns -- the direct effect is similar for both caps and ACLs? If so, does that mean that the overall outcome is not to change the relative merits of the two approaches, or are there more subtle effects?
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/77c81118-9982-46ef-88d9-274563bf123b%40www.fastmail.com.
Another important point: in order to exploit timing side-channels, you
need a clock. OCap languages can deny this, simply by not providing one.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/161997951639.109556.13367004627856545994%40localhost.localdomain.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/161997951639.109556.13367004627856545994%40localhost.localdomain.
Is that simple? https://xsleaks.com/docs/attacks/timing-attacks/clocks/ suggests otherwise (at least in a browser). Also, I wouldn’t want to bet that timings are the only side-channels to worry about. That said, ocaps can also help in confining the ability of attacker code to exfiltrate any data it manages to access via Spectre.The Chrome team have moved to assuming that OS processes are the only reasonable security boundary [1] and their primary approach to Spectre is "Your data must not unexpectedly enter an attacker’s process.” [2]. They are adding more process-level isolation and yet more headers to say which other sites can embed your resources.I’ve been reading this material recently, and it’s easy to feel deeply pessimistic about this, so it’s good to hear something positive.
PS - On the topic of language-level security mechanisms, I notice that there’s now a proposal to remove Java’s notorious Security Manager sandbox [3].
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/2DB6ED99-5110-403D-B7EB-66844A700D92%40forgerock.com.
On Sun, May 2, 2021 at 12:33 PM Neil Madden <neil....@forgerock.com> wrote:Is that simple? https://xsleaks.com/docs/attacks/timing-attacks/clocks/ suggests otherwise (at least in a browser). Also, I wouldn’t want to bet that timings are the only side-channels to worry about.
Quoting Neil Madden (2021-05-02 15:33:48)
> Is that simple?
> https://xsleaks.com/docs/attacks/timing-attacks/clocks/ suggests
> otherwise (at least in a browser).
It's much easier if you don't have the burden of compatibility with an
API that already provides these things.
For browser APIs, separating pages at the language level is probably a
lost cause, and process isolation does seem like the best available
solution.
> Also, I wouldn't want to bet that timings are the only side-channels
> to worry about.
The language approach, where applicable, works for *most* kinds of
side-channel I know of, but rowhammer is a notable exception -- hard to
do much about faulty hardware.
> That said, ocaps can also help in confining the ability of attacker
> code to exfiltrate any data it manages to access via Spectre.
Indeed.
-Ian
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/161998743706.114661.4119947395067671387%40localhost.localdomain.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/0e0c572d-fd47-4127-aa8c-c7f0542655df%40www.fastmail.com.
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/84f59908-70e4-4d0d-a4bb-cf0d54064a5b%40www.fastmail.com.
Reading this thread I've been wondering about GPUs which are becoming critical for high-performance neural networks. And neural nets are becoming parts of more and more apps, including web apps. I assume that WebGPU introduces many side channels.
Responding belatedly to the “you can just deny access to a clock” statement.There are many, many things that behave like clocks that are not de jure clocks, and especially so in multicore scenarios. Differences in comparative instruction timings are straightforward to detect, and this can’t be effectively prevented without imposing deterministic execution. Deterministic execution isn’t something people are going to impose in practice,
because this entails rolling the processor architecture world back about 70 years.
Caches, as an example, are not at all your friend when trying to defeat timing attacks.
Out of order execution even more so, and that sits at the foundation of modern processor performance.
On the whole, reinventing US manufacturing is a much easier problem to tackle in my dotage. :-)
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAAP%3D3QNRLHjiy5LOhnAXd0F9F20PZ-wwtF-JvfTp%3DoM6%2BzMJuw%40mail.gmail.com.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/162199883108.842.5451933486510866459%40localhost.localdomain.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/162199883108.842.5451933486510866459%40localhost.localdomain.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z1BsydGWU6q%3DcRs_h1dFu_9VEgX96U0u_2%2BHM%2BiTUZvxA%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAK5yZYhWSb%3DSKK%3DBE0CXhXQrM6fuh19%3D74JMZASp4DqO%3D%3Dhm6Q%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z2KLUfeMRifV1UXEHDUc_3ZR%3DnTccRVeDYobs-Xe89wDQ%40mail.gmail.com.
Anything besides thread scheduling / message order and external
communication you have in mind?
Caches, as an example, are not at all your friend when trying to defeat timing attacks.In the absence of any ways of measuring duration, caches are great. Deterministic computation + caches is still deterministic.Out of order execution even more so, and that sits at the foundation of modern processor performance.Again, only if you can somehow measure duration.
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAAP%3D3QOgpbw3z9z8Xq0Y3L-cPvDb7j_XKv_-DUS-vij8TUXdUw%40mail.gmail.com.
On Thu, 27 May 2021, 11:33 pm Jonathan S. Shapiro, <jonathan....@gmail.com> wrote:On Tue, May 25, 2021 at 6:01 PM Mark S. Miller <ma...@agoric.com> wrote:Caches, as an example, are not at all your friend when trying to defeat timing attacks.In the absence of any ways of measuring duration, caches are great. Deterministic computation + caches is still deterministic.Out of order execution even more so, and that sits at the foundation of modern processor performance.Again, only if you can somehow measure duration.Unfortunately, you *can* measure duration.Most of the instruction speculation methods are subject to small forms of side-detect that weren’t considered architecturally significant. Cache contention rules and policies are known, which means you can manually control eviction. Having done so, you can use the side detection to observe the latency difference between an in-cache load and an out-of-cache load.Voila. Instant fine grain timer.That's not a timer, that's a thing you want to time.But perhaps your timer is another doing an operation that takes a consistent amount of time to do something, and knowledge of how it is scheduled?
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAHgd1hGOe732cs1F8ZXtPLTDDMyREiB%3DG9LKz6EFE3_2weR76g%40mail.gmail.com.
.That's not a timer, that's a thing you want to time.
But perhaps your timer is another doing an operation that takes a consistent amount of time to do something, and knowledge of how it is scheduled?
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAAP%3D3QMP-gaU7Cqwn9G%3DAXHe3H%3DAYxHHTJPZNakFQ0GeVO9sdA%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAK-_AD6iKktvWyAFng9wJ1oBq9WMYzM29T%2B-NPvJheOCE6bfEA%40mail.gmail.com.
I don't get it. Please give an example of how you'd use any to measure duration in a single threaded supposedly deterministic computation in which all ways of escaping determinism were supposedly denied.
On Thu, May 27, 2021 at 7:18 AM Jonathan S. Shapiro <jonathan....@gmail.com> wrote:
As I said, many hardware-level speculation mechanisms are imperfectly isolated.
view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAK-_AD6iKktvWyAFng9wJ1oBq9WMYzM29T%2B-NPvJheOCE6bfEA%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/162213662471.958.16070419000202432470%40localhost.localdomain.
Mark:I’m not talking about single threaded deterministic computation, which may be one source of our disconnect. There are still hardware-level side detection concerns here in some cases. Though I would think that use of byte code and JIT makes those a lot harder to access. Starting from a valid byte code program.
The assertion that all ways of escaping determinism are denied is, of course, a problem area where we seem regularly discover new challenges. Part of what I’m saying is that escaping determinism is a lot easier than it first seems (as you know). Perhaps also that it is not sufficient to eliminate architectural multithreading; we probably need to consider multithreading that may be introduced by the underlying implementation (intentionally or otherwise). Node comes to mind here.In the course of your work in this area, have you had occasion to try to quantify the performance impact of determinism? I’m not preparing an objection. I’m thinking others will, and it would be nice to have some sense of the current state of the art in this regard.
Jonathan--On Thu, May 27, 2021 at 7:25 AM Mark S. Miller <ma...@agoric.com> wrote:I don't get it. Please give an example of how you'd use any to measure duration in a single threaded supposedly deterministic computation in which all ways of escaping determinism were supposedly denied.On Thu, May 27, 2021 at 7:18 AM Jonathan S. Shapiro <jonathan....@gmail.com> wrote:As I said, many hardware-level speculation mechanisms are imperfectly isolated.On Thu, May 27, 2021 at 7:01 AM Mark S. Miller <ma...@agoric.com> wrote:Yes. Jonathan, you point out only operations that have a different duration, and so reveal side channels if you can measure that duration. But you would still need a means of measuring duration to read that side channel. That can be denied. In fact, https://ses-demo.netlify.app/demos/challenge/ denies it. The slide channel here is purposely loud. But you cannot read it.----
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAAP%3D3QMP-gaU7Cqwn9G%3DAXHe3H%3DAYxHHTJPZNakFQ0GeVO9sdA%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAK-_AD6iKktvWyAFng9wJ1oBq9WMYzM29T%2B-NPvJheOCE6bfEA%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAAP%3D3QPbRJ%3D_Z4Xap10G2k9RFf5fr_qGp60OGvWJ7Yk4VjSpuw%40mail.gmail.com.
On Thu, 27 May 2021 at 17:03, Jonathan S. Shapiro <jonathan....@gmail.com> wrote:Mark:I’m not talking about single threaded deterministic computation, which may be one source of our disconnect. There are still hardware-level side detection concerns here in some cases. Though I would think that use of byte code and JIT makes those a lot harder to access. Starting from a valid byte code program.Nope. There are Spectre attacks that work in JS using V8.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CABrd9STrb9vzi3tpe5cADffZEgxOtbepDW50DFpPdTqOe%3Du-Kg%40mail.gmail.com.
On Thu, 27 May 2021 at 17:03, Jonathan S. Shapiro <jonathan....@gmail.com> wrote:Mark:I’m not talking about single threaded deterministic computation, which may be one source of our disconnect. There are still hardware-level side detection concerns here in some cases. Though I would think that use of byte code and JIT makes those a lot harder to access. Starting from a valid byte code program.Nope. There are Spectre attacks that work in JS using V8.The assertion that all ways of escaping determinism are denied is, of course, a problem area where we seem regularly discover new challenges. Part of what I’m saying is that escaping determinism is a lot easier than it first seems (as you know). Perhaps also that it is not sufficient to eliminate architectural multithreading; we probably need to consider multithreading that may be introduced by the underlying implementation (intentionally or otherwise). Node comes to mind here.In the course of your work in this area, have you had occasion to try to quantify the performance impact of determinism? I’m not preparing an objection. I’m thinking others will, and it would be nice to have some sense of the current state of the art in this regard.The cost of mitigating Spectre in current CPUs is around 50%, and it probably is not a complete mitigation - i.e. your stuff runs at half the speed as a result of mitigation.
--Jonathan--On Thu, May 27, 2021 at 7:25 AM Mark S. Miller <ma...@agoric.com> wrote:I don't get it. Please give an example of how you'd use any to measure duration in a single threaded supposedly deterministic computation in which all ways of escaping determinism were supposedly denied.On Thu, May 27, 2021 at 7:18 AM Jonathan S. Shapiro <jonathan....@gmail.com> wrote:As I said, many hardware-level speculation mechanisms are imperfectly isolated.On Thu, May 27, 2021 at 7:01 AM Mark S. Miller <ma...@agoric.com> wrote:Yes. Jonathan, you point out only operations that have a different duration, and so reveal side channels if you can measure that duration. But you would still need a means of measuring duration to read that side channel. That can be denied. In fact, https://ses-demo.netlify.app/demos/challenge/ denies it. The slide channel here is purposely loud. But you cannot read it.----
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAAP%3D3QMP-gaU7Cqwn9G%3DAXHe3H%3DAYxHHTJPZNakFQ0GeVO9sdA%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAK-_AD6iKktvWyAFng9wJ1oBq9WMYzM29T%2B-NPvJheOCE6bfEA%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAAP%3D3QPbRJ%3D_Z4Xap10G2k9RFf5fr_qGp60OGvWJ7Yk4VjSpuw%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CABrd9STrb9vzi3tpe5cADffZEgxOtbepDW50DFpPdTqOe%3Du-Kg%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CA%2BymXc29J-JG6DydD8GBtodYUcSzA_uxD7bS8JaUUJo%2BEHiRMg%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z3W-19vvyRqUJkCy%3DiEPg%3Dd5OR3arDpJcfiVKY_4-xKbQ%40mail.gmail.com.
Link?
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAK-_AD4g%3D9qu2URUfwx9Jg80zVm07D%2BsXzf6tcwHKo89obsdbg%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z0O8vP34CcYQxG-uBfZpUsN68euR%2B4EWqLadpdy4cQKPQ%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/162223406482.5791.6990143780434739790%40localhost.localdomain.
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/162223406482.5791.6990143780434739790%40localhost.localdomain.
How difficult is it to re-architect processors so that they don't leak?
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CA%2BymXc29J-JG6DydD8GBtodYUcSzA_uxD7bS8JaUUJo%2BEHiRMg%40mail.gmail.com.
Note that there are models of parallel computation that don't require
non-determinism, so you don't *necessarily* need non-determinism to
exploit massively parallel hardware -- indeed, environments which
exploit the most parallelism do things like map/reduce, use GPUs etc.
which do not use multi-threading as their model.
On Thu, May 27, 2021 at 12:36 PM 'Ben Laurie' via cap-talk <cap-...@googlegroups.com> wrote:On Thu, 27 May 2021 at 17:03, Jonathan S. Shapiro <jonathan....@gmail.com> wrote:Mark:I’m not talking about single threaded deterministic computation, which may be one source of our disconnect. There are still hardware-level side detection concerns here in some cases. Though I would think that use of byte code and JIT makes those a lot harder to access. Starting from a valid byte code program.Nope. There are Spectre attacks that work in JS using V8.Please try them against https://ses-demo.netlify.app/demos/challenge/
Quoting 'Ben Laurie' via cap-talk (2021-06-03 15:48:49)
> I don't see how they could apply - as far as I can see while the
> target is running, the attacker is blocked. That's a very artificial
> setup that, of course, defends well against this kind of attack.
I think you could relax this such that guess() returns a promise, which
resolves when the work (done by another thread) is complete, and this
would still hold, provided that:
- The other thread services these requests in FIFO order.
- There is otherwise no way for the program to set up a race between the
resolution of two different events, such that this could be used as a
timer.
That said,
> I'm not talking about single threaded deterministic computation, which
> may be one source of our disconnect.
I think this is correct; I don't think anyone on this thread has
disputed that if you have access to:
- non-deterministic multithreading
- some shared resource that can be manipulated and observed at a
sufficiently high frequency (memory being the obvious one, but
conceivably also something higher level like an event queue)
...then you can exploit timing side channels.
This feels like we're arguing as much about what is the topic of our
conversation as we are anything substantive. But the substantive
questions I think may be here are:
1. How applicable is deterministic programming?
2. For problem domains that do not admit deterministic programming
(which I think we all agree exist), are we screwed?
The sense I'm getting is that you and Johnathan believe some version of:
1. Not very.
2. Yes.
...whereas both Mark and I believe some version of:
1. Much more than you might think.
2. Good question.
...though if I've mischaracterized anyone's views please correct me.
I think if you'd asked me a decade and change ago when I was a grad
student doing operating systems stuff, I would have agreed with Ben &
Johnathan. Since then I've spent a lot more time doing high-level
programming, and it's made me realize that a lot of the assumptions I
had from systems programming about how programming has to work just
don't apply elsewhere. As I said, I don't know what the Rust of timing
side channels could look like.
-Ian
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/162275629304.17970.349295975846634346%40localhost.localdomain.
For future Intelligent Systems, my take is as follows:
- Small sub-computations will be deterministic in larger indeterminate computations
- Much can be done to mitigate side-channel attacks on current hardware.
- Future hardware can largely prevent significant damage from side-channel attacks.
1. How applicable is deterministic programming?
2. For problem domains that do not admit deterministic programming
(which I think we all agree exist), are we screwed?
The sense I'm getting is that you and Johnathan believe some version of:
1. Not very.
2. Yes.
...whereas both Mark and I believe some version of:
1. Much more than you might think.
2. Good question.
...though if I've mischaracterized anyone's views please correct me.
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CA%2BymXc2Ge7z97TRvMaJDiw89JwkAmaoJqS-%3DV9tQwx-ipqescA%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/162276856310.21409.1895796218313066621%40localhost.localdomain.