
Wikipedia mentions this paper without going into details: The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems:

As mentioned in the preceding scenario, caches present potential for covert timing channels. Even without MSRs for direct measurements of cache activity, cache hits and misses can be detected strictly from instruction timing, as described in Wray1991. To eliminate these flows, caches must be managed. This can reduce their efficiency considerably, depending on cache architecture, as it introduces otherwise unnecessary cache flush and invalidation activity.

Wray1991 is

John C Wray: An analysis of Covert Timing Channels, Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, pages 2-7, 1991.

That sounds pretty close to Meltdown/Spectre, doesn't it?

chx
  • This essentially assumes that every use of timing of cache access is the same as this paper from 1991. It's not. Speculative execution of instructions (which is the base of these new attacks) was not in use in 1991. But that one has to watch out in theory for possible side channels in various places is long known. – Steffen Ullrich Jan 10 '18 at 12:36
  • What Wikipedia article are you referring to? Also, how is the year 1995 relevant here, seeing that you only cite sources from 1991? – Tom K. Jan 10 '18 at 13:10
  • a) Wikipedia on Meltdown b) the linked paper (Sibert et al.) is from 1995. – chx Jan 10 '18 at 15:34
  • Back in the 80s you could observe non-constant comparisons with an oscilloscope. Intel CPUs weren't superscalar until the mid-90s, around the time OSes became "multitasking", so a software-based timing attack wasn't very practical at the time of those papers... – dandavis Jan 10 '18 at 19:23
  • It's a common mistake to think that Meltdown and Spectre are about cache timing. They aren't -- cache timing is merely the side channel that the current proof-of-concept attacks use to relay the results of the attack. – Mark Jan 10 '18 at 20:43

1 Answer


The Wray paper is about categorisation of covert channels, and from a rapid reading, it does reference an attack on a cache by two processes explicitly loading memory locations, but to be used as a timing mechanism.

The Sibert paper, in section 3.10, merely identifies the covert channel, not the actual Meltdown flaw.

In conclusion, although it can sound like Meltdown/Spectre, these papers only identify the existence of the covert channel used in the recent exploits, and have not discovered the vulnerabilities themselves. These are the result of the use of this covert channel over the speculative execution mechanism of the processors.

niutech
M'vy