Hacker News new | ask | show | jobs
by ryacko 3127 days ago
Then from recent Defcon and Black Hat talks, they are an absymal failure. ( https://www.youtube.com/watch?v=lR0nh-TdpVg Memory Sinkhole - Unleashing An X86 Design Flaw Allowing Universal Privilege Escalation ) (I don't understand it beyond what everyone says it can achieve)

Intel should be considered to be totally unreliable and incompetent.

I mean, no one buys office store safes and expects their things to be secure in them. But a processor is a little more expensive than a cheap safe and holds more valuable things.

Edit: and besides, Fortezza is an SSL protocol option.
2 comments
ryacko 3127 days ago
>SGX is designed to shield software against SMM exploits.

Perhaps if we add one more thing, x86 will finally be secure. You are right, Intel should be left to their own devices.

link
standupstandup 3127 days ago
I'm not arguing that x86 will ever really be secure. However you handwaved a hypothetical "secure processor architecture". Realistically the way you do that is by making a very simple CPU, however, that would then be too slow to be usable for many applications. As a consequence nobody is doing so.

SGX is at least a middle ground - it integrates the memory access checks very deep into the memory access circuitry, sufficiently deep to block all other privilege levels on the CPU. Whilst there may well be implementation flaws in SGX itself so far most attacks have been mounted via side channels, not directly exploiting CPU bugs.

In this sense my original statement was correct. Intel is pushing secure CPUs forward more than any other vendor.

link
ryacko 3126 days ago
I think a secure processor is very complex, not very simple. The smartest person's working memory cannot operate on more than a few hundred lines of code. A high performance processor that induces a fault when a programming error occurs is certainly very complex.

It is the wrong sense. Intel is playing catchup more than any other vendor and are selling a product that is nothing more than a bunch of cobbled together features, my opinion in the view of the statement that AMD is glued together.

link
nickpsecurity 3126 days ago
They're actually pretty simple if you're mostly trying to defeat software/firmware attacks. You just add some part to run in parallel with the processor, which can be arbitrarily simple or complex, that checks certain things about the data such as length or data type. The first one was implemented in 1961 hardware with it being secure from code injection until the invention of ROP. That's a long time. I'll add a modern take on that which led to a flexible mechanism that can do a dozen or maybe more policies.

http://www.smecc.org/The%20Architecture%20%20of%20the%20Burr...

http://www.crash-safe.org/papers.html

A more complex one is below that was also designed by one person for his dissertation. Knocks out all kinds of issues without modifying the processor. It has stuff to improve for sure but it think it proves the point pretty well. The stuff corporate teams were designing comes nowhere near this because they don't know much about high-security design. A critical part of that isn't features so much as a balancing act between what protection mechanisms do and don't that tries to minimize complexity to low as is possible.

https://theses.lib.vt.edu/theses/available/etd-10112006-2048...

And one open-source one on MIPS for capability-based security that runs FreeBSD:

https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/

A company or group of hardware volunteers could develop this into something at least as usable as a multi-core ARM CPU on RISC-V or OpenSPARC. It wouldn't take tons of money esp if they worked their way up in complexity. The hard stuff is already done. People just need to apply it. They could even pay these academics to do it for them with open-sourced results. They even get a huge discount on the EDA tools that can be six digits a seat.

You're right that Intel is screwing up and playing catchup cobbling together features. There was stuff in the available literature better than most of what they're doing. They even have a separation kernel from Wind River they're not employing. Managers without security expertise must be pushing a lot of this stuff.

link
ryacko 3126 days ago
The theory is simple. I'm somewhat inclined to think it is not so easily applicable.

It is easy to make a secure coprocessor, since the formal logic proofs aren't for such a long set of code.

The fact that rootkits are even possible, that without malware that doesn't involve an elaborate rewrite of the kernel, shows how terrible everything is.

If I didn't know any better, I'd say that Intel is hiring the designers who thought Internet Explorer should be in the kernel.

link
gggvvh 3126 days ago
Ain’t no problem that couldn’t be solved by adding another layer of indirection, eh?
link
nickpsecurity 3126 days ago
Maybe in web or application software. In hardware, it all runs in parallel. The mechanism of something like SAFE becomes another component receiving input in the CPU pipeline. A conditional of sorts is added so the final write back to whatever memory doesn't happen unless the safety/security checks passed. The failure mode might also do an interrupt for OS so it could log the where and why of the failure. As in, application flaws could be patched quickly.
link
hateduser2 3127 days ago
Seems like you replied to the wrong comment, the intended parent might not see your reply because of this.. probably should repost it in the right place
link
ryacko 3126 days ago
Hmm. I thought comment chains were limited in length.
link
hateduser2 3126 days ago
Not that I know of.. although the reply button sometimes doesn’t show up.. you just have to click Into a comment if it’s missing for you
link
standupstandup 3127 days ago
SGX is designed to shield software against SMM exploits.
link