Viewpoints
Inside Risks
Through Computer Architecture, Darkly
Total-system hardware and microarchitectural issues are becoming increasingly critical.
DOI: 10.1145/3325284

Prove, Don't Patch
Many existing commercial operating systems have extensive vulnerabilities. The MITRE repository of common software security vulnerabilities (CVEs: http://cve.mitre.org) currently has over 110,000 open enumerated vulnerabilities that have been reported (excluding ones that have been resolved, and totally ignoring countless other vulnerabilities that have never been reported); the list is growing at a rate of approximately 50 new vulnerabilities each day. Patches cannot possibly keep up with the weaknesses. In addition, patching silicon takes years and potentially costs billions of dollars, which clearly tilts the balance firmly in favor of the attacker.

Recent advances such as the seL4 microkernel [10], the CertiKOS virtual-machine hierarchy [8], and the CompCert verified compiler [12] have significantly contributed to the state of the art in formally proven correctness of operating-system kernels. This technology is not yet widespread, but it offers the potential to prove the absence of large classes of attacks. It relies on trustworthy models of the architectural abstraction—the hardware/software interface—and those too have advanced recently, in work by the authors and others [1, 6].

Looking Behind the Hardware Curtain
It has recently become clear that this is not enough, in several ways. First, Spectre [11], Meltdown [13], Foreshadow [18, 20], Rowhammer [9], Spoiler [9]—suddenly it seems as if there is a new and unending stream of vulnerabilities in processors. Previous niche concepts such as speculative execution and cache timing side-channels have taken center stage. Across the whole hardware/software system, new vulnerabilities such as insufficiently protected memory access from untrustworthy PCIe or Thunderbolt USB-C peripherals [15], malicious Wi-Fi firmware [4], or alleged hardware implants [14] are also starting to emerge.

We may be facing a crisis in systems design. What might we do about it? Here, we consider whether existing approaches are adequate, and where substantial new work is needed.