Hacker News new | ask | show | jobs
by MrZipf 2607 days ago
Mark Aiken wrote a paper on Singularity with and and without Memory Protection:

https://www.microsoft.com/en-us/research/publication/deconst...

By design, Singularity didn't support dynamic code loading so untrusted code would run in another software isolated process (SIP) and separated by a channel boundary (IPC). With Spectre, you'd need to rethink what happens with IPC to and fro the untrusted processes. The core of the system wouldn't need this though.

Singularity also looked to proof carrying code as a way of building reliable systems. Unfortunately, it'd be hard to prove there isn't a Spectre style attack lurking in a piece of code.
1 comments
monocasa 2607 days ago
Even if the untrusted code is in another SIP, if it was susceptible to Spectre you'd be able to break down that boundary.
link
MrZipf 2607 days ago
In Singularity, the system gets to decide what happens at SIP boundaries (and the kernel ABI boundary).

HIP is the full address space change, but any mitigation steps can be introduced in the IPC hand-off between SIPs (or at the kernel ABI) compiled into the untrusted process. This code is compiler controlled. The system is in ring-0 so IPC code gets full access to available instructions (such as mitigation is possible there).

Of course doing this makes channel communication in both directions slow for untrusted processes, but that is the cost of doing business with Spectre. And if someone wrote a browser that didn't use channels for talking to the JS engine, then all bets would be off.

link
monocasa 2607 days ago
With Spectre, malicious processea doesn't need to have code execution cross a SIP boundary in order to break confidentiality of other colocated SIPs. As a malicious SIP, I can just read out the rest of the hardware visible context.
link
MrZipf 2607 days ago
How does the hardware visible context get suitably updated if the confidential data in the other SIP isn't touched by execution (speculative or otherwise)? Doesn't something need to be pulling that state into the visible context?
link
monocasa 2607 days ago
As far as the hardware is concerned, the confidential information in the other SIP is already visible.
link
MrZipf 2607 days ago
This was stupid comment, long day. Totally looking at this the wrong way.
link