I read the research paper on Meltdown, co-authored by a whole lot of very clever hardware engineers (Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg).
I'm not an expert on processor design, really I only know some basics, but I thought I'd throw in my 10 cents worth. Hopefully it will help to stimulate constructive discussion on how to prevent such exploits from being possible in future processor architectures.
The way I see things, Meltdown only succeeds because there are impressions left in the cache (covert channel), by transient Instructions (speculative instructions executed out of order but never committed), that are able to access protected memory, prior to checking if the memory is indeed protected. Various means of examining the cache such as Flush+Reload are then used to extract the protected data from the cache.
My suggestion, for what its worth, would be to add another bit to every byte (or whatever unit is used to hold data in the cache). This bit which I will call the Cache Commit Flag, could be used to indicate if the cache unit has been committed. The Cache Commit Flag would only be set once the out of order instruction that accessed the cache was committed. Any other instruction attempting to access the same memory location would be forced to reload the data into cache from main memory. An alternative approach would be put the instruction in a wait state to simulate the delay that would be incurred by accessing main memory.
Basically the cache location would only be accessible once the instruction that caused it to load was committed.
The Cache Commit Flag would obviously take up more silicon, and slow down cache access until committed. I also think it would probably need to propagate to higher level caches. Since Meltdown relies on covert side channels (a cache exploit) this could potentially stop it in its tracks. I'm not sure if this would stop Spectre as I haven't had time to read the research paper but I suspect it would.
So my question is this. Would this work? if not why not? or perhaps you have a better idea?
Robin, AKA GANGSTA
Hi GANGSTA: Thank you very much for contacting the Intel® Processors communities. Thank you as well for providing that information.
Just to let you know, Intel really appreciates all the feedback and suggestions provided by the peers in our communities and we are sure those details will be very useful. Please keep checking the link below for possible updates on this matter:
Any further questions, please let me know.