|
|
Subscribe / Log in / New account

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 15, 2022 17:58 UTC (Tue) by deater (subscriber, #11746)
In reply to: Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs) by NYKevin
Parent article: Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

> because nobody realized that such side-channels existed in the first place

I can assure you people knew and were aware of the side-channel attacks. Especially people in government 3-letter agencies but also security researchers in general. The chip companies pushed ahead anyway because they thought the attacks were too difficult to exploit, but it turns out they were wrong.

to post comments

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 15, 2022 18:44 UTC (Tue) by NYKevin (subscriber, #129325) [Link] (1 responses)

That's quite surprising to me. I mean, I imagine that the three-letter agencies knew about it, but I had no idea that "security researchers in general" were aware of it before the vulnerability was reported (circa 2017). Can you provide a citation that this was public knowledge before 2017?

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 17, 2022 8:28 UTC (Thu) by anton (subscriber, #25547) [Link]

deater is doing the usual trick of writing about a different thing than you do: He writes about side-channel attacks in general (which I was taught about as a student in the 1980s, and for which the way we deal with them is to write software that deals with secret keys in a special way), you talk about speculative side-channel attacks (which were discovered in 2017, and for which the mitigation mentioned above is insufficient).

My guess this lack of differentiation is also why the hardware manufacturers are not fixing Spectre: Software has been mitigating or lived with side channel attacks forever, so we (hardware manufacturers) don't need to fix Spectre. And yes, it's possible to fix Spectre at a tiny cost in performance and a modest cost in silicon; and yes, it's now over five years since Intel and AMD learned about Spectre, so they could have fixed it in their new cores in the meantime.

Concerning conformance statements, Intel etc. probably would not have signed a statement that claims freedom from side channel attacks, and if they explicitly mentioned that side channels exist, they would probably be legally in the clear wrt. Spectre. Now if the manufacturer of a device with an Intel CPU employed the classic mitigation techniques, and claimed that it does not reveal secret keys, but may reveal other data through side channels, the first claim would be false in the light of Spectre. I guess the statement would contain some language about "state of the art", which would indemnify them, though.

After Spectre was revealed to the public, such conformance claims would become more interesting, though.

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 17, 2022 12:23 UTC (Thu) by davecb (subscriber, #1574) [Link]

Side channels were discussed in the Bell-LaPadula era, around 1985. This particular implementation was not.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds