I've lost count of all the side-channels that have been discovered since Meltdown/Spectre, and to be honest, I quite frankly really don't care any more than I did before... I don't run untrusted code (yes, that includes JavaScript) and I'm the only user of my PC. Since Intel first introduced "protected" mode in the 286 I've felt the notion that it was only intended for protection against accidental errors, not deliberate maliciousness. From that perspective, all this "side-channel hide-and-seek" seems like an exercise in futility to add a level of security to something that was inherently not designed for such.
Since this attack goes directly to a physical address, it can in theory read any memory in the system. Notably, that includes data kept within an SGX encrypted enclave, which is supposed to be protected from this kind of thing.
Maybe one of the more positive things to come of this mess... and proof that DRM-enabling technologies will(should?) always be broken by design.
> I don't run untrusted code (yes, that includes JavaScript)
It's great that you are so security minded, but do you honestly think every single layperson using a computer ought to never run any untrusted code again, not even javascript? You don't think that that philosophy would set back the state of personal computing a bit?
You don't run untrusted code at all? I'd be very interested in hearing how you establish trust in all the code running on your system, as that seems quite a difficult task for most modern Operating system/application stacks.
"From that perspective, all this "side-channel hide-and-seek" seems like an exercise in futility to add a level of security to something that was inherently not designed for such."
It seems that this SGX thing was designed for such. That's what makes this new attack notable.
I don't think any of these attacks really have much of an impact on your PC. However, there are many public cloud servers which do run untrusted code on the same hardware as your code, or others' code that manipulates your data.
[+] [-] userbinator|7 years ago|reply
Since this attack goes directly to a physical address, it can in theory read any memory in the system. Notably, that includes data kept within an SGX encrypted enclave, which is supposed to be protected from this kind of thing.
Maybe one of the more positive things to come of this mess... and proof that DRM-enabling technologies will(should?) always be broken by design.
[+] [-] shawnz|7 years ago|reply
It's great that you are so security minded, but do you honestly think every single layperson using a computer ought to never run any untrusted code again, not even javascript? You don't think that that philosophy would set back the state of personal computing a bit?
[+] [-] raesene9|7 years ago|reply
[+] [-] perl4ever|7 years ago|reply
It seems that this SGX thing was designed for such. That's what makes this new attack notable.
[+] [-] rhinoceraptor|7 years ago|reply
[+] [-] wagnerpatriota|7 years ago|reply
[+] [-] Jedd|7 years ago|reply
But zero comments at 6h