Overlooked Security

In the 1970s, processor architects focused significant attention on enhancing computer security with concepts ranging from protection rings to capabilities. It was well understood by these architects that most bugs would be in software, but they believed architectural support could help. These features were largely unused by operating systems that were deliberately focused on supposedly benign environments (such as personal computers), and the features involved significant overhead then, so they were eliminated. In the software community, many thought formal verification and techniques like microkernels would provide effective mechanisms for building highly secure software. Unfortunately, the scale of our collective software systems and the drive for performance meant such techniques could not keep up with processor performance. The result is that large software systems continue to have many security flaws, with the effect amplified by the vast and increasing amount of personal information online and the use of cloud-based computing, which shares physical hardware among potential adversaries.

Although computer architects and others were perhaps slow to realize the growing importance of security, they began to include hardware support for virtual machines and encryption. Unfortunately, speculation introduced an unknown but significant security flaw into many processors. In particular, the Meltdown and Spectre security flaws led to new attacks that exploit vulnerabilities in the microarchitecture, allowing leakage of protected information at a high rate.[14] Both Meltdown and Spectre use so-called side-channel attacks, whereby information is leaked by observing the time taken for a task, converting information invisible at the ISA level into a timing-visible attribute. In 2018, researchers showed how to exploit one of the Spectre variants to leak information over a network without the attacker loading code onto the target processor.[34] Although this attack, called NetSpectre, leaks information slowly, the fact that it allows any machine on the same local-area network (or within the same cluster in a cloud) to be attacked creates many new vulnerabilities. Two more vulnerabilities in the virtual-machine architecture were subsequently reported.[37, 38] One of them, called Foreshadow, allows penetration of the Intel SGX security mechanisms designed to protect the highest-risk data (such as encryption keys). New vulnerabilities are being discovered monthly.

Side-channel attacks are not new, but in most earlier cases a software flaw allowed the attack to succeed. In Meltdown, Spectre, and other such attacks, it is a flaw in the hardware implementation that exposes protected information. There is a fundamental difficulty in how processor architects define what is a correct implementation of an ISA, because the standard definition says nothing about the performance effects of executing an instruction sequence, only about the ISA-visible architectural state of the execution. Architects need to rethink their definition of a correct implementation of an ISA to prevent such security flaws. At the same time, they should be rethinking the attention they pay to computer security and how architects can work with software designers to implement more-secure systems. Architects (and everyone else) depend too much on information systems to allow security to be treated as anything less than a first-class design concern.

Future Opportunities in Computer Architecture

“What we have before us are some breathtaking opportunities disguised as insoluble problems.” —John Gardner, 1965

Inherent inefficiencies in general-purpose processors, whether from ILP techniques or multicore, combined with the end of Dennard scaling and Moore’s Law, make it highly unlikely, in our view, that processor architects and designers can sustain significant rates of performance improvement in general-purpose processors. Given the importance of improving performance to enable new software capabilities, we must ask: What other approaches might be promising?

There are two clear opportunities, as well as a third created by combining the two. First, existing techniques for building software make extensive use of high-

The end of Dennard scaling meant architects had to find more efficient ways to exploit parallelism.
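Returning to the side-channel mechanism described under Overlooked Security above: the following is an added example, not code from the article or from any of the cited papers. It is a pure software simulation of the cache-timing channel behind Meltdown and Spectre, not an attack on real hardware. A tiny direct-mapped cache model (geometry, hit and miss latencies, the probe-array base address and the secret string are all assumed values chosen for illustration) lets a "transient" load sequence read a byte it is not allowed to read and touch a probe line indexed by that byte; the sequence is then squashed, so the modelled architectural registers are rolled back exactly, yet a Flush+Reload pass over the probe lines recovers the byte from which line is fast. The `memcmp` of architectural state before and after is the check an ISA-correctness definition would perform, and it passes while the secret leaks; that is the gap the paragraph above describes. All function and type names are hypothetical.

```c
/*
 * Added example (not from the article): a SIMULATION of the cache-timing
 * side channel behind Meltdown/Spectre. Cache geometry, latencies, the
 * probe base address and the secret are constructed for illustration;
 * nothing here touches real hardware or uses clflush/rdtsc.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_BYTES   64u
#define CACHE_LINES  256u         /* 16 KiB, direct-mapped (assumed) */
#define HIT_CYCLES   4u           /* assumed hit latency */
#define MISS_CYCLES  200u         /* assumed miss latency */
#define PROBE_BASE   0x100000u    /* probe array, aligned to cache size (assumed) */

/* Microarchitectural state: invisible to the ISA, but it decides timing. */
typedef struct {
    bool     valid[CACHE_LINES];
    uint32_t tag[CACHE_LINES];
} cache_t;

/* Architectural state: the only thing an ISA definition says must be correct. */
typedef struct {
    uint32_t regs[4];
} arch_t;

static uint32_t line_index(uint32_t addr) { return (addr / LINE_BYTES) % CACHE_LINES; }
static uint32_t line_tag(uint32_t addr)   { return addr / (LINE_BYTES * CACHE_LINES); }
static uint32_t probe_addr(uint8_t value) { return PROBE_BASE + (uint32_t)value * LINE_BYTES; }

/* Load from addr: returns the simulated latency and fills the cache on a miss. */
static uint32_t mem_load(cache_t *c, uint32_t addr)
{
    uint32_t i = line_index(addr), t = line_tag(addr);
    if (c->valid[i] && c->tag[i] == t)
        return HIT_CYCLES;
    c->valid[i] = true;
    c->tag[i] = t;
    return MISS_CYCLES;
}

static void cache_flush_line(cache_t *c, uint32_t addr)
{
    c->valid[line_index(addr)] = false;
}

/*
 * Transient sequence: load a byte the program must not read, then load a
 * probe line indexed by that byte. The processor later squashes both, so the
 * register file is rolled back, but the probe line it touched stays cached.
 */
static void transient_sequence(cache_t *c, arch_t *a, const uint8_t *secret, size_t idx)
{
    arch_t checkpoint = *a;          /* state before speculation */
    uint8_t b = secret[idx];         /* unauthorized read, in flight */
    a->regs[0] = b;                  /* transient register write */
    mem_load(c, probe_addr(b));      /* dependent load: leaves a cache side effect */
    *a = checkpoint;                 /* squash: architectural rollback */
}

/* Flush+Reload: flush all 256 probe lines, trigger the transient sequence,
 * then time each line; the single fast one encodes the leaked byte. */
static int recover_byte(cache_t *c, arch_t *a, const uint8_t *secret, size_t idx)
{
    for (unsigned v = 0; v < 256; v++)
        cache_flush_line(c, probe_addr((uint8_t)v));
    transient_sequence(c, a, secret, idx);
    for (unsigned v = 0; v < 256; v++)
        if (mem_load(c, probe_addr((uint8_t)v)) == HIT_CYCLES)
            return (int)v;
    return -1;                       /* no line hit: nothing leaked */
}

/* Leaks n bytes into out; returns true if architectural state never changed. */
static bool leak_secret(const uint8_t *secret, size_t n, uint8_t *out)
{
    cache_t cache;
    arch_t arch = { { 0x11, 0x22, 0x33, 0x44 } };
    arch_t before = arch;
    memset(&cache, 0, sizeof cache);
    for (size_t i = 0; i < n; i++) {
        int v = recover_byte(&cache, &arch, secret, i);
        out[i] = (v < 0) ? 0 : (uint8_t)v;
    }
    /* The ISA-level correctness check: registers identical before and after. */
    return memcmp(&before, &arch, sizeof arch) == 0;
}

/* Runs the attack on a constructed secret; 1 if every byte was recovered
 * while the architectural registers never changed, else 0. */
static int leak_demo(void)
{
    static const uint8_t secret[] = "constructed-sgx-key";   /* constructed sample */
    uint8_t leaked[sizeof secret] = {0};
    bool clean = leak_secret(secret, sizeof secret - 1, leaked);
    return clean && memcmp(secret, leaked, sizeof secret) == 0;
}

int main(void)
{
    printf("secret recovered with architectural state intact: %s\n",
           leak_demo() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall sim.c`. Because latencies are fixed constants, a single hit is decisive here; on real hardware Flush+Reload needs `clflush`, a cycle counter such as `rdtsc`, repeated trials and a calibrated threshold, and mitigations (microcode, retpolines, kernel page-table isolation) may make the transient window unobservable. The simulation keeps only the part the paragraph is about: the squashed sequence leaves architectural state bit-for-bit unchanged, which is all the ISA definition checks, while the timing of the probe reveals the byte.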