Re: Hyper-Threading Considered Harmful

From: Tom Linden (tom_at_kednos.com)
Date: 05/17/05


Date: Mon, 16 May 2005 19:36:58 -0700

On Tue, 17 May 2005 02:00:40 +0000 (UTC), David Wagner
<daw@taverner.cs.berkeley.edu> wrote:

> Eric Cordian wrote:
>> My personal opinion is that the recommendation that everyone disable
>> hyperthreading on multi-user systems is premature.
>
> Some personal opinions:
>
> 1) I usually assume that any typical multi-user system is insecure.
> If you have untrusted users with accounts on your machine, you should
> assume they can get root on your machine if they care enough.
> Today's commodity OS's usually aren't able to stand up to that threat
> model.
>
> 2) Given that, the real question is whether this attack can be mounted
> even if the attacker does not have an account on your system. For
> instance, if the attacker can get you to run Java applets of his
> construction on your system, can he steal your RSA keys? What is the
> full extent of ways that attackers can mount such hyperthreading attacks?
>
> 3) If the answer to question 2) is sufficiently limited, we might wish
> to consider alternative countermeasures. For example: don't run a web
> browser, Java applets from untrusted sources, etc. on the same machine
> where you store your RSA key.
>
> 4) Any decision on how to respond to this threat should begin by doing
> a cost-benefit analysis. What are the possible countermeasures? What
> are the costs and benefits of each countermeasure? For instance, if the
> performance benefit from hyperthreading is minimal, and the value of the
> RSA key is very high, then disabling hyperthreading might be the right
> answer in that scenario. But the answers to cost-benefit analyses are
> often very fact- and scenario-dependent, so I'm not sure there are any
> general answers that are optimal for everyone.

So do you believe VMS is reasonably secure only due to its relative
obscurity, or do you think the security module is adequately robust?
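The cost-benefit question in point 4 only arises on a host where sibling hyperthreads actually share a core with the process holding the key. The check below is an added example, not code from this thread or from any of its participants: it reports whether SMT is active on a Linux host by reading sysfs, first via the kernel's summary file (/sys/devices/system/cpu/smt/active, present on newer kernels) and otherwise by looking for any logical CPU whose thread_siblings_list names more than one CPU. The optional root-directory argument is an assumption added here so the function can be run against a constructed sysfs tree; on a real host it is left unset.

```shell
#!/bin/sh
# Added example (not from the original thread): report whether SMT
# (Intel Hyper-Threading) is active on a Linux host, using sysfs.
#
# $1 (optional, hypothetical override for testing): directory to read
# instead of the real /sys/devices/system/cpu.
# Prints "active" or "inactive"; always returns 0.
smt_status() {
    root="${1:-/sys/devices/system/cpu}"

    # Kernels since 4.19 expose a summary file: 1 = SMT active, 0 = not.
    if [ -r "$root/smt/active" ]; then
        case "$(cat "$root/smt/active")" in
            1) echo "active";   return 0 ;;
            0) echo "inactive"; return 0 ;;
        esac
    fi

    # Fallback for older kernels: a core has SMT siblings if any cpuN lists
    # more than one logical CPU, e.g. "0,4" or "0-1", in its sibling list.
    for f in "$root"/cpu[0-9]*/topology/thread_siblings_list; do
        [ -r "$f" ] || continue
        case "$(cat "$f")" in
            *,*|*-*) echo "active"; return 0 ;;
        esac
    done
    echo "inactive"
}

# Stand-alone use: ./smt_status.sh   (or pass an alternate sysfs root)
smt_status "$@"
```

If the answer is "active" and the decision from the cost-benefit analysis is to turn SMT off, the same sysfs directory accepts `echo off > /sys/devices/system/cpu/smt/control` on kernels that provide it (the change lasts until reboot; use the `nosmt` kernel parameter to make it persistent). Writing that file is deliberately not part of the check above.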