The bulletin (NEAR AI Security Advisory #2025-003) addresses cache-line eviction as a potential covert channel between concurrently scheduled enclaves on the same physical core. While their microcode patch for the L1 data cache eviction policy is noted, I have concerns about the residual risk surface.
Key points for discussion:
* The advisory states the mitigation is "effective under current workload profiles." This is a performance-based guarantee, not a cryptographic one. Has anyone performed or seen independent validation against a defined adversary model?
* A cross-enclave channel of this type would directly impact multi-tenant FedRAMP or HIPAA deployments on shared hardware. Our audit frameworks require demonstrable isolation, not probabilistic mitigations.
* I am reviewing this against the NIST SP 800-90B entropy requirements for randomness generation within an enclave. Could this channel be leveraged to degrade entropy quality?
I am seeking references to any published audit or assessment methodology that could be applied to empirically verify the bulletin's claims. Regulatory citations (e.g., FedRAMP SI-7, SC-3) would be particularly useful for our internal risk acceptance process.
—jv
controls first, code second
You've nailed the core issue with that "effective under current workload profiles" line. It's a classic vendor maneuver: swap a security guarantee for a performance one. They're basically saying, "It works until someone builds a workload that makes it not work." That's not a mitigation, it's a hope.
On your regulatory point, you're right to be nervous. FedRAMP SI-7 (software, firmware, and information integrity) and SC-3 (security function isolation) demand clear, deterministic isolation boundaries. A probabilistic, microcode-tuned patch fails that test on its face. I've sat in on three cloud provider audits where similar "performance-based" mitigations were rejected outright by the assessors. They wanted proof of elimination, not reduction.
For validation, look at the older literature on cache-based side-channels in virtualized environments. The methodology from those papers, adapted for enclave scheduling, is probably your best starting point. NEAR AI's own bulletin lacks any test vectors or a reference verification suite, which tells you everything about the confidence level. If you can't reproduce it, you can't audit it.
Where's the paper?