Meltdown and Spectre: Complexity and the death of security


1 Meltdown and Spectre: Complexity and the death of security May 8, 2018

2 Meltdown and Spectre: Wait, my computer does what? May 8, 2018

3 Meltdown and Spectre: Whoever thought that was a good idea? May 8, 2018

4 Meltdown and Spectre: I give up. Can I just retire now? May 8, 2018

5 No one alive understands how computers behave.

6

7 Kernel co-location, Race conditions, Page tables, Cache mapping, Process forks, Branch prediction, Cache hierarchy, Out-of-order execution, Pipelined CPU design, High-resolution timers, Speculative execution, Physical memory map

8 Computers are complex systems.

9

10 [Diagram: address spaces of iTunes and Chrome (kernel, stack, heap, data, code), each with its own page table. Label on each: Read data location]

11 [Diagram: address spaces of iTunes and Chrome (kernel, stack, heap, data, code), each with its own page table. Label: Read kernel location deadbeef]

12 Memory hierarchy and cache [Diagram: Core 0 ... Core 3, each with registers, an L1 data cache, an L1 instruction cache and an L2 unified cache; an L3 unified cache (shared by all cores); main memory. Callouts: "1: Here's your data, 2: Access allowed?" and "1: Access allowed? 2: OK, here's your data"]

13 [Diagram: processor datapath with the stages Fetch, Decode, Execute, Memory, Write back and PC update. Callout: Check for exception]

14 x86 Pipelining [Diagram: five instructions overlapped in a pipeline with the stages Fetch, Decode, Exec, Mem, Write, PC, Check] If orange 5 doesn't depend on 3 & 4, why wait?

15 x86 Pipelining [Block diagram: Frontend (branch predictor, µop cache, L1 instruction cache, instruction fetch & predecode, instruction queue, 4-way decode, allocation queue), Execution Engine (reorder buffer, scheduler, execution units) and Memory Subsystem (load buffer, store buffer, L1 data cache, DTLB, STLB, L2 cache)] Green and orange can't retire yet

16 What we know so far: You're not supposed to access kernel; L1 cache timing is wrong; x86 pipelining is complex; Macroarchitecture != microarchitecture; First != First; Invisible side effects are visible

17 Cache-based side channels

Guess what q is!

    x = array[q];

    for (i = 0; i < 8; i++) {
        start_timer();
        y = array[i];
        stop_timer();
    }

[Plot: Access time [cycles] against Page]

18 Meltdown

    1 ; rcx = kernel address
    2 ; rbx = probe array
    3 retry:
    4 mov al, byte [rcx]
    5 shl rax, 0xc
    6 jz retry
    7 mov rbx, qword [rbx + rax]

Callouts, in order: Read a byte of the kernel. Multiply byte by : Maybe I should check if step 4 was valid. Use value to hit cache line.

19 Meltdown

ATTACK!

    x = array[y];

    fork()

    for (i = 0; i < 8; i++) {
        start_timer();
        y = array[i];
        stop_timer();
    }

Callouts: "O-ho! First byte is" and "Ah! Second byte is"

20 Meltdown [Diagram: physical memory from 0 to max; process memory split into User and Kernel] Process memory contains... the kernel, which contains physical memory, which contains the memory contents of every process.

21 Meltdown. Short-term fix: KAISER/PTI/KVAS. Long-term fix: Split address space; Replace hardware. [Diagram: two address spaces, each with kernel, stack, heap, data, code]

22 x86 Pipelining [Block diagram: Frontend (branch predictor, µop cache, L1 instruction cache, instruction fetch & predecode, instruction queue, 4-way decode, allocation queue), Execution Engine (reorder buffer, scheduler, execution units) and Memory Subsystem (load buffer, store buffer, L1 data cache, DTLB, STLB, L2 cache)]

23 Speculative execution

    if (x < array_length)
        y = array[x];

array: a b c d e f g h

x is 2: y becomes c
x is 5: y becomes f
x is 1: y becomes b
x is 327: y becomes

24 Spectre variant 1

    if (x < array1_size)
        y = array2[array1[x] * 256];

x = &target - &array1
array1[x] is the target

[Figure labels: Cache hit, Cache miss]
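Added example, not from the slides: the bounds-check pattern on slide 24 next to a hardened form that clamps the index with a branch-free mask, the same idea as the Linux kernel's array_index_nospec(), so that an out-of-range x selects element 0 even on a mispredicted path. Everything except the names array1, array2 and x is an assumption of this example (table sizes, contents, function names), and it assumes a 64-bit target, a GCC or Clang compiler and arithmetic right shift of signed values.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16u

/* Constructed sample tables standing in for the slide's array1 and array2. */
static uint8_t array1[ARRAY1_SIZE];
static uint8_t array2[256 * 256];
static int tables_ready;

static void init_tables(void)
{
    if (tables_ready)
        return;
    for (unsigned i = 0; i < ARRAY1_SIZE; i++)
        array1[i] = (uint8_t)(i + 1);
    for (unsigned i = 0; i < 256; i++)
        array2[i * 256] = (uint8_t)i;
    tables_ready = 1;
}

/*
 * Returns all-ones when index < size and zero otherwise, using only
 * arithmetic (no branch), so the result is a data dependency that a
 * mispredicted bounds check cannot skip. Requires size <= INT64_MAX.
 */
uint64_t index_mask_nospec(uint64_t index, uint64_t size)
{
#if defined(__GNUC__)
    /* Hide the value from the optimizer; otherwise range analysis inside
     * the bounds-checked branch may fold the mask to a constant. */
    __asm__ volatile("" : "+r"(index));
#endif
    /* Top bit of (index | (size - 1 - index)) is set exactly when
     * index >= size; invert it and smear it across the word. */
    return (uint64_t)(~(int64_t)(index | (size - 1 - index)) >> 63);
}

/* The pattern from the slide, unchanged: the load may run speculatively
 * with an out-of-range x before the comparison resolves. */
uint8_t lookup_unhardened(uint64_t x)
{
    uint8_t y = 0;
    init_tables();
    if (x < ARRAY1_SIZE)
        y = array2[array1[x] * 256];
    return y;
}

/* Hardened form: the index is ANDed with the mask before the first load,
 * so an out-of-range x becomes 0 on both the real and speculative path. */
uint8_t lookup_hardened(uint64_t x)
{
    uint8_t y = 0;
    init_tables();
    if (x < ARRAY1_SIZE) {
        x &= index_mask_nospec(x, ARRAY1_SIZE);
        y = array2[array1[x] * 256];
    }
    return y;
}

int main(void)
{
    /* 327 is the out-of-range index used on slide 23. */
    const uint64_t samples[] = {0, 3, 15, 16, 327, UINT64_MAX};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t x = samples[i];
        printf("x=%llu mask=%016llx clamped=%llu hardened=%u\n",
               (unsigned long long)x,
               (unsigned long long)index_mask_nospec(x, ARRAY1_SIZE),
               (unsigned long long)(x & index_mask_nospec(x, ARRAY1_SIZE)),
               (unsigned)lookup_hardened(x));
    }
    return 0;
}
```

Architecturally both functions return the same values; the difference is only in which address the first load can touch while the bounds check is still unresolved.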

25 Spectre variant 2 widgets

26 Meltdown / Spectre. Short-term fix: KAISER/PTI/KVAS; Microcode patch; OS update; Recompile binaries; Change compiler; Browser hardening; What about applications? Long-term fix: Split address space; Replace hardware; ????

27

28 And so it begins BUSTED

29 And so it begins

30 A return to the past

31

32 Thank you and good luck!


More information

A superscalar machine is one in which multiple instruction streams allow completion of more than one instruction per cycle.

A superscalar machine is one in which multiple instruction streams allow completion of more than one instruction per cycle. CS 320 Ch. 16 SuperScalar Machines A superscalar machine is one in which multiple instruction streams allow completion of more than one instruction per cycle. A superpipelined machine is one in which a

More information

Case Study IBM PowerPC 620

Case Study IBM PowerPC 620 Case Study IBM PowerPC 620 year shipped: 1995 allowing out-of-order execution (dynamic scheduling) and in-order commit (hardware speculation). using a reorder buffer to track when instruction can commit,

More information

ECE331: Hardware Organization and Design

ECE331: Hardware Organization and Design ECE331: Hardware Organization and Design Lecture 27: Midterm2 review Adapted from Computer Organization and Design, Patterson & Hennessy, UCB Midterm 2 Review Midterm will cover Section 1.6: Processor

More information

Processors, Performance, and Profiling

Processors, Performance, and Profiling Processors, Performance, and Profiling Architecture 101: 5-Stage Pipeline Fetch Decode Execute Memory Write-Back Registers PC FP ALU Memory Architecture 101 1. Fetch instruction from memory. 2. Decode

More information

William Stallings Computer Organization and Architecture 8 th Edition. Chapter 14 Instruction Level Parallelism and Superscalar Processors

William Stallings Computer Organization and Architecture 8 th Edition. Chapter 14 Instruction Level Parallelism and Superscalar Processors William Stallings Computer Organization and Architecture 8 th Edition Chapter 14 Instruction Level Parallelism and Superscalar Processors What is Superscalar? Common instructions (arithmetic, load/store,

More information

Hardware-based Speculation

Hardware-based Speculation Hardware-based Speculation Hardware-based Speculation To exploit instruction-level parallelism, maintaining control dependences becomes an increasing burden. For a processor executing multiple instructions

More information

CS 3330 Exam 2 Spring 2016 Name: EXAM KEY Computing ID: KEY

CS 3330 Exam 2 Spring 2016 Name: EXAM KEY Computing ID: KEY S 3330 Spring 2016 xam 2 Variant U page 1 of 6 mail I: KY S 3330 xam 2 Spring 2016 Name: XM KY omputing I: KY Letters go in the boxes unless otherwise specified (e.g., for 8 write not 8 ). Write Letters

More information

White Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS

White Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS White Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS INTRODUCTION Speculative execution is a basic principle of all modern processor designs and is critical to support high performance

More information

Hardware-Based Speculation

Hardware-Based Speculation Hardware-Based Speculation Execute instructions along predicted execution paths but only commit the results if prediction was correct Instruction commit: allowing an instruction to update the register

More information

MIPS Pipelining. Computer Organization Architectures for Embedded Computing. Wednesday 8 October 14

MIPS Pipelining. Computer Organization Architectures for Embedded Computing. Wednesday 8 October 14 MIPS Pipelining Computer Organization Architectures for Embedded Computing Wednesday 8 October 14 Many slides adapted from: Computer Organization and Design, Patterson & Hennessy 4th Edition, 2011, MK

More information

Portland State University ECE 587/687. Memory Ordering

Portland State University ECE 587/687. Memory Ordering Portland State University ECE 587/687 Memory Ordering Copyright by Alaa Alameldeen, Zeshan Chishti and Haitham Akkary 2018 Handling Memory Operations Review pipeline for out of order, superscalar processors

More information

Reorder Buffer Implementation (Pentium Pro) Reorder Buffer Implementation (Pentium Pro)

Reorder Buffer Implementation (Pentium Pro) Reorder Buffer Implementation (Pentium Pro) Reorder Buffer Implementation (Pentium Pro) Hardware data structures retirement register file (RRF) (~ IBM 360/91 physical registers) physical register file that is the same size as the architectural registers

More information

Final Exam Fall 2007

Final Exam Fall 2007 ICS 233 - Computer Architecture & Assembly Language Final Exam Fall 2007 Wednesday, January 23, 2007 7:30 am 10:00 am Computer Engineering Department College of Computer Sciences & Engineering King Fahd

More information

ECE 571 Advanced Microprocessor-Based Design Lecture 4

ECE 571 Advanced Microprocessor-Based Design Lecture 4 ECE 571 Advanced Microprocessor-Based Design Lecture 4 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 28 January 2016 Homework #1 was due Announcements Homework #2 will be posted

More information

cs281: Introduction to Computer Systems CPUlab Datapath Assigned: Oct. 29, Due: Nov. 3

cs281: Introduction to Computer Systems CPUlab Datapath Assigned: Oct. 29, Due: Nov. 3 cs281: Introduction to Computer Systems CPUlab Datapath Assigned: Oct. 29, Due: Nov. 3 The objective of this exercise is to familiarize you with the Datapath of the Y86 CPU and to introduce you to the

More information

Pipelining: Overview. CPSC 252 Computer Organization Ellen Walker, Hiram College

Pipelining: Overview. CPSC 252 Computer Organization Ellen Walker, Hiram College Pipelining: Overview CPSC 252 Computer Organization Ellen Walker, Hiram College Pipelining the Wash Divide into 4 steps: Wash, Dry, Fold, Put Away Perform the steps in parallel Wash 1 Wash 2, Dry 1 Wash

More information

Module 5: "MIPS R10000: A Case Study" Lecture 9: "MIPS R10000: A Case Study" MIPS R A case study in modern microarchitecture.

Module 5: MIPS R10000: A Case Study Lecture 9: MIPS R10000: A Case Study MIPS R A case study in modern microarchitecture. Module 5: "MIPS R10000: A Case Study" Lecture 9: "MIPS R10000: A Case Study" MIPS R10000 A case study in modern microarchitecture Overview Stage 1: Fetch Stage 2: Decode/Rename Branch prediction Branch

More information

Giving credit where credit is due

Giving credit where credit is due CSCE 230J Computer Organization Processor Architecture III: Sequential Implementation Dr. Steve Goddard goddard@cse.unl.edu http://cse.unl.edu/~goddard/courses/csce230j Giving credit where credit is due

More information

William Stallings Computer Organization and Architecture. Chapter 11 CPU Structure and Function

William Stallings Computer Organization and Architecture. Chapter 11 CPU Structure and Function William Stallings Computer Organization and Architecture Chapter 11 CPU Structure and Function CPU Structure CPU must: Fetch instructions Interpret instructions Fetch data Process data Write data Registers

More information

Giving credit where credit is due

Giving credit where credit is due CSC 230J Computer Organization Processor Architecture VI: rap-up r. Steve Goddard goddard@cse.unl.edu Giving credit where credit is due ost of slides for this lecture are based on slides created by r.

More information

SPECULOSE: Analyzing the Security Implications of Speculative Execution in CPUs

SPECULOSE: Analyzing the Security Implications of Speculative Execution in CPUs SPECULOSE: Analyzing the Security Implications of Speculative Execution in CPUs Giorgi Maisuradze CISPA, Saarland University Saarland Informatics Campus giorgi.maisuradze@cispa.saarland Christian Rossow

More information