Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency
|
|
- Colleen Snow
- 5 years ago
- Views:
Transcription
1 Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency Mohammadkazem Taram, Ashish Venkat, Dean Tullsen University of California, San Diego
2 The Tension between Performance and Security SPECTRE 35 LAW SUITS FILED AGAINST CPU COMPANY NEW SIDE-CHANNELS PROCESSOR STOCK MARKET DROPPED HEARTBLEED ROWHAMMER MELTDOWN!2
3 State-of-the-art defenses!3
4 State-of-the-art defenses void foo (int key, int v) { char c[12]; } c[key] = v; Bounds Checking!3
5 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) } c[key] = v; Bounds Checking!3
6 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) c[key] = v; } Bounds Checking if (key[i] == 1) x = x^2 * m; else x = x^2 Constant-Time Execution!3
7 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) c[key] = v; } Bounds Checking if (key[i] == 1) x = x^2 * m; else dummy_mult; x = x^2 Constant-Time Execution!3
8 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) c[key] = v; } Bounds Checking if (key[i] == 1) x = x^2 * m; else dummy_mult; x = x^2 Constant-Time Execution void foo () { return; } Canary Checks!3
9 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) c[key] = v; } Bounds Checking if (key[i] == 1) x = x^2 * m; else dummy_mult; x = x^2 Constant-Time Execution void foo () { canary_check; return; } Canary Checks!3
10 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) c[key] = v; } Bounds Checking void foo () { canary_check; return; } Canary Checks if (key[i] == 1) x = x^2 * m; else dummy_mult; x = x^2 Constant-Time Execution mov %rcx, c35841h mov qword ptr [rax+48h], %rcx Constant Blinding!3
11 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) c[key] = v; } Bounds Checking void foo () { canary_check; return; } Canary Checks if (key[i] == 1) x = x^2 * m; else dummy_mult; x = x^2 Constant-Time Execution mov %rcx, c35841h mov %rcx, 3BF43B1820E7ED7Dh mov %rdx, 3BF53B182024B53Ch xor %rcx, %rdx mov qword ptr [rax+48h], %rcx Constant Blinding!3
12 State-of-the-art defenses void foo (int key, int v) { if (key[i] == 1) } char c[12]; if (key < 12) c[key] = v; Recompilation/Binary Translation else Significant Performance Overhead x = x^2 * m; dummy_mult; x = x^2 Bounds Checking Constant-Time Execution void foo () { canary_check; return; } Canary Checks Visible to Attackers mov %rcx, c35841h mov %rcx, 3BF43B1820E7ED7Dh mov %rdx, 3BF53B182024B53Ch xor %rcx, %rdx mov qword ptr [rax+48h], %rcx Constant Blinding!3
13 State-of-the-art software defenses!4
14 State-of-the-art software defenses Vulnerable!4
15 State-of-the-art software defenses Vulnerable Compilation!4
16 State-of-the-art software defenses Injecting security checks/ obfuscating Vulnerable Compilation!4
17 State-of-the-art software defenses Injecting security checks/ obfuscating Vulnerable Compilation Secure!4
18 State-of-the-art software defenses Injecting security checks/ obfuscating Vulnerable Compilation Secure Processor!4
19 State-of-the-art software defenses Injecting security checks/ obfuscating Vulnerable Processor!4
20 State-of-the-art software defenses Injecting security checks/ obfuscating High Performance Vulnerable Sensitive Region High Performance Mode Processor!4
21 State-of-the-art software defenses Injecting security checks/ obfuscating High Performance Vulnerable Sensitive Region Secure Mode Processor!4
22 State-of-the-art software defenses Dynamic Injecting security checks/ obfuscating Legacy Binaries High Performance Vulnerable Cycle-Level Transition Time Sensitive Region Invisible to the Attacker Secure Mode Processor!4
23 Mobilizing the micro-ops Exploiting Translated ISAs Intel Xeon Processor!5
24 Mobilizing the micro-ops Exploiting Translated ISAs WB Execute Rename Instruction Decoder Fetch!5
25 Mobilizing the micro-ops Exploiting Translated ISAs Native Instructions (e.g., inc [0x803ac] ) Fetch Instruction Decoder Rename Execute WB!5
26 Mobilizing the micro-ops Exploiting Translated ISAs ld t0, [0x803ac] Native Instructions (e.g., inc [0x803ac] ) Fetch Instruction Decoder add, t0, t0, 1 st [0x803ac], t0 Rename Execute WB!5
27 Mobilizing the micro-ops Exploiting Translated ISAs ld t0, [0x803ac] Native Instructions (e.g., inc [0x803ac] ) Fetch Instruction Decoder security_check1 add, t0, t0, 1 security_check2 st [0x803ac], t0 Rename Execute WB!5
28 Outline Motivation Context-Sensitive Decoding Architecture Use Case I: Side-Channel Defense Use Case II: Selective Devectorization Other Potential Applications Conclusion!6
29 X86 front-end Decoders 1:1 X86 Instructions Macro-op Dispatcher 1:4 Fusion Queue MSROM Cache!7
30 Context-Sensitive Decoding Decoders Runtime System Model Specific Registers 1:1 1:4 X86 Instructions Macro-op Dispatcher CSD Fusion Queue MSROM Watchdog Timer Taint Tracking Hot Spot Detector Protection Domain Crossing Cache!8
31 Principle of Operation Runtime System Normal Mode Model Specific Registers Decoders 1:1 1:4 X86 Instructions Macro-op Dispatcher Fusion Queue CSD MSROM Cache!9
32 Principle of Operation Runtime System Normal Mode Model Specific Registers Decoders 1:1 1:4 X86 Instructions inc [0x803ac] Macro-op Dispatcher CSD Fusion Queue MSROM Cache!9
33 Principle of Operation Runtime System Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 X86 Instructions Macro-op Dispatcher Fusion Queue CSD MSROM Cache!9
34 Principle of Operation Runtime System Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions Macro-op Dispatcher Fusion Queue CSD MSROM Cache!9
35 Principle of Operation Runtime System Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions Macro-op Dispatcher Fusion Queue CSD MSROM Cache!9
36 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions Macro-op Dispatcher Fusion Queue CSD MSROM Cache!9
37 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions inc [0x803ac] Macro-op Dispatcher CSD Fusion Queue MSROM Cache!9
38 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions inc [0x803ac] Macro-op Dispatcher CSD Fusion Queue Taint Tracking MSROM Cache!9
39 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions inc [0x803ac] Macro-op Dispatcher CSD Fusion Queue Taint Tracking MSROM Cache!9
40 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions Macro-op Dispatcher inc [0x803ac] CSD Fusion Queue Taint Tracking MSROM Cache!9
41 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions Macro-op Dispatcher inc [0x803ac] CSD Fusion Queue Taint Tracking MSROM cmp 0x803ac, BOUND br_gt EXCEPTION ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 Cache!9
42 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions Macro-op Dispatcher inc [0x803ac] CSD Fusion Queue Taint Tracking MSROM cmp 0x803ac, BOUND br_gt EXCEPTION ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 Cache!9
43 Where do custom translations come from? Hard-coded at manufacture time Intel s micro-code update procedure!10
44 Where do custom translations come from? Intel s micro-code update procedure!10
45 Micro-code update Processor Micro-Code Update Driver Verify/ Authenticate Macro-to-Micro Translation Micro-code Engine Optimizations Runtime System!11
46 Micro-code update Processor Micro-Code Update Driver Verify/ Authenticate Micro-Code Update (x86) Runtime System Macro-to-Micro Translation Micro-code Engine Optimizations!11
47 Micro-code update Processor Micro-Code Update Driver Micro-Code Update (x86) Verify/ Authenticate Macro-to-Micro Translation Micro-code Engine Optimizations Runtime System!12
48 Micro-code update Processor Micro-Code Update Driver Verify/ Authenticate Micro-Code Update (x86) Macro-to-Micro Translation Micro-code Engine Optimizations Runtime System!13
49 Micro-code update Processor Micro-Code Update Driver Verify/ Authenticate Macro-to-Micro Translation Micro-code Engine Micro -ops Optimizations Runtime System!14
50 Micro-code update Processor Micro-Code Update Driver Verify/ Authenticate Macro-to-Micro Translation Micro-code Engine Optimizations Runtime System Optimized s!15
51 Micro-code update Processor Micro-Code Update Driver Verify/ Authenticate Macro-to-Micro Translation Micro-code Engine Optimizations Runtime System Custom Translation!16
52 Outline Motivation Context-Sensitive-Decoding Architecture Use Case I: Side-Channel Defense Use Case II: Selective Devectorization Other Potential Applications Conclusion!17
53 Cache side-channel attacks Process Victim Process Processor Shared Data Cache!18
54 Cache side-channel attacks Process Victim Process Pre-Attack Processor Shared Data Cache!18
55 Cache side-channel attacks Process Victim Process Pre-Attack Processor Shared Data Cache!18
56 Cache side-channel attacks Process Victim Process Pre-Attack Processor Shared Data Cache...!18
57 Cache side-channel attacks Process Victim Process Pre-Attack Processor Shared Data Cache... Sensitive Computation (Key-Dependent Data Access)!18
58 Cache side-channel attacks Process Victim Process Pre-Attack Processor Shared Data Cache... Sensitive Computation (Key-Dependent Data Access) Leaves Memory Signature!18
59 Cache side-channel attacks Process Victim Process Pre-Attack Processor Shared Data Cache... Sensitive Computation (Key-Dependent Data Access) Probing Cache Lines Leaves Memory Signature!18
60 Cache side-channel defense Process Victim Process Processor Shared Data Cache!19
61 Cache side-channel defense Process Victim Process Pre-Attack Processor Shared Data Cache!19
62 Cache side-channel defense Process Victim Process Pre-Attack Processor Shared Data Cache!19
63 Cache side-channel defense Process Victim Process Pre-Attack Processor Shared Data Cache...!19
64 Cache side-channel defense Process Victim Process Pre-Attack Processor Shared Data Cache... Sensitive Computations (Key-Dependent Data Access)!19
65 Cache side-channel defense Process Victim Process Pre-Attack Processor Shared Data Cache... Sensitive Computations (Key-Dependent Data Access) Doesn t Leave Memory Signature!19
66 Cache side-channel defense Process Victim Process Pre-Attack Processor Shared Data Cache... Sensitive Computations (Key-Dependent Data Access) Probing Cache Lines Doesn t Leave Memory Signature!19
67 Stealth-mode translation Decoders OS/ Antivirus Model Specific Range Registers Regular Decoders X86 Instructions Macro-op Dispatcher CSD Fusion MSROM DIFT!20
68 Stealth-mode translation Sensitive Code/ Data Addresses Decoders OS/ Antivirus Model Specific Range Registers Regular Decoders X86 Instructions Macro-op Dispatcher CSD Fusion MSROM DIFT!20
69 Stealth-mode translation Sensitive Code/ Data Addresses Decoders OS/ Antivirus Model Specific Range Registers Regular Decoders X86 Instructions inc [0x803ac] Macro-op Dispatcher CSD Fusion MSROM DIFT!20
70 Stealth-mode translation Sensitive Code/ Data Addresses Decoders OS/ Antivirus Model Specific Range Registers Regular Decoders X86 Instructions inc [0x803ac] Macro-op Dispatcher CSD Fusion Key-Dependent Mem Access MSROM DIFT!20
71 Stealth-mode translation Sensitive Code/ Data Addresses Decoders OS/ Antivirus Model Specific Range Registers Regular Decoders X86 Instructions Macro-op Dispatcher inc [0x803ac] CSD Fusion Key-Dependent Mem Access MSROM DIFT!20
72 Stealth-mode translation Sensitive Code/ Data Addresses Decoders OS/ Antivirus Model Specific Range Registers Regular Decoders X86 Instructions Macro-op Dispatcher inc [0x803ac] CSD Fusion Key-Dependent Mem Access DIFT MSROM ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 mov t0,range.size top: ld t1,[t0+range.start],t0 subi t0,cbs br_lt top!20
73 Attacker s perspective Without Context-Sensitive Decoding!21
74 Attacker s perspective Key: Without Context-Sensitive Decoding!21
75 Attacker s perspective Key: F E D C B A Without Context-Sensitive Decoding!21
76 Attacker s perspective CSD With Context-Sensitive Decoding!21
77 Performance of stealth mode 4.9% We greatly improve security with less than 5% performance overhead!22
78 Outline Motivation Context-Sensitive-Decoding Architecture Use Case I: Side-Channel Defense Use Case II: Selective Devectorization Other Potential Applications Conclusion!23
79 Unit-level power gating SPEC2006 Omnetpp benchmark Intense Vector Activity Period Zero Vector Activity Period Infrequent Vector Activity Period!24
80 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher CSD Fusion Vector Activity Predictor MSROM Vector Processing Unit!25
81 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher CSD Fusion Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit!25
82 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher CSD Fusion Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit Power-Gated!25
83 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Vector Instruction Macro-op Dispatcher CSD Fusion Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit Power-Gated!25
84 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher Vector Instruction CSD Fusion Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit Power-Gated!25
85 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher Vector Instruction CSD Scalarized s Fusion Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit Power-Gated!25
86 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher Vector Instruction CSD Scalarized s Fusion Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit Power-Gated!25
87 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher Vector Instruction CSD Fusion Scalarized s Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit Power-Gated!25
88 Energy results Energy Normalized to Conventional Power Gating ~12% Context-Sensitive Decoding using devectorization mode can improve energy by 12%!26
89 Potential applications On-Demand Type Safety More WatchPoints Information Flow Tracking Sandboxing More Performance Counters Malware Detection Programming Languages Debugging Security!27
90 Conclusion Context-Sensitive Decoding enables the decoder to dynamically alter the behavior of programmer-visible ISA instructions. Change the functionality of the software without programmer or compiler intervention We presented stealth mode translation, an under the cover security defense against cache side channel attacks We enable selective devectorization via CSD, saving energy while simultaneously achieving a speedup over conventional power gating.!28
Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency
Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency Mohammadkazem Taram Ashish Venkat Dean M. Tullsen University of California, San Diego {mtaram asvenkat
More informationSecurity-Aware Processor Architecture Design. CS 6501 Fall 2018 Ashish Venkat
Security-Aware Processor Architecture Design CS 6501 Fall 2018 Ashish Venkat Agenda Theme Selection (due today at 11:59:59pm) Readings and Presentation Logistics Quick Processor Architecture Review (continued
More informationMeltdown and Spectre: Complexity and the death of security
Meltdown and Spectre: Complexity and the death of security May 8, 2018 Meltdown and Spectre: Wait, my computer does what? May 8, 2018 Meltdown and Spectre: Whoever thought that was a good idea? May 8,
More informationDecoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor
Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan, Michael Dalton, Christos Kozyrakis Computer Systems Laboratory Stanford University Motivation Dynamic analysis help
More informationSpectre and Meltdown. Clifford Wolf q/talk
Spectre and Meltdown Clifford Wolf q/talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative
More informationSpectre Returns! Speculation Attacks Using Return Stack Buffer
Spectre Returns! Speculation Attacks Using Return Stack Buffer Esmaeil Mohammadian, Khaled N. Khasawneh, Chengyue Song and Nael Abu-Ghazaleh University of California, Riverside WOOT 2018 BALTIMORE, USA
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationMeltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory
Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory locations Breaks all security assumptions given
More informationCS377P Programming for Performance Single Thread Performance Out-of-order Superscalar Pipelines
CS377P Programming for Performance Single Thread Performance Out-of-order Superscalar Pipelines Sreepathi Pai UTCS September 14, 2015 Outline 1 Introduction 2 Out-of-order Scheduling 3 The Intel Haswell
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationT Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationENGN1640: Design of Computing Systems Topic 06: Advanced Processor Design
ENGN1640: Design of Computing Systems Topic 06: Advanced Processor Design Professor Sherief Reda http://scale.engin.brown.edu Electrical Sciences and Computer Engineering School of Engineering Brown University
More informationMeltdown and Spectre: Complexity and the death of security
Meltdown and Spectre: Complexity and the death of security May 8, 2018 Meltdown and Spectre: Wait, my computer does what? January 24, 2018 Meltdown and Spectre: Whoever thought that was a good idea? January
More informationExploiting Branch Target Injection. Jann Horn, Google Project Zero
Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction Reverse-engineering branch prediction Leaking host memory from KVM 2 Disclaimer I haven't worked in CPU design I
More informationDecoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor
1 Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan, Michael Dalton, Christos Kozyrakis Presenter: Yue Zheng Yulin Shi Outline Motivation & Background Hardware DIFT
More informationLast time: forwarding/stalls. CS 6354: Branch Prediction (con t) / Multiple Issue. Why bimodal: loops. Last time: scheduling to avoid stalls
CS 6354: Branch Prediction (con t) / Multiple Issue 14 September 2016 Last time: scheduling to avoid stalls 1 Last time: forwarding/stalls add $a0, $a2, $a3 ; zero or more instructions sub $t0, $a0, $a1
More informationSubversive-C: Abusing and Protecting Dynamic Message Dispatch
Subversive-C: Abusing and Protecting Dynamic Message Dispatch Julian Lettner, Benjamin Kollenda, Andrei Homescu, Per Larsen, Felix Schuster, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz, Michael Franz
More informationCore Fusion: Accommodating Software Diversity in Chip Multiprocessors
Core Fusion: Accommodating Software Diversity in Chip Multiprocessors Authors: Engin Ipek, Meyrem Kırman, Nevin Kırman, and Jose F. Martinez Navreet Virk Dept of Computer & Information Sciences University
More informationECE 571 Advanced Microprocessor-Based Design Lecture 4
ECE 571 Advanced Microprocessor-Based Design Lecture 4 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 28 January 2016 Homework #1 was due Announcements Homework #2 will be posted
More informationEECC551 - Shaaban. 1 GHz? to???? GHz CPI > (?)
Evolution of Processor Performance So far we examined static & dynamic techniques to improve the performance of single-issue (scalar) pipelined CPU designs including: static & dynamic scheduling, static
More informationSGXBounds Memory Safety for Shielded Execution
SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia *, Pascal Felber, Christof Fetzer TU Dresden, * The University of Edinburgh,
More informationUG4 Honours project selection: Talk to Vijay or Boris if interested in computer architecture projects
Announcements UG4 Honours project selection: Talk to Vijay or Boris if interested in computer architecture projects Inf3 Computer Architecture - 2017-2018 1 Last time: Tomasulo s Algorithm Inf3 Computer
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationTo accelerate our learnings, we brought in an expert in CPU side channel attacks. Anders Fogh
To accelerate our learnings, we brought in an expert in CPU side channel attacks Anders Fogh Virtualization-based isolation Microsoft Azure, Hyper-V Affected Kernel-user separation Windows Affected Process-based
More informationPredicting Program Phases and Defending against Side-Channel Attacks using Hardware Performance Counters
Predicting Program Phases and Defending against Side-Channel Attacks using Hardware Performance Counters Junaid Nomani and Jakub Szefer Computer Architecture and Security Laboratory Yale University junaid.nomani@yale.edu
More informationMetodologie di Progettazione Hardware-Software
Metodologie di Progettazione Hardware-Software Advanced Pipelining and Instruction-Level Paralelism Metodologie di Progettazione Hardware/Software LS Ing. Informatica 1 ILP Instruction-level Parallelism
More informationMulti-threaded processors. Hung-Wei Tseng x Dean Tullsen
Multi-threaded processors Hung-Wei Tseng x Dean Tullsen OoO SuperScalar Processor Fetch instructions in the instruction window Register renaming to eliminate false dependencies edule an instruction to
More informationBlackBox. Lightweight Security Monitoring for COTS Binaries. Byron Hawkins and Brian Demsky University of California, Irvine, USA
BlackBox Lightweight Security Monitoring for COTS Binaries Byron Hawkins and Brian Demsky University of California, Irvine, USA Michael B. Taylor University of California, San Diego, USA Why Security Monitoring?
More informationCall Paths for Pin Tools
, Xu Liu, and John Mellor-Crummey Department of Computer Science Rice University CGO'14, Orlando, FL February 17, 2014 What is a Call Path? main() A() B() Foo() { x = *ptr;} Chain of function calls that
More informationReconfigurable and Self-optimizing Multicore Architectures. Presented by: Naveen Sundarraj
Reconfigurable and Self-optimizing Multicore Architectures Presented by: Naveen Sundarraj 1 11/9/2012 OUTLINE Introduction Motivation Reconfiguration Performance evaluation Reconfiguration Self-optimization
More informationMicroarchitecture Overview. Performance
Microarchitecture Overview Prof. Scott Rixner Duncan Hall 3028 rixner@rice.edu January 15, 2007 Performance 4 Make operations faster Process improvements Circuit improvements Use more transistors to make
More informationSecuring High-performance RISC-V Processors from Time Speculation Christopher Celio, Jose Renau Esperanto Technologies {christopher.
Securing High-performance RISC-V Processors from Time Speculation Christopher Celio, Jose Renau Esperanto Technologies {christopher.celio, jose.renau} @esperantotech.com 8th RISC-V Workshop Barcelona,
More informationMulti-cycle Instructions in the Pipeline (Floating Point)
Lecture 6 Multi-cycle Instructions in the Pipeline (Floating Point) Introduction to instruction level parallelism Recap: Support of multi-cycle instructions in a pipeline (App A.5) Recap: Superpipelining
More informationMicroarchitecture Overview. Performance
Microarchitecture Overview Prof. Scott Rixner Duncan Hall 3028 rixner@rice.edu January 18, 2005 Performance 4 Make operations faster Process improvements Circuit improvements Use more transistors to make
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationComputer Architecture: Multi-Core Processors: Why? Prof. Onur Mutlu Carnegie Mellon University
Computer Architecture: Multi-Core Processors: Why? Prof. Onur Mutlu Carnegie Mellon University Moore s Law Moore, Cramming more components onto integrated circuits, Electronics, 1965. 2 3 Multi-Core Idea:
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationShreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S
Shreds: S H R E D S Fine-grained Execution Units with Private Memory Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu RiS3 Lab / Computer Science / Stony Brook University 1 Execution Units
More informationCSE 240A Midterm Exam
Student ID Page 1 of 7 2011 Fall Professor Steven Swanson CSE 240A Midterm Exam Please write your name at the top of each page This is a close book, closed notes exam. No outside material may be used.
More informationCPI < 1? How? What if dynamic branch prediction is wrong? Multiple issue processors: Speculative Tomasulo Processor
1 CPI < 1? How? From Single-Issue to: AKS Scalar Processors Multiple issue processors: VLIW (Very Long Instruction Word) Superscalar processors No ISA Support Needed ISA Support Needed 2 What if dynamic
More informationCS146 Computer Architecture. Fall Midterm Exam
CS146 Computer Architecture Fall 2002 Midterm Exam This exam is worth a total of 100 points. Note the point breakdown below and budget your time wisely. To maximize partial credit, show your work and state
More informationCSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g
CSE 227 Computer Security Spring 2010 Software Df Defenses I Stefan Savage Kinds of defenses Eliminate violation of runtime model Better languages, code analysis Don t allow bad input Input validation
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationThe Story of Meltdown and Spectre. Jann Horn & Daniel Gruss May 17, 2018
The Story of Meltdown and Spectre Jann Horn & Daniel Gruss May 17, 2018 1 Who are we Jann Horn Google Project Zero jannh@google.com 2 Who are we Daniel Gruss Post-Doc @ Graz University Of Technology @lavados
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.
More information4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization
04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization
More informationProcesses. CS 416: Operating Systems Design, Spring 2011 Department of Computer Science Rutgers University
Processes Design, Spring 2011 Department of Computer Science Von Neuman Model Both text (program) and data reside in memory Execution cycle Fetch instruction Decode instruction Execute instruction CPU
More informationDEEP HOOKS MONITORING NATIVE EXECUTION IN WOW64 APPLICATIONS. Yarden Assaf
DEEP HOOKS MONITORING NATIVE EXECUTION IN WOW64 APPLICATIONS Assaf Carlsbad @assaf_carlsbad Yarden Shafir @yarden_shafir Yarden I started dancing at the age of 7 and later competed with a rhythmic gymnastics
More informationInside VMProtect. Introduction. Internal. Analysis. VM Logic. Inside VMProtect. Conclusion. Samuel Chevet. 16 January 2015.
16 January 2015 Agenda Describe what VMProtect is Introduce code virtualization in software protection Methods for circumvention VM logic Warning Some assumptions are made in this presentation Only few
More informationWhite Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS
White Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS INTRODUCTION Speculative execution is a basic principle of all modern processor designs and is critical to support high performance
More informationSpectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick
Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment Orin Thomas @orinthomas Jeff Melnick Jeff.Melnick@Netwrix.com In this session Vulnerability types Spectre Meltdown Spectre
More informationReal-World Buffer Overflow Protection in User & Kernel Space
Real-World Buffer Overflow Protection in User & Kernel Space Michael Dalton, Hari Kannan, Christos Kozyrakis Computer Systems Laboratory Stanford University http://raksha.stanford.edu 1 Motivation Buffer
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationChapter 4. Advanced Pipelining and Instruction-Level Parallelism. In-Cheol Park Dept. of EE, KAIST
Chapter 4. Advanced Pipelining and Instruction-Level Parallelism In-Cheol Park Dept. of EE, KAIST Instruction-level parallelism Loop unrolling Dependence Data/ name / control dependence Loop level parallelism
More informationComputer Architecture: Multi-Core Processors: Why? Onur Mutlu & Seth Copen Goldstein Carnegie Mellon University 9/11/13
Computer Architecture: Multi-Core Processors: Why? Onur Mutlu & Seth Copen Goldstein Carnegie Mellon University 9/11/13 Moore s Law Moore, Cramming more components onto integrated circuits, Electronics,
More informationCompiling for Nehalem (the Intel Core Microarchitecture, Intel Xeon 5500 processor family and the Intel Core i7 processor)
Compiling for Nehalem (the Intel Core Microarchitecture, Intel Xeon 5500 processor family and the Intel Core i7 processor) Martyn Corden Developer Products Division Software & Services Group Intel Corporation
More informationCS152 Computer Architecture and Engineering VLIW, Vector, and Multithreaded Machines
CS152 Computer Architecture and Engineering VLIW, Vector, and Multithreaded Machines Assigned April 7 Problem Set #5 Due April 21 http://inst.eecs.berkeley.edu/~cs152/sp09 The problem sets are intended
More informationSecure Programming Lecture 15: Information Leakage
Secure Programming Lecture 15: Information Leakage David Aspinall 21st March 2017 Outline Overview Language Based Security Taint tracking Information flow security by type-checking Summary Recap We have
More informationSeveral Common Compiler Strategies. Instruction scheduling Loop unrolling Static Branch Prediction Software Pipelining
Several Common Compiler Strategies Instruction scheduling Loop unrolling Static Branch Prediction Software Pipelining Basic Instruction Scheduling Reschedule the order of the instructions to reduce the
More informationCS / ECE 6810 Midterm Exam - Oct 21st 2008
Name and ID: CS / ECE 6810 Midterm Exam - Oct 21st 2008 Notes: This is an open notes and open book exam. If necessary, make reasonable assumptions and clearly state them. The only clarifications you may
More informationCS152 Computer Architecture and Engineering CS252 Graduate Computer Architecture. VLIW, Vector, and Multithreaded Machines
CS152 Computer Architecture and Engineering CS252 Graduate Computer Architecture VLIW, Vector, and Multithreaded Machines Assigned 3/24/2019 Problem Set #4 Due 4/5/2019 http://inst.eecs.berkeley.edu/~cs152/sp19
More informationCSE 237B Fall 2009 Virtualization, Security and RTOS. Rajesh Gupta Computer Science and Engineering University of California, San Diego.
CSE 237B Fall 2009 Virtualization, Security and RTOS Rajesh Gupta Computer Science and Engineering University of California, San Diego. Overview What is virtualization? Types of virtualization and VMs
More informationPipelining to Superscalar
Pipelining to Superscalar ECE/CS 752 Fall 207 Prof. Mikko H. Lipasti University of Wisconsin-Madison Pipelining to Superscalar Forecast Limits of pipelining The case for superscalar Instruction-level parallel
More informationComputer Architecture
Computer Architecture Lecture 3: ISA Tradeoffs Dr. Ahmed Sallam Suez Canal University Spring 2015 Based on original slides by Prof. Onur Mutlu Design Point A set of design considerations and their importance
More informationOptimizing Models of an FPGA Embedded System. Adam Donlin Xilinx Research Labs September 2004
Optimizing Models of an FPGA Embedded System Adam Donlin Xilinx Research Labs September 24 Outline Target System Architecture Model Optimizations and Simulation Impact Port Datatypes Threads and Methods
More informationLecture 8 Dynamic Branch Prediction, Superscalar and VLIW. Computer Architectures S
Lecture 8 Dynamic Branch Prediction, Superscalar and VLIW Computer Architectures 521480S Dynamic Branch Prediction Performance = ƒ(accuracy, cost of misprediction) Branch History Table (BHT) is simplest
More informationSimplified and Effective Serial and Parallel Performance Optimization
HPC Code Modernization Workshop at LRZ Simplified and Effective Serial and Parallel Performance Optimization Performance tuning Using Intel VTune Performance Profiler Performance Tuning Methodology Goal:
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationA Software Solution for Hardware Vulnerabilities
A Software Solution for Hardware Vulnerabilities Komail Dharsee University of Rochester Ethan Johnson University of Rochester John Criswell University of Rochester 1 / 22 Hardware Bugs! AMD recently shipped
More informationCFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer
CFIXX: Object Type Integrity Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer Control-Flow Hijacking Attacks C / C++ are ubiquitous and insecure Browsers: Chrome, Firefox, Internet Explorer Servers:
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationPipelining, Branch Prediction, Trends
Pipelining, Branch Prediction, Trends 10.1-10.4 Topics 10.1 Quantitative Analyses of Program Execution 10.2 From CISC to RISC 10.3 Pipelining the Datapath Branch Prediction, Delay Slots 10.4 Overlapping
More informationLecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.
Lecture Notes for 04/04/06 UNTRUSTED CODE Fatima Zarinni. Last class we started to talk about the different System Solutions for Stack Overflow. We are going to continue the subject. Stages of Stack Overflow
More informationReduction of Control Hazards (Branch) Stalls with Dynamic Branch Prediction
ISA Support Needed By CPU Reduction of Control Hazards (Branch) Stalls with Dynamic Branch Prediction So far we have dealt with control hazards in instruction pipelines by: 1 2 3 4 Assuming that the branch
More informationILP concepts (2.1) Basic compiler techniques (2.2) Reducing branch costs with prediction (2.3) Dynamic scheduling (2.4 and 2.5)
Instruction-Level Parallelism and its Exploitation: PART 1 ILP concepts (2.1) Basic compiler techniques (2.2) Reducing branch costs with prediction (2.3) Dynamic scheduling (2.4 and 2.5) Project and Case
More informationA Fault Tolerant Superscalar Processor
A Fault Tolerant Superscalar Processor 1 [Based on Coverage of a Microarchitecture-level Fault Check Regimen in a Superscalar Processor by V. Reddy and E. Rotenberg (2008)] P R E S E N T E D B Y NAN Z
More information18-600: Recitation #4 Exploits
18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationCS450/650 Notes Winter 2013 A Morton. Superscalar Pipelines
CS450/650 Notes Winter 2013 A Morton Superscalar Pipelines 1 Scalar Pipeline Limitations (Shen + Lipasti 4.1) 1. Bounded Performance P = 1 T = IC CPI 1 cycletime = IPC frequency IC IPC = instructions per
More informationEN164: Design of Computing Systems Topic 08: Parallel Processor Design (introduction)
EN164: Design of Computing Systems Topic 08: Parallel Processor Design (introduction) Professor Sherief Reda http://scale.engin.brown.edu Electrical Sciences and Computer Engineering School of Engineering
More informationInstruction-Level Parallelism and Its Exploitation
Chapter 2 Instruction-Level Parallelism and Its Exploitation 1 Overview Instruction level parallelism Dynamic Scheduling Techniques es Scoreboarding Tomasulo s s Algorithm Reducing Branch Cost with Dynamic
More informationComputer Architecture s Changing Definition
Computer Architecture s Changing Definition 1950s Computer Architecture Computer Arithmetic 1960s Operating system support, especially memory management 1970s to mid 1980s Computer Architecture Instruction
More informationCPI IPC. 1 - One At Best 1 - One At best. Multiple issue processors: VLIW (Very Long Instruction Word) Speculative Tomasulo Processor
Single-Issue Processor (AKA Scalar Processor) CPI IPC 1 - One At Best 1 - One At best 1 From Single-Issue to: AKS Scalar Processors CPI < 1? How? Multiple issue processors: VLIW (Very Long Instruction
More informationPageVault: Securing Off-Chip Memory Using Page-Based Authen?ca?on. Blaise-Pascal Tine Sudhakar Yalamanchili
PageVault: Securing Off-Chip Memory Using Page-Based Authen?ca?on Blaise-Pascal Tine Sudhakar Yalamanchili Outline Background: Memory Security Motivation Proposed Solution Implementation Evaluation Conclusion
More informationLecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems
Lecture 10 Pointless Tainting? Evaluating the Practicality of Pointer Tainting Asia Slowinska, Herbert Bos Advanced Operating Systems December 15, 2010 SOA/OS Lecture 10, Pointer Tainting 1/40 Introduction
More informationTestudo: Heavyweight Security Analysis via Statistical Sampling
Testudo: Heavyweight Security Analysis via Statistical Sampling Joseph L. Greathouse Ilya Wagner David A. Ramos Gautam Bhatnagar Todd Austin Valeria Bertacco Seth Pettie Advanced Computer Architecture
More informationInstruction Level Parallelism
Instruction Level Parallelism The potential overlap among instruction execution is called Instruction Level Parallelism (ILP) since instructions can be executed in parallel. There are mainly two approaches
More informationSpectre and Meltdown: Data leaks during speculative execution
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval
More informationCS 361S - Network Security and Privacy Spring Homework #2
CS 361S - Network Security and Privacy Spring 2014 Homework #2 Due: 11am CDT (in class), April 17, 2014 YOUR NAME: Collaboration policy No collaboration is permitted on this assignment. Any cheating (e.g.,
More informationPerformance analysis basics
Performance analysis basics Christian Iwainsky Iwainsky@rz.rwth-aachen.de 25.3.2010 1 Overview 1. Motivation 2. Performance analysis basics 3. Measurement Techniques 2 Why bother with performance analysis
More informationBEng (Hons.) Telecommunications. BSc (Hons.) Computer Science with Network Security
BEng (Hons.) Telecommunications BSc (Hons.) Computer Science with Network Security Cohorts: BTEL/15B/FT BCNS/16B/FT Examinations for 2016-2017 / Semester 2 Resit Examinations for BTEL/13B/FT & BTEL/15B/FT
More informationHacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh
Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases
More informationBuffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.
Buffer Overflows A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers. By: Brian Roberts What is a buffer overflow? In languages that deal with data structures
More informationMaximum Security with Minimum Impact : Going Beyond Next Gen
SESSION ID: SP03-W10 Maximum Security with Minimum Impact : Going Beyond Next Gen Wendy Moore Director, User Protection Trend Micro @WMBOTT Hyper-competitive Cloud Rapid adoption Social Global Mobile IoT
More informationTDT 4260 lecture 7 spring semester 2015
1 TDT 4260 lecture 7 spring semester 2015 Lasse Natvig, The CARD group Dept. of computer & information science NTNU 2 Lecture overview Repetition Superscalar processor (out-of-order) Dependencies/forwarding
More informationMemory Safety for Low- Level Software/Hardware Interactions
Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Montreal or Bust! Vikram Adve Safety Future is Bright User-space memory safety is improving Safe languages SAFECode,
More informationWrong Path Events and Their Application to Early Misprediction Detection and Recovery
Wrong Path Events and Their Application to Early Misprediction Detection and Recovery David N. Armstrong Hyesoon Kim Onur Mutlu Yale N. Patt University of Texas at Austin Motivation Branch predictors are
More informationCS654 Advanced Computer Architecture. Lec 2 - Introduction
CS654 Advanced Computer Architecture Lec 2 - Introduction Peter Kemper Adapted from the slides of EECS 252 by Prof. David Patterson Electrical Engineering and Computer Sciences University of California,
More informationPerformance Characterization, Prediction, and Optimization for Heterogeneous Systems with Multi-Level Memory Interference
The 2017 IEEE International Symposium on Workload Characterization Performance Characterization, Prediction, and Optimization for Heterogeneous Systems with Multi-Level Memory Interference Shin-Ying Lee
More information18-600: Recitation #4 Exploits (Attack Lab)
18-600: Recitation #4 Exploits (Attack Lab) September 19th, 2017 Announcements Some students have triggered the bomb multiple times Use breakpoints for explode_bomb() Attack lab will be released on Sep.
More information