On 18 Apr 2024, at 13:40, Demi Marie Obenour <demioben...@gmail.com> wrote:
>
> How does time protection handle these two cases?
>
> 1. Untrusted code can request a service from trusted code that involves
>    processing sensitive data, and this request may take an unbounded
>    amount of time. In this case, it is not possible to pad the time
>    actually consumed to the maximum possible value, because the maximum
>    possible value does not exist.
> […]

That’s an *algorithmic* timing channel (and therefore requires different approaches). Time protection is about *microarchitectural* timing channels. Please check the paper on what threats it addresses: https://trustworthy.systems/publications/abstracts/Ge_YCH_19.abstract

> 2. Operations on sensitive data must be able to consume all available
>    CPU resources. The main example I can think of is human-interactive
>    systems. These may be so heavily oversubscribed that it is simply
>    not possible to statically allocate resources to different security
>    domains. Instead, even security domains involving sensitive data
>    must be able to compete with each other.

This isn’t a microarchitectural channel either.

Gernot

_______________________________________________
Devel mailing list -- devel@sel4.systems
To unsubscribe send an email to devel-leave@sel4.systems