Comments by "Scott Franco" (@scottfranco1962) on "The Semiconductor Security War" video.
Who cares? I don't. The man does his research. Sit down and eat your jujubees.
7
Spectre works from the fact that speculative execution can access pages that are normally forbidden, because if the access were to actually go through, it would terminate with a page fault. The "cracker" code then uses timing differences to read the fetched data. As an example (I'm probably messing this up, it's been a long time) the speculative code can mask a single bit from the illegal data location, then use that as an address indirect to two pages, one with the bit 1 and another with the bit 0. The two pages have known access speeds, so the timing difference of execution tells you if the bit is set or not. Then you repeat for each bit. Thus you can know the contents of data at a location even though you cannot directly access it. This kind of thing can be easily prevented by proper CPU design, such as stopping speculative access immediately for addresses that do not have permissions. It can be stopped in software by randomizing the locations of sensitive data or even the ordering of pages. I recall a big push for Linux kernel designers to randomize the page placements of the OS to prevent reading of locations in the kernel.
5
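The comment above describes two things: how a transient load leaves a one-bit footprint in the cache, and the hardware fix of refusing to forward data from a load whose permission check failed. The following toy simulation, added here as an illustration and not code from the commenter or from any CPU vendor, models both in pure Python. There is no real speculation, cache or timer in it; `ToyCPU`, `speculate_gadget`, `recover_byte` and the page numbers are all constructed for the example. The point it shows is that the same observer procedure recovers the byte on the unmitigated model and learns nothing on the mitigated one.

```python
"""Toy model of the Spectre-style cache footprint described in the comment,
plus the hardware mitigation it proposes. Constructed example: no real
speculation, cache or timing is involved; a set of 'hot' pages stands in
for the cache and 'hit'/'miss' stands in for a measured access time."""

PAGE_SIZE = 4096


class Fault(Exception):
    """Raised when an architectural (non-speculative) load lacks permission."""


class ToyCPU:
    def __init__(self, permission_check_before_forward):
        # True  -> mitigated design: a load that fails its permission check
        #          forwards nothing, so dependent instructions never execute.
        # False -> vulnerable design: data is forwarded first, the fault is
        #          raised only at retirement, and the cache footprint survives.
        self.check_first = permission_check_before_forward
        self.memory = {}        # byte address -> value
        self.readable = set()   # page numbers the current context may read
        self.hot_pages = set()  # toy cache: pages touched since the last flush

    def map_page(self, page, data=b"", readable=False):
        base = page * PAGE_SIZE
        for i, b in enumerate(data):
            self.memory[base + i] = b
        if readable:
            self.readable.add(page)

    def flush(self):
        self.hot_pages.clear()

    @staticmethod
    def _page(addr):
        return addr // PAGE_SIZE

    def speculative_load(self, addr):
        """Value a transient load forwards to dependent instructions."""
        if self.check_first and self._page(addr) not in self.readable:
            return None
        return self.memory.get(addr, 0)

    def timed_access(self, addr):
        """Architectural access: 'hit' if the page is hot, else 'miss'."""
        page = self._page(addr)
        if page not in self.readable:
            raise Fault(addr)
        result = "hit" if page in self.hot_pages else "miss"
        self.hot_pages.add(page)
        return result

    def speculate_gadget(self, secret_addr, bit, probe_pages):
        """Transient sequence from the comment: read a forbidden byte, mask one
        bit, touch one of two probe pages depending on it. The fault that
        eventually retires is squashed; any hot page is not."""
        value = self.speculative_load(secret_addr)
        if value is None:
            return
        self.hot_pages.add(probe_pages[(value >> bit) & 1])


def recover_byte(cpu, secret_addr, probe_pages):
    """Observer side: per bit, flush, run the gadget, then time both probe
    pages. Returns the inferred byte, or None if no bit could be told apart."""
    byte = 0
    for bit in range(8):
        cpu.flush()
        cpu.speculate_gadget(secret_addr, bit, probe_pages)
        timings = [cpu.timed_access(p * PAGE_SIZE) for p in probe_pages]
        if timings == ["hit", "miss"]:
            bit_value = 0
        elif timings == ["miss", "hit"]:
            bit_value = 1
        else:
            return None
        byte |= bit_value << bit
    return byte


def demo(secret=0xA5):
    """Run the observer against both designs; returns (vulnerable, mitigated)."""
    results = []
    for mitigated in (False, True):
        cpu = ToyCPU(permission_check_before_forward=mitigated)
        cpu.map_page(7, bytes([secret]), readable=False)  # kernel-like page
        cpu.map_page(1, readable=True)                     # probe page for bit 0
        cpu.map_page(2, readable=True)                     # probe page for bit 1
        results.append(recover_byte(cpu, 7 * PAGE_SIZE, (1, 2)))
    return tuple(results)


if __name__ == "__main__":
    print(demo())
```

The mitigated branch in `speculative_load` is the comment's "stop speculative access immediately for addresses that do not have permissions": nothing is forwarded, so the dependent probe access never happens and both probe pages miss. Real cache timing is noisy, so a practitioner would repeat each measurement and vote, but the toy keeps one deterministic trial per bit to make the contrast between the two designs obvious.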
The key would be to control your tooling down to the mask level (the layout). I.e., separating the pure software/data phase from the physical implementation phase. Masks can be compared to the generated layout, and even a fabbed chip can be compared to its layout without reverse engineering it. It is of course true that many of the EDA phases get "thrown over the wall", that is, a Verilog design can be sent to a vendor to be laid out. However, the security there is up to the client. If the chip needs high security, the client can bring the tooling in-house to be more secure.
1