Defending against page-cache attacks
Defending against page-cache attacks
Posted Jan 17, 2019 21:44 UTC (Thu) by kucharsk (subscriber, #115077)Parent article: Defending against page-cache attacks
You can extend the paradigm as far out into the computing arena as you like; if a system has both SSD and hard drives, data from SSD will probably be more important or of greater interest than that on the spinning media. If you have a storage solution that sends data off to secondary or tertiary storage, the time it takes to access said data reveals how old the data is.
Likewise on systems with NVRAM, information in NVRAM will generally be more important or interesting than data not kept in non-volatile storage.
This paradigm is of course true for all operating systems, not just Linux.
Timing is always an issue; during the Cold War, Soviet spies were able to wiretap IBM Selectric typewriters in embassies by detecting how long it took the type ball to rotate to each character, giving them a reasonable chance of determining each character being typed.
We obviously can't take the approach of "slow everything down to the time taken to access the slowest device," and there will always be a need to be able to pre-populate clusters, containers or other mechanisms to provide for fast startup times or to provide instant failover. Someone will need access to that information, and as soon as someone does, that's a potential leak.
It's more a matter of reducing exposure than eliminating it, and the question is where does that balance between security and the need for ever faster operation lie?
Posted Jan 18, 2019 1:32 UTC (Fri)
by Nahor (subscriber, #51583)
[Link] (9 responses)
Easy solution: just cache everything. Load the whole disk in RAM at boot. No slow access, no timing attack and the system becomes faster. Win-win! :)
Posted Jan 18, 2019 13:36 UTC (Fri)
by Sesse (subscriber, #53779)
[Link] (6 responses)
Posted Jan 19, 2019 1:45 UTC (Sat)
by naptastic (guest, #60139)
[Link] (5 responses)
Posted Jan 20, 2019 18:37 UTC (Sun)
by Sesse (subscriber, #53779)
[Link]
Posted Jan 20, 2019 20:00 UTC (Sun)
by farnz (subscriber, #17727)
[Link] (3 responses)
Your i7-4790K has 32 KiB I$ and 32 KiB D$ - so about as much total L1 cache as your C64 had RAM, but not enough to cover the ROM as well.
My first Z80 machine would fit in L1 cache on your CPU, though - the ZX81 had 1 KiB RAM, 8 KiB ROM, and could be expanded commercially to 16 KiB RAM, 8 KiB ROM.
Posted Jan 28, 2019 7:55 UTC (Mon)
by paulj (subscriber, #341)
[Link] (2 responses)
Posted Jan 28, 2019 14:09 UTC (Mon)
by gevaerts (subscriber, #21521)
[Link]
Posted Jan 30, 2019 14:42 UTC (Wed)
by nix (subscriber, #2304)
[Link]
(Obviously I couldn't fix it. An eight year old with terrible coordination go messing in a power supply?! HELL NO.)
Posted Jan 18, 2019 19:23 UTC (Fri)
by quotemstr (subscriber, #45331)
[Link] (1 responses)
Posted Jan 24, 2019 5:15 UTC (Thu)
by marcH (subscriber, #57642)
[Link]
> The future of computing is straight-up partitioning, sharing nothing. It's a much simpler and more robust world.
To avoid a myriad of new CONFIG_SECURE_SIDE_CHANNEL_FOO options, how about a unique CONFIG_SHARED_SYSTEM setting controlling all these at once?
"Shared" can unfortunately apply to single-user systems too, think Android applications for instance :-(
Defending against page-cache attacks
Defending against page-cache attacks
Defending against page-cache attacks
Defending against page-cache attacks
Defending against page-cache attacks
Defending against page-cache attacks
Defending against page-cache attacks
Defending against page-cache attacks
Defending against page-cache attacks
Defending against page-cache attacks