
Topic: What's the advantage of memory protection when the ISA is full of holes. (Read 2224 times)


Offline H_Celine

In the light of Rowhammer, Spectre, Meltdown et al. I believe it is prudent to revisit this question.

If I use a flat single address-space I gain lots of speed (no need to copy data, just copy a pointer).
I also get what was yesteryear called an unsafe system, but is not the memory-protection of a modern CPU but a false sense of security with all these newly discovered side-channels and other hardware bugs discovered and yet undiscovered?

If I had a choice between paying for speed and paying for false security, I would surely not choose the latter.

What I am saying (except the small detail that the herein described products probably do not exist) is:
If I was going to build a system based on what we know today, I would go for a flat single address-space on the workstation/server and leave the security to a system (firewall) running on Harvard architecture.

-H.C.

Offline SamuraiCrow

« Reply #1 on: December 21, 2018, 12:15:38 PM »
I agree!  If we could only get symmetric multiprocessing we would be ok.

Offline ronniebeck

« Reply #2 on: December 21, 2018, 12:41:40 PM »
The Christmas troll is alive and well.

But for those seriously interested in securing their Windows/Linux PC, the CIA issued some security guidelines following Spectre. You could try the following.

Just go into your PC's BIOS, and navigate your way into the "Alternate Operating System Architecture" options. If you don't find this, it might be that you plugged the USB keyboard in upside down so the escape key is now in the backspace position. Correct this. Enable "Flat memory". This will take an hour or so to straighten out all the bits, especially if your PC is older and the bits are now very crooked from the years of unflat memory use. After this, you can turn on the RAM firewall. This is the real solution. Spectre can't get past the firewall, especially if you enable it on the RAM chips directly. The last step is to disable "Contiguous Memory Map." This is the safest option because any out of control program that tries to eat all your RAM will eventually bump into the next program further up the memory address range and will stop there. As a good practice, you can load multiple copies of Notepad.exe/Vi every few megabytes in the memory map. If you need a bigger allocation, just close one of the copies of notepad. They also recommend disabling pointer copying because they claim there are security problems with this. They don't detail this but doing a packet capture on the RAM firewall I don't see any pointers falling out. So I don't see the problem there.

Good luck!

Offline AdvancedFollower

« Reply #3 on: December 21, 2018, 02:56:14 PM »
Putting a lock on my front door is inconvenient. It slows me down because I have to unlock it every time I want to go inside and lock when I leave. Also, locks can be picked or broken, I might forget to lock it, or someone might just bypass it and break a window. Therefore locks are pointless and I might as well always leave my front door unlocked.
 

Offline H_Celine

« Reply #4 on: December 21, 2018, 06:23:05 PM »
@ronniebeck: rotfl, excellent thanks for the laugh ;D

> Putting a lock on my front door is inconvenient. It slows me down because I have to unlock it every time I want to go inside and lock when I leave. Also, locks can be picked or broken, I might forget to lock it, or someone might just bypass it and break a window. Therefore locks are pointless and I might as well always leave my front door unlocked.

What I am saying is more like: Why keep wasting time on locking/unlocking the front door, when the windows are broken, the lock on the back door is missing, and there is a giant hole in the side-wall?
 

Offline AdvancedFollower

« Reply #5 on: December 22, 2018, 03:30:48 PM »
> @ronniebeck: rotfl, excellent thanks for the laugh ;D
>
> > Putting a lock on my front door is inconvenient. It slows me down because I have to unlock it every time I want to go inside and lock when I leave. Also, locks can be picked or broken, I might forget to lock it, or someone might just bypass it and break a window. Therefore locks are pointless and I might as well always leave my front door unlocked.
>
> What I am saying is more like: Why keep wasting time on locking/unlocking the front door, when the windows are broken, the lock on the back door is missing, and there is a giant hole in the side-wall?

Well that analogy isn't particularly accurate since it's nowhere near that bad. The newly discovered weaknesses are of the "side-channel" type, and very difficult to exploit. The worst ones like Meltdown and the most severe forms of Spectre have already been patched since one year ago (and since I'm running AMD processors, the issues were never as severe anyway). The others are mostly theoretical, and are even harder to implement in practice, with no active exploits taking place. In part, this is actually thanks to process isolation and memory protection in modern operating systems, which makes an attack (even if that's theoretical at the moment) even less likely to actually succeed in gaining access to private data outside of the compromised user process.
« Last Edit: December 22, 2018, 03:34:03 PM by AdvancedFollower »
 

Offline H_Celine

« Reply #6 on: December 23, 2018, 02:25:27 AM »


> Well that analogy isn't particularly accurate since it's nowhere near that bad.

And your analogy completely ignored the fact that I proposed delegating security to an actually secure system (one where instruction- and data- address-space is physically separated).

> The newly discovered weaknesses are of the "side-channel" type, and very difficult to exploit. The worst ones like Meltdown and the most severe forms of Spectre have already been patched since one year ago (and since I'm running AMD processors, the issues were never as severe anyway).

From what I am reading the fixing is still an ongoing process. For example the Linux 4.20 speed regression debacle (on the Windows side the situation is more opaque). And regarding speed regression, some claim one has to disable hyper-threading; even if that is not true, most of these so-called fixes are nothing but disabling functions in the CPU that exist to make it go faster. In my opinion, handicapping the CPU is not really a fix.

There are also lots of laptops/motherboards that have not received a single BIOS update since Spectre/Meltdown was discovered (and I believe older CPUs that no microcode update is made available for). And they kept finding new Spectre variants for a long time, there are probably other undiscovered holes in the ISA, they have practically just scratched the surface yet.
 

Offline Fats

« Reply #7 on: December 23, 2018, 02:16:59 PM »
> And your analogy completely ignored the fact that I proposed delegating security to an actually secure system (one where instruction- and data- address-space is physically separated).

Am I understanding you correctly, you want to protect your computer by only looking at the internet traffic from this computer? Which most of the time is encrypted anyway?
Trust me... I know what I'm doing
 

Offline H_Celine

« Reply #8 on: December 23, 2018, 03:00:02 PM »

> Am I understanding you correctly, you want to protect your computer by only looking at the internet traffic from this computer? Which most of the time is encrypted anyway?

No, I probably should have specified. This is another product whose non-existence baffles me: It's a known fact that you can get unrestricted DMA access through, for example, a Firewire port (I believe the same goes for Thunderbolt), and that this could be used to infect a system given physical access. What I am thinking is: It must be possible to use the same approach not to infect, but to run antivirus/security software from an external system.
If the external system is Harvard architecture you get two levels of separation:
The security software runs in the instruction address-space of the Harvard architecture, doing the work in the data address-space of the same system and on the address space of the Server/Workstation. While your server/workstation gets to use its work along unimpeded as long as the Security software on the other box does not flag anything.
 

Offline Thomas Richter

« Reply #9 on: December 23, 2018, 05:48:28 PM »
> And your analogy completely ignored the fact that I proposed delegating security to an actually secure system (one where instruction- and data- address-space is physically separated).

This doesn't help you in the least. In fact, up-to-date Intel CPUs have an "execute permission" bit in the MMU which prevents execution of data as code. Current malware is already beyond this, and also beyond the "separate address spaces". The trick is to put the right data onto the CPU stack, namely data that "by coincidence" represents a return address that goes into a function that, by pure chance, is part of the functional part of the program and implements a feature necessary for the malware bootstrap process, such as downloading another piece of code.

The same trick can also be applied to the Harvard architecture - to prevent this, you would need separate data and code stacks, and separate data and code stack pointers. We currently do not have that, but I am afraid even if we would, there would possibly be another trick one can play.
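
The return-address overwrite and the "separate data and code stacks" idea from Reply #9, as an added toy model in C that is not part of any post in this thread. The machine, its frame layout (`BUF_WORDS`) and the addresses 0x1000 and 0x2000 are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy machine, constructed for illustration: a data stack that holds locals
   and return addresses together, plus a separate return stack that ordinary
   stores cannot address. */
#define STACK_WORDS 16
#define BUF_WORDS   4

typedef struct {
    uint32_t data[STACK_WORDS];
    uint32_t shadow[STACK_WORDS];
    size_t sp, ssp;
} machine;

typedef struct {
    uint32_t data_target;   /* where a single-stack machine would return */
    uint32_t shadow_target; /* what the separate return stack recorded */
    int tampered;           /* 1 if the two disagree */
} ret_result;

/* Call a function whose frame is BUF_WORDS of buffer followed by the saved
   return address, copy n input words into the buffer without a length check
   (the bug), then return. */
static ret_result call_copy_ret(uint32_t ret_addr, const uint32_t *in, size_t n) {
    machine m = {0};
    size_t buf = m.sp;
    m.sp += BUF_WORDS;
    m.data[m.sp++] = ret_addr;       /* return address on the data stack */
    m.shadow[m.ssp++] = ret_addr;    /* and a copy on the return stack */

    for (size_t i = 0; i < n && buf + i < STACK_WORDS; i++)
        m.data[buf + i] = in[i];     /* word BUF_WORDS lands on the saved address */

    ret_result r;
    r.data_target = m.data[--m.sp];
    r.shadow_target = m.shadow[--m.ssp];
    r.tampered = (r.data_target != r.shadow_target);
    return r;
}

int main(void) {
    const uint32_t fits[BUF_WORDS] = {1, 2, 3, 4};
    const uint32_t over[BUF_WORDS + 1] = {1, 2, 3, 4, 0x2000}; /* constructed input */
    ret_result a = call_copy_ret(0x1000, fits, BUF_WORDS);
    ret_result b = call_copy_ret(0x1000, over, BUF_WORDS + 1);
    printf("fits: tampered=%d target=0x%x\n", a.tampered, (unsigned)a.shadow_target);
    printf("over: tampered=%d data=0x%x shadow=0x%x\n", b.tampered,
           (unsigned)b.data_target, (unsigned)b.shadow_target);
    return 0;
}
```

No data is ever executed in the second case, which is why an execute-permission bit alone does not catch it; only the comparison against the separate return stack does.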
 

Offline H_Celine

« Reply #10 on: December 23, 2018, 07:09:35 PM »
> The same trick can also be applied to the Harvard architecture - to prevent this, you would need separate data and code stacks, and separate data and code stack pointers. We currently do not have that, but I am afraid even if we would, there would possibly be another trick one can play.

I believe I was clear on the fact that my proposal is based on products that do not exist.

> This doesn't help you in the least. In fact, up-to-date Intel CPUs have an "execute permission" bit in the MMU which prevents execution of data as code. Current malware is already beyond this, and also beyond the "separate address spaces". The trick is to put the right data onto the CPU stack, namely data that "by coincidence" represents a return address that goes into a function that, by pure chance, is part of the functional part of the program and implements a feature necessary for the malware bootstrap process, such as downloading another piece of code.

Taken into account that this product does not exist, my suggestion is based on the use of pure Harvard architecture. Meaning separate stacks and pointers, and separate address-space on physically separate memory buses. And my assumption is that, using a Firewall as example:
Nothing coming in through a network card on/in the data- bus/address-space would be able to usurp the firewall software.
 

Offline Thomas Richter

« Reply #11 on: December 23, 2018, 08:22:51 PM »
> Taken into account that this product does not exist, my suggestion is based on the use of pure Harvard architecture. Meaning separate stacks and pointers, and separate address-space on physically separate memory buses. And my assumption is that, using a Firewall as example:
> Nothing coming in through a network card on/in the data- bus/address-space would be able to usurp the firewall software.

Of course it would, unless you will never attempt to execute a program from the internet, or some other source. At some point, even a Harvard architecture system needs to copy data to code section if it wants to execute arbitrary programs, and there is no program to detect whether a program is potentially malware - without executing the program itself.
 

Offline H_Celine

« Reply #12 on: December 23, 2018, 09:26:09 PM »

> Of course it would, unless you will never attempt to execute a program from the internet, or some other source. At some point, even a Harvard architecture system needs to copy data to code section if it wants to execute arbitrary programs, and there is no program to detect whether a program is potentially malware - without executing the program itself.

Why would I want my firewall to execute arbitrary programs?
As for detecting if a program is malware I would leave that to the antivirus. And yes, to check if a program is malware you have to execute it. I assume regular security software does this in a sandbox. In my proposal the sandbox would be hardware based; If you run the security software in the instruction address-space of the (pure) Harvard architecture and give this software a "slave-processor"* on the data address-space and memory-bus that it can use as a sandbox to check the safety of arbitrary programs before giving the real server/workstation permission to execute them. This using a system like I described four posts above this. And before anyone complains that Firewire/Thunderbolt is too slow there are always PCIe Non-Transparent-Bridges which is actually a product that exists.

Edit:
*By "slave-processor" I refer to a processor that would be practically identical to the processor in the server/workstation except it would not be in control of itself. The main (Harvard) CPU would have the ability to directly override things like the PC and peek into registers and stack. It would use part of the data-address-space (or even better a separate third address-space) of the Harvard architecture as its single flat-address-space. It would be a "hardware based sandbox" imitating the real server/workstation.

Edit2:
And I see this could be understood as two systems (sorry for being unclear). Just to specify, I would run:
-Firewall on pure Harvard architecture.
-Server/workstation on a single flat address-space system.
-antivirus/security-policies et al. on a pure Harvard architecture with a "slave-processor sandbox" imitating the server/workstation and direct DMA access to said server/workstation.
« Last Edit: December 23, 2018, 10:00:26 PM by H_Celine »