CUPERTINO, Calif. — Experts called for a new generation of secure-by-design computers at the Hot Chips conference here. In small steps in that direction, Microsoft and Google described their separate but similar hardware security architectures.
The Spectre/Meltdown vulnerabilities disclosed in January woke engineers up to how decades-old techniques such as speculative execution could also serve as doors to side-channel attacks. Red Hat alone spent tens of thousands of engineering hours patching those flaws in Linux, a fraction of the work also under way at chip makers such as AMD, Arm, IBM and Intel, an effort estimated to cost the industry millions of dollars.
Today’s patches manage but don’t fix underlying vulnerabilities, some of which may persist for years, experts said. New variants of the attacks emerged as recently as last week and are expected to keep cropping up for the foreseeable future.
“There are a lot of side channels, and closing them all is impossible… This is a whole set of things to change, and it will take a long time,” said John Hennessy, chairman of Google parent Alphabet and a veteran processor architect, in a keynote calling for the start of a new security era.
Red Hat worked on an initial set of Spectre/Meltdown patches for eight chip architectures across 15 versions of Linux, representing 10,000 hours of engineering. New variants discovered last week “already cost us more than 10,000 hours” in part because they involved both the kernel and the hypervisor, said Jon Masters, who oversees the work at Red Hat.
“We need computer architecture 2.0 that defines computing that doesn’t leak — the only problem is we don’t know how to do it,” said Mark Hill, professor of computer science at the University of Wisconsin at Madison, in a panel discussion here.
Hill suggested a laundry list of techniques for securing processors, such as isolating branch predictors, partitioning caches and reducing aliasing. “There are many possibilities, and none of them feel good to me yet,” he said, noting that it’s not clear whether the security problem can be fixed or only managed.
“I’m delighted to hear people like John Hennessy call this an era of security — it’s better late than never,” said Ruby Lee, a veteran security researcher from Princeton who attended the event.
“It’s good we’re not just looking at fixes one problem at a time — that’s what the security industry has tended to do…[The first principle for a secure architecture should be] no access without authorization,” she added.
Several speakers called for work in open-source software and hardware. “We have seen a lot of attacks against microcode of closed, undocumented behavior in machines — it’s hard to trust what you can’t see,” said Masters.