This is awesome research, but don't panic. ;] SMT isn't evil here... Fundamentally, secret-dependent control flow has been specifically discouraged and avoided in "constant-time" crypto code for a while now. Upgrade your crypto libraries! The crypto community is really on this.https://twitter.com/CesarPereidaG/status/1058296725419507712 …
-
Also, unless you're using VMs, truly malicious code on your physical core is .... a much bigger problem. And if you *are* using VMs, all the major cloud vendors have already isolated your core. All the non cloud VM stacks are on it too. L1TF makes this risk look tiny.
Containers come to mind. Also, plenty of on-premise VM stuff isn't doing proper core isolation. And in general any multiuser systems. We rely on untrusted code not escaping OS privilege boundaries all the time.
-
-
Yes, but in all of those cases is *this* even close to the most serious risk considering it is limited to info leak, high difficulty, low bandwidth, inability to target arbitrary data, etc....? Outside of very specific areas (crypto, maybe a few others) this shouldn't be a prio.
-
The problem with that mindset is you think you're ~safe until your not and someone comes up with a high impact exploit for your platform. The stars align and you're truly screwed.
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.