Software-based Microarchitectural Attacks


1 Software-based Microarchitectural Attacks Daniel Gruss January 23, 2019 Graz University of Technology Frame Rate of Slide Deck: 11 fps 1 Daniel Gruss Graz University of Technology

8 Revolutionary concept! Store your food at home, never go to the grocery store during cooking. Can store ALL kinds of food. ONLY TODAY INSTEAD OF $1,300 ORDER VIA PHONE:

9-16 CPU Cache
printf("%d", i); (first access) Cache miss: Request, Response, i is placed in the cache. DRAM access, slow.
printf("%d", i); (second access) Cache hit: No DRAM access, much faster.

17-24 Flush+Reload
ATTACKER | Shared Memory | VICTIM
ATTACKER: flush, then access
VICTIM: access (Shared Memory is then cached)
The ATTACKER's access is fast if victim accessed data, slow otherwise

25-26 Memory Access Latency [histogram: Number of accesses vs. Access time [CPU cycles]; series: Cache Hits, Cache Misses]

27 Cache Template Attack Demo

28 Cache Template [matrix plot: Address (0x7c680 to 0x7cd00) vs. Key (g to z)]

30 Back to Work

33-34 Wait for an hour: LATENCY

36 Dependency, Parallelize

37-38 Out-of-order Execution
int width = 10, height = 5;
float diagonal = sqrt(width * width + height * height);
int area = width * height;
printf("Area %d x %d = %d\n", width, height, area);
Labels on the slide: Dependency, Parallelize

39-40 Building Meltdown
char data = *(char *) 0xffffffff81a000e0;
printf("%c\n", data);
Result: segfault at ffffffff81a000e0 ip sp ffce4a80610 error 5 in reader

41 Building Meltdown: Adapted code
*(volatile char *) 0;
array[84 * 4096] = 0; // unreachable

42-43 Building Meltdown: Flush+Reload over all pages of the array [plot: Access time [cycles] per Page]. This also works on AMD and ARM!

44 Building Meltdown: Combine the two things
char data = *(char *) 0xffffffff81a000e0;
array[data * 4096] = 0;

45 Building Meltdown: Flush+Reload again... [plot: Access time [cycles] per Page] ... Meltdown actually works.

47-48 Take the kernel addresses... Kernel addresses in user space are a problem (the wall does not work). Why don't we take the kernel addresses...

49-50 ...and remove them if not needed? User accessible check in hardware is not reliable

52-53 KAISER /ˈkʌɪzə/ 1. [german] Emperor, ruler of an empire 2. largest penguin, emperor penguin. Kernel Address Isolation to have Side channels Efficiently Removed

54 Speculative Execution: Let us get rid of bottlenecks

55 Speculative Execution: Use the naughty/nice list of last year

56 Speculative Execution: Finally, check predictions with list of this year

57 Speculative Execution: Throwing away wrongly manufactured presents

58 Speculative Execution: Correct predictions result in free time

60-87 Spectre-PHT (aka Spectre Variant 1)
char* data = "textkey";
if (index < 4)
    then: LUT[data[index] * 4096]
    else: 0
The branch is annotated with a Prediction box.

Animation steps, one pass per value of index (labels as shown on the slides):
index = 0: Speculate, then Execute; LUT Index t
index = 1: Speculate; LUT Index e
index = 2: Speculate; LUT Index x
index = 3: Speculate; LUT Index t
index = 4: Speculate, then Execute; LUT Index K
index = 5: Speculate, then Execute; LUT Index E
index = 6: Speculate, then Execute; LUT Index Y

88 Systematization Tree
Transient cause?
  prediction: Spectre-type (split by microarchitectural buffer, then mistraining strategy, then in-place (IP) vs. out-of-place (OP))
    Spectre-PHT
      Cross-address-space: PHT-CA-IP, PHT-CA-OP
      Same-address-space: PHT-SA-IP, PHT-SA-OP
    Spectre-BTB
      Cross-address-space: BTB-CA-IP, BTB-CA-OP
      Same-address-space: BTB-SA-IP, BTB-SA-OP
    Spectre-RSB
      Cross-address-space: RSB-CA-IP, RSB-CA-OP
      Same-address-space: RSB-SA-IP, RSB-SA-OP
    Spectre-STL
  fault: Meltdown-type (split by fault type)
    Meltdown-NM
    Meltdown-AC
    Meltdown-DE
    Meltdown-PF: Meltdown-US, Meltdown-P, Meltdown-RW, Meltdown-PK, Meltdown-XD, Meltdown-SM
    Meltdown-UD
    Meltdown-SS
    Meltdown-BR: Meltdown-MPX, Meltdown-BND
    Meltdown-GP

90 Mitigations [table: Defense (columns) vs. Attack (rows)]
Defenses: InvisiSpec, SafeSpec, DAWG, RSB Stuffing, Retpoline, Poison Value, Index Masking, Site Isolation, SLH, YSNB, IBRS, STIBP, IBPB, Serialization, Taint Tracking, Timer Reduction, Sloth, SSBD/SSBB
Attacks, listed for each of Intel, ARM and AMD: Spectre-PHT, Spectre-BTB, Spectre-RSB, Spectre-STL
Legend: Mitigated ( ), partially mitigated ( ), not mitigated ( ), theoretically mitigated ( ), theoretically impeded ( ), not theoretically impeded ( ), or out of scope ( ).
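
Index Masking, one of the defenses named on the Mitigations slide, applied to the Spectre-PHT snippet from the slides. This is an added example, not code from the talk; the names index_mask, clamp_index, lookup_checked, lookup_masked, lut_init and HIDE_VAR, and the 256-page LUT, are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Only the "if (index < 4)" / "LUT[data[index] * 4096]" pattern and the
 * string come from the slides; every name and size below is an assumption. */
#define DATA_LEN 4
#define STRIDE   4096

static const char data[] = "textkey";
static uint8_t LUT[256 * STRIDE];

/* Inside "if (index < size)" a compiler can prove the mask is all ones and
 * delete it. Hiding the value behind an empty asm statement (GCC/Clang)
 * keeps the masking instructions in the binary. */
#if defined(__GNUC__)
#define HIDE_VAR(v) __asm__ volatile("" : "+r"(v))
#else
#define HIDE_VAR(v) ((void)0)
#endif

/* Branchless mask: all ones when index < size, zero otherwise.
 * Valid for size <= SIZE_MAX / 2 + 1. No conditional jump is involved, so
 * there is no branch prediction to mistrain. */
static size_t index_mask(size_t index, size_t size)
{
    HIDE_VAR(index);
    /* The top bit is set if index >= size (the subtraction wraps) or if
     * index itself is huge. */
    size_t oob = (index | (size - 1 - index)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return oob - 1;             /* 0 - 1 = all ones, 1 - 1 = 0 */
}

/* In-bounds indices pass through; out-of-bounds indices become 0. */
static size_t clamp_index(size_t index, size_t size)
{
    return index & index_mask(index, size);
}

/* Give each LUT page a recognisable value so lookups can be checked. */
static size_t lut_init(void)
{
    size_t c;
    for (c = 0; c < 256; c++)
        LUT[c * STRIDE] = (uint8_t)c;
    return c;
}

/* Pattern from the slide: the bounds check is the only protection, and a
 * mispredicted branch lets data[index] run transiently with index >= 4. */
static uint8_t lookup_checked(size_t index)
{
    if (index < DATA_LEN)
        return LUT[(uint8_t)data[index] * STRIDE];
    return 0;
}

/* Hardened form: even if the branch is mispredicted, the index used by the
 * load is data-dependent on the mask, so a transient access reads data[0]
 * instead of bytes past the bound. */
static uint8_t lookup_masked(size_t index)
{
    if (index < DATA_LEN) {
        index = clamp_index(index, DATA_LEN);
        return LUT[(uint8_t)data[index] * STRIDE];
    }
    return 0;
}

int main(void)
{
    lut_init();
    for (size_t index = 0; index < 7; index++) {
        printf("index=%zu mask=%#zx effective=%zu checked=%u masked=%u\n",
               index, index_mask(index, DATA_LEN),
               clamp_index(index, DATA_LEN),
               (unsigned)lookup_checked(index),
               (unsigned)lookup_masked(index));
    }
    return 0;
}
```

Both functions return the same values architecturally; the difference is only in which address a transient load can reach. The Linux kernel ships the same construct as array_index_nospec().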

91-93 Conclusions
new class of attacks
many problems to solve around microarchitectural attacks and especially transient execution attacks
dedicate more time into identifying problems and not solely in mitigating known problems


More information

Meltdown and Spectre: Complexity and the death of security

Meltdown and Spectre: Complexity and the death of security Meltdown and Spectre: Complexity and the death of security May 8, 2018 Meltdown and Spectre: Wait, my computer does what? May 8, 2018 Meltdown and Spectre: Whoever thought that was a good idea? May 8,

More information

CISC / RISC. Complex / Reduced Instruction Set Computers

CISC / RISC. Complex / Reduced Instruction Set Computers Systems Architecture CISC / RISC Complex / Reduced Instruction Set Computers CISC / RISC p. 1/12 Instruction Usage Instruction Group Average Usage 1 Data Movement 45.28% 2 Flow Control 28.73% 3 Arithmetic

More information

CPU models after Spectre & Meltdown. Paolo Bonzini Red Hat, Inc. KVM Forum 2018

CPU models after Spectre & Meltdown. Paolo Bonzini Red Hat, Inc. KVM Forum 2018 CPU models after Spectre & Meltdown Paolo Bonzini Red Hat, Inc. KVM Forum 2018 Can this guest run on that machine? It depends! Host processor Microcode version Kernel version QEMU Machine type 2 How can

More information

Security Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors

Security Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors SECURITY ADVISORY Processor based Speculative Execution Vulnerabilities AKA Spectre and Meltdown Version 1.6 Security Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors

More information

Protection. Disclaimer: some slides are adopted from book authors slides with permission 1

Protection. Disclaimer: some slides are adopted from book authors slides with permission 1 Protection Disclaimer: some slides are adopted from book authors slides with permission 1 Today Protection Security 2 Examples of OS Protection Memory protection Between user processes Between user and

More information

Department of Computer Science, Institute for System Architecture, Operating Systems Group. Real-Time Systems '08 / '09. Hardware.

Department of Computer Science, Institute for System Architecture, Operating Systems Group. Real-Time Systems '08 / '09. Hardware. Department of Computer Science, Institute for System Architecture, Operating Systems Group Real-Time Systems '08 / '09 Hardware Marcus Völp Outlook Hardware is Source of Unpredictability Caches Pipeline

More information

Meltdown Attack Lab. 1 Introduction. SEED Labs Meltdown Attack Lab 1

Meltdown Attack Lab. 1 Introduction. SEED Labs Meltdown Attack Lab 1 SEED Labs Meltdown Attack Lab 1 Meltdown Attack Lab Copyright 2018 Wenliang Du, Syracuse University. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International

More information

Hardware-Based Speculation

Hardware-Based Speculation Hardware-Based Speculation Execute instructions along predicted execution paths but only commit the results if prediction was correct Instruction commit: allowing an instruction to update the register

More information

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni. Lecture Notes for 04/04/06 UNTRUSTED CODE Fatima Zarinni. Last class we started to talk about the different System Solutions for Stack Overflow. We are going to continue the subject. Stages of Stack Overflow

More information

Lecture 21: Parallelism ILP to Multicores. Parallel Processing 101

Lecture 21: Parallelism ILP to Multicores. Parallel Processing 101 18 447 Lecture 21: Parallelism ILP to Multicores S 10 L21 1 James C. Hoe Dept of ECE, CMU April 7, 2010 Announcements: Handouts: Lab 4 due this week Optional reading assignments below. The Microarchitecture

More information

Power Measurement Using Performance Counters

Power Measurement Using Performance Counters Power Measurement Using Performance Counters October 2016 1 Introduction CPU s are based on complementary metal oxide semiconductor technology (CMOS). CMOS technology theoretically only dissipates power

More information

and data combined) is equal to 7% of the number of instructions. Miss Rate with Second- Level Cache, Direct- Mapped Speed

and data combined) is equal to 7% of the number of instructions. Miss Rate with Second- Level Cache, Direct- Mapped Speed 5.3 By convention, a cache is named according to the amount of data it contains (i.e., a 4 KiB cache can hold 4 KiB of data); however, caches also require SRAM to store metadata such as tags and valid

More information

Advanced cache optimizations. ECE 154B Dmitri Strukov

Advanced cache optimizations. ECE 154B Dmitri Strukov Advanced cache optimizations ECE 154B Dmitri Strukov Advanced Cache Optimization 1) Way prediction 2) Victim cache 3) Critical word first and early restart 4) Merging write buffer 5) Nonblocking cache

More information

Virtual Memory. CS 351: Systems Programming Michael Saelee

Virtual Memory. CS 351: Systems Programming Michael Saelee Virtual Memory CS 351: Systems Programming Michael Saelee registers cache (SRAM) main memory (DRAM) local hard disk drive (HDD/SSD) remote storage (networked drive / cloud) previously: SRAM

More information

Anne Bracy CS 3410 Computer Science Cornell University

Anne Bracy CS 3410 Computer Science Cornell University Anne Bracy CS 3410 Computer Science Cornell University The slides were originally created by Deniz ALTINBUKEN. P&H Chapter 4.9, pages 445 452, appendix A.7 Manages all of the software and hardware on the

More information

ZSIM: FAST AND ACCURATE MICROARCHITECTURAL SIMULATION OF THOUSAND-CORE SYSTEMS

ZSIM: FAST AND ACCURATE MICROARCHITECTURAL SIMULATION OF THOUSAND-CORE SYSTEMS ZSIM: FAST AND ACCURATE MICROARCHITECTURAL SIMULATION OF THOUSAND-CORE SYSTEMS DANIEL SANCHEZ MIT CHRISTOS KOZYRAKIS STANFORD ISCA-40 JUNE 27, 2013 Introduction 2 Current detailed simulators are slow (~200

More information

Sudhakar Yalamanchili, Georgia Institute of Technology (except as indicated) Active thread Idle thread

Sudhakar Yalamanchili, Georgia Institute of Technology (except as indicated) Active thread Idle thread Intra-Warp Compaction Techniques Sudhakar Yalamanchili, Georgia Institute of Technology (except as indicated) Goal Active thread Idle thread Compaction Compact threads in a warp to coalesce (and eliminate)

More information

ECE 552 / CPS 550 Advanced Computer Architecture I. Lecture 15 Very Long Instruction Word Machines

ECE 552 / CPS 550 Advanced Computer Architecture I. Lecture 15 Very Long Instruction Word Machines ECE 552 / CPS 550 Advanced Computer Architecture I Lecture 15 Very Long Instruction Word Machines Benjamin Lee Electrical and Computer Engineering Duke University www.duke.edu/~bcl15 www.duke.edu/~bcl15/class/class_ece252fall11.html

More information

Photo David Wright STEVEN R. BAGLEY PIPELINES AND ILP

Photo David Wright   STEVEN R. BAGLEY PIPELINES AND ILP Photo David Wright https://www.flickr.com/photos/dhwright/3312563248 STEVEN R. BAGLEY PIPELINES AND ILP INTRODUCTION Been considering what makes the CPU run at a particular speed Spent the last two weeks

More information

Computer Architecture Background

Computer Architecture Background CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 2b Computer Architecture Background Marten van Dijk Syed Kamran Haider, Chenglu Jin, Phuong Ha Nguyen Department of Electrical & Computer Engineering

More information

ZSIM: FAST AND ACCURATE MICROARCHITECTURAL SIMULATION OF THOUSAND-CORE SYSTEMS

ZSIM: FAST AND ACCURATE MICROARCHITECTURAL SIMULATION OF THOUSAND-CORE SYSTEMS ZSIM: FAST AND ACCURATE MICROARCHITECTURAL SIMULATION OF THOUSAND-CORE SYSTEMS DANIEL SANCHEZ MIT CHRISTOS KOZYRAKIS STANFORD ISCA-40 JUNE 27, 2013 Introduction 2 Current detailed simulators are slow (~200

More information

Chapter 4 The Processor (Part 4)

Chapter 4 The Processor (Part 4) Department of Electr rical Eng ineering, Chapter 4 The Processor (Part 4) 王振傑 (Chen-Chieh Wang) ccwang@mail.ee.ncku.edu.tw ncku edu Depar rtment of Electr rical Engineering, Feng-Chia Unive ersity Outline

More information

Superscalar Processors Ch 14

Superscalar Processors Ch 14 Superscalar Processors Ch 14 Limitations, Hazards Instruction Issue Policy Register Renaming Branch Prediction PowerPC, Pentium 4 1 Superscalar Processing (5) Basic idea: more than one instruction completion

More information

Superscalar Processing (5) Superscalar Processors Ch 14. New dependency for superscalar case? (8) Output Dependency?

Superscalar Processing (5) Superscalar Processors Ch 14. New dependency for superscalar case? (8) Output Dependency? Superscalar Processors Ch 14 Limitations, Hazards Instruction Issue Policy Register Renaming Branch Prediction PowerPC, Pentium 4 1 Superscalar Processing (5) Basic idea: more than one instruction completion

More information

Fall 2011 Prof. Hyesoon Kim

Fall 2011 Prof. Hyesoon Kim Fall 2011 Prof. Hyesoon Kim 1 1.. 1 0 2bc 2bc BHR XOR index 2bc 0x809000 PC 2bc McFarling 93 Predictor size: 2^(history length)*2bit predict_func(pc, actual_dir) { index = pc xor BHR taken = 2bit_counters[index]

More information

Prof. Hakim Weatherspoon CS 3410, Spring 2015 Computer Science Cornell University. See P&H Chapter: , 5.8, 5.10, 5.15; Also, 5.13 & 5.

Prof. Hakim Weatherspoon CS 3410, Spring 2015 Computer Science Cornell University. See P&H Chapter: , 5.8, 5.10, 5.15; Also, 5.13 & 5. Prof. Hakim Weatherspoon CS 3410, Spring 2015 Computer Science Cornell University See P&H Chapter: 5.1-5.4, 5.8, 5.10, 5.15; Also, 5.13 & 5.17 Writing to caches: policies, performance Cache tradeoffs and

More information

Side Channel Analysis Security issue ANALYST CONSULTATION JANUARY

Side Channel Analysis Security issue ANALYST CONSULTATION JANUARY Side Channel Analysis Security issue ANALYST CONSULTATION JANUARY 3 2018 briefing Objectives Provide information on a new class of security issue & mitigation Provide context on how this issue has brought

More information

Reduction of Control Hazards (Branch) Stalls with Dynamic Branch Prediction

Reduction of Control Hazards (Branch) Stalls with Dynamic Branch Prediction ISA Support Needed By CPU Reduction of Control Hazards (Branch) Stalls with Dynamic Branch Prediction So far we have dealt with control hazards in instruction pipelines by: 1 2 3 4 Assuming that the branch

More information

Advanced Computer Architecture

Advanced Computer Architecture ECE 563 Advanced Computer Architecture Fall 2010 Lecture 6: VLIW 563 L06.1 Fall 2010 Little s Law Number of Instructions in the pipeline (parallelism) = Throughput * Latency or N T L Throughput per Cycle

More information

Hardware-Based Speculation

Hardware-Based Speculation Hardware-Based Speculation Execute instructions along predicted execution paths but only commit the results if prediction was correct Instruction commit: allowing an instruction to update the register

More information

CS 220: Introduction to Parallel Computing. Beginning C. Lecture 2

CS 220: Introduction to Parallel Computing. Beginning C. Lecture 2 CS 220: Introduction to Parallel Computing Beginning C Lecture 2 Today s Schedule More C Background Differences: C vs Java/Python The C Compiler HW0 8/25/17 CS 220: Parallel Computing 2 Today s Schedule

More information

Control Hazards. Prediction

Control Hazards. Prediction Control Hazards The nub of the problem: In what pipeline stage does the processor fetch the next instruction? If that instruction is a conditional branch, when does the processor know whether the conditional

More information

Unit 2. Chapter 4 Cache Memory

Unit 2. Chapter 4 Cache Memory Unit 2 Chapter 4 Cache Memory Characteristics Location Capacity Unit of transfer Access method Performance Physical type Physical characteristics Organisation Location CPU Internal External Capacity Word

More information

Writing high performance code. CS448h Nov. 3, 2015

Writing high performance code. CS448h Nov. 3, 2015 Writing high performance code CS448h Nov. 3, 2015 Overview Is it slow? Where is it slow? How slow is it? Why is it slow? deciding when to optimize identifying bottlenecks estimating potential reasons for

More information

Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency

Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency Mohammadkazem Taram, Ashish Venkat, Dean Tullsen University of California, San Diego The Tension between

More information

Software Solutions to Micro-architectural Side Channels. Yinqian Zhang Assistant Professor Computer Science & Engineering The Ohio State University

Software Solutions to Micro-architectural Side Channels. Yinqian Zhang Assistant Professor Computer Science & Engineering The Ohio State University Software Solutions to Micro-architectural Side Channels Yinqian Zhang Assistant Professor Computer Science & Engineering The Ohio State University Introduction Research interests Computer system security

More information

238P: Operating Systems. Lecture 5: Address translation. Anton Burtsev January, 2018

238P: Operating Systems. Lecture 5: Address translation. Anton Burtsev January, 2018 238P: Operating Systems Lecture 5: Address translation Anton Burtsev January, 2018 Two programs one memory Very much like car sharing What are we aiming for? Illusion of a private address space Identical

More information

JavaScript Zero. Real JavaScript and Zero Side-Channel Attacks. Michael Schwarz, Moritz Lipp, Daniel Gruss

JavaScript Zero. Real JavaScript and Zero Side-Channel Attacks. Michael Schwarz, Moritz Lipp, Daniel Gruss JavaScript Zero Real JavaScript and Zero Side-Channel Attacks Michael Schwarz, Moritz Lipp, Daniel Gruss 20.02.2018 www.iaik.tugraz.at 1 Michael Schwarz, Moritz Lipp, Daniel Gruss www.iaik.tugraz.at Outline

More information

Advanced optimizations of cache performance ( 2.2)

Advanced optimizations of cache performance ( 2.2) Advanced optimizations of cache performance ( 2.2) 30 1. Small and Simple Caches to reduce hit time Critical timing path: address tag memory, then compare tags, then select set Lower associativity Direct-mapped

More information

EITF20: Computer Architecture Part 5.1.1: Virtual Memory

EITF20: Computer Architecture Part 5.1.1: Virtual Memory EITF20: Computer Architecture Part 5.1.1: Virtual Memory Liang Liu liang.liu@eit.lth.se 1 Outline Reiteration Cache optimization Virtual memory Case study AMD Opteron Summary 2 Memory hierarchy 3 Cache

More information

Processor (IV) - advanced ILP. Hwansoo Han

Processor (IV) - advanced ILP. Hwansoo Han Processor (IV) - advanced ILP Hwansoo Han Instruction-Level Parallelism (ILP) Pipelining: executing multiple instructions in parallel To increase ILP Deeper pipeline Less work per stage shorter clock cycle

More information

Cache Performance and Memory Management: From Absolute Addresses to Demand Paging. Cache Performance

Cache Performance and Memory Management: From Absolute Addresses to Demand Paging. Cache Performance 6.823, L11--1 Cache Performance and Memory Management: From Absolute Addresses to Demand Paging Asanovic Laboratory for Computer Science M.I.T. http://www.csg.lcs.mit.edu/6.823 Cache Performance 6.823,

More information

Lecture 24: Memory, VM, Multiproc

Lecture 24: Memory, VM, Multiproc Lecture 24: Memory, VM, Multiproc Today s topics: Security wrap-up Off-chip Memory Virtual memory Multiprocessors, cache coherence 1 Spectre: Variant 1 x is controlled by attacker Thanks to bpred, x can

More information