From bottom to top: Exploiting hardware side channels in web browsers
|
|
- Candice Rodgers
- 6 years ago
- Views:
Transcription
1 From bottom to top: Exploiting hardware side channels in web browsers Clémentine Maurice, Graz University of Technology July 4, 2017 RMLL, Saint-Étienne, France
2 Rennes Graz Clémentine Maurice PhD since October 2015 from Rennes, France now postdoc at TU Graz, Austria Secure Systems group + Secure Systems team: Daniel Gruss, Michael Schwarz, Peter Pessl 2
3 Introduction safe software infrastructure does not mean safe execution 3
4 Introduction safe software infrastructure does not mean safe execution information leaks because of the underlying hardware 3
5 Introduction safe software infrastructure does not mean safe execution information leaks because of the underlying hardware these vulnerabilities can also be exploited at a high level 3
6 Introduction safe software infrastructure does not mean safe execution information leaks because of the underlying hardware these vulnerabilities can also be exploited at a high level like a web browser 3
7 Introduction safe software infrastructure does not mean safe execution information leaks because of the underlying hardware these vulnerabilities can also be exploited at a high level like a web browser because JavaScript is nothing more than code executing on your machine :) 3
8 Outline 1. What are micro-architectural side channels? 4
9 Outline 1. What are micro-architectural side channels? 2. How can I use DRAM to create a covert channel? 4
10 Outline 1. What are micro-architectural side channels? 2. How can I use DRAM to create a covert channel? 3. How can I do that in JavaScript?! 4
11 Sources of leakage no bug in the sense of a mistake lots of performance optimizations 5
12 Sources of leakage no bug in the sense of a mistake lots of performance optimizations via power consumption, electromagnetic leaks 5
13 Sources of leakage no bug in the sense of a mistake lots of performance optimizations via power consumption, electromagnetic leaks 5
14 Sources of leakage no bug in the sense of a mistake lots of performance optimizations via power consumption, electromagnetic leaks targeted attacks, physical access 5
15 Sources of leakage no bug in the sense of a mistake lots of performance optimizations via power consumption, electromagnetic leaks targeted attacks, physical access via shared hardware and microarchitecture 5
16 Sources of leakage no bug in the sense of a mistake lots of performance optimizations via power consumption, electromagnetic leaks targeted attacks, physical access via shared hardware and microarchitecture remote attacks 5
17 Shared hardware shared hardware memory CPU DRAM memory bus branch prediction unit arithmetic logic unit data and instruction cache 6
18 DRAM and side channels
19 DRAM organization 7
20 DRAM organization channel 0 channel 1 7
21 DRAM organization back of DIMM: rank 1 channel 0 front of DIMM: rank 0 channel 1 7
22 DRAM organization back of DIMM: rank 1 channel 0 front of DIMM: rank 0 channel 1 chip 7
23 DRAM organization bank 0 chip row 0 row 1 row 2... row row buffer 8
24 DRAM organization bank 0 chip row 0 row 1 row 2... row row buffer 64k cells 1 capacitor, 1 transitor each 8
25 DRAM row buffer DRAM internally is only capable of reading entire rows 9
26 DRAM row buffer DRAM internally is only capable of reading entire rows capacitors in cells discharge when you read the bits buffer the bits when reading them from the cells write the bits back to the cells when you re done 9
27 DRAM row buffer DRAM internally is only capable of reading entire rows capacitors in cells discharge when you read the bits buffer the bits when reading them from the cells write the bits back to the cells when you re done row buffer 9
28 How reading from DRAM works DRAM bank CPU wants to access row row buffer 10
29 How reading from DRAM works activate DRAM bank CPU wants to access row 1 row 1 activated row buffer 10
30 How reading from DRAM works DRAM bank CPU wants to access row 1 row 1 activated row 1 copied to row buffer copy row buffer 10
31 How reading from DRAM works return DRAM bank CPU wants to access row 1 row 1 activated row 1 copied to row buffer row buffer 10
32 How reading from DRAM works DRAM bank CPU wants to access row row buffer 10
33 How reading from DRAM works activate DRAM bank CPU wants to access row 2 row 2 activated row buffer 10
34 How reading from DRAM works DRAM bank CPU wants to access row 2 row 2 activated row 2 copied to row buffer copy row buffer 10
35 How reading from DRAM works return DRAM bank CPU wants to access row 2 row 2 activated row 2 copied to row buffer row buffer 10
36 How reading from DRAM works DRAM bank CPU wants to access row 2 row 2 activated row 2 copied to row buffer slow (row conflict) row buffer 10
37 How reading from DRAM works DRAM bank CPU wants to access row 2 again row buffer 10
38 How reading from DRAM works DRAM bank CPU wants to access row 2 again row 2 already in row buffer row buffer 10
39 How reading from DRAM works return DRAM bank CPU wants to access row 2 again row 2 already in row buffer row buffer 10
40 How reading from DRAM works DRAM bank CPU wants to access row 2 again row 2 already in row buffer fast (row hit) row buffer 10
41 How reading from DRAM works DRAM bank row buffer = cache row buffer 10
42 DRAM timing differences Cache hit Cache miss, row hit Cache miss, row conflict 10 7 Number of cases Access time [CPU cycles] 11
43 DRAM timing differences Cache hit Cache miss, row hit Cache miss, row conflict 10 7 Number of cases Access time [CPU cycles] 11
44 DRAM side channels? row buffers are caches 12
45 DRAM side channels? row buffers are caches we can observe timing differences 12
46 DRAM side channels? row buffers are caches we can observe timing differences how to exploit these timing differences? 12
47 DRAM side channels? row buffers are caches we can observe timing differences how to exploit these timing differences? target addresses in the same channel, rank and bank 12
48 DRAM side channels? row buffers are caches we can observe timing differences how to exploit these timing differences? target addresses in the same channel, rank and bank but DRAM mapping functions are undocumented 12
49 DRAM side channels? row buffers are caches we can observe timing differences how to exploit these timing differences? target addresses in the same channel, rank and bank but DRAM mapping functions are undocumented we reverse-engineered them! P. Pessl et al. DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. In: USENIX Security Symposium
50 DRAMA: DRAM Addressing attacks infer behavior from memory accesses similarly to cache attacks 13
51 DRAMA: DRAM Addressing attacks infer behavior from memory accesses similarly to cache attacks works across VMs, across cores, across CPUs 13
52 DRAMA: DRAM Addressing attacks infer behavior from memory accesses similarly to cache attacks works across VMs, across cores, across CPUs covert channels and side-channel attacks 13
53 DRAMA: DRAM Addressing attacks infer behavior from memory accesses similarly to cache attacks works across VMs, across cores, across CPUs covert channels and side-channel attacks covert channel: two processes communicating with each other not allowed to do so, e.g., across VMs 13
54 DRAMA: DRAM Addressing attacks infer behavior from memory accesses similarly to cache attacks works across VMs, across cores, across CPUs covert channels and side-channel attacks covert channel: two processes communicating with each other not allowed to do so, e.g., across VMs side-channel attack: one malicious process spies on benign processes e.g., spies on keystrokes 13
55 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i row buffer 14
56 DRAMA covert channel activate DRAM bank... copy sender and receiver agree on one bank receiver continuously accesses a row i row 0 0 buffer
57 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #1: sender transmits row 0 0 buffer
58 DRAMA covert channel activate DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i case #1: sender transmits 1 sender accesses row j i copy row 0 0 buffer
59 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #1: sender transmits 1 sender accesses row j i row 0 0 buffer
60 DRAMA covert channel DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i activate... copy case #1: sender transmits 1 sender accesses row j i next receiver access copy row buffer row 0 0 buffer
61 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #1: sender transmits 1 sender accesses row j i next receiver access copy row buffer slow row 0 0 buffer
62 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #2: sender transmits row 0 0 buffer
63 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #2: sender transmits 0 sender does nothing row 0 0 buffer
64 DRAMA covert channel activate DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #2: sender transmits 0 sender does nothing next receiver access already in buffer row 0 0 buffer
65 DRAMA covert channel DRAM bank... sender and receiver agree on one bank receiver continuously accesses a row i case #2: sender transmits 0 sender does nothing next receiver access already in buffer fast row 0 0 buffer
66 Two applications can covertly communicate with each other But can we use that for spying?
67 DRAMA side-channel attacks DRAM bank... spy and victim share a row i row buffer 16
68 DRAMA side-channel attacks activate DRAM bank... spy and victim share a row i case #1 spy accesses row j i, copy to row buffer row 0 0 buffer
69 DRAMA side-channel attacks activate DRAM bank... spy and victim share a row i case #1 spy accesses row j i, copy to row buffer victim accesses row i, copy to row buffer row 0 0 buffer
70 DRAMA side-channel attacks activate DRAM bank... spy and victim share a row i case #1 spy accesses row j i, copy to row buffer victim accesses row i, copy to row buffer spy accesses row i, no copy row 0 0 buffer
71 DRAMA side-channel attacks DRAM bank... spy and victim share a row i case #1 spy accesses row j i, copy to row buffer victim accesses row i, copy to row buffer spy accesses row i, no copy fast row 0 0 buffer
72 DRAMA side-channel attacks activate DRAM bank... spy and victim share a row i case #2 spy accesses row j i, copy to row buffer row 0 0 buffer
73 DRAMA side-channel attacks DRAM bank... spy and victim share a row i case #2 spy accesses row j i, copy to row buffer no victim access on row i row 0 0 buffer
74 DRAMA side-channel attacks activate DRAM bank... spy and victim share a row i case #2 spy accesses row j i, copy to row buffer no victim access on row i spy accesses row i, copy to row buffer row 0 0 buffer
75 DRAMA side-channel attacks DRAM bank... spy and victim share a row i case #2 spy accesses row j i, copy to row buffer no victim access on row i spy accesses row i, copy to row buffer slow row 0 0 buffer
76 Spying on keystrokes on the Firefox URL bar side-channel: template attack allocate a large fraction of memory to be in a row with the victim profile memory and record row-hit ratio for each address 300 Access time w w w. f a c e b o o k. c o m Time in seconds 17
77 I m sure we ll need to write a lot of C code At least we re safe with JavaScript!
78 Member Rowhammer.js?
79 DRAM covert channels in JavaScript?
80 Why JavaScript? JavaScript is code executed in a sandbox 20
81 Why JavaScript? JavaScript is code executed in a sandbox can t do anything nasty since it is in a sandbox, right? 20
82 Why JavaScript? JavaScript is code executed in a sandbox can t do anything nasty since it is in a sandbox, right? except side channels are only doing benign operations 20
83 Why JavaScript? JavaScript is code executed in a sandbox can t do anything nasty since it is in a sandbox, right? except side channels are only doing benign operations 1. accessing their own memory 20
84 Why JavaScript? JavaScript is code executed in a sandbox can t do anything nasty since it is in a sandbox, right? except side channels are only doing benign operations 1. accessing their own memory 2. measuring time 20
85 Challenges with JavaScript 1. No knowledge about physical addresses 2. No instruction to flush the cache 3. No high-resolution timers 21
86 #1. No knowledge about physical addresses OS optimization: use Transparent Huge Pages (THP, 2MB pages) = last 21 bits (2MB) of physical address = last 21 bits (2MB) of virtual address 22
87 #1. No knowledge about physical addresses OS optimization: use Transparent Huge Pages (THP, 2MB pages) = last 21 bits (2MB) of physical address = last 21 bits (2MB) of virtual address which JS array indices? 22
88 #1. Obtaining the beginning of a THP Access time [ns] Array index [MB] physical pages for these THPs are mapped on-demand page fault when an allocated THP is accessed for the first time D. Gruss et al. Practical Memory Deduplication Attacks in Sandboxed JavaScript. In: ESORICS
89 #1. Choosing physical addresses we now know the last 21 bits of physical addresses enough for most systems, e.g., Sandy Bridge with DDR3 BA0 BA1 BA2 Rank Ch. 24
90 #2. No instruction to flush the cache CPU core CPU cache DRAM measure DRAM timing only non-cached accesses reach DRAM no clflush instruction evict data with other memory accesses 25
91 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA
92 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA
93 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA
94 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA
95 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA
96 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA
97 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA
98 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA
99 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses load cache set D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA
100 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses cache set it s a bit more complicated than that: replacement policy is not LRU D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA
101 #2. Bypassing the CPU cache: Basic idea evicting cache line only using memory accesses cache set it s a bit more complicated than that: replacement policy is not LRU but we already solved this problem before :) D. Gruss et al. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: DIMVA
102 #3. High-resolution timers? measure small timing differences: need a high-resolution timer 27
103 #3. High-resolution timers? measure small timing differences: need a high-resolution timer native: rdtsc, timestamp in CPU cycles 27
104 #3. High-resolution timers? measure small timing differences: need a high-resolution timer native: rdtsc, timestamp in CPU cycles JavaScript: performance.now() has the highest resolution 27
105 #3. High-resolution timers? measure small timing differences: need a high-resolution timer native: rdtsc, timestamp in CPU cycles JavaScript: performance.now() has the highest resolution performance.now() [...] represent times as floating-point numbers with up to microsecond precision. Mozilla Developer Network 27
106 High-resolution timers in JavaScript
107 It was better before before September 2015: performance.now() had a nanosecond resolution Y. Oren et al. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In: CCS
108 It was better before before September 2015: performance.now() had a nanosecond resolution Oren et al. demonstrated cache side-channel attacks in JavaScript Y. Oren et al. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In: CCS
109 It was better before before September 2015: performance.now() had a nanosecond resolution Oren et al. demonstrated cache side-channel attacks in JavaScript fixed in Firefox 41: rounding to 5 µs Y. Oren et al. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In: CCS
110 Microsecond precision? Firefox < 41 (1 ns)
111 Microsecond precision? Edge 38 (1 µs) 1 Firefox < 41 (1 ns)
112 Microsecond precision? W3C standard (5 µs) 5 Edge 38 (1 µs) 1 Firefox < 41 (1 ns)
113 Microsecond precision? 0 0 Firefox 41/Chrome/Safari (5 µs) W3C standard (5 µs) 5 5 Edge 38 (1 µs) 1 Firefox < 41 (1 ns)
114 Microsecond precision? 0 Tor (100 ms) Firefox 41/Chrome/Safari (5 µs) W3C standard (5 µs) Edge 38 (1 µs) Firefox < 41 (1 ns)
115 Microsecond precision? Fuzzyfox (100 ms) Tor (100 ms) Firefox 41/Chrome/Safari (5 µs) W3C standard (5 µs) Edge 38 (1 µs) Firefox < 41 (1 ns) D. Kohlbrenner et al. Trusted Browsers for Uncertain Times. In: USENIX Security Symposium
116 We can do better! microsecond resolution is not enough M. Schwarz et al. Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In: FC
117 We can do better! microsecond resolution is not enough two approaches M. Schwarz et al. Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In: FC
118 We can do better! microsecond resolution is not enough two approaches 1. recover a higher resolution from the available timer M. Schwarz et al. Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In: FC
119 We can do better! microsecond resolution is not enough two approaches 1. recover a higher resolution from the available timer 2. build our own high-resolution timer M. Schwarz et al. Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In: FC
120 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks 31
121 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks 31
122 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks
123 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks
124 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks to measure with high resolution 31
125 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks to measure with high resolution start measurement at clock edge 31
126 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks to measure with high resolution start measurement at clock edge increment a variable until next clock edge 31
127 Recovering resolution: Clock interpolation measure how often we can increment a variable between two timer ticks to measure with high resolution start measurement at clock edge increment a variable until next clock edge Firefox/Chrome: 500 ns, Tor: 15 µs 31
128 Recovering resolution: Edge thresholding often sufficient to just see which of two functions takes longer 32
129 Recovering resolution: Edge thresholding often sufficient to just see which of two functions takes longer 32
130 Recovering resolution: Edge thresholding often sufficient to just see which of two functions takes longer f slow f fast 32
131 Recovering resolution: Edge thresholding often sufficient to just see which of two functions takes longer f slow f fast Padding Padding padding so the slow function crosses one more clock edge than the fast one 32
132 Recovering resolution: Edge thresholding percentage unaligned aligned padded both correct f slow misclassified f fast misclassified 33
133 Recovering resolution: Edge thresholding percentage unaligned aligned padded both correct f slow misclassified f fast misclassified nanosecond resolution 33
134 Recovering resolution: Edge thresholding percentage unaligned aligned padded both correct f slow misclassified f fast misclassified nanosecond resolution Firefox/Tor: 2 ns, Edge: 10 ns, Chrome: 15 ns 33
135 Building a timer goal: counter that does not block main thread 34
136 Building a timer goal: counter that does not block main thread baseline settimeout: 4 ms (except Edge: 2 ms) 34
137 Building a timer goal: counter that does not block main thread baseline settimeout: 4 ms (except Edge: 2 ms) CSS animation increase width of element as fast as possible 34
138 Building a timer goal: counter that does not block main thread baseline settimeout: 4 ms (except Edge: 2 ms) CSS animation increase width of element as fast as possible timestamp = width of element 34
139 Building a timer goal: counter that does not block main thread baseline settimeout: 4 ms (except Edge: 2 ms) CSS animation increase width of element as fast as possible timestamp = width of element but animation limited to 60 fps 16 ms resolution 34
140 Building a timer: Web worker JavaScript can spawn new threads called web worker 35
141 Building a timer: Web worker JavaScript can spawn new threads called web worker web worker communicate using message passing 35
142 Building a timer: Web worker JavaScript can spawn new threads called web worker web worker communicate using message passing let worker count and request timestamp in main thread 35
143 Building a timer: Web worker JavaScript can spawn new threads called web worker web worker communicate using message passing let worker count and request timestamp in main thread possibilities: postmessage, MessageChannel or BroadcastChannel 35
144 Building a timer: Web worker JavaScript can spawn new threads called web worker web worker communicate using message passing let worker count and request timestamp in main thread possibilities: postmessage, MessageChannel or BroadcastChannel microsecond resolution (even on Tor and Fuzzyfox) 35
145 Building a timer: Web worker experimental feature to share data: SharedArrayBuffer 36
146 Building a timer: Web worker experimental feature to share data: SharedArrayBuffer web worker can simultaneously read/write data 36
147 Building a timer: Web worker experimental feature to share data: SharedArrayBuffer web worker can simultaneously read/write data no message passing overhead 36
148 Building a timer: Web worker experimental feature to share data: SharedArrayBuffer web worker can simultaneously read/write data no message passing overhead one dedicated worker for incrementing the shared variable 36
149 Building a timer: Web worker experimental feature to share data: SharedArrayBuffer web worker can simultaneously read/write data no message passing overhead one dedicated worker for incrementing the shared variable Firefox/Fuzzyfox: 2 ns, Chrome: 15 ns 36
150 Building a timer: Is it good enough? cache hit cache miss Number of cases Access time [SharedArrayBuffer increments] 37
151 Building a timer: Is it good enough? cache hit cache miss Number of cases Access time [SharedArrayBuffer increments] we can distinguish cache hits from cache misses (only 150 cycles difference)! 37
152 Take-away 38
153 Bonus: What else can we do with this? idea is not new: Wray (1992) we also exploited it in other contexts on ARM inside an SGX enclave J. C. Wray. An analysis of covert timing channels. In: Journal of Computer Security (1992), pp M. Lipp et al. ARMageddon: Cache Attacks on Mobile Devices. In: USENIX Security Symposium M. Schwarz et al. Malware Guard Extension: Using SGX to Conceal Cache Attacks. In: DIMVA
154 DRAM covert channels in JavaScript!
155 Setup sender: native application in a VM 40
156 Setup sender: native application in a VM receiver: JavaScript in a web page on the host 40
157 Setup sender: native application in a VM receiver: JavaScript in a web page on the host sender and receiver select the same bank 40
158 Setup sender: native application in a VM receiver: JavaScript in a web page on the host sender and receiver select the same bank sender and receiver select a different row inside this bank 40
159 Setup sender: native application in a VM receiver: JavaScript in a web page on the host sender and receiver select the same bank sender and receiver select a different row inside this bank sender transmits 0 by doing nothing and 1 by causing row conflict 40
160 Setup sender: native application in a VM receiver: JavaScript in a web page on the host sender and receiver select the same bank sender and receiver select a different row inside this bank sender transmits 0 by doing nothing and 1 by causing row conflict receiver measures access time for its row: fast 0, slow 1 40
161 Sending packets Data EDC S e q communication based on 11-bit packets, with 5-bit of data 41
162 Sending packets Data EDC S e q communication based on 11-bit packets, with 5-bit of data packet starts with a 2-bit preamble 41
163 Sending packets Data EDC S e q communication based on 11-bit packets, with 5-bit of data packet starts with a 2-bit preamble data integrity checked by an error-detection code 41
164 Sending packets Data EDC S e q communication based on 11-bit packets, with 5-bit of data packet starts with a 2-bit preamble data integrity checked by an error-detection code sequence bit indicates whether it is a retransmission or a new packet 41
165 Evaluation transmission of approximately 11 bits/s 42
166 Evaluation transmission of approximately 11 bits/s can be improved using 42
167 Evaluation transmission of approximately 11 bits/s can be improved using fewer re-transmits 42
168 Evaluation transmission of approximately 11 bits/s can be improved using fewer re-transmits error correction 42
169 Evaluation transmission of approximately 11 bits/s can be improved using fewer re-transmits error correction multithreading multiple banks in parallel 42
170 Evaluation transmission of approximately 11 bits/s can be improved using fewer re-transmits error correction multithreading multiple banks in parallel native code: 596 kbit/s cross CPU and cross VM 42
171 DRAM side-channel attack
172 Conclusion
173 Conclusion information leaks because of the underlying hardware 44
174 Conclusion information leaks because of the underlying hardware vulnerabilities exploitable at the browser level 44
175 Conclusion information leaks because of the underlying hardware vulnerabilities exploitable at the browser level running arbitrary JavaScript allows building high-resolution timers 44
176 Conclusion information leaks because of the underlying hardware vulnerabilities exploitable at the browser level running arbitrary JavaScript allows building high-resolution timers hard to mitigate without reducing functionality 44
177 Thank you!
178 From bottom to top: Exploiting hardware side channels in web browsers Clémentine Maurice, Graz University of Technology July 4, 2017 RMLL, Saint-Étienne, France
Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript
Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript Michael Schwarz, Clémentine Maurice, Daniel Gruss, Stefan Mangard Graz University of Technology April 2017
More informationRowhammer.js: Root privileges for web apps?
Rowhammer.js: Root privileges for web apps? Daniel Gruss (@lavados) 1, Clémentine Maurice (@BloodyTangerine) 2 1 IAIK, Graz University of Technology / 2 Technicolor and Eurecom 1 Rennes Graz Clémentine
More informationJavaScript Zero. Real JavaScript and Zero Side-Channel Attacks. Michael Schwarz, Moritz Lipp, Daniel Gruss
JavaScript Zero Real JavaScript and Zero Side-Channel Attacks Michael Schwarz, Moritz Lipp, Daniel Gruss 20.02.2018 www.iaik.tugraz.at 1 Michael Schwarz, Moritz Lipp, Daniel Gruss www.iaik.tugraz.at Outline
More informationRowhammer.js: A Remote Software- Induced Fault Attack in Javascript
Rowhammer.js: A Remote Software- Induced Fault Attack in Javascript Daniel Gruss, Clementine Maurice and Stefan Mangard Graz University of Technology, Austria Rowhammer bug (I) Different DRAM cells can
More informationÉvolution des attaques sur la micro-architecture
Évolution des attaques sur la micro-architecture Clémentine Maurice, CNRS, IRISA 23 Janvier 2019 Journée Nouvelles Avancées en Sécurité des Systèmes d Information, INSA de Toulouse/LAAS-CNRS Attacks on
More informationPractical Keystroke Timing Attacks in Sandboxed JavaScript
Practical Keystroke Timing Attacks in Sandboxed JavaScript M. Lipp, D. Gruss, M. Schwarz, D. Bidner, C. Maurice, S. Mangard Sep 11, 2017 ESORICS 17 Graz University of Technology Motivation Keystroke timing
More informationHello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud
Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud Clémentine Maurice, Manuel Weber, Michael Schwarz, Lukas Giner, Daniel Gruss, Carlo Alberto Boano, Stefan Mangard, Kay Römer
More informationARMageddon: Cache Attacks on Mobile Devices
ARMageddon: Cache Attacks on Mobile Devices Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, Stefan Mangard Graz University of Technology 1 TLDR powerful cache attacks (like Flush+Reload)
More informationLeaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX W. Wang, G. Chen, X, Pan, Y. Zhang, XF. Wang, V. Bindschaedler, H. Tang, C. Gunter. September 19, 2017 Motivation Intel
More informationarxiv: v2 [cs.cr] 30 Nov 2015
Reverse Engineering Intel DRAM Addressing and Exploitation - Work in Progress - arxiv:1511.08756v2 [cs.cr] 30 Nov 2015 Peter Pessl, Daniel Gruss, Clémentine Maurice, Michael Schwarz and Stefan Mangard
More informationFlush+Flush: A Stealthier Last-Level Cache Attack
Flush+Flush: A Stealthier Last-Level Cache Attack Daniel Gruss Graz University of Technology, Austria daniel.gruss@iaik.tugraz.at Clémentine Maurice Technicolor, Rennes, France Eurecom, Sophia-Antipolis,
More informationarxiv: v3 [cs.cr] 5 Apr 2016
Flush+Flush: A Fast and Stealthy Cache Attack Daniel Gruss, Clémentine Maurice, Klaus Wagner, and Stefan Mangard Graz University of Technology, Austria arxiv:1511.04594v3 [cs.cr] 5 Apr 2016 Abstract. Research
More informationTrusted Browsers for Uncertain Times
Trusted Browsers for Uncertain Times David Kohlbrenner and Hovav Shacham UC San Diego Building a browser that can provably mitigate timing attacks Trusted Browsers for Uncertain Times Time and web browsers
More informationMalware Guard Extension: Using SGX to Conceal Cache Attacks
Malware Guard Extension: Using SGX to Conceal Cache Attacks Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice, and Stefan Mangard Graz University of Technology, Austria Abstract. In modern
More informationWhen Good Turns Evil: Using Intel SGX to Stealthily Steal Bitcoins
When Good Turns Evil: Using Intel SGX to Stealthily Steal Bitcoins Michael Schwarz, Moritz Lipp michael.schwarz@iaik.tugraz.at, moritz.lipp@iaik.tugraz.at Abstract In our talk, we show that despite all
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 19 Hardware Security: Meltdown, Spectre, Rowhammer Vulnerabilities and Abstractions Abstraction Reality Vulnerability Review: ISA and µarchitecture
More informationCurious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis
Curious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis Sarani Bhattacharya 1 and Debdeep Mukhopadhyay 1 Department of Computer Science and Engineering Indian Institute of Technology,
More informationMicro-Architectural Attacks and Countermeasures
Micro-Architectural Attacks and Countermeasures Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 25 Contents Micro-Architectural Attacks Cache Attacks Branch Prediction Attack
More informationOn Feasibility and Performance of Rowhammmer Attack
On Feasibility and Performance of Rowhammmer Attack Varnavas Papaioannou A dissertation submitted in partial fulfillment of the requirements for the degree of MSc Information Security of University College
More informationSecure Hierarchy-Aware Cache Replacement Policy (SHARP): Defending Against Cache-Based Side Channel Attacks
: Defending Against Cache-Based Side Channel Attacks Mengjia Yan, Bhargava Gopireddy, Thomas Shull, Josep Torrellas University of Illinois at Urbana-Champaign http://iacoma.cs.uiuc.edu Presented by Mengjia
More informationMalware Guard Extension: Using SGX to Conceal Cache Attacks (Extended Version)
Malware Guard Extension: Using SGX to Conceal Cache Attacks (Exted Version) Michael Schwarz Graz University of Technology Email: michael.schwarz@iaik.tugraz.at Samuel Weiser Graz University of Technology
More informationSGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut
SGX Security Background Masab Ahmad masab.ahmad@uconn.edu Department of Electrical and Computer Engineering University of Connecticut 1 Security Background Outline Cryptographic Primitives Cryptographic
More informationDRAM Disturbance Errors
http://www.ddrdetective.com/ http://users.ece.cmu.edu/~yoonguk/ Flipping Bits in Memory Without Accessing Them An Experimental Study of DRAM Disturbance Errors Yoongu Kim Ross Daly, Jeremie Kim, Chris
More informationCSE502: Computer Architecture CSE 502: Computer Architecture
CSE 502: Computer Architecture Memory / DRAM SRAM = Static RAM SRAM vs. DRAM As long as power is present, data is retained DRAM = Dynamic RAM If you don t do anything, you lose the data SRAM: 6T per bit
More informationLocking Down the Processor via the Rowhammer Attack
SGX-BOMB: Locking Down the Processor via the Rowhammer Attack Yeongjin Jang*, Jaehyuk Lee, Sangho Lee, and Taesoo Kim Oregon State University* KAIST Georgia Institute of Technology TL;DR SGX locks up the
More informationarxiv: v2 [cs.cr] 19 Jun 2016
ARMageddon: Cache Attacks on Mobile Devices Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, and Stefan Mangard Graz University of Technology, Austria arxiv:1511.04897v2 [cs.cr] 19 Jun
More informationMultilevel Memories. Joel Emer Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology
1 Multilevel Memories Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology Based on the material prepared by Krste Asanovic and Arvind CPU-Memory Bottleneck 6.823
More informationThe Memory Hierarchy. Cache, Main Memory, and Virtual Memory (Part 2)
The Memory Hierarchy Cache, Main Memory, and Virtual Memory (Part 2) Lecture for CPSC 5155 Edward Bosworth, Ph.D. Computer Science Department Columbus State University Cache Line Replacement The cache
More informationEvaluating STT-RAM as an Energy-Efficient Main Memory Alternative
Evaluating STT-RAM as an Energy-Efficient Main Memory Alternative Emre Kültürsay *, Mahmut Kandemir *, Anand Sivasubramaniam *, and Onur Mutlu * Pennsylvania State University Carnegie Mellon University
More informationCurious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis
Curious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur CHES 2016 August 19, 2016 Objective
More informationSpectre and Meltdown. Clifford Wolf q/talk
Spectre and Meltdown Clifford Wolf q/talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative
More informationLecture 14: Cache Innovations and DRAM. Today: cache access basics and innovations, DRAM (Sections )
Lecture 14: Cache Innovations and DRAM Today: cache access basics and innovations, DRAM (Sections 5.1-5.3) 1 Reducing Miss Rate Large block size reduces compulsory misses, reduces miss penalty in case
More informationMemory Hierarchy Computing Systems & Performance MSc Informatics Eng. Memory Hierarchy (most slides are borrowed)
Computing Systems & Performance Memory Hierarchy MSc Informatics Eng. 2011/12 A.J.Proença Memory Hierarchy (most slides are borrowed) AJProença, Computer Systems & Performance, MEI, UMinho, 2011/12 1 2
More informationComputer Systems Architecture I. CSE 560M Lecture 18 Guest Lecturer: Shakir James
Computer Systems Architecture I CSE 560M Lecture 18 Guest Lecturer: Shakir James Plan for Today Announcements No class meeting on Monday, meet in project groups Project demos < 2 weeks, Nov 23 rd Questions
More informationMemory Hierarchy Computing Systems & Performance MSc Informatics Eng. Memory Hierarchy (most slides are borrowed)
Computing Systems & Performance Memory Hierarchy MSc Informatics Eng. 2012/13 A.J.Proença Memory Hierarchy (most slides are borrowed) AJProença, Computer Systems & Performance, MEI, UMinho, 2012/13 1 2
More informationVirtual Memory Wrap Up
Virtual Memory Wrap Up CSE 351 Autumn 2017 Instructor: Justin Hsia Teaching Assistants: Lucas Wotton Michael Zhang Parker DeWilde Ryan Wong Sam Gehman Sam Wolfson Savanna Yee Vinny Palaniappan Administrivia
More informationAutoLock: Why Cache Attacks on ARM Are Harder Than You Think
AutoLock: Why Cache Attacks on ARM Are Harder Than You Think Marc Green W, Leandro Rodrigues-Lima F, Andreas Zankl F, Gorka Irazoqui W, Johann Heyszl F, and Thomas Eisenbarth W August 18 th 2017 USENIX
More informationSoftware-based Microarchitectural Attacks
Software-based Microarchitectural Attacks Daniel Gruss January 23, 2019 Graz University of Technology Frame Rate of Slide Deck: 11 fps 1 Daniel Gruss Graz University of Technology 1337 4242 Revolutionary
More informationMicro-architectural Attacks. Chester Rebeiro IIT Madras
Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Cryptography Passwords Information Flow Policies Privileged Rings ASLR Virtual Machines and confinement Javascript and HTML5 (due to restricted
More informationSpectre and Meltdown: Data leaks during speculative execution
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval
More informationScotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource Usage
Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource Usage Kevin Leach 1, Fengwei Zhang 2, and Westley Weimer 1 1 University of Michigan, 2 Wayne State University
More informationLecture 24: Memory, VM, Multiproc
Lecture 24: Memory, VM, Multiproc Today s topics: Security wrap-up Off-chip Memory Virtual memory Multiprocessors, cache coherence 1 Spectre: Variant 1 x is controlled by attacker Thanks to bpred, x can
More informationChapter 5B. Large and Fast: Exploiting Memory Hierarchy
Chapter 5B Large and Fast: Exploiting Memory Hierarchy One Transistor Dynamic RAM 1-T DRAM Cell word access transistor V REF TiN top electrode (V REF ) Ta 2 O 5 dielectric bit Storage capacitor (FET gate,
More informationCSE502: Computer Architecture CSE 502: Computer Architecture
CSE 502: Computer Architecture Memory / DRAM SRAM = Static RAM SRAM vs. DRAM As long as power is present, data is retained DRAM = Dynamic RAM If you don t do anything, you lose the data SRAM: 6T per bit
More informationMeltdown and Spectre - understanding and mitigating the threats (Part Deux)
Meltdown and Spectre - understanding and mitigating the threats (Part Deux) Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @SANSInstitute / @RenditionSec
More informationThe Last Mile An Empirical Study of Timing Channels on sel4
The Last Mile An Empirical Study of Timing on David Cock Qian Ge Toby Murray Gernot Heiser 4 November 2014 NICTA Funding and Supporting Members and Partners Outline The Last Mile Copyright NICTA 2014 David
More informationDefense against the AnC Attack on BOOM Rui Hou, Xiaoxin Li, Wei Song, Dan Meng
Defense against the AnC Attack on BOOM Rui Hou, Xiaoxin Li, Wei Song, Dan Meng 单击此处编辑母版标题样式 Outline Security vulnerabilities due to resource sharing AnC attack Solution RCL PTE-isolation Security vulnerabilities
More informationPAGE REPLACEMENT. Operating Systems 2015 Spring by Euiseong Seo
PAGE REPLACEMENT Operating Systems 2015 Spring by Euiseong Seo Today s Topics What if the physical memory becomes full? Page replacement algorithms How to manage memory among competing processes? Advanced
More informationEmbedded processors. Timo Töyry Department of Computer Science and Engineering Aalto University, School of Science timo.toyry(at)aalto.
Embedded processors Timo Töyry Department of Computer Science and Engineering Aalto University, School of Science timo.toyry(at)aalto.fi Comparing processors Evaluating processors Taxonomy of processors
More informationCPU issues address (and data for write) Memory returns data (or acknowledgment for write)
The Main Memory Unit CPU and memory unit interface Address Data Control CPU Memory CPU issues address (and data for write) Memory returns data (or acknowledgment for write) Memories: Design Objectives
More informationVirtual Memory III. Jo, Heeseung
Virtual Memory III Jo, Heeseung Today's Topics What if the physical memory becomes full? Page replacement algorithms How to manage memory among competing processes? Advanced virtual memory techniques Shared
More informationCache Memory COE 403. Computer Architecture Prof. Muhamed Mudawar. Computer Engineering Department King Fahd University of Petroleum and Minerals
Cache Memory COE 403 Computer Architecture Prof. Muhamed Mudawar Computer Engineering Department King Fahd University of Petroleum and Minerals Presentation Outline The Need for Cache Memory The Basics
More informationCSE Memory Hierarchy Design Ch. 5 (Hennessy and Patterson)
CSE 4201 Memory Hierarchy Design Ch. 5 (Hennessy and Patterson) Memory Hierarchy We need huge amount of cheap and fast memory Memory is either fast or cheap; never both. Do as politicians do: fake it Give
More information15-740/ Computer Architecture Lecture 19: Main Memory. Prof. Onur Mutlu Carnegie Mellon University
15-740/18-740 Computer Architecture Lecture 19: Main Memory Prof. Onur Mutlu Carnegie Mellon University Last Time Multi-core issues in caching OS-based cache partitioning (using page coloring) Handling
More informationRISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas
RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS
More informationHY225 Lecture 12: DRAM and Virtual Memory
HY225 Lecture 12: DRAM and irtual Memory Dimitrios S. Nikolopoulos University of Crete and FORTH-ICS May 16, 2011 Dimitrios S. Nikolopoulos Lecture 12: DRAM and irtual Memory 1 / 36 DRAM Fundamentals Random-access
More informationChapter 5. Large and Fast: Exploiting Memory Hierarchy
Chapter 5 Large and Fast: Exploiting Memory Hierarchy Principle of Locality Programs access a small proportion of their address space at any time Temporal locality Items accessed recently are likely to
More informationChapter 5 Large and Fast: Exploiting Memory Hierarchy (Part 1)
Department of Electr rical Eng ineering, Chapter 5 Large and Fast: Exploiting Memory Hierarchy (Part 1) 王振傑 (Chen-Chieh Wang) ccwang@mail.ee.ncku.edu.tw ncku edu Depar rtment of Electr rical Engineering,
More informationComputer Architecture A Quantitative Approach, Fifth Edition. Chapter 2. Memory Hierarchy Design. Copyright 2012, Elsevier Inc. All rights reserved.
Computer Architecture A Quantitative Approach, Fifth Edition Chapter 2 Memory Hierarchy Design 1 Introduction Programmers want unlimited amounts of memory with low latency Fast memory technology is more
More informationCSE 153 Design of Operating Systems
CSE 153 Design of Operating Systems Winter 18 Lecture 18/19: Page Replacement Memory Management Memory management systems Physical and virtual addressing; address translation Techniques: Partitioning,
More informationCS 152 Computer Architecture and Engineering. Lecture 7 - Memory Hierarchy-II
CS 152 Computer Architecture and Engineering Lecture 7 - Memory Hierarchy-II Krste Asanovic Electrical Engineering and Computer Sciences University of California at Berkeley http://www.eecs.berkeley.edu/~krste
More informationECE 485/585 Midterm Exam
ECE 485/585 Midterm Exam Time allowed: 100 minutes Total Points: 65 Points Scored: Name: Problem No. 1 (12 points) For each of the following statements, indicate whether the statement is TRUE or FALSE:
More informationCopyright 2012, Elsevier Inc. All rights reserved.
Computer Architecture A Quantitative Approach, Fifth Edition Chapter 2 Memory Hierarchy Design 1 Introduction Programmers want unlimited amounts of memory with low latency Fast memory technology is more
More informationSandboxing Untrusted Code: Software-Based Fault Isolation (SFI)
Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection
More informationAdapted from David Patterson s slides on graduate computer architecture
Mei Yang Adapted from David Patterson s slides on graduate computer architecture Introduction Ten Advanced Optimizations of Cache Performance Memory Technology and Optimizations Virtual Memory and Virtual
More informationSpring 2018 :: CSE 502. Main Memory & DRAM. Nima Honarmand
Main Memory & DRAM Nima Honarmand Main Memory Big Picture 1) Last-level cache sends its memory requests to a Memory Controller Over a system bus of other types of interconnect 2) Memory controller translates
More information1/19/2009. Data Locality. Exploiting Locality: Caches
Spring 2009 Prof. Hyesoon Kim Thanks to Prof. Loh & Prof. Prvulovic Data Locality Temporal: if data item needed now, it is likely to be needed again in near future Spatial: if data item needed now, nearby
More informationMemory Defenses. The Elevation from Obscurity to Headlines. Rajeev Balasubramonian School of Computing, University of Utah
Memory Defenses The Elevation from Obscurity to Headlines Rajeev Balasubramonian School of Computing, University of Utah Image sources: pinterest, gizmodo 2 Spectre Overview Victim Code x is controlled
More informationCS162 Operating Systems and Systems Programming Lecture 11 Page Allocation and Replacement"
CS162 Operating Systems and Systems Programming Lecture 11 Page Allocation and Replacement" October 3, 2012 Ion Stoica http://inst.eecs.berkeley.edu/~cs162 Lecture 9 Followup: Inverted Page Table" With
More informationLecture 15: DRAM Main Memory Systems. Today: DRAM basics and innovations (Section 2.3)
Lecture 15: DRAM Main Memory Systems Today: DRAM basics and innovations (Section 2.3) 1 Memory Architecture Processor Memory Controller Address/Cmd Bank Row Buffer DIMM Data DIMM: a PCB with DRAM chips
More informationCS356: Discussion #9 Memory Hierarchy and Caches. Marco Paolieri Illustrations from CS:APP3e textbook
CS356: Discussion #9 Memory Hierarchy and Caches Marco Paolieri (paolieri@usc.edu) Illustrations from CS:APP3e textbook The Memory Hierarchy So far... We modeled the memory system as an abstract array
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 CPU management Roadmap Process, thread, synchronization, scheduling Memory management Virtual memory Disk
More informationCS 33. Architecture and Optimization (3) CS33 Intro to Computer Systems XVI 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.
CS 33 Architecture and Optimization (3) CS33 Intro to Computer Systems XVI 1 Copyright 2018 Thomas W. Doeppner. All rights reserved. Hyper Threading Instruction Control Instruction Control Retirement Unit
More informationVarys. Protecting SGX Enclaves From Practical Side-Channel Attacks. Oleksii Oleksenko, Bohdan Trach. Mark Silberstein
Varys Protecting SGX Enclaves From Practical Side-Channel Attacks Oleksii Oleksenko, Bohdan Trach Robert Krahn, Andre Martin, Christof Fetzer Mark Silberstein Key issue of the cloud: We cannot trust it
More informationCopyright 2012, Elsevier Inc. All rights reserved.
Computer Architecture A Quantitative Approach, Fifth Edition Chapter 2 Memory Hierarchy Design 1 Introduction Introduction Programmers want unlimited amounts of memory with low latency Fast memory technology
More information18-447: Computer Architecture Lecture 25: Main Memory. Prof. Onur Mutlu Carnegie Mellon University Spring 2013, 4/3/2013
18-447: Computer Architecture Lecture 25: Main Memory Prof. Onur Mutlu Carnegie Mellon University Spring 2013, 4/3/2013 Reminder: Homework 5 (Today) Due April 3 (Wednesday!) Topics: Vector processing,
More informationComputer Architecture. A Quantitative Approach, Fifth Edition. Chapter 2. Memory Hierarchy Design. Copyright 2012, Elsevier Inc. All rights reserved.
Computer Architecture A Quantitative Approach, Fifth Edition Chapter 2 Memory Hierarchy Design 1 Programmers want unlimited amounts of memory with low latency Fast memory technology is more expensive per
More informationCache memory. Lecture 4. Principles, structure, mapping
Cache memory Lecture 4 Principles, structure, mapping Computer memory overview Computer memory overview By analyzing memory hierarchy from top to bottom, the following conclusions can be done: a. Cost
More informationChapter 6 Caches. Computer System. Alpha Chip Photo. Topics. Memory Hierarchy Locality of Reference SRAM Caches Direct Mapped Associative
Chapter 6 s Topics Memory Hierarchy Locality of Reference SRAM s Direct Mapped Associative Computer System Processor interrupt On-chip cache s s Memory-I/O bus bus Net cache Row cache Disk cache Memory
More informationSAE5C Computer Organization and Architecture. Unit : I - V
SAE5C Computer Organization and Architecture Unit : I - V UNIT-I Evolution of Pentium and Power PC Evolution of Computer Components functions Interconnection Bus Basics of PCI Memory:Characteristics,Hierarchy
More informationCOMPUTER ORGANIZATION AND DESIGN The Hardware/Software Interface. 5 th. Edition. Chapter 5. Large and Fast: Exploiting Memory Hierarchy
COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Interface 5 th Edition Chapter 5 Large and Fast: Exploiting Memory Hierarchy Principle of Locality Programs access a small proportion of their address
More informationWhen Good Protections Go Bad: Exploiting Anti-DoS Measures to Accelerate Rowhammer Attacks
When Good Protections Go Bad: Exploiting Anti-DoS Measures to Accelerate Rowhammer Attacks Misiker Tadesse Aga Zelalem Birhanu Aweke Todd Austin misiker@umich.edu zaweke@umich.edu austin@umich.edu University
More informationMemory Systems IRAM. Principle of IRAM
Memory Systems 165 other devices of the module will be in the Standby state (which is the primary state of all RDRAM devices) or another state with low-power consumption. The RDRAM devices provide several
More informationMeltdown and Spectre - understanding and mitigating the threats
Meltdown and Spectre - understanding and mitigating the threats Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @RenditionSec The sky isn t falling!
More informationPage 1. Goals for Today" TLB organization" CS162 Operating Systems and Systems Programming Lecture 11. Page Allocation and Replacement"
Goals for Today" CS162 Operating Systems and Systems Programming Lecture 11 Page Allocation and Replacement" Finish discussion on TLBs! Page Replacement Policies! FIFO, LRU! Clock Algorithm!! Working Set/Thrashing!
More informationANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks
ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks Zelalem Birhanu Aweke, Salessawi Ferede Yitbarek, Rui Qiao, Reetuparna Das, Matthew Hicks, Yossi Oren, and Todd Austin University
More informationDedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector
2016 IEEE Symposium on Security and Privacy Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector Erik Bosman Vrije Universiteit Amsterdam erik@minemu.org Kaveh Razavi Vrije Universiteit
More informationVirtual Memory III. CSE 351 Autumn Instructor: Justin Hsia
Virtual Memory III CSE 351 Autumn 2016 Instructor: Justin Hsia Teaching Assistants: Chris Ma Hunter Zahn John Kaltenbach Kevin Bi Sachin Mehta Suraj Bhat Thomas Neuman Waylon Huang Xi Liu Yufang Sun https://xkcd.com/720/
More informationLecture 12: Demand Paging
Lecture 1: Demand Paging CSE 10: Principles of Operating Systems Alex C. Snoeren HW 3 Due 11/9 Complete Address Translation We started this topic with the high-level problem of translating virtual addresses
More informationMemory Technology. Chapter 5. Principle of Locality. Chapter 5 Large and Fast: Exploiting Memory Hierarchy 1
COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Interface Chapter 5 Large and Fast: Exploiting Memory Hierarchy 5 th Edition Memory Technology Static RAM (SRAM) 0.5ns 2.5ns, $2000 $5000 per GB Dynamic
More informationDonn Morrison Department of Computer Science. TDT4255 Memory hierarchies
TDT4255 Lecture 10: Memory hierarchies Donn Morrison Department of Computer Science 2 Outline Chapter 5 - Memory hierarchies (5.1-5.5) Temporal and spacial locality Hits and misses Direct-mapped, set associative,
More informationCJAG: Cache-based Jamming Agreement
CJAG: Cache-based Jamming Agreement Establishing a covert channel between co-located VMs Michael Schwarz and Manuel Weber Graz University of Technology, Austria Abstract. Cache-based covert channels are
More informationCache Side Channel Attacks on Intel SGX
Cache Side Channel Attacks on Intel SGX Princeton University Technical Report CE-L2017-001 January 2017 Zecheng He Ruby B. Lee {zechengh, rblee}@princeton.edu Department of Electrical Engineering Princeton
More informationMemory. Lecture 22 CS301
Memory Lecture 22 CS301 Administrative Daily Review of today s lecture w Due tomorrow (11/13) at 8am HW #8 due today at 5pm Program #2 due Friday, 11/16 at 11:59pm Test #2 Wednesday Pipelined Machine Fetch
More informationSpring 2016 :: CSE 502 Computer Architecture. Caches. Nima Honarmand
Caches Nima Honarmand Motivation 10000 Performance 1000 100 10 Processor Memory 1 1985 1990 1995 2000 2005 2010 Want memory to appear: As fast as CPU As large as required by all of the running applications
More informationCSE502: Computer Architecture CSE 502: Computer Architecture
CSE 502: Computer Architecture Memory Hierarchy & Caches Motivation 10000 Performance 1000 100 10 Processor Memory 1 1985 1990 1995 2000 2005 2010 Want memory to appear: As fast as CPU As large as required
More informationChapter 5. Large and Fast: Exploiting Memory Hierarchy
Chapter 5 Large and Fast: Exploiting Memory Hierarchy Memory Technology Static RAM (SRAM) 0.5ns 2.5ns, $2000 $5000 per GB Dynamic RAM (DRAM) 50ns 70ns, $20 $75 per GB Magnetic disk 5ms 20ms, $0.20 $2 per
More informationAn introduction to SDRAM and memory controllers. 5kk73
An introduction to SDRAM and memory controllers 5kk73 Presentation Outline (part 1) Introduction to SDRAM Basic SDRAM operation Memory efficiency SDRAM controller architecture Conclusions Followed by part
More informationEN1640: Design of Computing Systems Topic 06: Memory System
EN164: Design of Computing Systems Topic 6: Memory System Professor Sherief Reda http://scale.engin.brown.edu Electrical Sciences and Computer Engineering School of Engineering Brown University Spring
More informationVIRTUAL MEMORY READING: CHAPTER 9
VIRTUAL MEMORY READING: CHAPTER 9 9 MEMORY HIERARCHY Core! Processor! Core! Caching! Main! Memory! (DRAM)!! Caching!! Secondary Storage (SSD)!!!! Secondary Storage (Disk)! L cache exclusive to a single
More information