Communications of the ACM

Vviewpoints

C O L L A G E B Y A N D R I J B O R Y S A S S O C I A T E S , U S I N G S H U T T E R S T O C K

of large classes of attacks. It relies on trustworthy models of the architectural abstraction—the hardware/software interface—and those too have advanced recently, in work by the authors and others. 1, 6

Looking Behind
the Hardware Curtain

It has recently become clear that this is not enough, in several ways. First,

SPECTRE, 11 MELTDOWN, 13 FORE- SHADOW, 18, 20 Rowhammer, 9 Spoiler, 9—suddenly it seems as if there is a new and un- ending stream of vulnerabilities in processors. Previous niche concepts such as speculative execution and cache timing side-channels have taken center stage. Across the whole hardware/software system, new vulnerabilities such as insufficiently protected memory access from untrustworthy PCIe or Thunderbolt USB-C peripherals, 15 malicious Wi-Fi firmware, 4 or alleged hardware implants14 are also starting to emerge.

We may be facing a crisis in systems design. What might we do about it? Here, we consider whether existing approaches are adequate, and where substantial new work is needed.

Prove, Don’t Patch

Many existing commercial operating
systems have extensive vulnerabili-
ties. The MITRE repository of com-
mon software security vulnerabilities
(CVEs: http://cve.mitre.org) currently
has over 110,000 open enumerated
vulnerabilities that have been report-
ed (excluding ones that have been re-
solved, and totally ignoring countless
other vulnerabilities that have never
been reported); the list is growing at
a rate of approximately 50 new vulner-
abilities each day. Patches cannot pos-
sibly keep up with the weaknesses. In
addition, patching silicon takes years
and potentially costs billions of dol-
lars, which clearly tilts the balance
firmly in favor of the attacker.

Recent advances such as the seL4 microkernel, 10 the CertiKOS virtual-machine hierarchy, 8 and the Comp-Cert verified compiler12 have significantly contributed to the state of the art in formally proven correctness of operating-system kernels. This technology is not yet widespread, but it offers the potential to prove the absence