Security Panel Position Statements
Moderator: David Kaeli (Northeastern University)
Panelists: Mohit Tiwari (University of Texas, Austin), Yunsi
Fei (Northeastern University)
- David Kaeli - The rate and impact of cybersecurity
threats have accelerated over the past decade. A recent report by IBM
Security and the Ponemon Institute reported that the average cost of a
data breach worldwide in 2018 was estimated to be over $3.86M. Over 4.5B
data records were breached in the first half of 2018 alone. The leakage of
sensitive information is a fast-growing concern. Side-channels and covert
channels have been increasing in number and variants, which has been a
growing concern given their ability to reveal sensitive data to untrusted
parties.
Side channels involve information leakage where an adversary can gain
access to a victim's data through program execution that generates leakage
in the form of timing, power or electromagnetic signals. Covert channels
involve a malicious insider colluding with an adversary to facilitate
leakage of sensitive information.
Side and covert channels have become major concerns for the computer
industry. In early 2018, the Meltdown and Spectre attacks were identified,
raising the bar for the computer architecture community to treat
cybersecurity as a first-class design requirements. This particular class
of exploits are enabled by microarchitecture optimizations deployed in
many current commercial processors. A recent NSF Workshop discussed many
of the challenges associated with side-channels and covert-channels
present in today’s computing systems.
This panel will explore key changes that are needed in the computer
architecture community to begin to address these challenges. A major shift
that needs to occur is for commercial vendors to share the low-level
details of their microarchitectures, as well as their detailed RTL design.
This will allow the hardware security community to join in the
process of identifying these attack surfaces, and make our future hardware
more robust to attacks.
An alternative approach is to move to open standards and “bake” security
into the hardware from day one. But there is skepticism that this will
work in the near term.
- Yunsi Fei (in support first approach) - From
Flush+Reload to Zombieload: While cache side-channel attacks were
discovered more than twenty years ago, their impact has been limited to
cryptographic software over this time, and therefore have not been
considered a real issue in cybersecurity. Only after they were
demonstrated in a cloud setting around 2012, have cache side-channel
attacks been viewed as critical cyber threats and drawn the attention in
the field of system security. 2018 was the year of the “hardware bug”,
where critical microarchitectural features designed for performance –
out-of-order execution and speculative execution – were found vulnerable
and exploited to cross software boundaries (user-kernel, user-user,
host-enclave), and completely defeating software security. The role of
cache-based covert channel is to lure the secret out from a cave, and
provide it to the adversary. The focus on microarchitectural security
landscape has evolved quickly. Recently, a new class of Microarchitectural
Data Sampling (MDS) attacks has identified a series of buffers that can
leak in-flight secrets, further amplifying the power of microarchitectural
side-channel attacks.
Effective security solutions involves a fast-moving landscape. It takes
talented system/software engineers to connect all the dots, identify the
vulnerability, and crafting effective code and real use cases to discover
impactful attacks. Yet, at the end of the day, these are hardware bugs,
and it is better to err on the side of architecture and hardware to
fundamentally mitigate or remove these vulnerabilities. The question is,
do we have open hardware and ecosystems (simulators and emulators)
available that are accurate enough, in terms of both fidelity/accuracy, to
support the daunting task of secure computer architecture redesign?
- Mohit Tiwari (in support of the alternative
perspective) - Micro-processors today are over-grown calculators, designed
for performance and designed to be agnostic to user- and application-level
security concerns. As a result, all hardware-assisted abstractions are
‘leaky’. I vote for the motion that information about the
micro-architecture has to be exposed to software, so that software can
create a range of defenses against evolving threat models. One incremental
design point is to give a few instructions -- cmov, ALU ops, etc -- whose
side-effects are bounded on an otherwise OOO core. More revolutionary
ideas could put the entire micro-architecture under software control -- i.e.,
there are no unforeseen side-effects that break software-level
abstractions. Existing processor designs can start with the former design
to give users a legacy-compliant path while the more dramatic designs can
find their way to practice via high-assurance systems. In summary, with a
well-designed security-aware ISA, we can avoid the constraint of
full-system simulations for architecture-security research.
Back to CARD webpage