What's the advantage of memory protection when the ISA if full of holes.

[H_Celine]

In the light of rowhammer, spectre, meltdown et al. I believe there is prudent to revisit this question.

If I use a flat single address-space I gain lots of speed (no need to copy data, just copy a pointer).
I also get what was yesteryear called an unsafe system, but is not the memory-protection of a moderns CPU but a false sense of security with all these newly discovered side-channels and other hardware bugs discovered and yet undiscovered?

If I had a choice between paying for speed and paying for false security, I would surely not choose the latter.

What I am saying (except the small detail that the herein described products probably do not exist) is:
If I was going to build a system based on what we know today, I would go for a flat single address-space on the workstation/server and leave the security to a system (firewall) running on Harvard architecture.

-H.C.

[H_Celine]

@ronniebeck: rotfl, excellent thanks for the laugh

Putting a lock on my front door is inconvenient. it slows me down because I have to unlock it every time I want to go inside and lock when I leave. Also, locks can be picked or broken, I might forget to lock it, or someone might just bypass it and break a window. Therefore locks are pointless and I might as well always leave my front door unlocked.

What I am saying is more like: Why keep wasting time on locking/unlocking the front door, when the windows are broken, the lock on the back door is missing, and there is a giant hole in the side-wall?

[H_Celine]

Well that analogy isn't particularly accurate since it's nowhere near that bad.

And your analogy completely ignored the fact that I proposed delegating security to a actually secure system (one where instruction- and data- address-space is physically separated).

The newly discovered weaknesses are of the "side-channel" type, and very difficult to exploit. The worst ones like Meltdown and the most severe forms of Spectre have already been patched since one year ago (and since I'm running AMD processors, the issues were never as severe anyway).

From what I am reading the fixing is still an ongoing process. For example the Linux 4.20 speed regression debacle (on windows side situation so more opaque). And regarding speed regression, some claim one have to disable hyper-threading, even if that is not true most of these so called fixes are noting but disabling functions in the CPU that exist to make it go faster. In my opinion; handicapping the CPU is not really a fix.

There are also lots of Laptops/Motherboards that have not received a single bios-update since Spectre/Meltdown was discovered (and I believe older CPU's that no microcode update is made available for). And they kept finding new Spectre variants for a long time, there are probably other undiscovered holes in the ISA, they have practically just scratched  the surface yet.

[H_Celine]

Am I understanding you correctly you want to protect your computer by only looking at the internet traffic from this computer ? Which most of the time is encrypted anyway ?

No, I probably should have specified. This is another product whose non-existence baffles me: It's a known fact that you can get unrestricted DMA-access trough for example a Firewire port (I believe the same goes for Thunderbolt), and that this could be used to infect a system given physical access. What I am thinking is: It must be possible to use the same approach not to infect, but to run antivirus/security software form an external system.
If the external system is Harvard architecture you get two levels of separation:
The security software runs in the instruction address-space of the Harvard architecture, doing the work in the data address-space of the same system and on the address space of the Server/Workstation. While your server/workstation gets to use its work along unimpeded as long as the Security software on the other box does not flag anything. 

[H_Celine]

The same trick can also be applied to the Haward architecture - to prevent this, you would need separate data and code stacks, and separate data and code stack pointers. We currently do not have that, but I afraid even if we would, there would possibly another trick one can play.

I believe I was clear on the fact that my proposal is based om products data do not exist.

This doesn't help you the least. In fact, up-to-date intel CPUs have an "execute permission" bit in the MMU which prevents execution of data as code. Current malware is already beyond this, and also beyond the "separate address spaces". The trick is to put the right data onto the CPU stack, namely data that "by coincidence" represents a return address that goes into a function that, by pure chance, is part of the functional part of the program and implements a feature necessary for the malware bootstrap process, such as downloading another piece of code.

Taken into account that this product does not exist, my suggestion is based on the the use of pure Harvard architecture. Meaning separate stacks and pointers, and separate address-space on physically separate memory buses. And my assumption is that, using a Firewall as example:
Nothing coming in trough a network card on/in the data- bus/address-space would be able to usurp the firewall software.

[H_Celine]

Of course it would, unless you will never attempt to execute a program from the internet, or some other source. At some point, even a Havard architecture system need to copy data to code section if it wants to execute arbitrary programs, and there is no program to detect whether a program is potentially malware - without executing the program itself.

Why would I want my firewall execute arbitrary programs?
As for detecting if a program is malware I would leave that to the antivirus. And yes to check if a program is malware you have to execute it. I assume regular security software does this in a sandbox. In my proposal it the sandbox would be hardware based; If you run the security software in the instruction address-space of the (pure) Harvard architecture and give this software a "slave-processor"* on the data address-space and memory-bus that it can use as a sandbox to check the safety of arbitrary programs before giving the real server/workstation permission to execute them. This using a system like I described four posts above this. And before anyone complains that Firewire/Thunderbolt is too slow there are always PCIe Non-Transparent-Bridges which is actually a product that exists.

Edit:
*By "slave-processor" i refer to a processor that would be practically identical to the processor in the server/workstation except it would not be in control of it self. The main (Harvard) CPU would have the ability to directly override things like the PC and peek into registers and stack. It wold use part of the data-address-space (or even better a separate third address-space) of the Harvard architecture as its single flat-address-space. It would be a "hardware based sandbox" imitating the real server/workstation.

Edit2:
And I see this could be understood as two systems (sorry for being unclear). Just to specify, I would run:
-Firewall on pure Harvard architecture.
-Server/workstation on a single flat address-space system.
-antivirus/security-policies et.al. on a pure Harvard architecture with a "slave-processor sandbox" imitating the server/workstation and direct DMA access to said server/workstation.