Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency
Size: px
Start display at page:

Download "Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency"

Transcription

1 Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency Mohammadkazem Taram, Ashish Venkat, Dean Tullsen University of California, San Diego

2 The Tension between Performance and Security SPECTRE 35 LAW SUITS FILED AGAINST CPU COMPANY NEW SIDE-CHANNELS PROCESSOR STOCK MARKET DROPPED HEARTBLEED ROWHAMMER MELTDOWN!2

3 State-of-the-art defenses!3

4 State-of-the-art defenses void foo (int key, int v) { char c[12]; } c[key] = v; Bounds Checking!3

5 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) } c[key] = v; Bounds Checking!3

6 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) c[key] = v; } Bounds Checking if (key[i] == 1) x = x^2 * m; else x = x^2 Constant-Time Execution!3

7 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) c[key] = v; } Bounds Checking if (key[i] == 1) x = x^2 * m; else dummy_mult; x = x^2 Constant-Time Execution!3

8 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) c[key] = v; } Bounds Checking if (key[i] == 1) x = x^2 * m; else dummy_mult; x = x^2 Constant-Time Execution void foo () { return; } Canary Checks!3

9 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) c[key] = v; } Bounds Checking if (key[i] == 1) x = x^2 * m; else dummy_mult; x = x^2 Constant-Time Execution void foo () { canary_check; return; } Canary Checks!3

10 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) c[key] = v; } Bounds Checking void foo () { canary_check; return; } Canary Checks if (key[i] == 1) x = x^2 * m; else dummy_mult; x = x^2 Constant-Time Execution mov %rcx, c35841h mov qword ptr [rax+48h], %rcx Constant Blinding!3

11 State-of-the-art defenses void foo (int key, int v) { char c[12]; if (key < 12) c[key] = v; } Bounds Checking void foo () { canary_check; return; } Canary Checks if (key[i] == 1) x = x^2 * m; else dummy_mult; x = x^2 Constant-Time Execution mov %rcx, c35841h mov %rcx, 3BF43B1820E7ED7Dh mov %rdx, 3BF53B182024B53Ch xor %rcx, %rdx mov qword ptr [rax+48h], %rcx Constant Blinding!3

12 State-of-the-art defenses void foo (int key, int v) { if (key[i] == 1) } char c[12]; if (key < 12) c[key] = v; Recompilation/Binary Translation else Significant Performance Overhead x = x^2 * m; dummy_mult; x = x^2 Bounds Checking Constant-Time Execution void foo () { canary_check; return; } Canary Checks Visible to Attackers mov %rcx, c35841h mov %rcx, 3BF43B1820E7ED7Dh mov %rdx, 3BF53B182024B53Ch xor %rcx, %rdx mov qword ptr [rax+48h], %rcx Constant Blinding!3

13 State-of-the-art software defenses!4

14 State-of-the-art software defenses Vulnerable!4

15 State-of-the-art software defenses Vulnerable Compilation!4

16 State-of-the-art software defenses Injecting security checks/ obfuscating Vulnerable Compilation!4

17 State-of-the-art software defenses Injecting security checks/ obfuscating Vulnerable Compilation Secure!4

18 State-of-the-art software defenses Injecting security checks/ obfuscating Vulnerable Compilation Secure Processor!4

19 State-of-the-art software defenses Injecting security checks/ obfuscating Vulnerable Processor!4

20 State-of-the-art software defenses Injecting security checks/ obfuscating High Performance Vulnerable Sensitive Region High Performance Mode Processor!4

21 State-of-the-art software defenses Injecting security checks/ obfuscating High Performance Vulnerable Sensitive Region Secure Mode Processor!4

22 State-of-the-art software defenses Dynamic Injecting security checks/ obfuscating Legacy Binaries High Performance Vulnerable Cycle-Level Transition Time Sensitive Region Invisible to the Attacker Secure Mode Processor!4

23 Mobilizing the micro-ops Exploiting Translated ISAs Intel Xeon Processor!5

24 Mobilizing the micro-ops Exploiting Translated ISAs WB Execute Rename Instruction Decoder Fetch!5

25 Mobilizing the micro-ops Exploiting Translated ISAs Native Instructions (e.g., inc [0x803ac] ) Fetch Instruction Decoder Rename Execute WB!5

26 Mobilizing the micro-ops Exploiting Translated ISAs ld t0, [0x803ac] Native Instructions (e.g., inc [0x803ac] ) Fetch Instruction Decoder add, t0, t0, 1 st [0x803ac], t0 Rename Execute WB!5

27 Mobilizing the micro-ops Exploiting Translated ISAs ld t0, [0x803ac] Native Instructions (e.g., inc [0x803ac] ) Fetch Instruction Decoder security_check1 add, t0, t0, 1 security_check2 st [0x803ac], t0 Rename Execute WB!5

28 Outline Motivation Context-Sensitive Decoding Architecture Use Case I: Side-Channel Defense Use Case II: Selective Devectorization Other Potential Applications Conclusion!6

29 X86 front-end Decoders 1:1 X86 Instructions Macro-op Dispatcher 1:4 Fusion Queue MSROM Cache!7

30 Context-Sensitive Decoding Decoders Runtime System Model Specific Registers 1:1 1:4 X86 Instructions Macro-op Dispatcher CSD Fusion Queue MSROM Watchdog Timer Taint Tracking Hot Spot Detector Protection Domain Crossing Cache!8

31 Principle of Operation Runtime System Normal Mode Model Specific Registers Decoders 1:1 1:4 X86 Instructions Macro-op Dispatcher Fusion Queue CSD MSROM Cache!9

32 Principle of Operation Runtime System Normal Mode Model Specific Registers Decoders 1:1 1:4 X86 Instructions inc [0x803ac] Macro-op Dispatcher CSD Fusion Queue MSROM Cache!9

33 Principle of Operation Runtime System Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 X86 Instructions Macro-op Dispatcher Fusion Queue CSD MSROM Cache!9

34 Principle of Operation Runtime System Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions Macro-op Dispatcher Fusion Queue CSD MSROM Cache!9

35 Principle of Operation Runtime System Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions Macro-op Dispatcher Fusion Queue CSD MSROM Cache!9

36 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions Macro-op Dispatcher Fusion Queue CSD MSROM Cache!9

37 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions inc [0x803ac] Macro-op Dispatcher CSD Fusion Queue MSROM Cache!9

38 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions inc [0x803ac] Macro-op Dispatcher CSD Fusion Queue Taint Tracking MSROM Cache!9

39 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions inc [0x803ac] Macro-op Dispatcher CSD Fusion Queue Taint Tracking MSROM Cache!9

40 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions Macro-op Dispatcher inc [0x803ac] CSD Fusion Queue Taint Tracking MSROM Cache!9

41 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions Macro-op Dispatcher inc [0x803ac] CSD Fusion Queue Taint Tracking MSROM cmp 0x803ac, BOUND br_gt EXCEPTION ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 Cache!9

42 Principle of Operation Runtime System Secure Normal Mode Model Specific Registers Decoders 1:1 inc [0x803ac] 1:4 ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 X86 Instructions Macro-op Dispatcher inc [0x803ac] CSD Fusion Queue Taint Tracking MSROM cmp 0x803ac, BOUND br_gt EXCEPTION ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 Cache!9

43 Where do custom translations come from? Hard-coded at manufacture time Intel s micro-code update procedure!10

44 Where do custom translations come from? Intel s micro-code update procedure!10

45 Micro-code update Processor Micro-Code Update Driver Verify/ Authenticate Macro-to-Micro Translation Micro-code Engine Optimizations Runtime System!11

46 Micro-code update Processor Micro-Code Update Driver Verify/ Authenticate Micro-Code Update (x86) Runtime System Macro-to-Micro Translation Micro-code Engine Optimizations!11

47 Micro-code update Processor Micro-Code Update Driver Micro-Code Update (x86) Verify/ Authenticate Macro-to-Micro Translation Micro-code Engine Optimizations Runtime System!12

48 Micro-code update Processor Micro-Code Update Driver Verify/ Authenticate Micro-Code Update (x86) Macro-to-Micro Translation Micro-code Engine Optimizations Runtime System!13

49 Micro-code update Processor Micro-Code Update Driver Verify/ Authenticate Macro-to-Micro Translation Micro-code Engine Micro -ops Optimizations Runtime System!14

50 Micro-code update Processor Micro-Code Update Driver Verify/ Authenticate Macro-to-Micro Translation Micro-code Engine Optimizations Runtime System Optimized s!15

51 Micro-code update Processor Micro-Code Update Driver Verify/ Authenticate Macro-to-Micro Translation Micro-code Engine Optimizations Runtime System Custom Translation!16

52 Outline Motivation Context-Sensitive-Decoding Architecture Use Case I: Side-Channel Defense Use Case II: Selective Devectorization Other Potential Applications Conclusion!17

53 Cache side-channel attacks Process Victim Process Processor Shared Data Cache!18

54 Cache side-channel attacks Process Victim Process Pre-Attack Processor Shared Data Cache!18

55 Cache side-channel attacks Process Victim Process Pre-Attack Processor Shared Data Cache!18

56 Cache side-channel attacks Process Victim Process Pre-Attack Processor Shared Data Cache...!18

57 Cache side-channel attacks Process Victim Process Pre-Attack Processor Shared Data Cache... Sensitive Computation (Key-Dependent Data Access)!18

58 Cache side-channel attacks Process Victim Process Pre-Attack Processor Shared Data Cache... Sensitive Computation (Key-Dependent Data Access) Leaves Memory Signature!18

59 Cache side-channel attacks Process Victim Process Pre-Attack Processor Shared Data Cache... Sensitive Computation (Key-Dependent Data Access) Probing Cache Lines Leaves Memory Signature!18

60 Cache side-channel defense Process Victim Process Processor Shared Data Cache!19

61 Cache side-channel defense Process Victim Process Pre-Attack Processor Shared Data Cache!19

62 Cache side-channel defense Process Victim Process Pre-Attack Processor Shared Data Cache!19

63 Cache side-channel defense Process Victim Process Pre-Attack Processor Shared Data Cache...!19

64 Cache side-channel defense Process Victim Process Pre-Attack Processor Shared Data Cache... Sensitive Computations (Key-Dependent Data Access)!19

65 Cache side-channel defense Process Victim Process Pre-Attack Processor Shared Data Cache... Sensitive Computations (Key-Dependent Data Access) Doesn t Leave Memory Signature!19

66 Cache side-channel defense Process Victim Process Pre-Attack Processor Shared Data Cache... Sensitive Computations (Key-Dependent Data Access) Probing Cache Lines Doesn t Leave Memory Signature!19

67 Stealth-mode translation Decoders OS/ Antivirus Model Specific Range Registers Regular Decoders X86 Instructions Macro-op Dispatcher CSD Fusion MSROM DIFT!20

68 Stealth-mode translation Sensitive Code/ Data Addresses Decoders OS/ Antivirus Model Specific Range Registers Regular Decoders X86 Instructions Macro-op Dispatcher CSD Fusion MSROM DIFT!20

69 Stealth-mode translation Sensitive Code/ Data Addresses Decoders OS/ Antivirus Model Specific Range Registers Regular Decoders X86 Instructions inc [0x803ac] Macro-op Dispatcher CSD Fusion MSROM DIFT!20

70 Stealth-mode translation Sensitive Code/ Data Addresses Decoders OS/ Antivirus Model Specific Range Registers Regular Decoders X86 Instructions inc [0x803ac] Macro-op Dispatcher CSD Fusion Key-Dependent Mem Access MSROM DIFT!20

71 Stealth-mode translation Sensitive Code/ Data Addresses Decoders OS/ Antivirus Model Specific Range Registers Regular Decoders X86 Instructions Macro-op Dispatcher inc [0x803ac] CSD Fusion Key-Dependent Mem Access MSROM DIFT!20

72 Stealth-mode translation Sensitive Code/ Data Addresses Decoders OS/ Antivirus Model Specific Range Registers Regular Decoders X86 Instructions Macro-op Dispatcher inc [0x803ac] CSD Fusion Key-Dependent Mem Access DIFT MSROM ld t0,[0x803ac] add t0, t0, 1 st [0x803ac], t0 mov t0,range.size top: ld t1,[t0+range.start],t0 subi t0,cbs br_lt top!20

73 Attacker s perspective Without Context-Sensitive Decoding!21

74 Attacker s perspective Key: Without Context-Sensitive Decoding!21

75 Attacker s perspective Key: F E D C B A Without Context-Sensitive Decoding!21

76 Attacker s perspective CSD With Context-Sensitive Decoding!21

77 Performance of stealth mode 4.9% We greatly improve security with less than 5% performance overhead!22

78 Outline Motivation Context-Sensitive-Decoding Architecture Use Case I: Side-Channel Defense Use Case II: Selective Devectorization Other Potential Applications Conclusion!23

79 Unit-level power gating SPEC2006 Omnetpp benchmark Intense Vector Activity Period Zero Vector Activity Period Infrequent Vector Activity Period!24

80 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher CSD Fusion Vector Activity Predictor MSROM Vector Processing Unit!25

81 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher CSD Fusion Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit!25

82 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher CSD Fusion Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit Power-Gated!25

83 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Vector Instruction Macro-op Dispatcher CSD Fusion Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit Power-Gated!25

84 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher Vector Instruction CSD Fusion Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit Power-Gated!25

85 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher Vector Instruction CSD Scalarized s Fusion Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit Power-Gated!25

86 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher Vector Instruction CSD Scalarized s Fusion Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit Power-Gated!25

87 Devectorization-mode translation Decoders Regular Decoders Scalar Functional Units X86 Instructions Macro-op Dispatcher Vector Instruction CSD Fusion Scalarized s Infrequent Activity Period Vector Activity Predictor MSROM Vector Processing Unit Power-Gated!25

88 Energy results Energy Normalized to Conventional Power Gating ~12% Context-Sensitive Decoding using devectorization mode can improve energy by 12%!26

89 Potential applications On-Demand Type Safety More WatchPoints Information Flow Tracking Sandboxing More Performance Counters Malware Detection Programming Languages Debugging Security!27

90 Conclusion Context-Sensitive Decoding enables the decoder to dynamically alter the behavior of programmer-visible ISA instructions. Change the functionality of the software without programmer or compiler intervention We presented stealth mode translation, an under the cover security defense against cache side channel attacks We enable selective devectorization via CSD, saving energy while simultaneously achieving a speedup over conventional power gating.!28

Similar documents

Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency

Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency Mobilizing the Micro-Ops: Exploiting Context Sensitive Decoding for Security and Energy Efficiency Mohammadkazem Taram Ashish Venkat Dean M. Tullsen University of California, San Diego {mtaram asvenkat

More information

Security-Aware Processor Architecture Design. CS 6501 Fall 2018 Ashish Venkat

Security-Aware Processor Architecture Design. CS 6501 Fall 2018 Ashish Venkat Security-Aware Processor Architecture Design CS 6501 Fall 2018 Ashish Venkat Agenda Theme Selection (due today at 11:59:59pm) Readings and Presentation Logistics Quick Processor Architecture Review (continued

More information

Meltdown and Spectre: Complexity and the death of security

Meltdown and Spectre: Complexity and the death of security Meltdown and Spectre: Complexity and the death of security May 8, 2018 Meltdown and Spectre: Wait, my computer does what? May 8, 2018 Meltdown and Spectre: Whoever thought that was a good idea? May 8,

More information

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan, Michael Dalton, Christos Kozyrakis Computer Systems Laboratory Stanford University Motivation Dynamic analysis help

More information

Spectre and Meltdown. Clifford Wolf q/talk

Spectre and Meltdown. Clifford Wolf q/talk Spectre and Meltdown Clifford Wolf q/talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative

More information

Spectre Returns! Speculation Attacks Using Return Stack Buffer

Spectre Returns! Speculation Attacks Using Return Stack Buffer Spectre Returns! Speculation Attacks Using Return Stack Buffer Esmaeil Mohammadian, Khaled N. Khasawneh, Chengyue Song and Nael Abu-Ghazaleh University of California, Riverside WOOT 2018 BALTIMORE, USA

More information

in memory: an evolution of attacks Mathias Payer Purdue University

in memory: an evolution of attacks Mathias Payer Purdue University in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory

More information

Meltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory

Meltdown or Holy Crap: How did we do this to ourselves Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory locations Breaks all security assumptions given

More information

CS377P Programming for Performance Single Thread Performance Out-of-order Superscalar Pipelines

CS377P Programming for Performance Single Thread Performance Out-of-order Superscalar Pipelines CS377P Programming for Performance Single Thread Performance Out-of-order Superscalar Pipelines Sreepathi Pai UTCS September 14, 2015 Outline 1 Introduction 2 Out-of-order Scheduling 3 The Intel Haswell

More information

Practical Malware Analysis

Practical Malware Analysis Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the

More information

T Jarkko Turkulainen, F-Secure Corporation

T Jarkko Turkulainen, F-Secure Corporation T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In

More information

ENGN1640: Design of Computing Systems Topic 06: Advanced Processor Design

ENGN1640: Design of Computing Systems Topic 06: Advanced Processor Design ENGN1640: Design of Computing Systems Topic 06: Advanced Processor Design Professor Sherief Reda http://scale.engin.brown.edu Electrical Sciences and Computer Engineering School of Engineering Brown University

More information

Meltdown and Spectre: Complexity and the death of security

Meltdown and Spectre: Complexity and the death of security Meltdown and Spectre: Complexity and the death of security May 8, 2018 Meltdown and Spectre: Wait, my computer does what? January 24, 2018 Meltdown and Spectre: Whoever thought that was a good idea? January

More information

Exploiting Branch Target Injection. Jann Horn, Google Project Zero

Exploiting Branch Target Injection. Jann Horn, Google Project Zero Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction Reverse-engineering branch prediction Leaking host memory from KVM 2 Disclaimer I haven't worked in CPU design I

More information

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor 1 Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan, Michael Dalton, Christos Kozyrakis Presenter: Yue Zheng Yulin Shi Outline Motivation & Background Hardware DIFT

More information

Last time: forwarding/stalls. CS 6354: Branch Prediction (con t) / Multiple Issue. Why bimodal: loops. Last time: scheduling to avoid stalls

Last time: forwarding/stalls. CS 6354: Branch Prediction (con t) / Multiple Issue. Why bimodal: loops. Last time: scheduling to avoid stalls CS 6354: Branch Prediction (con t) / Multiple Issue 14 September 2016 Last time: scheduling to avoid stalls 1 Last time: forwarding/stalls add $a0, $a2, $a3 ; zero or more instructions sub $t0, $a0, $a1

More information

Subversive-C: Abusing and Protecting Dynamic Message Dispatch

Subversive-C: Abusing and Protecting Dynamic Message Dispatch Subversive-C: Abusing and Protecting Dynamic Message Dispatch Julian Lettner, Benjamin Kollenda, Andrei Homescu, Per Larsen, Felix Schuster, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz, Michael Franz

More information

Core Fusion: Accommodating Software Diversity in Chip Multiprocessors

Core Fusion: Accommodating Software Diversity in Chip Multiprocessors Core Fusion: Accommodating Software Diversity in Chip Multiprocessors Authors: Engin Ipek, Meyrem Kırman, Nevin Kırman, and Jose F. Martinez Navreet Virk Dept of Computer & Information Sciences University

More information

ECE 571 Advanced Microprocessor-Based Design Lecture 4

ECE 571 Advanced Microprocessor-Based Design Lecture 4 ECE 571 Advanced Microprocessor-Based Design Lecture 4 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 28 January 2016 Homework #1 was due Announcements Homework #2 will be posted

More information

EECC551 - Shaaban. 1 GHz? to???? GHz CPI > (?)

EECC551 - Shaaban. 1 GHz? to???? GHz CPI > (?) Evolution of Processor Performance So far we examined static & dynamic techniques to improve the performance of single-issue (scalar) pipelined CPU designs including: static & dynamic scheduling, static

More information

SGXBounds Memory Safety for Shielded Execution

SGXBounds Memory Safety for Shielded Execution SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia *, Pascal Felber, Christof Fetzer TU Dresden, * The University of Edinburgh,

More information

UG4 Honours project selection: Talk to Vijay or Boris if interested in computer architecture projects

UG4 Honours project selection: Talk to Vijay or Boris if interested in computer architecture projects Announcements UG4 Honours project selection: Talk to Vijay or Boris if interested in computer architecture projects Inf3 Computer Architecture - 2017-2018 1 Last time: Tomasulo s Algorithm Inf3 Computer

More information

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial

More information

To accelerate our learnings, we brought in an expert in CPU side channel attacks. Anders Fogh

To accelerate our learnings, we brought in an expert in CPU side channel attacks. Anders Fogh To accelerate our learnings, we brought in an expert in CPU side channel attacks Anders Fogh Virtualization-based isolation Microsoft Azure, Hyper-V Affected Kernel-user separation Windows Affected Process-based

More information

Predicting Program Phases and Defending against Side-Channel Attacks using Hardware Performance Counters

Predicting Program Phases and Defending against Side-Channel Attacks using Hardware Performance Counters Predicting Program Phases and Defending against Side-Channel Attacks using Hardware Performance Counters Junaid Nomani and Jakub Szefer Computer Architecture and Security Laboratory Yale University junaid.nomani@yale.edu

More information

Metodologie di Progettazione Hardware-Software

Metodologie di Progettazione Hardware-Software Metodologie di Progettazione Hardware-Software Advanced Pipelining and Instruction-Level Paralelism Metodologie di Progettazione Hardware/Software LS Ing. Informatica 1 ILP Instruction-level Parallelism

More information

Multi-threaded processors. Hung-Wei Tseng x Dean Tullsen

Multi-threaded processors. Hung-Wei Tseng x Dean Tullsen Multi-threaded processors Hung-Wei Tseng x Dean Tullsen OoO SuperScalar Processor Fetch instructions in the instruction window Register renaming to eliminate false dependencies edule an instruction to

More information

BlackBox. Lightweight Security Monitoring for COTS Binaries. Byron Hawkins and Brian Demsky University of California, Irvine, USA

BlackBox. Lightweight Security Monitoring for COTS Binaries. Byron Hawkins and Brian Demsky University of California, Irvine, USA BlackBox Lightweight Security Monitoring for COTS Binaries Byron Hawkins and Brian Demsky University of California, Irvine, USA Michael B. Taylor University of California, San Diego, USA Why Security Monitoring?

More information

Call Paths for Pin Tools

Call Paths for Pin Tools , Xu Liu, and John Mellor-Crummey Department of Computer Science Rice University CGO'14, Orlando, FL February 17, 2014 What is a Call Path? main() A() B() Foo() { x = *ptr;} Chain of function calls that

More information

Reconfigurable and Self-optimizing Multicore Architectures. Presented by: Naveen Sundarraj

Reconfigurable and Self-optimizing Multicore Architectures. Presented by: Naveen Sundarraj Reconfigurable and Self-optimizing Multicore Architectures Presented by: Naveen Sundarraj 1 11/9/2012 OUTLINE Introduction Motivation Reconfiguration Performance evaluation Reconfiguration Self-optimization

More information

Microarchitecture Overview. Performance

Microarchitecture Overview. Performance Microarchitecture Overview Prof. Scott Rixner Duncan Hall 3028 rixner@rice.edu January 15, 2007 Performance 4 Make operations faster Process improvements Circuit improvements Use more transistors to make

More information

Securing High-performance RISC-V Processors from Time Speculation Christopher Celio, Jose Renau Esperanto Technologies {christopher.

Securing High-performance RISC-V Processors from Time Speculation Christopher Celio, Jose Renau Esperanto Technologies {christopher. Securing High-performance RISC-V Processors from Time Speculation Christopher Celio, Jose Renau Esperanto Technologies {christopher.celio, jose.renau} @esperantotech.com 8th RISC-V Workshop Barcelona,

More information

Multi-cycle Instructions in the Pipeline (Floating Point)

Multi-cycle Instructions in the Pipeline (Floating Point) Lecture 6 Multi-cycle Instructions in the Pipeline (Floating Point) Introduction to instruction level parallelism Recap: Support of multi-cycle instructions in a pipeline (App A.5) Recap: Superpipelining

More information

Microarchitecture Overview. Performance

Microarchitecture Overview. Performance Microarchitecture Overview Prof. Scott Rixner Duncan Hall 3028 rixner@rice.edu January 18, 2005 Performance 4 Make operations faster Process improvements Circuit improvements Use more transistors to make

More information

Inject malicious code Call any library functions Modify the original code

Inject malicious code Call any library functions Modify the original code Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt

More information

Computer Architecture: Multi-Core Processors: Why? Prof. Onur Mutlu Carnegie Mellon University

Computer Architecture: Multi-Core Processors: Why? Prof. Onur Mutlu Carnegie Mellon University Computer Architecture: Multi-Core Processors: Why? Prof. Onur Mutlu Carnegie Mellon University Moore s Law Moore, Cramming more components onto integrated circuits, Electronics, 1965. 2 3 Multi-Core Idea:

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.

More information

Shreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S

Shreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S Shreds: S H R E D S Fine-grained Execution Units with Private Memory Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu RiS3 Lab / Computer Science / Stony Brook University 1 Execution Units

More information

CSE 240A Midterm Exam

CSE 240A Midterm Exam Student ID Page 1 of 7 2011 Fall Professor Steven Swanson CSE 240A Midterm Exam Please write your name at the top of each page This is a close book, closed notes exam. No outside material may be used.

More information

CPI < 1? How? What if dynamic branch prediction is wrong? Multiple issue processors: Speculative Tomasulo Processor

CPI < 1? How? What if dynamic branch prediction is wrong? Multiple issue processors: Speculative Tomasulo Processor 1 CPI < 1? How? From Single-Issue to: AKS Scalar Processors Multiple issue processors: VLIW (Very Long Instruction Word) Superscalar processors No ISA Support Needed ISA Support Needed 2 What if dynamic

More information

CS146 Computer Architecture. Fall Midterm Exam

CS146 Computer Architecture. Fall Midterm Exam CS146 Computer Architecture Fall 2002 Midterm Exam This exam is worth a total of 100 points. Note the point breakdown below and budget your time wisely. To maximize partial credit, show your work and state

More information

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g CSE 227 Computer Security Spring 2010 Software Df Defenses I Stefan Savage Kinds of defenses Eliminate violation of runtime model Better languages, code analysis Don t allow bad input Input validation

More information

Runtime Defenses against Memory Corruption

Runtime Defenses against Memory Corruption CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,

More information

The Story of Meltdown and Spectre. Jann Horn & Daniel Gruss May 17, 2018

The Story of Meltdown and Spectre. Jann Horn & Daniel Gruss May 17, 2018 The Story of Meltdown and Spectre Jann Horn & Daniel Gruss May 17, 2018 1 Who are we Jann Horn Google Project Zero jannh@google.com 2 Who are we Daniel Gruss Post-Doc @ Graz University Of Technology @lavados

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.

More information

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization 04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization

More information

Processes. CS 416: Operating Systems Design, Spring 2011 Department of Computer Science Rutgers University

Processes. CS 416: Operating Systems Design, Spring 2011 Department of Computer Science Rutgers University Processes Design, Spring 2011 Department of Computer Science Von Neuman Model Both text (program) and data reside in memory Execution cycle Fetch instruction Decode instruction Execute instruction CPU

More information

DEEP HOOKS MONITORING NATIVE EXECUTION IN WOW64 APPLICATIONS. Yarden Assaf

DEEP HOOKS MONITORING NATIVE EXECUTION IN WOW64 APPLICATIONS. Yarden Assaf DEEP HOOKS MONITORING NATIVE EXECUTION IN WOW64 APPLICATIONS Assaf Carlsbad @assaf_carlsbad Yarden Shafir @yarden_shafir Yarden I started dancing at the age of 7 and later competed with a rhythmic gymnastics

More information

Inside VMProtect. Introduction. Internal. Analysis. VM Logic. Inside VMProtect. Conclusion. Samuel Chevet. 16 January 2015.

Inside VMProtect. Introduction. Internal. Analysis. VM Logic. Inside VMProtect. Conclusion. Samuel Chevet. 16 January 2015. 16 January 2015 Agenda Describe what VMProtect is Introduce code virtualization in software protection Methods for circumvention VM logic Warning Some assumptions are made in this presentation Only few

More information

White Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS

White Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS White Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS INTRODUCTION Speculative execution is a basic principle of all modern processor designs and is critical to support high performance

More information

Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick

Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment Orin Thomas @orinthomas Jeff Melnick Jeff.Melnick@Netwrix.com In this session Vulnerability types Spectre Meltdown Spectre

More information

Real-World Buffer Overflow Protection in User & Kernel Space

Real-World Buffer Overflow Protection in User & Kernel Space Real-World Buffer Overflow Protection in User & Kernel Space Michael Dalton, Hari Kannan, Christos Kozyrakis Computer Systems Laboratory Stanford University http://raksha.stanford.edu 1 Motivation Buffer

More information

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes

More information

Chapter 4. Advanced Pipelining and Instruction-Level Parallelism. In-Cheol Park Dept. of EE, KAIST

Chapter 4. Advanced Pipelining and Instruction-Level Parallelism. In-Cheol Park Dept. of EE, KAIST Chapter 4. Advanced Pipelining and Instruction-Level Parallelism In-Cheol Park Dept. of EE, KAIST Instruction-level parallelism Loop unrolling Dependence Data/ name / control dependence Loop level parallelism

More information

Computer Architecture: Multi-Core Processors: Why? Onur Mutlu & Seth Copen Goldstein Carnegie Mellon University 9/11/13

Computer Architecture: Multi-Core Processors: Why? Onur Mutlu & Seth Copen Goldstein Carnegie Mellon University 9/11/13 Computer Architecture: Multi-Core Processors: Why? Onur Mutlu & Seth Copen Goldstein Carnegie Mellon University 9/11/13 Moore s Law Moore, Cramming more components onto integrated circuits, Electronics,

More information

Compiling for Nehalem (the Intel Core Microarchitecture, Intel Xeon 5500 processor family and the Intel Core i7 processor)

Compiling for Nehalem (the Intel Core Microarchitecture, Intel Xeon 5500 processor family and the Intel Core i7 processor) Compiling for Nehalem (the Intel Core Microarchitecture, Intel Xeon 5500 processor family and the Intel Core i7 processor) Martyn Corden Developer Products Division Software & Services Group Intel Corporation

More information

CS152 Computer Architecture and Engineering VLIW, Vector, and Multithreaded Machines

CS152 Computer Architecture and Engineering VLIW, Vector, and Multithreaded Machines CS152 Computer Architecture and Engineering VLIW, Vector, and Multithreaded Machines Assigned April 7 Problem Set #5 Due April 21 http://inst.eecs.berkeley.edu/~cs152/sp09 The problem sets are intended

More information

Secure Programming Lecture 15: Information Leakage

Secure Programming Lecture 15: Information Leakage Secure Programming Lecture 15: Information Leakage David Aspinall 21st March 2017 Outline Overview Language Based Security Taint tracking Information flow security by type-checking Summary Recap We have

More information

Several Common Compiler Strategies. Instruction scheduling Loop unrolling Static Branch Prediction Software Pipelining

Several Common Compiler Strategies. Instruction scheduling Loop unrolling Static Branch Prediction Software Pipelining Several Common Compiler Strategies Instruction scheduling Loop unrolling Static Branch Prediction Software Pipelining Basic Instruction Scheduling Reschedule the order of the instructions to reduce the

More information

CS / ECE 6810 Midterm Exam - Oct 21st 2008

CS / ECE 6810 Midterm Exam - Oct 21st 2008 Name and ID: CS / ECE 6810 Midterm Exam - Oct 21st 2008 Notes: This is an open notes and open book exam. If necessary, make reasonable assumptions and clearly state them. The only clarifications you may

More information

CS152 Computer Architecture and Engineering CS252 Graduate Computer Architecture. VLIW, Vector, and Multithreaded Machines

CS152 Computer Architecture and Engineering CS252 Graduate Computer Architecture. VLIW, Vector, and Multithreaded Machines CS152 Computer Architecture and Engineering CS252 Graduate Computer Architecture VLIW, Vector, and Multithreaded Machines Assigned 3/24/2019 Problem Set #4 Due 4/5/2019 http://inst.eecs.berkeley.edu/~cs152/sp19

More information

CSE 237B Fall 2009 Virtualization, Security and RTOS. Rajesh Gupta Computer Science and Engineering University of California, San Diego.

CSE 237B Fall 2009 Virtualization, Security and RTOS. Rajesh Gupta Computer Science and Engineering University of California, San Diego. CSE 237B Fall 2009 Virtualization, Security and RTOS Rajesh Gupta Computer Science and Engineering University of California, San Diego. Overview What is virtualization? Types of virtualization and VMs

More information

Pipelining to Superscalar

Pipelining to Superscalar Pipelining to Superscalar ECE/CS 752 Fall 207 Prof. Mikko H. Lipasti University of Wisconsin-Madison Pipelining to Superscalar Forecast Limits of pipelining The case for superscalar Instruction-level parallel

More information

Computer Architecture

Computer Architecture Computer Architecture Lecture 3: ISA Tradeoffs Dr. Ahmed Sallam Suez Canal University Spring 2015 Based on original slides by Prof. Onur Mutlu Design Point A set of design considerations and their importance

More information

Optimizing Models of an FPGA Embedded System. Adam Donlin Xilinx Research Labs September 2004

Optimizing Models of an FPGA Embedded System. Adam Donlin Xilinx Research Labs September 2004 Optimizing Models of an FPGA Embedded System Adam Donlin Xilinx Research Labs September 24 Outline Target System Architecture Model Optimizations and Simulation Impact Port Datatypes Threads and Methods

More information

Lecture 8 Dynamic Branch Prediction, Superscalar and VLIW. Computer Architectures S

Lecture 8 Dynamic Branch Prediction, Superscalar and VLIW. Computer Architectures S Lecture 8 Dynamic Branch Prediction, Superscalar and VLIW Computer Architectures 521480S Dynamic Branch Prediction Performance = ƒ(accuracy, cost of misprediction) Branch History Table (BHT) is simplest

More information

Simplified and Effective Serial and Parallel Performance Optimization

Simplified and Effective Serial and Parallel Performance Optimization HPC Code Modernization Workshop at LRZ Simplified and Effective Serial and Parallel Performance Optimization Performance tuning Using Intel VTune Performance Profiler Performance Tuning Methodology Goal:

More information

Secure Software Development: Theory and Practice

Secure Software Development: Theory and Practice Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing

More information

A Software Solution for Hardware Vulnerabilities

A Software Solution for Hardware Vulnerabilities A Software Solution for Hardware Vulnerabilities Komail Dharsee University of Rochester Ethan Johnson University of Rochester John Criswell University of Rochester 1 / 22 Hardware Bugs! AMD recently shipped

More information

CFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer

CFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer CFIXX: Object Type Integrity Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer Control-Flow Hijacking Attacks C / C++ are ubiquitous and insecure Browsers: Chrome, Firefox, Internet Explorer Servers:

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause

More information

Pipelining, Branch Prediction, Trends

Pipelining, Branch Prediction, Trends Pipelining, Branch Prediction, Trends 10.1-10.4 Topics 10.1 Quantitative Analyses of Program Execution 10.2 From CISC to RISC 10.3 Pipelining the Datapath Branch Prediction, Delay Slots 10.4 Overlapping

More information

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni. Lecture Notes for 04/04/06 UNTRUSTED CODE Fatima Zarinni. Last class we started to talk about the different System Solutions for Stack Overflow. We are going to continue the subject. Stages of Stack Overflow

More information

Reduction of Control Hazards (Branch) Stalls with Dynamic Branch Prediction

Reduction of Control Hazards (Branch) Stalls with Dynamic Branch Prediction ISA Support Needed By CPU Reduction of Control Hazards (Branch) Stalls with Dynamic Branch Prediction So far we have dealt with control hazards in instruction pipelines by: 1 2 3 4 Assuming that the branch

More information

ILP concepts (2.1) Basic compiler techniques (2.2) Reducing branch costs with prediction (2.3) Dynamic scheduling (2.4 and 2.5)

ILP concepts (2.1) Basic compiler techniques (2.2) Reducing branch costs with prediction (2.3) Dynamic scheduling (2.4 and 2.5) Instruction-Level Parallelism and its Exploitation: PART 1 ILP concepts (2.1) Basic compiler techniques (2.2) Reducing branch costs with prediction (2.3) Dynamic scheduling (2.4 and 2.5) Project and Case

More information

A Fault Tolerant Superscalar Processor

A Fault Tolerant Superscalar Processor A Fault Tolerant Superscalar Processor 1 [Based on Coverage of a Microarchitecture-level Fault Check Regimen in a Superscalar Processor by V. Reddy and E. Rotenberg (2008)] P R E S E N T E D B Y NAN Z

More information

18-600: Recitation #4 Exploits

18-600: Recitation #4 Exploits 18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:

More information

Buffer overflow prevention, and other attacks

Buffer overflow prevention, and other attacks Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks

More information

CS450/650 Notes Winter 2013 A Morton. Superscalar Pipelines

CS450/650 Notes Winter 2013 A Morton. Superscalar Pipelines CS450/650 Notes Winter 2013 A Morton Superscalar Pipelines 1 Scalar Pipeline Limitations (Shen + Lipasti 4.1) 1. Bounded Performance P = 1 T = IC CPI 1 cycletime = IPC frequency IC IPC = instructions per

More information

EN164: Design of Computing Systems Topic 08: Parallel Processor Design (introduction)

EN164: Design of Computing Systems Topic 08: Parallel Processor Design (introduction) EN164: Design of Computing Systems Topic 08: Parallel Processor Design (introduction) Professor Sherief Reda http://scale.engin.brown.edu Electrical Sciences and Computer Engineering School of Engineering

More information

Instruction-Level Parallelism and Its Exploitation

Instruction-Level Parallelism and Its Exploitation Chapter 2 Instruction-Level Parallelism and Its Exploitation 1 Overview Instruction level parallelism Dynamic Scheduling Techniques es Scoreboarding Tomasulo s s Algorithm Reducing Branch Cost with Dynamic

More information

Computer Architecture s Changing Definition

Computer Architecture s Changing Definition Computer Architecture s Changing Definition 1950s Computer Architecture Computer Arithmetic 1960s Operating system support, especially memory management 1970s to mid 1980s Computer Architecture Instruction

More information

CPI IPC. 1 - One At Best 1 - One At best. Multiple issue processors: VLIW (Very Long Instruction Word) Speculative Tomasulo Processor

CPI IPC. 1 - One At Best 1 - One At best. Multiple issue processors: VLIW (Very Long Instruction Word) Speculative Tomasulo Processor Single-Issue Processor (AKA Scalar Processor) CPI IPC 1 - One At Best 1 - One At best 1 From Single-Issue to: AKS Scalar Processors CPI < 1? How? Multiple issue processors: VLIW (Very Long Instruction

More information

PageVault: Securing Off-Chip Memory Using Page-Based Authen?ca?on. Blaise-Pascal Tine Sudhakar Yalamanchili

PageVault: Securing Off-Chip Memory Using Page-Based Authen?ca?on. Blaise-Pascal Tine Sudhakar Yalamanchili PageVault: Securing Off-Chip Memory Using Page-Based Authen?ca?on Blaise-Pascal Tine Sudhakar Yalamanchili Outline Background: Memory Security Motivation Proposed Solution Implementation Evaluation Conclusion

More information

Lecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems

Lecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems Lecture 10 Pointless Tainting? Evaluating the Practicality of Pointer Tainting Asia Slowinska, Herbert Bos Advanced Operating Systems December 15, 2010 SOA/OS Lecture 10, Pointer Tainting 1/40 Introduction

More information

Testudo: Heavyweight Security Analysis via Statistical Sampling

Testudo: Heavyweight Security Analysis via Statistical Sampling Testudo: Heavyweight Security Analysis via Statistical Sampling Joseph L. Greathouse Ilya Wagner David A. Ramos Gautam Bhatnagar Todd Austin Valeria Bertacco Seth Pettie Advanced Computer Architecture

More information

Instruction Level Parallelism

Instruction Level Parallelism Instruction Level Parallelism The potential overlap among instruction execution is called Instruction Level Parallelism (ILP) since instructions can be executed in parallel. There are mainly two approaches

More information

Spectre and Meltdown: Data leaks during speculative execution

Spectre and Meltdown: Data leaks during speculative execution Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval

More information

CS 361S - Network Security and Privacy Spring Homework #2

CS 361S - Network Security and Privacy Spring Homework #2 CS 361S - Network Security and Privacy Spring 2014 Homework #2 Due: 11am CDT (in class), April 17, 2014 YOUR NAME: Collaboration policy No collaboration is permitted on this assignment. Any cheating (e.g.,

More information

Performance analysis basics

Performance analysis basics Performance analysis basics Christian Iwainsky Iwainsky@rz.rwth-aachen.de 25.3.2010 1 Overview 1. Motivation 2. Performance analysis basics 3. Measurement Techniques 2 Why bother with performance analysis

More information

BEng (Hons.) Telecommunications. BSc (Hons.) Computer Science with Network Security

BEng (Hons.) Telecommunications. BSc (Hons.) Computer Science with Network Security BEng (Hons.) Telecommunications BSc (Hons.) Computer Science with Network Security Cohorts: BTEL/15B/FT BCNS/16B/FT Examinations for 2016-2017 / Semester 2 Resit Examinations for BTEL/13B/FT & BTEL/15B/FT

More information

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases

More information

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers. Buffer Overflows A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers. By: Brian Roberts What is a buffer overflow? In languages that deal with data structures

More information

Maximum Security with Minimum Impact : Going Beyond Next Gen

Maximum Security with Minimum Impact : Going Beyond Next Gen SESSION ID: SP03-W10 Maximum Security with Minimum Impact : Going Beyond Next Gen Wendy Moore Director, User Protection Trend Micro @WMBOTT Hyper-competitive Cloud Rapid adoption Social Global Mobile IoT

More information

TDT 4260 lecture 7 spring semester 2015

TDT 4260 lecture 7 spring semester 2015 1 TDT 4260 lecture 7 spring semester 2015 Lasse Natvig, The CARD group Dept. of computer & information science NTNU 2 Lecture overview Repetition Superscalar processor (out-of-order) Dependencies/forwarding

More information

Memory Safety for Low- Level Software/Hardware Interactions

Memory Safety for Low- Level Software/Hardware Interactions Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Montreal or Bust! Vikram Adve Safety Future is Bright User-space memory safety is improving Safe languages SAFECode,

More information

Wrong Path Events and Their Application to Early Misprediction Detection and Recovery

Wrong Path Events and Their Application to Early Misprediction Detection and Recovery Wrong Path Events and Their Application to Early Misprediction Detection and Recovery David N. Armstrong Hyesoon Kim Onur Mutlu Yale N. Patt University of Texas at Austin Motivation Branch predictors are

More information

CS654 Advanced Computer Architecture. Lec 2 - Introduction

CS654 Advanced Computer Architecture. Lec 2 - Introduction CS654 Advanced Computer Architecture Lec 2 - Introduction Peter Kemper Adapted from the slides of EECS 252 by Prof. David Patterson Electrical Engineering and Computer Sciences University of California,

More information

Performance Characterization, Prediction, and Optimization for Heterogeneous Systems with Multi-Level Memory Interference

Performance Characterization, Prediction, and Optimization for Heterogeneous Systems with Multi-Level Memory Interference The 2017 IEEE International Symposium on Workload Characterization Performance Characterization, Prediction, and Optimization for Heterogeneous Systems with Multi-Level Memory Interference Shin-Ying Lee

More information

18-600: Recitation #4 Exploits (Attack Lab)

18-600: Recitation #4 Exploits (Attack Lab) 18-600: Recitation #4 Exploits (Attack Lab) September 19th, 2017 Announcements Some students have triggered the bomb multiple times Use breakpoints for explode_bomb() Attack lab will be released on Sep.

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback