Good afternoon, everyone. I'd like to welcome to the stage David, who's traveled all the way from Oregon in the States to talk to us today about speculative execution side channels. Thank you very much.

Thank you. It's wonderful to be here at FOSDEM. I've heard about this conference for many years; this is my first time being here, though, so I'm a little bit excited and a little bit intimidated by all of you. But this is a great room, so that all the introverts can sit as far apart from each other as possible. Awesome. It's my kind of room, different from the security track yesterday, where everyone was really packed in.

Before we start, I really want to acknowledge that this content was created by somebody in my group, Antonio Gomez Iglesias, who did a phenomenal job doing the research and putting the slides together. He would be here, but he was giving a talk the same weekend in Washington, DC, to a bunch of security hackers, so unfortunately he couldn't be here. But I'm delighted to make use of his great material, so I wanted to shout out to him. And in the spirit of FOSDEM, I'm going to be talking a lot about how collaborative effort goes into what we're doing in this subject. It's very much about how we can cooperate together, and we're really interested in working with folks on this.

Intel Corporation pays my paycheck, so it's important that I put this slide up. However, I want to say up front that I'm not a spokesperson for Intel in any way, shape, or form. Also, this is the first time I've actually presented this material publicly, so please hold back on the trolling a little bit.
I know one of my friends said you might be here just to troll me, but I don't see her, so maybe I'm good.

The other thing I wanted to say, because I'm not here speaking as an Intel spokesperson: when I say "we" in this talk, it's not Intel I'm talking about. When I refer to "we," it's the group that I work in, a group that works specifically on these areas of side channels, speculative execution side channels, and other very severe security or functional issues that we're trying to resolve. So when I talk about "we," that's what I'm referring to.

All right, let's start. When we talk about speculative execution side channels, let's start with this barista. This barista is a very good coffee maker; he really wants to do a great job for his customers. He knows that you come into the coffee shop at 6:29 a.m. every morning, on the dot. Now, I don't know about you, but I'm not sure I'd be there at 6:29 every morning. But every morning you're in the coffee shop, and you order kind of an unusual drink: a four-shot, half-caf cinnamon latte with almond milk, or something like that. Kind of unusual, but 6:29 every day. So he prepares the drink in advance and has it on the bar right at 6:29, and this goes swimmingly for a while. Then one day, maybe you had too much beer the night before, and you don't make it at 6:29. By the way, I've heard there's supposed to be beer at FOSDEM; I haven't seen any proof of that. Anyway, the drink goes to waste, so he simply pours the drink down the drain and throws the cup in the trash. But if someone's able to look in the trash and see the cup in there, they might be able to intuit something about you based on the information on the cup that was thrown away. They might be able to intuit something about the data because of the metadata. All right, so by that same
sort of analogy: the whole idea of side channels, at a broad level, has been around for quite a long time. Side channels are really an attempt to collect information in some unauthorized way from the computer, and they target all levels of hardware and software. Take power: the amount of power a computer uses varies with the instructions being run. If you're running more complex instructions, the computer tends to draw more power, and it's been shown that you can actually intuit what the computer is running based on the amount of power consumed. Sound: the sound of someone typing on a keyboard has been shown to provide clues that help discover passwords. The caches are various microarchitectural features within the CPUs that might allow someone to determine what's in memory. And then timing is how long things take: if things take a short time or a long time, you can determine things about what's running on the computer.

I was thinking about this this morning in terms of power. If you can figure out what's going on in a computer based on how much power is consumed, should we mitigate that? I would think the answer would be no, because we want to save power as much as possible, for social responsibility reasons if nothing else; we want to limit the amount of power computers use, for the sake of climate change and the like.

But all of these side channels have similar characteristics: they require deep system knowledge. There has to be an understanding of how the hardware and software are implemented, and an attack usually targets a particular implementation. So if you're typing on one kind of keyboard and you have the acoustics from that situation, and you move to a different
keyboard, you may be unable to extract the same amount of information. And typically, for all of these, the system is working as it was designed to work. It's not some unusual kind of behavior; it's just that someone has been able to take advantage of it.

Now, timing attacks are a particular class of side channels, where you ask: if something takes a longer period of time versus a shorter period of time, can we determine something about what the computer is doing? Can we get a secret out of the computer based on that? This particular paper in 1996, by Kocher, was pretty seminal work here: he demonstrated that you could actually recover Diffie-Hellman, RSA, DSS, and other crypto keys based on timing. That was 1996, quite a few years ago. Since then, timing has become a very rich area of research; even up to last year, people were using the amount of time that software takes to run to determine things about what the computer is running. So it's important to understand that timing attacks are not a new issue, but there's a lot of research going on in a number of different areas because of timing attacks.

So what's new?
January 3rd of 2018 was when we first got an indication of timing attacks that were taking advantage of speculative execution. What's new about these is that they're a very innovative approach to creating side channels: they attack the hardware/software interface, and that was a new area of attack, targeting speculative execution.

Now, as we think about this whole area, notice I'm talking about PoCs, proofs of concept. These proofs of concept are typically the subject of a research paper. If a researcher finds that something might be usable as a side channel, there's usually a piece of code, and it's usually a proof of concept as opposed to an actual exploit. In fact, for a lot of the ones that have become popular, there's a logo created for them, a cute name, and sometimes even a theme song. There was one that came out in December that had a theme song they sang as part of a conference; it was kind of entertaining. But relative to an actual exploit, there are not necessarily practical exploits that come out of these things.

In every case, though, all of these are local methods. What that means is that they're typically not methods that can reach across the internet or any kind of network. They don't usually involve privilege escalation; it's not like an unprivileged user can get root access or anything like that through these attacks. And typically they're read-only: an attacker can't change data or write data, only read data.
So these are the things they have in common. Now, when we talk about speculative execution: I actually took a walk with my sister in 2018, a 500-mile walk through Spain. She's a non-technical person, and I was trying to describe this whole area to her, and she thought the term "speculative execution" was so funny. I said, well, what's funny about that? And she said, well, I suppose, if you don't know what kind of execution "speculative" means... Okay, so it's kind of funny, I guess. Anyway, she thought it was hilarious.

So there are a variety of classes of parallelism involved in the hardware. Instruction-level parallelism is one of the oldest, dating back, I think, to the '60s. Typically we talk about a five-stage pipeline for the processor: you fetch and decode instructions in the front end, and in the back end you're fetching operands, doing execution, and updating architectural state. The fastest processing you can do is when all those pipeline stages are running simultaneously: you're fetching instructions while you're decoding instructions while you're updating architectural state and all the rest of it. So you can actually get multiple instructions per clock; that's the goal of ILP.

Out-of-order execution, by contrast, is where there's some execution going on that requires some operand that's not yet available, perhaps in a register.
The processor takes advantage of this and tries to execute other instructions that come after the instruction it's waiting on, understanding that architectural state doesn't get updated until the end, when all the instructions are retired. And then speculative execution is the class of parallelism where, perhaps, there's a branch or a jump you've taken regularly, and so the processor will attempt to speculate: it will execute those instructions, but won't update the actual architectural state of the machine.

What's true of all of these is that there's a period of time in which the microarchitectural state will have been updated; it's a side effect of the speculative execution. "Microarchitectural" means this is typically very specific to a particular processor; it's going to be different for every generation of the processor. That's what makes it microarchitectural. When something becomes standard, that's when it becomes architectural; that's the difference. So this microarchitectural state is something that someone might be able to take advantage of as a result of some other activity going on in parallel.

So let's get specific and talk about May of last year. There was an issue made public called Microarchitectural Data Sampling — you've got to love the name — Microarchitectural Data Sampling, or MDS. This is an issue where certain processors have certain buffers within them.
There's the store buffer, the fill buffer, and the load port. The store buffer is just a piece of memory within the processor that's used as a staging area for stores out of registers into memory. The fill buffer is used as a staging area when reading data into registers. And the load port is used for memory and I/O. What this issue is about is that sometimes, as operations go on on these processors, there may be some stale data left in these buffers after one of those operations. So it might be possible for a malicious actor to redirect this data to some sort of disclosure gadget. You can see here that there's some data sampling going on via these little microarchitectural buffers.

Now, in addition to this, there was another issue made public after May, called TAA, or TSX Asynchronous Abort. There's a technology called TSX that's about multi-threaded applications. In multi-threaded software, you often need some sort of locking primitive: if you have a critical section, you lock it so that nobody can change the data during that critical section. TSX is a technology in the CPU that was created to speed up software whose locks are typically not contended. So this technology was made available, and some software makes use of it. This was a case where an attacker could use TSX and actually figure out how to exploit the same MDS issue.
Typically, again, TSX is not used by all software, but it's something that's available, and it was taken advantage of. Again, these are issues that are very specific to certain processors. But let me show you how the threat model works on this one. My intention, by the way, is not to help you create an exploit, but to help you understand a little bit how it works.

So let's take a cloud scenario. We're running in, maybe, infrastructure-as-a-service, something of that sort. You have some code that's trying to leak information out, and it's running on this system. This is a four-core server in the cloud; each core has two hyper-threads. The attacker is running on one of the cores, so the victim has to actually be on the other thread of the same core. Now, in a cloud scenario, of course, people running in the cloud typically have no idea exactly where their thread is running versus any other thread in the system. That's the whole idea behind cloud computing, right?
In addition, they may not even know what the architecture of the underlying processor is; most cloud service providers don't necessarily like to reveal that information. If they can schedule you on a processor that's seven years old versus one that was bought yesterday, they can charge the same amount of money for it. I think that's a great business model, but it means you can never know exactly which processor you happen to be sitting on in a cloud.

By the way, the attacker has no control over the victim. The attacker can't actually control what the victim is doing; the victim is just doing whatever it does as part of its program. And the victim has to bring data in repeatedly; it has to be more than just one access, there has to be repeated access. Then there's only a small window of time to extract the data. It's not something that can happen instantaneously; it has to take place over a period of time, but each time there's only a small window to extract the data, because these buffers are constantly being overwritten as loads and stores happen. And these two threads have to share the same core for an extended period of time, so that the data sampling can take place. Then, finally, after all of these requirements, the attacker has to post-process the data, to see whether it has seen enough accesses of something, and say, hmm,
maybe that's interesting. Because, again, this is a data-sampling attack; it's not like the attacker can control where the data is. It's just whatever happens to show up in these buffers. So after all of this, it might seem like kind of a weak attack to worry too much about in a cloud scenario, and in fact, I think in a lot of circumstances it is difficult to exploit, which is why I think we've never actually seen any of these issues show up "in the wild," so to speak, as an exploit.

Now, I told you I work in a group that works on this sort of software area, particularly open source, but also with a variety of open source communities. I did a panel discussion in Lyon at, what do they call it, Open Source Summit Europe, I think is what they're calling it, and one of the things I did was bring onto the panel various of the organizations and communities we work with. We work with communities like the Linux community, OpenBSD, FreeBSD, etc.
We're also collaborating with a lot of the non-open-source, proprietary software folks that are doing system software and VMMs and things like that.

Basically, one of the ways to address this issue is through microcode. Since the '90s, folks have been designing CPUs so that they don't literally execute x86 instructions; the circuitry doesn't execute an ADD instruction or what have you. Instead, it translates each x86 instruction into a sequence of micro-operations, and it's the microcode that defines that. It lives in some sort of storage that's set as the CPU is manufactured, but there's also an ability to update that microcode. So it's possible to update the way the CPU actually executes these instructions by changing the microcode, and this is a powerful capability, because it allows us to update, in the field, the very way the processor interacts with a lot of these areas.

By the way, along those same lines: the microcode is different from firmware, from BIOS, anything like that. So you want to keep your BIOS refreshed, but Linux and various other operating systems also have the ability to update microcode live, so it's really a good idea to keep your microcode up to date.

So one of the ways we were able to address this problem is through this area of microcode. We have a large instruction set architecture, or ISA, and it's got some legacy instructions in it. One of the ways to address this was to take a legacy instruction, VERW. That instruction, if you're curious what it does, tests whether a memory segment is writable. The new microcode enhances the VERW instruction to also flush these buffers: the store buffer, the fill buffer, the load port, etc.
So what the VERW instruction now does, with the new microcode, is flush those buffers. We also, by the way, defined some software sequences, in case you can't update the microcode for whatever reason; all the software sequence does is a bunch of loads and stores, and that effectively clears those buffers as well.

Then, what else is necessary? You need to be able to detect all this somehow. One other thing in the microcode update was the addition of a model-specific register, or MSR. These MSRs are there to give you data about the specific processor you're running on, and in this case there's a register called IA32_ARCH_CAPABILITIES. It's a vector of bits that tells you: is this issue present in this CPU or not, and do you have the capability of addressing it? So with the enhanced VERW capability and this vector of bits, you're able to put together an OS that can deal with this issue.

What we then did, working with the Linux community and collaborating with various other folks, was to actually use this VERW instruction on every return from kernel to user space. Basically, this happens any time you do a system call: you call into the kernel, and every return from kernel will then call this VERW instruction, if the CPU is affected by this issue, and will flush the buffers. So there's no possibility that some user-level attacker can observe data from what's going on in the kernel. Ring transitions — yes, that's basically what this covers.

By the way, the other thing we engineered was the ability to disable the mitigations, because there are some conditions where you might say, well, I don't really need this VERW calling thing.
I don't really need to slow down the ring transition, so I can just disable it, if I've analyzed the situation. In fact, I think it's a really good idea to ask: what's the situation I'm running in, and do I even need to run these mitigations or not? So we engineered in boot-time parameters that let you turn these things off in Linux.

Finally, the other thing we engineered was a user-level interface to detect whether the CPU is vulnerable or not, and whether the mitigations are turned on or off. To make it simple: there's an open-source project by speed47; if you look on GitHub you'll find it. It's called spectre-meltdown-checker, a script, spectre-meltdown-checker.sh, that we've been collaborating on to enhance with all the new issues as they come out. So you can run that and see whether your system is vulnerable or not.

After all of that, we also engineered in things for TAA. Similarly, again, I talked about TSX being a technology; we worked with the folks doing the microcode so that you can even disable TSX. Some systems will actually disable TSX by default, but there's also a control that allows you to turn it on and off as well. And if you want to have TSX turned on, you can also use this VERW mitigation to handle it that way. So, as I said, the work is collaborative.
We work very hard with the Linux community and various folks, so that before this issue became public in May, we worked on the patches to make sure that on the day it became public, Linus could pull the patches into Linux. We had backports ready for the LTS versions of Linux, and the other operating systems, whether open source operating systems, bare-metal hypervisors, or proprietary, everybody had something ready on the day the thing became public. All the software was ready to fix this, with the microcode updated. So that gives you a little insight into what we're engineering with some of these things.

Now, I don't think our work is over when that happens. There's additional work we're doing to try to optimize these mitigations. For example, look back at that threat model I talked about, with things running on different threads of the same core. What if you wanted to actually fix that issue? There's something you could do by defining trust domains within the CPU. A trust domain, in this case, might be each of my cloud clients: if I've got different tenants running at the same time on a system, I make each tenant its own trust domain. Each tenant would trust itself, but not necessarily any other tenant. Or maybe I'd define some other model for using these trust domains.

One of the things we're working on in the Linux world is what we refer to as the core scheduler, and in fact we're doing this development in the open. You can go to LKML and read about this.
We're partnering with DigitalOcean, a cloud service provider, and various others that are working with us on this idea. The basic idea is this: if you have different processes, they'll typically get scheduled by the Linux scheduler onto threads without the scheduler really caring what the topology of the system is; it will just look at logical processors and schedule processes onto them. But with the core scheduler, if you can define trust domains, it will say: if I've got two different trust domains, I'll make sure that two processes from different trust domains never run on the same core.

One of the things we're doing as part of our collaboration with the Linux community on this is a lot of performance analysis. What we found is that if you're using this core scheduler, there's barely any ripple in the overall performance of the system, based on a bunch of the workloads we were running. But that's under low-contention situations. What about high-contention situations? Well, in a high-contention situation, where we're running highly loaded systems,
here's a process, P6, that you can kind of see. Under the regular Linux scheduler, really anything could be scheduled anywhere. But under the core scheduler, under high contention, you can see: we weren't able to schedule P6, because we didn't find a processor that didn't have somebody from another trust domain running on that core. So yes, in some cases, under high contention, you may have some idle threads, and it's possible you might actually take longer to run under those situations.

We're publishing all this information, by the way, on LKML, so I suggest you go to the Linux kernel mailing list and look at the performance information that's been posted; one of the engineers in the group, Agata Gruza, is posting this data. Interact with it, comment on it; we're trying to keep posting the information. I think this patch has a lot of promise, and I think it's going to be really helpful for folks, particularly in the cloud space or other spaces that really care about fixing this issue.

By the way, the other interesting thing about the core scheduler is that it can be used for quality of service. This is an interesting side effect of the fact that we're adding this capability to segregate processes based on certain characteristics; it doesn't necessarily have to be trust domains. One of the features in Skylake is AVX-512.
This is the ability to have large, 512-bit registers, and large vector operations on those registers. Because those operations tend to exercise a lot of the chip, the amount of power utilized tends to be higher, so the CPU tries to limit the frequency on the cores that are running these instructions. You can see that, under normal scheduling, you could actually slow down, because some AVX-512 code is running on a core at the same time as a process that doesn't use those instructions, and it brings down the top turbo rate. We have something called Turbo that's used for frequency adjustment, and the CPU will bring down the top turbo rate if it sees something with AVX-512 running.

So in fact, by using the core scheduler, if you can determine that a process uses AVX-512, you can segregate it onto its own cores, and the runtime actually gets faster in this circumstance, because the things that don't use AVX-512 can turbo higher and complete sooner. There's another thread over here, by the way, labeled BW; that's intended to be a high-bandwidth-consuming process. Same kind of thing: it may not be AVX-512, maybe it's just using high bandwidth, but you can use this mechanism to control some of those things.

The interface basically uses cgroups. Cgroups, if you're not familiar, are the Linux capability that underlies containers. Someone who was going to be trolling me here said that if she heard anything about containers she was going to scream; she must not be here, because I don't hear any screaming.
Anyway, cgroups are one of the base technologies under containers, and by defining the cgroups, the core scheduler will actually separate these threads onto different cores. So that's the way that works; that's one optimization we're working on.

Another one: I was going to talk about the rendezvous case, but I'm going to skip that, I think, and talk about this idea of selective VERW, based on the time I've got. So, about this VERW instruction, just to remind you: with the new microcode, every time you call that instruction, it clears the buffers. But in fact, doing that on every ring transition, in other words, every time you go from kernel to user space, maybe you don't need that. If you're talking about different trust domains, like we did with the core scheduler, maybe it's unnecessary to clear the buffers every time you're running in the same trust domain. So we're actually working on an enhancement to this VERW capability: instead of VERW getting called on every context switch, if you're within the same trust domain, eliminate the VERW call. We think this is an optimization that will really help accelerate systems that choose to do this MDS mitigation. This is a patch we have not posted yet; we're doing some performance investigation on it. It's linked to the ideas in the core scheduler, and one of the things we're trying to develop is a good trust model around it, so we can publicly vet exactly what we think is going on here and what this is going to address.

Okay. The last part of the talk: I really wanted to get to what you can do as a programmer to actually do something about speculative execution side channels, and side channels in general. There are a lot of common best practices. By the way, I'm not a security person;
I'm not one of those people who've spent 20 or 30 years in security, coming in to scare you right away about it. It's something I've grown into over a period of time. I've actually been involved in open source for the majority of my career, which is kind of unusual for somebody my age; open source of one sort or another, anyway.

But there are some well-understood practices. I keep hearing about them as these issues come out, and I think it's really important, as you're writing software, to give very conscious thought to these things.

Probably the first and most obvious one is: use well-maintained libraries. I've heard a lot at FOSDEM this year about OpenSSL, and OpenSSL is a great library. When Heartbleed came out, the community was very quick about fixing that particular issue in OpenSSL. But if somebody had an SSL implementation that was not as well maintained, they might be subject to various other issues relative to SSL. Most programmers want to use libraries; we don't want to reinvent the wheel every time. Using well-maintained libraries is key to making sure that issues get addressed as they come up.

Next, I'd say: automate. Actually, it's Antonio's slide; he says automate, and I really agree in this case. What we're talking about is: if you have something that you know was an issue and has been fixed, you want to automate the tests that go into making sure it remains fixed. One of the worst nightmares you could have, in an open source environment in particular, is that you fix some sort of security issue and some other contributor accidentally unfixes it. So being able to automatically test these things against your upstream, and against whatever development is going on, is extremely important. In fact, you could inadvertently break something yourself as well.
Only provide necessary information. If I log into a site with a username and password combination and it says "invalid username," it has suddenly given an attacker interesting additional information: if it later says "invalid password," then the username is correct, and the attacker will just keep working on the password. You don't need to provide that much information. Only provide what's necessary, so an attacker doesn't have the ability to attack you further.

And then, include an update mechanism. This is incredibly important. I worked a number of years in the IoT space, and something I find incredible is that a lot of IoT products go out without ever being updated. By the way, every piece of software, yours included, mine included, has security issues in it the day it ships. I can nearly guarantee it. They're just waiting to be found; that's what people typically mean by zero-day issues. So it stands to reason that there will be an attack in the future, and that's why you need an update mechanism. Now, that's a great engineering statement, but you also need the policy to actually do the updates, and to invest in the validation to make sure your updated software doesn't corrupt something else or brick the system, and that it actually fixes the issue. So having an update mechanism is incredibly important.

Then there's ensuring data can't be easily guessed. There are a variety of techniques here, and I'm going to focus on each of them in the next couple of slides. The first is constant timing. What's wrong with this piece of code? It's doing a string compare and doing something with the result. Any problem with this? "The more characters match, the longer it takes." Exactly right. So thank you.
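As a tiny sketch of the "one generic error message" idea: the helper names and the hard-coded credentials below are hypothetical, not from the talk, and stand in for a real user store.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical stand-ins for a real user-database lookup. */
static bool user_exists(const char *user) {
    return strcmp(user, "alice") == 0;
}
static bool password_matches(const char *user, const char *pass) {
    return user_exists(user) && strcmp(pass, "s3cret") == 0;
}

/* Return one generic message no matter which check failed, so the
 * response never reveals whether the username or the password was
 * the wrong half. (Note: strcmp on a password is itself timing-leaky,
 * which is exactly the constant-time point the talk makes next.) */
const char *login(const char *user, const char *pass) {
    if (password_matches(user, pass))
        return "welcome";
    return "invalid credentials"; /* never "invalid username" or "invalid password" */
}
```

Whichever half of the credential pair fails, the caller sees the same string, so a probing attacker learns nothing about which half was right.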
I wish I had a candy bar or something to throw at you, but I'm off sugar right now, so I'll throw a virtual candy bar. It's all the fault of the New York Times.

So yes, exactly right: the strcmp library function is optimized so that when the strings don't match, it returns immediately. This is a case where you can intuit how much of the password matches based on how long the operation takes. So every time we hear about these issues, we hear "use constant-time programming": constant-time programming to avoid side channels. Now, it's a bit of a challenge, because if you write your own function, maybe because you don't trust strcmp and strncmp to be constant time, you have to be careful of your compiler.

Here's an example of some code that's supposed to be constant time. What it does is accumulate, in m, the XOR of every pair of characters, so at some point m will be set to one if there's any mismatch. But the code keeps scanning through the entire string, so it takes the same amount of time whether the strings match or not. This looks pretty good. Unfortunately, compiler optimizations will say: once m is one, it will never be zero again. So a lot of compilers will optimize the code to drop out of the routine as soon as m becomes one. By the way, how can you figure out whether this is happening or not?
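The slide's code isn't reproduced in the transcript, but a minimal reconstruction of the constant-time comparison being described might look like this (my sketch, not the slide verbatim):

```c
#include <stddef.h>

/* Constant-time equality for two equal-length buffers: instead of
 * returning at the first mismatch the way an optimized strcmp can,
 * accumulate the XOR of every byte pair and only inspect the result
 * after the loop, so the running time does not depend on where the
 * strings diverge. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t len) {
    unsigned char m = 0;        /* becomes nonzero at the first differing byte */
    for (size_t i = 0; i < len; i++)
        m |= a[i] ^ b[i];
    return m == 0;              /* 1 if every byte matched */
    /* Caveat from the talk: an optimizer may notice that m can never
     * return to zero and short-circuit the loop; declaring m volatile
     * is one compiler-dependent way to discourage that. The only sure
     * check is to read the generated assembly. */
}
```
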
I suggest you become friends with your friendly neighborhood disassembler. Disassemble the little routine and see what the compiler has actually done. Assembly language is not too scary, and it's a good way to see how this works. By the way, there's one fix that will work for some compilers, which in this case is declaring m to be volatile. That's usually a clue to the compiler: "I'm counting on some external behavior from m, so don't optimize away these loops." So that's one technique, though volatile isn't available in every C compiler.

What about Python? I like Python. Any Python programmers here? Oh, good. If you're looking at Python, this is a similar kind of function, designed to be a constant-time string comparison in Python. The only problem, again, is the implementation. Of course, we all know that Python as a language has various different implementations: CPython is just the default one, and there are plenty of others, IronPython, PyPy, a variety of them. In general, though, this is again not constant time. So what can you do about that? It turns out that since Python 3.3 there is a constant-time comparator, hmac.compare_digest, which is what's on the screen here. And if you needed an excuse to update to Python 3, well, I just gave you a great one. So update if you haven't already. Anyone still on Python 2? Nobody? Awesome. Okay, good.

So what else can you do about side channels? One thing you can do, if you have a secret, is to eliminate the secret from memory. Now, what's a secret? I had this question posed to me; actually, I posed it to myself a little while ago.
Well, it could be a password, but it could be my birth date, or my income, or your annual income, or your spouse's annual income, or whatever. The idea is to clear these out of memory. One thing you can use is the memset library routine to zero out the memory. At -O0, with no optimization, the compiler will call memset. But even at the first level of optimization, -O1, the call to memset disappears. Why? The compiler sees it's operating on a local variable that isn't going to be used again, so it just eliminates the call. There are a few other options. memset_s can't be optimized out; it's part of the C11 standard, though not every compiler has it, unfortunately. There's also explicit_bzero, which can't be optimized out either. These options are useful to know about, and testing from your source code whether these functions are available in your compiler is, I think, a good procedure.

One other technique I think is very helpful is to clear the cache. If you have a secret, and what counts as a secret depends on the software you're writing, clearing the secret out of the cache may be a useful thing. How do you do that? x86 has a couple of useful instructions: one is clflush and the other is clflushopt, and most compilers have a way to call these instructions directly. So this is a way to get the system to work for you and clear some of those secrets out.

Okay. So, if you remember anything from today's talk, I want you to think about this.
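When neither memset_s nor explicit_bzero is available, one commonly used portable fallback, sketched here with a function name of my own choosing, is to write zeros through a volatile-qualified pointer:

```c
#include <stddef.h>

/* Zero a buffer in a way the optimizer won't drop. A plain memset()
 * on a dying local variable can be eliminated at -O1 and above;
 * writing through a volatile-qualified pointer makes each store
 * observable behavior, so the wipe survives optimization. Prefer
 * memset_s (C11 Annex K) or explicit_bzero (glibc/BSD) where your
 * toolchain provides them. */
void secure_memzero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}
```

A typical use is wiping a password buffer immediately after the credential check, before the function returns.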
I want you to think about whether your system needs these mitigations turned on at all. What kind of load is running on your system? If you know all the software that's running on it, and a malicious actor can't run on the system, I think it's a good candidate for turning those mitigations off. The other thing to think about: if you're involved in Linux and open source operating system development, join us and collaborate. We're very open to ideas, and I'd love to get additional collaboration on some of these things, to help the entire community. And if you're a programmer, I highly recommend you look at some of these techniques and implement them to make your code less sensitive to side channels. So thank you very much.

Shouldn't have done that. Are you happy to take questions? Sure. We've got, say, five minutes.

Thank you. You talked about the MDS mitigation where you flush the data when going to userland. Is that the exact part the performance loss comes from, or is there more going on?

No, that's really it. If there's any performance difference, it's that the VERW instruction now clears these buffers, and that takes additional time for the circuitry to clear the buffers. So if there's additional time, that's where it comes from. And that's why we're talking about optimizing it. Oh, I should repeat the question, that's a good point. The question was, for MDS, is the cost all in the flush? Yes, it's this enhanced VERW instruction that takes additional time. Thanks for the reminder.

Yes. Lately there's been a lot of sentiment in the security community that hyperthreading was a very bad idea. Do you agree?

Hyperthreading, again, from the standpoint of MDS.
Oh, the question is... golly, let me think about how they put it. There have been people who say hyperthreading is, well, I don't want to quote what they're saying, because I don't agree with them. They've been suggesting hyperthreading is somehow dangerous. But one of the things I went through with this threat model is to explain exactly what the issue is with hyperthreading, all of the steps that I walked through. And even if you decide, "gee, I just can't tolerate the issues that come up with hyperthreading, I just don't want to take the chance," then we're doing work with the core scheduler that's going to help eliminate even those. All the performance studies we've done show that the core scheduler is actually much better than turning off hyperthreading from a performance standpoint, and it adds all the protection that's really needed for this issue. So that's a lot of the focus of what we're doing: making sure there are no issues with hyperthreading. Is anyone turning off hyperthreading now? A couple, okay. I know one particular engineer always sitting in the back; I wanted to make sure that particular engineer knows he doesn't need to turn off hyperthreading in his product anymore. Thank you for asking the question.

So, another side channel is memory access, and it also has other attacks, like Rowhammer. It could actually be interesting to extend trust domains into memory, to limit a trust domain to a memory channel or a DIMM. Do you have any plans to build such a thing?

It's the first I've ever heard of it. It's an interesting idea; I'll definitely be jotting that down. I think it's a really interesting idea.
Yes, could you illustrate the current progress on mitigations against the recent CacheOut attacks, which partially circumvent the MDS mitigations you presented?

So the question is about the recent issue that people were calling CacheOut. I have to think through my jet-lagged brain about exactly what that maps to. This is one of those great names where I have to think about the actual technology, because the name is sometimes confusing to me. As I understand it, and I may not understand this correctly, so take this with a grain of salt, this is another MDS-like attack, so you can use the same kind of strategy for it. But this is actually another example where the microcode itself will fix the whole problem: there's a microcode update that will fix these entirely. So it's a different area; it doesn't affect the other mitigations I talked about.

So, a follow-up question on core scheduling: what kind of cleanup does it do when it hands the core over from one security domain to another one, for example from one guest to another?

I've got to be a little bit careful here, because I know Jesse is looking at me, like, "yeah, what's your answer on this one?" Unfortunately, I don't know the answer exactly. The little I know about it, and a little knowledge is sometimes a dangerous thing, is that the Linux scheduler has a placement algorithm and a load-balancing algorithm. What's necessary is to modify both: placement, to make sure you're not placing things incorrectly, and load balancing, so that it balances correctly. Both of them need to be modified, I believe, is the answer.

Hi, thanks for the presentation.
I have a question about the trust domains you mentioned, implemented via cgroups, apparently.

Yeah, that's the idea, yes.

Is the idea more to... like you had named, like AVX...

Yeah, AVX-512 was an example. Sorry, I'm not repeating the question, I apologize. Go ahead, ask your question.

The question was: is the idea, for now, to specify in cgroups, I mean in the CPU part of cgroups, only the subsets of the instructions you wish to use, or is the idea to be more generic, like "okay, this process is considered not trustworthy"? I'm being a bit imprecise on purpose here.

I'm having trouble hearing from back here, but I think what I heard you ask is: what sort of policy might you use for cgroups?

Yes, because it seems to delegate the choice of who applies the policy to the users... I mean, sorry, to the program owners, let's say.

Yeah, correct. What we're trying to do with this is to define mechanism as opposed to policy. This is a common design principle for Unix and Linux: define the mechanism and let whoever is using it define the policy. I would imagine a common thing to do, in the case of a cloud service provider with a multi-tenant infrastructure, for example, would be to have every tenant be its own cgroup. That's probably not a bad strategy.

Okay, makes sense. Thanks.

Hello, thank you for the talk. I was just wondering, personally, what are you doing to protect future generations of CPUs, by design, against the currently known attacks?

That's a great question: what are we doing? Not "we" in this case.
What is Intel doing, because the "we" where I work is just a bunch of software people. So, in the case of what Intel is doing to address these things in future processors: as security researchers work with Intel, there's a major effort to look at the architecture overall and to understand whether these are things we can fix in future processors. And it's not just reusing the fixes that we've done at one point in time; we're constantly looking at ways of optimizing the mitigations as well. So that's a strong area of work, making sure that future processors don't have any of these issues. But of course, it's a constant area of work.

I think I'm out of time. Yes, that's time. Thank you for fielding so many questions, and for coming to talk to us today.