This is a blog post by CCC Chair Mark D. Hill of the University of Wisconsin-Madison.
As readers of the CCC blog know, the Meltdown and Spectre microprocessor design flaws revealed in early 2018 made clear that many, if not most, computer systems can leak sensitive information via implementation timing “channels.” Fortuitously and concurrent with this revelation, the US National Science Foundation had commissioned a March 2018 workshop on “Side and Covert Channels in Computing Systems” led by Guru Prasadh Venkataramani of George Washington University and Patrick Schaumont of Virginia Tech.
The report has just been issued. It provides too many research recommendations to summarize here, but let me whet your appetite with a few samples. These may be obvious to experts, but I suspect that they are less well appreciated broadly:
- While CPU timing attacks are now well known, graphics processing units (GPUs) and other accelerators (e.g., for ML) can also be vulnerable.
- Many mitigation techniques require software-hardware co-design, as software-only approaches can be slow and hardware-only approaches inflexible.
- Developing taxonomies can be useful for spotting gaps.
- Systems that can be physically accessed (not just remote like cloud computers) are even harder to protect.
- Internet of Things (IoT) devices are a particular concern because they may be physically accessible, have long lifetimes without patching, and contain sensitive information that can be used elsewhere.
These recommendations are a start, but we all need to talk and work together to ensure progress.
Other recent CCC activity includes the Aug 12-13, 2018 Leadership in Embedded Security Workshop as well as the February 2019 AAAS panel on Cybersecurity: Transcending Physics, Technology, and Society.