This is awesome research, but don't panic. ;] SMT isn't evil here... Fundamentally, secret-dependent control flow has been specifically discouraged and avoided in "constant-time" crypto code for a while now. Upgrade your crypto libraries! The crypto community is really on this.https://twitter.com/CesarPereidaG/status/1058296725419507712 …
-
Yes, but in all of those cases is *this* even close to the most serious risk considering it is limited to info leak, high difficulty, low bandwidth, inability to target arbitrary data, etc....? Outside of very specific areas (crypto, maybe a few others) this shouldn't be a prio.
The problem with that mindset is you think you're ~safe until your not and someone comes up with a high impact exploit for your platform. The stars align and you're truly screwed.
-
-
But that’s true about literally everything, not just SMT.
-
Yes, but we usually try to mitigate known vulnerabilities instead of shrugging them off and saying "eh, nobody will find a way to exploit this".
End of conversation
New conversation -
-
-
You cannot disable all attackable surfaces though just because they may be attacked. You have to make risk- and cost-based prioritizations. That's just reality. Disabling SMT, especially because of *this* vuln, seems like a bad priority. Minimal risk avoided at v. high cost.
-
Anyways, we may just take very different views of either risk or cost here. Not sure this discussion is going to uncover much at this point.
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.