On 18 Apr 2024, at 13:40, Demi Marie Obenour <demiobenour@gmail.com> wrote:
> How does time protection handle these two cases?
> 1. Untrusted code can request a service from trusted code that involves processing sensitive data, and this request may take an unbounded amount of time. In this case, it is not possible to pad the time actually consumed to the maximum possible value, because the maximum possible value does not exist. […]
That’s an *algorithmic* timing channel (and therefore requires different approaches). Time protection is about *microarchitectural* timing channels. Please check the paper on what threats it addresses: https://trustworthy.systems/publications/abstracts/Ge_YCH_19.abstract
> 2. Operations on sensitive data must be able to consume all available CPU resources. The main example I can think of is human-interactive systems. These may be so heavily oversubscribed that it is simply not possible to statically allocate resources to different security domains. Instead, even security domains involving sensitive data must be able to compete with each other.
This isn’t a microarchitectural channel either.

Gernot
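As an added illustration of the distinction drawn in the reply above (this is example code written for this page, not code from the thread, from seL4 or from the time-protection paper): an *algorithmic* timing channel is one where the amount of work, and hence the time, depends on the secret. The first compare below returns at the first mismatching byte, so the iteration count reveals how long a correct prefix the guess has. The second pads the work to the worst case, which is only possible because the maximum (the length `n`) is known up front, exactly the precondition that the unbounded case in question 1 lacks. Iterations are counted rather than timed so the result is deterministic. Note that even the padded version only closes the algorithmic channel: what its memory accesses do to caches, branch predictors and other shared microarchitectural state is a separate matter, which is the class of channel time protection addresses. All names and the sample data are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Leaky compare (hypothetical example): returns as soon as a byte differs,
 * so the number of loop iterations, and therefore the elapsed time, depends
 * on how much of the secret the caller guessed correctly.  This is an
 * algorithmic timing channel.  The iteration count is returned so the
 * effect can be observed without timing anything; `equal` may be NULL.
 */
size_t leaky_compare(const uint8_t *secret, const uint8_t *guess, size_t n, int *equal)
{
    size_t iters = 0;
    for (size_t i = 0; i < n; i++) {
        iters++;
        if (secret[i] != guess[i]) {
            if (equal) *equal = 0;
            return iters;   /* early exit: work depends on the secret */
        }
    }
    if (equal) *equal = 1;
    return iters;
}

/*
 * Bounded compare (hypothetical example): always performs exactly n
 * iterations and derives the result without a data-dependent branch,
 * i.e. the work is padded to its maximum.  This needs a known maximum
 * (n); an operation with no upper bound cannot be padded this way.
 */
size_t bounded_compare(const uint8_t *secret, const uint8_t *guess, size_t n, int *equal)
{
    uint8_t diff = 0;
    size_t iters = 0;
    for (size_t i = 0; i < n; i++) {
        iters++;
        diff |= (uint8_t)(secret[i] ^ guess[i]);   /* accumulate, never branch */
    }
    /* diff == 0  ->  (0u - 1u) >> 8 has bit 0 set; any diff in 1..255 -> 0 */
    if (equal) *equal = (int)((((unsigned)diff - 1u) >> 8) & 1u);
    return iters;
}

int main(void)
{
    /* Constructed sample data: a 4-byte secret and guesses with an
     * increasingly long correct prefix. */
    const uint8_t secret[4] = { 0x01, 0x02, 0x03, 0x04 };
    const uint8_t guesses[][4] = {
        { 0x09, 0x02, 0x03, 0x04 },   /* 0 correct leading bytes */
        { 0x01, 0x09, 0x03, 0x04 },   /* 1 */
        { 0x01, 0x02, 0x09, 0x04 },   /* 2 */
        { 0x01, 0x02, 0x03, 0x09 },   /* 3 */
        { 0x01, 0x02, 0x03, 0x04 },   /* 4: correct guess */
    };

    printf("prefix  leaky_iters  bounded_iters  equal\n");
    for (size_t g = 0; g < sizeof guesses / sizeof guesses[0]; g++) {
        int eq_leaky, eq_bounded;
        size_t il = leaky_compare(secret, guesses[g], 4, &eq_leaky);
        size_t ib = bounded_compare(secret, guesses[g], 4, &eq_bounded);
        printf("%6zu  %11zu  %13zu  %d/%d\n", g, il, ib, eq_leaky, eq_bounded);
    }
    return 0;
}
```

Running it shows the leaky variant's iteration count climbing with the length of the correct prefix (1, 2, 3, 4, 4) while the bounded variant reports 4 for every guess; the equality results agree in both columns.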