Schneier on Security

Clive Robinson • May 5, 2021 2:57 PM

@ metaschima, ALL,

These vulnerabilities will continue to come.

Yup back when Spector/Meltdown were the first of the CPU “go faster stripes” to go ker-boom I did say that CPU Hardware faults giving side channels would be,

“The Xmas Gift that keeps giving”

And so far that is what has happened, and I can see a lot more comming…

This current one is unlikely to be fixed easily or without a significant performance hit.

Whilst many users will not notice very much (Most Office apps spend over 90% of their time in an idle loop waiting on user input) others will notice a lot, especially those running servers, especially those providing cloud services.

The sensible thing if you need the speed is to disconect your system from all communications, thus it can not be attacked by this issues.

Not so for cloud servers and people trying to use them as for that communications are essential.

Which realy should make people question the wisdom of using cloud services as these sort of CPU issues are not going to go away any time soon…

Clive Robinson • May 6, 2021 2:57 AM

@ SpaceLifeForm, ALL,

Smells like spin.

It’s worse than that and if Intel do not know that then they should not be making CPUs.

Whilst “constant-time programming” can be written to be not vulnerable to side-channel attacks, it’s really not at alleasy.

Worse it places large time penalties on sodtware. That is all Intel are realy saying is,

“If you write really inefficient code that circumvents all the CPU “go faster stripe” hardware tricks, even though it will be slower to develop and execute than us fixing the hardware problem, it means we don’t have to fix it or get hit with a recall on a decade of CPU sales which will bankrupt us”…

As you are aware I’ve been warning against “Marketing Spec-manship” for a couple of decades. Because it was obvious that wirhout extream care covert side channels be they time or power based would open up.

My basic warning as always is,

“Securiry -v- Efficiency”

As a general rule the more you have of one the less you have of the other.

Just remember the following,

At the moment researchers are only looking at ‘TIME’ based side channels, there are several other classes of side channels including ‘POWER’ and ‘SPECTRUM’ and some more that are even more esoteric.”

And those are ‘Pasive’ TEMPEST type attacks, there are also ‘Active’ injection type attacks I’ve mentioned before, to add to the ever growing pile…

And people wonder why I talk about using Energy Gapping and two computers, one that is ‘gapped’ for activities that require confidentiality or privacy (ie all activities). And one that forms a communications end point that is assumed to be ‘Public Broadcast’ in nature. The trick is developing a secure gap crossing technique where not only is traffic encrypted, it’s also designed to make getting malware across very difficult and to instrument it for signs of someone trying to push malware across.

I could go on, I have in the past, however,

As you say “Just saying”…

Clive Robinson • May 6, 2021 8:46 AM

@ Winter,

What is the alternative?

There are many that exist currently, and it’s reasonably certain to say there will, just like hardware and software bugs be more in the future.

The problem is “instances -v- classes” it is pointless coming up with a solution for any given instance, that is the “bolt another cludge on till it breaks under the weight of cludges”. I’ve mentioned this before and used “Victorian artisanal steam engine builders” as a historic example of the wrong direction to go in.

What you need is properly designed systems for security. That is ones that cover many “known classes” and also “unknown clases” the easiest way to do this is by “encapsulation and segregation”. Put a machine inside a faraday cage with issolated power supply and user and whilst malware or bugs on the system could crash it or do other “Denial Of Service”(DOS) attacks, it can not directly leak information as there is no direct communications path. However DOD can have knock on effects, and it could result in leaks of information in other ways from outside the energy gapped perimiter[1].

No cloud data processing?

Accessable systems or systems outside of your security perimiter are currently by definition “outside of your control” thus they are not secure without suitably robust protections. The three areas you need to consider are,

1, Communications,
2, Storage,
3, Processing.

For the first two there are known ways of protecting the information via encryption. However currently we can not encrypt the third in anything close to an effective manner. So “NO” cloud processing, it is most definately not something you want to be doing at aby time if you have a duty of confidentiality or need privacy. As far as the West is concerned all commercial entities have a duty of care with regards confidentiality. As Elon Musk found, being honest about things can get you million dollar punitive fines from the likes of the SEC. As others have found you can be litigated against by shareholders or other investors as well as competitors and agencies…

Then the question comes up, is that any more secure? The main security problem is software maintenance, updates and settings.

Much of the problems with software is that it is so very vulnerable when on a system with communications because it can be seen by others, thus attacked.

As a rule of thumb all commercial grade software is released before it should be, and is in no way designed for security (you can not “bolt it on” thus anything that has legacy code, has legacy vulnerabilities). For instance Win10 has legacy code in the kernel going back at least as far as NT4 if not earlier, it’s why 20year or older vulnarabilities come up from time to time.

If you correctly issolate systems then the vectors by which it can be attacked become irrelevant as far as outsider attacks are concerned. Because no outsiders can get to the system as it has no communications[2].

Maintaining your own servers might be less secure than being open to this attack.

That depends on where and how tou set the security perimiter. As a roigh rule of thumb the further out you set the security perimiter, the easier it is to setup and maintain. Trying to secure a computer with external communications is at best going to fail in a short order of time. This leads to the administrators “Hamster Wheel of pain” where it matters not a jot how hard you run you never get anywhere. Because every piece of hardware you use, every piece of software you install and every patch you apply bring unknown vulnerabilities that will sooner or later become known.

As it’s a game you can never win, why bother playing it? Instead play a game you have a way better than evens chance of winning.

As Tsun Zu and many others since have said,

1, Pick your choice of battle grounds.
2, Fight to your advantage not the enemies.
3, Don’t get trapped by the enemy into fighting on their choices, ground or terms.

If you follow those rules then even when the numbers favour the eneny thousands to one you can still fight and eventually by attrician get them to retreate, give up, or capitulate. We call this “Asymmetrical War Fare” and with care the smaller forces can defeat the superior forces much of the time.

[1] Whilst data can not be leaked directly from an Energy Gapped system information can leak as meta-data or meta-meta-data. That is a user may respond in certain ways once outside of the gapped perimeter. Which could be meta-data via changes in external operating procedure, or meta-meta-data, such as a change in routine, ordering in pizza,or increased energy usage for lights, coffee machine, toaster/oven, microwave that could be seen via a Smart Meter that samples both voltage and current as well as the phases between them at upto 600 times a second and send data back via the Cellular data network to any point in the world.

[2] As for insider attacks the old “access to the front pannel” saying still holds when data is not encrypted (ie being processed). There are various mitigations and techniques that can minimise insider attack risk, but if a user or administrator can see the data or encryption keys then it’s game over. Obviously users are ment to see unencrypted data as that is what they work with. However there are some ways where nobody gets to see the encryption keys but that is a subject for abother day about HSM’s that don’t have a stellar record of getting things right (due to poor design choices at some point in time).

Clive Robinson • May 6, 2021 9:24 AM

@ Dave, ALL,

Constant-time code is nearly impossible to write, particularly since any microarchitectural change can immediately make it non-constant-time again.

And those problems are not going to change any times soon, especially “microarchitectural change” Marketing are not going to give up on the “Go faster stripes” model thay have stuck to “like turd to a blanket” for the past half century or so…

Clive Robinson • May 7, 2021 6:48 AM

@ Winter, SpaceLifeForm, ALL,

When half your employees are working from home, how many Evil Maids will they employ themselves?

Do you mean the employees or the employer?

I think from the “Nasty Barclay Brothers” putting, “crotch detectors” under “hot desk units” at their newspaper, through Amazon reportedly putting sensors in employee toilets to ensure they are actually bodily evacuating, to a well known “gig economy” software development outsourcer putting sound, video, keyboard and other sensors that carry on spying 25×7 on the computers of people that work for them, I would assume it’s the employer wanting to “spy” on employees as surreptitiously as possible, just to avoid “bad publicity” (see Amazon and their 18month “non compeate” clause that unfairly stops people working, that even the USG thinks should be stopped).

Clive Robinson • May 8, 2021 3:05 AM

@ SpaceLifeForm, ALL,

No cloud. Run your own servers.

It’s what I’ve been saying for years one way or another for even more reasons all of which get to come true fairly quickly…

The cloud is an attempt to move people from the “ownership model” to the “rental model” where by whay initially looks like a good “accounting” decision very quickly becomes “rental hell”.

The people pushing this model know that in practice most computer systems are basically ideling for the majority of the time. Thus they can supply computing power to a large averaged peak load, where as individuals have to have computing power to the individual peak load. Thus the cloud providers have upto a hundreded to one advantage. Then unlike the individual they have bulk buying leverage with hardware suppliers. Thus it’s easy to see how they can get a five hundred to one or better advantage. Yet they only offer maybe a 20-30% saving to the end user over maybe a year… Then it starts swinging their way and that advantage goes away so after about 18months the cost to the end user will not only be the same, but will rise against them for each month they rent there after…

The downside gets worse, the cost of individual conputers is based on volume production where development costs get spread across the entire volume. If the volume drops then the slice of those costs per machine goes up slowly at first but then quite dramatically.

So switching to cloud setvice provider provision is walking into a trap, which only works because people are way to short sighted to realise that they are being cheated into not just a rental model, but one that also steals the very value that needs to be protected the most.

Hence we’ve kind of seen the dangers of “outsourcing” with China and India rather dramatically with COVID, the cloud is actually a rather more dangerous form of outsourcing you are effectively selling your self into worse than slavery, but will people stop doing it?

I very much doubt it.