[...] Recently, security researchers have found that some innovations have let secrets flow freely out of computer hardware the same way software vulnerabilities have led to cyberattacks and data breaches. The best known recent examples were the chip flaws nicknamed Spectre and Meltdown that affected billions of computers, smartphones and other electronic devices. On July 10, researchers announced they discovered new variants of those flaws exploiting the same fundamental leaks in the majority of microprocessors manufactured within the last 20 years.
This realization has led to calls from microchip industry leaders, including icons John Hennessy and David Patterson, for a complete rethinking of computer architecture to put security first. I have been a researcher in the computer architecture field for 15 years – as a graduate student and professor, with stints in industry research organizations – and conduct research in power-management, microarchitecture and security. It's not the first time designers have had to reevaluate everything they were doing. However, this awakening requires a faster and more significant change to restore users' trust in hardware security without ruining devices' performance and battery life.
Is Open Hardware the answer?
(Score: 4, Insightful) by Gaaark on Thursday July 19 2018, @09:28PM (4 children)
Open hardware is the only answer, methinks, because if security costs too much, the designers boss will say NOPE!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by arslan on Thursday July 19 2018, @10:37PM
That's ideal, but I'd settle for some sort of reg. compliance with hefty fines, this is already common for industry, heck the chip maker themselves probably have a number of commercial codes to comply with, chuck in another for cyber/info sec.
(Score: 2) by darkfeline on Friday July 20 2018, @07:35PM (2 children)
How is open hardware the answer? Linux is open, therefore it does not have security issues?
Open software works because issues can be quickly fixed and patched once found (even then, old systems cause problems). For hardware, even if security issues are found quickly, fabricating and installing new chips is expensive, assuming everyone has a chip fab in their closet.
The real solution is to not run untrusted code. Your software and hardware will always have vulnerabilities. So long as you avoid running untrusted code, a huge number of problems just go away.
So long as we insist on running untrusted code on the same hardware that is handling trusted data, there will always be side channel attacks. Feel free to bookmark this post, when the next side channel RAM read vulnerability comes out or side channel CPU temperature/fan speed vulnerability, or disk vibration microphone vulnerability, or...
Join the SDF Public Access UNIX System today!
(Score: 2) by Gaaark on Friday July 20 2018, @08:44PM
Even trusted code can have security issues. My point is i'd rather trust open code and hardware then, say, MS code and Intel hardware.
Open code usually gets fixed properly (the first time) and fast, unlike MS code, and just look at the Oracle article with, what, 300 security
nightmaresissues!Bookmark THIS post for the next Intel/Oracle/MS/Apple/?/.........
Give me open hardware and software i can read about/through ANY DAY. YOU may trust... i don't.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by AssCork on Tuesday July 31 2018, @02:53AM
"Trusted Code" - maybe enforced by a Trust Platform Module [wikipedia.org], so that only modern BIOS (like UEFI [wikipedia.org]) will only load boot-code signed by the right authority?
NICE TRY, MICROSOFT!
Just popped-out of a tight spot. Came out mostly clean, too.
(Score: 4, Informative) by Apparition on Thursday July 19 2018, @09:30PM (3 children)
ARM says, "No." [osnews.com]
Note that the site only lasted a few days before ARM pulled it due to bad PR.
(Score: 5, Informative) by takyon on Thursday July 19 2018, @09:49PM (2 children)
https://archive.fo/SkiH0 [archive.fo]
Note that it's an archive of an Internet Archive capture, but if you follow the original link it has been "excluded" from the Wayback Machine. ARM tried to cover their tracks.
Keep an eye on RISC-V. It needs to succeed.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by hendrikboom on Saturday July 21 2018, @01:27AM (1 child)
Seems to me the ARM architecture has a number of variations. too.
(Score: 2) by takyon on Saturday July 21 2018, @01:40AM
Are the variations in Samsung Eyxnos, Apple A*, Qualcomm Snapdragon, et al. on the level of "private extensions" of the instruction set?
Either way, I don't think we need to analyze this Microsoftesque marketing propaganda too deeply. If there is truth in it, it has been stretched as far as possible to help promote ARM DesignShart.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 3, Interesting) by bob_super on Thursday July 19 2018, @10:07PM
I remember dealing with .mil customers, who would listen to our tech/sales info, excuse themselves to go read some classified NSA memo about our security flaws, and then quietly decide whether to buy from something else.
For all its flaws, the NSA has been hitting manufacturers with insufficient security at the wallet. For lack of a Clearance, I couldn't say how long the list was, compared to our competitors. But I know for a fact that the major .mil suppliers have been putting the pressure. And they buy at some attention-grabbing margins.
(Score: 2, Interesting) by Anonymous Coward on Thursday July 19 2018, @10:49PM (4 children)
Could open hardware have impeded meltdown and spectre ? Or simply it have already been spotted is easy to point at it.
I'm really in favor for open hardware, but attributing it deceptive magic capabilities, doesn't do any good to it. Hardware is a very specialized niche, that made me recall about openssl had pretty serious flaws but only a handful of people had the skills to advert and patch it. Great exposure of sources is desirable, but does not imply great security as a consequence, specially if it is an intricate field like cryptography or hardware developing.
(Score: 0) by Anonymous Coward on Friday July 20 2018, @12:03AM
Nope spéculative execution flaw were theorized at a ieee conf in 1995 ... it was rediscovered 20y layers...
https://web.archive.org/web/20180506083456/https://pdfs.semanticscholar.org/2209/42809262c17b6631c0f6536c91aaf7756857.pdf [archive.org]
(Score: 2) by HiThere on Friday July 20 2018, @12:31AM
Spectre, probably not. I don't think anyone really expected that kind of attack to work. (It had been theorized, but implementation is a separate matter.)
Meltdown, however, was blatant disregard of safety for slightly faster execution.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by urza9814 on Friday July 20 2018, @02:04PM
I think you're only considering one aspect of being "open" though. It's not just about more people being able to inspect the code/schematics and ensure they're free from defects; it's also about having choice and diversity in the ecosystem in general.
Viruses work the same on computers that they do in biology -- if the virus targets a gene that is shared by 100% of the population, it tears through that population relatively quickly. If it targets a gene shared by only 1% of the population, it's probably not going to spread all that much. Same is true of computing -- if you allow people to mix and match various open components, instead of installing a single monolithic system, then EVERYONE is less likely to get a virus because it's just going to be harder to find flaws that the virus can exploit in all of the possible software environments.
If you use open data formats, then when a flaw is discovered in one program or device you have the option of moving everything to a competing devices that isn't vulnerable in the same way. When the specs are open, more people can investigate potential solutions or mitigation options. When the exact cause and consequence of the flaw are public knowledge, then you aren't stuck waiting for a single vendor to issue their fix.
Is it a magic solution to all potential security concerns? Of course not. But it does offer a ton of advantages.
(Score: 0) by Anonymous Coward on Friday July 20 2018, @04:42PM
no, only a handful of people were contributing while the vast majority of these dinosaur closed model companies just leeched. the openssl situation does not represent some fundamental flaw in FOSS but is just the typical behavior of these slavetrading companies that happen to use a little FOSS without pitching in shit.
(Score: 2) by The Mighty Buzzard on Friday July 20 2018, @12:43AM
It's an answer anyway. It's not the only one though.
My rights don't end where your fear begins.
(Score: 4, Insightful) by bzipitidoo on Friday July 20 2018, @02:34AM
Once again we see that security was not the top priority, or such a huge security hole as Spectre could never have slid by for _20_ years. They knew it could be possible but chose not to investigate. Didn't want to do anything that might reduce performance, even when they went all security Nazi and put on a big act.
Over and over, we see performance, or convenience or money quietly put ahead of security. Just look at all the crap that's possible in C, all kinds of things not checked, because performance. And who actually uses SELinux? And I mean, really uses it, not just runs SELinux in such a disabled, open state it might as well not be present?
But seems everyone still feels they have to act like nothing is more important than security. Why, just suggesting there could be more important things than preventative security is practically treason. Be good to get that lie exposed.
However, having said all that, I certainly would prefer a system that is not vulnerable to Spectre, if the price is not too high. That is, I'm not going to dig up an old mid 1990s era 32bit 133Mhz Pentium system, stuff it with 256M of RAM (64M was considered a good amount then) and make that my primary computer, just to avoid Spectre. Way too big a performance hit from today's 64bit multicore machines with 10 times or more the memory. A 1% hit to performance to stop Spectre, yes, a 50% or greater hit, no way.
(Score: 0) by Anonymous Coward on Friday July 20 2018, @04:45PM
"Is Open Hardware the answer?"
yes, buying chips from these slaveware peddlers will never be secure.