Big quote: "Computer systems have become massively complex in pursuit of the seemingly number-one goal of performance. We’ve been extraordinarily successful at making them faster and more powerful, but also more complicated, facilitated by our many ways of creating abstractions. The tower of abstractions has allowed us to gain confidence in our designs through separate reasoning and verification, separating hardware from software, and introducing security boundaries. But we see again that our abstractions leak, side-channels exist outside of our models, and now, down deep in the hardware where we were not supposed to see, there are vulnerabilities in the very chips we deployed the world over. Our models, our mental models, are wrong; we have been trading security for performance and complexity all along and didn’t know it."
In a recent white paper, researchers with Google security analyzed the continued prevalence and viability of side-channel vulnerabilities. Spectre and Meltdown gained notoriety last year, and fall into a class of attacks known as side-channel attacks -- specifically, side-channel attacks that prey upon CPU's speculative execution functionality.
The team behind the white paper was comprised of researchers and software engineers Ross Mcilroy, Jaroslav Sevcik, Tobias Tebbi, Ben L. Titzer, and Toon Verwaest. The team set out to explore the implications of side-channel attacks on security, software, and programming languages. While the paper is rife with details, evaluation was based on three primary topics: finding side-channels, understanding the speculative vulnerabilities, and mitigation. For each, the team built models and proof of concept.
Ultimately, they found that speculative vulnerabilities present a challenge that no software or code-based mitigation can truly address. The conclusion is that all processors that employ speculative execution will remain vulnerable at a hardware level, and the only magic bullet is a significant change in CPU design, leading to more secure hardware and the isolation of hardware and operating system processes. The research paper states that we need hardware and OS isolation now more than ever, which is why Google introduced Site Isolation with Chrome 66, and why Mozilla is planning to do the same with Project Fission.
What seems like the most obvious solution is to remove speculative execution, as the paper states. However, speculative execution is an important performance optimization technique used by most x86 processors, so CPU manufacturers would rather minimize vulnerabilities in other ways. Moreover, speculative execution is just too valuable to stop using. The paper outlines a few other possible mitigation techniques such as timer mitigation or branchless masking, but each come with caveats of their own, and there is no guarantee of their comprehensiveness.
The paper concludes that current CPU and architecture design are facing three unsolved problems: finding side-channel vulnerabilities, understanding them, and mitigating them in efficient and comprehensive ways. The paper ends with a statement, illuminating the security for performance trade-off CPUs have been making and suggesting that side-channel attack vectors will remain as long as CPU architecture remains unchanged.
"It is now a painful irony that today, defense requires even more complexity with software mitigations, most of which we know to be incomplete. And complexity makes these three open problems all that much harder. Spectre is perhaps, too appropriately named, as it seems destined to haunt us for a long time."