Rowhammer.js: Root privileges for web apps?
|
|
- Rodger Jenkins
- 6 years ago
- Views:
Transcription
1 Rowhammer.js: Root privileges for web apps? Daniel Gruss 1, Clémentine Maurice 2 1 IAIK, Graz University of Technology / 2 Technicolor and Eurecom 1
2 Rennes Graz Clémentine Maurice PhD since October from Rennes, France Daniel Gruss PhD student from Graz, Austria Both of us started to work independently on cache attacks 2
3 Bit flips! The timeline 2014 June 2015 March April June July 3
4 Bit flips! The timeline 2014 June Kim et al. paper Flipping bits in memory without accessing them at ISCA 14 = Rowhammer with clflush, originally viewed as a reliability issue 2015 March April June July 3
5 Bit flips! The timeline 2014 June Kim et al. paper Flipping bits in memory without accessing them at ISCA 14 = Rowhammer with clflush, originally viewed as a reliability issue 2015 March Mark Seaborn and Halvar Flake build exploits using Rowhammer with clflush April June July 3
6 Bit flips! The timeline 2014 June Kim et al. paper Flipping bits in memory without accessing them at ISCA 14 = Rowhammer with clflush, originally viewed as a reliability issue 2015 March April Mark Seaborn and Halvar Flake build exploits using Rowhammer with clflush Daniel starts working on Rowhammer without clflush June July 3
7 Bit flips! The timeline 2014 June Kim et al. paper Flipping bits in memory without accessing them at ISCA 14 = Rowhammer with clflush, originally viewed as a reliability issue 2015 March April June Mark Seaborn and Halvar Flake build exploits using Rowhammer with clflush Daniel starts working on Rowhammer without clflush Clémentine visits TU Graz to work on it with Daniel July 3
8 Bit flips! The timeline 2014 June Kim et al. paper Flipping bits in memory without accessing them at ISCA 14 = Rowhammer with clflush, originally viewed as a reliability issue 2015 March April June Mark Seaborn and Halvar Flake build exploits using Rowhammer with clflush Daniel starts working on Rowhammer without clflush Clémentine visits TU Graz to work on it with Daniel First bit flips without clflush on Ivy Bridge and Haswell a few days later! July 3
9 Bit flips! The timeline 2014 June Kim et al. paper Flipping bits in memory without accessing them at ISCA 14 = Rowhammer with clflush, originally viewed as a reliability issue 2015 March April June Mark Seaborn and Halvar Flake build exploits using Rowhammer with clflush Daniel starts working on Rowhammer without clflush Clémentine visits TU Graz to work on it with Daniel First bit flips without clflush on Ivy Bridge and Haswell a few days later! July Bit flips in JavaScript! 3
10 DRAM organization example 4
11 DRAM organization example channel 0 channel 1 4
12 DRAM organization example back of DIMM: rank 1 channel 0 front of DIMM: rank 0 channel 1 4
13 DRAM organization example back of DIMM: rank 1 channel 0 front of DIMM: rank 0 channel 1 chip 4
14 DRAM organization example chip bank 0 row 0 row 1 row 2... row row buffer bits in cells in rows access: activate row, copy to row buffer cells leak refresh necessary cells leak faster upon proximate accesses 5
15 Rowhammer It s like breaking into an apartment by repeatedly slamming a neighbor s door until the vibrations open the door you were after Motherboard Vice DRAM bank row buffer 6
16 Rowhammer It s like breaking into an apartment by repeatedly slamming a neighbor s door until the vibrations open the door you were after Motherboard Vice DRAM bank activate copy row buffer 6
17 Rowhammer It s like breaking into an apartment by repeatedly slamming a neighbor s door until the vibrations open the door you were after Motherboard Vice DRAM bank activate copy row buffer 6
18 Rowhammer It s like breaking into an apartment by repeatedly slamming a neighbor s door until the vibrations open the door you were after Motherboard Vice DRAM bank activate copy row buffer 6
19 Rowhammer It s like breaking into an apartment by repeatedly slamming a neighbor s door until the vibrations open the door you were after Motherboard Vice DRAM bank activate copy row buffer 6
20 Rowhammer It s like breaking into an apartment by repeatedly slamming a neighbor s door until the vibrations open the door you were after Motherboard Vice DRAM bank bit flips in row 2! row buffer 6
21 Impact of the CPU cache CPU core CPU cache DRAM only non-cached accesses reach DRAM original attacks use clflush instruction flush line from cache next access will be served from DRAM 7
22 Cache background core 0 core 1 core 2 core 3 L1 and L2 are private L1 L1 L1 L1 last-level cache: L2 LLC slice 0 L2 LLC slice 1 L2 LLC slice 2 L2 LLC slice 3 ring bus divided in slices shared across cores inclusive 8
23 Rowhammer (with clflush) DRAM bank cache set 1 cache set 2 9
24 Rowhammer (with clflush) DRAM bank cache set 1 clflush clflush cache set 2 9
25 Rowhammer (with clflush) DRAM bank cache set 1 clflush clflush cache set 2 9
26 Rowhammer (with clflush) DRAM bank cache set 1 cache set 2 9
27 Rowhammer (with clflush) DRAM bank cache set 1 reload cache set 2 9
28 Rowhammer (with clflush) DRAM bank cache set 1 reload reload cache set 2 9
29 Rowhammer (with clflush) DRAM bank cache set 1 clflush clflush cache set 2 9
30 Rowhammer (with clflush) DRAM bank cache set 1 reload reload cache set 2 9
31 Rowhammer (with clflush) DRAM bank cache set 1 clflush clflush cache set 2 9
32 Rowhammer (with clflush) DRAM bank cache set 1 reload reload cache set 2 9
33 Rowhammer (with clflush) DRAM bank cache set 1 clflush clflush cache set 2 9
34 Rowhammer (with clflush) DRAM bank cache set 1 reload reload cache set 2 9
35 Rowhammer (with clflush) DRAM bank cache set 1 clflush wait for it... clflush cache set 2 9
36 Rowhammer (with clflush) DRAM bank cache set 1 reload reload bit flip! cache set 2 9
37 Wait a second, Flush+Reload? Flush+Reload a cache attack exactly what we just did, but... 10
38 Wait a second, Flush+Reload? Flush+Reload a cache attack exactly what we just did, but... measure timing (cache hit vs. miss) run on shared libraries to spy on other processes 10
39 Wait a second, Flush+Reload? Flush+Reload a cache attack exactly what we just did, but... measure timing (cache hit vs. miss) run on shared libraries to spy on other processes automated attacks [Gruss et al., 2015c] crypto keys, keylogging, cross VM attacks,... 10
40 Rowhammer without clflush? idea: avoid clflush to be independent of specific instructions no clflush in JavaScript 11
41 Rowhammer without clflush? idea: avoid clflush to be independent of specific instructions no clflush in JavaScript our approach: use regular memory accesses for eviction techniques from cache attacks! 11
42 Rowhammer without clflush DRAM bank cache set 1 cache set 2 12
43 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12
44 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12
45 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12
46 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12
47 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12
48 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12
49 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12
50 Rowhammer without clflush DRAM bank cache set 1 load load cache set 2 12
51 Rowhammer without clflush DRAM bank cache set 1 reload reload cache set 2 12
52 Rowhammer without clflush DRAM bank cache set 1 repeat! cache set 2 12
53 Rowhammer without clflush DRAM bank cache set 1 reload reload wait for it... cache set 2 12
54 Rowhammer without clflush DRAM bank cache set 1 bit flip! cache set 2 12
55 Rowhammer.js: the challenges 1. How to get physical addresses in JS? 2. Which physical addresses to access? 3. In which order to access them? 4. How to get accurate timing in JS? 13
56 Rowhammer.js: the challenges 1. How to get physical addresses in JS? 2. Which physical addresses to access? 3. In which order to access them? 4. How to get accurate timing in JS? 13
57 #1.1: Physical addresses and DRAM fixed map: physical addresses DRAM cells undocumented for Intel reverse-engineering by [Seaborn, 2015b] for Sandy Bridge and by us [Pessl et al., 2015] for Sandy, Ivy, Haswell, Skylake,... 14
58 #1.2: Physical addresses and JavaScript OS optimization: use 2MB pages = last 21 bits (2MB) of physical address = last 21 bits (2MB) of virtual address 15
59 #1.2: Physical addresses and JavaScript OS optimization: use 2MB pages = last 21 bits (2MB) of physical address = last 21 bits (2MB) of virtual address = last 21 bits (2MB) of JS array indices [Gruss et al., 2015a] 15
60 #1.2: Physical addresses and JavaScript OS optimization: use 2MB pages = last 21 bits (2MB) of physical address = last 21 bits (2MB) of virtual address = last 21 bits (2MB) of JS array indices [Gruss et al., 2015a] several DRAM rows per 2MB page several congruent addresses per 2MB page use timing for cross-page information 15
61 #2.1: Which physical addresses to access? LRU eviction : assume that cache uses LRU replacement accessing n addresses from the same cache set to evict an n-way set [Percival, 2005, Liu et al., 2015, Oren et al., 2015, Maurice et al., 2015b] eviction from last level from whole hierarchy (it s inclusive!) 16
62 #2.2: Which addresses map to the same set? physical address 35 tag H 2 set 11 6 offset 0 function H that maps slices is undocumented reverse-engineered by [Maurice et al., 2015a, Inci et al., 2015, Yarom et al., 2015] line slice 0 slice 1 slice 2 slice 3 17
63 #2.2: Which addresses map to the same set? physical address tag set offset 30 H 11 2 line slice 0 slice 1 slice 2 slice 3 0 function H that maps slices is undocumented reverse-engineered by [Maurice et al., 2015a, Inci et al., 2015, Yarom et al., 2015] hash function basically an XOR of address bits 17
64 #2.2: Which addresses map to the same set? function H that maps slices is undocumented reverse-engineered by [Maurice et al., 2015a, Inci et al., 2015, Yarom et al., 2015] hash function basically an XOR of address bits 17
65 #3.1: Replacement policy on older CPUs LRU eviction memory accesses cache set 18
66 #3.1: Replacement policy on older CPUs LRU eviction memory accesses cache set LRU replacement policy: oldest entry first 18
67 #3.1: Replacement policy on older CPUs LRU eviction memory accesses cache set LRU replacement policy: oldest entry first timestamps for every cache line 18
68 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18
69 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18
70 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18
71 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18
72 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18
73 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18
74 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18
75 #3.1: Replacement policy on older CPUs LRU eviction memory accesses load cache set LRU replacement policy: oldest entry first timestamps for every cache line access updates timestamp 18
76 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses cache set no LRU replacement 19
77 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19
78 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19
79 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19
80 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19
81 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19
82 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19
83 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19
84 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses load cache set no LRU replacement 19
85 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses cache set no LRU replacement only 75% success rate on Haswell 19
86 #3.2: Replacement policy on recent CPUs LRU eviction memory accesses cache set no LRU replacement only 75% success rate on Haswell more accesses higher success rate, but too slow 19
87 #3.3: Cache eviction strategy Address a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 Time Figure: Fast and effective on Haswell. Eviction rate >99.97%. 20
88 #4: How to get accurate timing in JavaScript? native code: rdtsc JavaScript: window.performance.now() 21
89 #4: How to get accurate timing in JavaScript? native code: rdtsc JavaScript: window.performance.now() recent patch: time rounded to 5 microseconds still works - we measure millions of accesses 21
90 Evaluation on Haswell 10 6 clflush Evict (Native) Evict (JavaScript) Bit flips Refresh interval in µs (BIOS configuration) Figure: Number of bit flips within 15 minutes. [Gruss et al., 2015b] 22
91 Exploits? Idea: port root exploit by [Seaborn, 2015a] to JavaScript page table spraying needs shared memory not available in JavaScript 23
92 Exploits? Idea: port root exploit by [Seaborn, 2015a] to JavaScript page table spraying needs shared memory not available in JavaScript zero pages are deduplicated shared memory accessible from JavaScript 23
93 Physical memory access exploit in native code 1. find exploitable bitflip (address bit) 2. release bitflip page 24
94 Physical memory access exploit in native code 1. find exploitable bitflip (address bit) 2. release bitflip page 3. put page table there page table spraying with shared pages 4. trigger bitflip again 24
95 Physical memory access exploit in native code 1. find exploitable bitflip (address bit) 2. release bitflip page 3. put page table there page table spraying with shared pages 4. trigger bitflip again 5. page table mapped instead of shared page? 6. modify page table to access arbitrary memory 24
96 Physical memory access exploit in JavaScript 1. find exploitable bitflip (address + writable bit) 2. release bitflip page 3. put page table there page table spraying with zero pages 4. trigger bitflip again 5. page table mapped instead of zero page? 6. modify page table to access arbitrary memory 25
97 Code execution as root 1. search for /bin/sh binary pages, modify page: add shellcode 26
98 Code execution as root 1. search for /bin/sh binary pages, modify page: add shellcode 3. wait until root executes shellcode 26
99 Countermeasures patch hardware: dynamic row refreshing patch BIOS: increase refresh rate 27
100 Countermeasures patch hardware: dynamic row refreshing what about legacy hardware? patch BIOS: increase refresh rate 27
101 Countermeasures patch hardware: dynamic row refreshing what about legacy hardware? patch BIOS: increase refresh rate might not be sufficient for all machines [Kim et al., 2014] need a BIOS update... 27
102 Countermeasures patch hardware: dynamic row refreshing what about legacy hardware? patch BIOS: increase refresh rate might not be sufficient for all machines [Kim et al., 2014] need a BIOS update... Who does that? 27
103 Countermeasures patch hardware: dynamic row refreshing what about legacy hardware? patch BIOS: increase refresh rate might not be sufficient for all machines [Kim et al., 2014] need a BIOS update... Who does that? 27
104 Countermeasures patch hardware: dynamic row refreshing what about legacy hardware? patch BIOS: increase refresh rate might not be sufficient for all machines [Kim et al., 2014] need a BIOS update... Who does that? patch OS: life is not perfect that s ok! 27
105 Countermeasures patch hardware: dynamic row refreshing what about legacy hardware? patch BIOS: increase refresh rate might not be sufficient for all machines [Kim et al., 2014] need a BIOS update... Who does that? patch OS: life is not perfect that s ok! idea: we don t care about self-destructive processes same-privilege physical memory pools 27
106 Conclusions cache eviction fast enough to replace clflush independent of programming language and available instructions hardware-fault attack induced in JavaScript remote attacks through websites 28
107 Not there yet, but... 29
108 Rowhammer.js: Root privileges for web apps? Daniel Gruss 1, Clémentine Maurice 2 1 IAIK, Graz University of Technology / 2 Technicolor and Eurecom 30
109 [Gruss et al., 2015a] Gruss, D., Bidner, D., and Mangard, S. (2015a). Practical memory deduplication attacks in sandboxed javascript. In Proceedings of the 20th European Symposium on Research in Computer Security (ESORICS 15). [Gruss et al., 2015b] Gruss, D., Maurice, C., and Mangard, S. (2015b). Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. arxiv: v1. [Gruss et al., 2015c] Gruss, D., Spreitzer, R., and Mangard, S. (2015c). Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches. In USENIX Security Symposium (USENIX Security 15). [Inci et al., 2015] Inci, M. S., Gulmezoglu, B., Irazoqui, G., Eisenbarth, T., and Sunar, B. (2015). Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud. Cryptology eprint Archive, Report 2015/
110 [Kim et al., 2014] Kim, Y., Daly, R., Kim, J., Fallin, C., Lee, J. H., Lee, D., Wilkerson, C., Lai, K., and Mutlu, O. (2014). Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors. In ACM/IEEE International Symposium on Computer Architecture (ISCA 14). [Liu et al., 2015] Liu, F., Yarom, Y., Ge, Q., Heiser, G., and Lee, R. B. (2015). Last-Level Cache Side-Channel Attacks are Practical. In IEEE Symposium on Security and Privacy (S&P 15). [Maurice et al., 2015a] Maurice, C., Le Scouarnec, N., Neumann, C., Heen, O., and Francillon, A. (2015a). Reverse Engineering Intel Last-Level Cache Complex Addressing Using Performance Counters. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID). [Maurice et al., 2015b] Maurice, C., Neumann, C., Heen, O., and Francillon, A. (2015b). C5: Cross-Cores Cache Covert Channel. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 15). 32
111 [Oren et al., 2015] Oren, Y., Kemerlis, V. P., Sethumadhavan, S., and Keromytis, A. D. (2015). The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In ACM Conference on Computer and Communications Security (CCS 15). [Percival, 2005] Percival, C. (2005). Cache Missing for Fun and Profit. URL: [Pessl et al., 2015] Pessl, P., Gruss, D., Maurice, C., Schwarz, M., and Mangard, S. (2015). Reverse Engineering Intel DRAM Addressing and Exploitation. arxiv: [Seaborn, 2015a] Seaborn, M. (2015a). Exploiting the DRAM rowhammer bug to gain kernel privileges. 33
112 [Seaborn, 2015b] Seaborn, M. (2015b). How physical addresses map to rows and banks in DRAM. [Yarom et al., 2015] Yarom, Y., Ge, Q., Liu, F., Lee, R. B., and Heiser, G. (2015). Mapping the Intel Last-Level Cache. Cryptology eprint Archive, Report 2015/
113 The research leading to these results has received funding from the European Union s Horizon 2020 research and innovation programme under grant agreement No (HECTOR). Furthermore, this work has been supported by the Austrian Research Promotion Agency (FFG) and the Styrian Business Promotion Agency (SFG) under grant number (SeCoS). The joint research has been supported by CRYPTACUS COST action. 35
Rowhammer.js: A Remote Software- Induced Fault Attack in Javascript
Rowhammer.js: A Remote Software- Induced Fault Attack in Javascript Daniel Gruss, Clementine Maurice and Stefan Mangard Graz University of Technology, Austria Rowhammer bug (I) Different DRAM cells can
More informationFrom bottom to top: Exploiting hardware side channels in web browsers
From bottom to top: Exploiting hardware side channels in web browsers Clémentine Maurice, Graz University of Technology July 4, 2017 RMLL, Saint-Étienne, France Rennes Graz Clémentine Maurice PhD since
More informationarxiv: v2 [cs.cr] 30 Nov 2015
Reverse Engineering Intel DRAM Addressing and Exploitation - Work in Progress - arxiv:1511.08756v2 [cs.cr] 30 Nov 2015 Peter Pessl, Daniel Gruss, Clémentine Maurice, Michael Schwarz and Stefan Mangard
More informationÉvolution des attaques sur la micro-architecture
Évolution des attaques sur la micro-architecture Clémentine Maurice, CNRS, IRISA 23 Janvier 2019 Journée Nouvelles Avancées en Sécurité des Systèmes d Information, INSA de Toulouse/LAAS-CNRS Attacks on
More informationCurious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis
Curious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur CHES 2016 August 19, 2016 Objective
More informationCJAG: Cache-based Jamming Agreement
CJAG: Cache-based Jamming Agreement Establishing a covert channel between co-located VMs Michael Schwarz and Manuel Weber Graz University of Technology, Austria Abstract. Cache-based covert channels are
More informationHello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud
Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud Clémentine Maurice, Manuel Weber, Michael Schwarz, Lukas Giner, Daniel Gruss, Carlo Alberto Boano, Stefan Mangard, Kay Römer
More informationARMageddon: Cache Attacks on Mobile Devices
ARMageddon: Cache Attacks on Mobile Devices Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, Stefan Mangard Graz University of Technology 1 TLDR powerful cache attacks (like Flush+Reload)
More informationAutoLock: Why Cache Attacks on ARM Are Harder Than You Think
AutoLock: Why Cache Attacks on ARM Are Harder Than You Think Marc Green W, Leandro Rodrigues-Lima F, Andreas Zankl F, Gorka Irazoqui W, Johann Heyszl F, and Thomas Eisenbarth W August 18 th 2017 USENIX
More informationFlush+Flush: A Stealthier Last-Level Cache Attack
Flush+Flush: A Stealthier Last-Level Cache Attack Daniel Gruss Graz University of Technology, Austria daniel.gruss@iaik.tugraz.at Clémentine Maurice Technicolor, Rennes, France Eurecom, Sophia-Antipolis,
More informationFantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript
Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript Michael Schwarz, Clémentine Maurice, Daniel Gruss, Stefan Mangard Graz University of Technology April 2017
More informationarxiv: v3 [cs.cr] 5 Apr 2016
Flush+Flush: A Fast and Stealthy Cache Attack Daniel Gruss, Clémentine Maurice, Klaus Wagner, and Stefan Mangard Graz University of Technology, Austria arxiv:1511.04594v3 [cs.cr] 5 Apr 2016 Abstract. Research
More informationWhen Good Protections Go Bad: Exploiting Anti-DoS Measures to Accelerate Rowhammer Attacks
When Good Protections Go Bad: Exploiting Anti-DoS Measures to Accelerate Rowhammer Attacks Misiker Tadesse Aga Zelalem Birhanu Aweke Todd Austin misiker@umich.edu zaweke@umich.edu austin@umich.edu University
More informationCurious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis
Curious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis Sarani Bhattacharya 1 and Debdeep Mukhopadhyay 1 Department of Computer Science and Engineering Indian Institute of Technology,
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 19 Hardware Security: Meltdown, Spectre, Rowhammer Vulnerabilities and Abstractions Abstraction Reality Vulnerability Review: ISA and µarchitecture
More informationOn Feasibility and Performance of Rowhammmer Attack
On Feasibility and Performance of Rowhammmer Attack Varnavas Papaioannou A dissertation submitted in partial fulfillment of the requirements for the degree of MSc Information Security of University College
More informationDRAM Disturbance Errors
http://www.ddrdetective.com/ http://users.ece.cmu.edu/~yoonguk/ Flipping Bits in Memory Without Accessing Them An Experimental Study of DRAM Disturbance Errors Yoongu Kim Ross Daly, Jeremie Kim, Chris
More informationarxiv: v2 [cs.cr] 19 Jun 2016
ARMageddon: Cache Attacks on Mobile Devices Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, and Stefan Mangard Graz University of Technology, Austria arxiv:1511.04897v2 [cs.cr] 19 Jun
More informationSGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut
SGX Security Background Masab Ahmad masab.ahmad@uconn.edu Department of Electrical and Computer Engineering University of Connecticut 1 Security Background Outline Cryptographic Primitives Cryptographic
More informationBit Flips in Memory Rowhammer Attacks and Defenses
Bit Flips in Memory Rowhammer Attacks and Defenses Memory Corruption Attacks Software code injection return-oriented programming Data Code Hardware Memory Corruption Attacks Software code injection return-oriented
More informationPractical Keystroke Timing Attacks in Sandboxed JavaScript
Practical Keystroke Timing Attacks in Sandboxed JavaScript M. Lipp, D. Gruss, M. Schwarz, D. Bidner, C. Maurice, S. Mangard Sep 11, 2017 ESORICS 17 Graz University of Technology Motivation Keystroke timing
More informationC5: Cross-Cores Cache Covert Channel
C5: Cross-Cores Cache Covert Channel Clémentine Maurice 1, Christoph Neumann 1, Olivier Heen 1, and Aurélien Francillon 2 1 Technicolor, Rennes, France, 2 Eurecom, Sophia-Antipolis, France {clementine.maurice,christoph.neumann,olivier.heen}@technicolor.com
More informationWhen Good Turns Evil: Using Intel SGX to Stealthily Steal Bitcoins
When Good Turns Evil: Using Intel SGX to Stealthily Steal Bitcoins Michael Schwarz, Moritz Lipp michael.schwarz@iaik.tugraz.at, moritz.lipp@iaik.tugraz.at Abstract In our talk, we show that despite all
More informationMalware Guard Extension: Using SGX to Conceal Cache Attacks
Malware Guard Extension: Using SGX to Conceal Cache Attacks Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice, and Stefan Mangard Graz University of Technology, Austria Abstract. In modern
More informationNonblocking Memory Refresh. Kate Nguyen, Kehan Lyu, Xianze Meng, Vilas Sridharan, Xun Jian
Nonblocking Memory Refresh Kate Nguyen, Kehan Lyu, Xianze Meng, Vilas Sridharan, Xun Jian Latency (ns) History of DRAM 2 Refresh Latency Bus Cycle Time Min. Read Latency 512 550 16 13.5 0.5 0.75 1968 DRAM
More informationSecure Hierarchy-Aware Cache Replacement Policy (SHARP): Defending Against Cache-Based Side Channel Attacks
: Defending Against Cache-Based Side Channel Attacks Mengjia Yan, Bhargava Gopireddy, Thomas Shull, Josep Torrellas University of Illinois at Urbana-Champaign http://iacoma.cs.uiuc.edu Presented by Mengjia
More informationLocking Down the Processor via the Rowhammer Attack
SGX-BOMB: Locking Down the Processor via the Rowhammer Attack Yeongjin Jang*, Jaehyuk Lee, Sangho Lee, and Taesoo Kim Oregon State University* KAIST Georgia Institute of Technology TL;DR SGX locks up the
More informationCache Side Channel Attacks on Intel SGX
Cache Side Channel Attacks on Intel SGX Princeton University Technical Report CE-L2017-001 January 2017 Zecheng He Ruby B. Lee {zechengh, rblee}@princeton.edu Department of Electrical Engineering Princeton
More informationMalware Guard Extension: Using SGX to Conceal Cache Attacks (Extended Version)
Malware Guard Extension: Using SGX to Conceal Cache Attacks (Exted Version) Michael Schwarz Graz University of Technology Email: michael.schwarz@iaik.tugraz.at Samuel Weiser Graz University of Technology
More informationLeaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX W. Wang, G. Chen, X, Pan, Y. Zhang, XF. Wang, V. Bindschaedler, H. Tang, C. Gunter. September 19, 2017 Motivation Intel
More informationRevAnC: A Framework for Reverse Engineering Hardware Page Table Caches
RevAnC: A Framework for Reverse Engineering Hardware Page Table Caches Stephan van Schaik stephan@synkhronix.com Kaveh Razavi kaveh@cs.vu.nl Ben Gras beng@cs.vu.nl ABSTRACT Herbert Bos herbertb@cs.vu.nl
More informationCache Attacks and Rowhammer on ARM
Moritz Lipp, BSc Cache Attacks and Rowhammer on ARM MASTER S THESIS to achieve the university degree of Diplom-Ingenieur Master s degree programme: Computer Science submitted to Graz University of Technology
More informationMicro-architectural Attacks. Chester Rebeiro IIT Madras
Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Cryptography Passwords Information Flow Policies Privileged Rings ASLR Virtual Machines and confinement Javascript and HTML5 (due to restricted
More informationPRIME+ABORT: A Timer-Free High-Precision L3 Cache Attack using Intel TSX
PRIME+ABORT: A Timer-Free High-Precision L3 Cache Attack using Intel TSX Craig Disselkoen, David Kohlbrenner, Leo Porter, and Dean Tullsen University of California, San Diego {cdisselk, dkohlbre}@cs.ucsd.edu,
More informationSpectre and Meltdown: Data leaks during speculative execution
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval
More informationHY225 Lecture 12: DRAM and Virtual Memory
HY225 Lecture 12: DRAM and irtual Memory Dimitrios S. Nikolopoulos University of Crete and FORTH-ICS May 16, 2011 Dimitrios S. Nikolopoulos Lecture 12: DRAM and irtual Memory 1 / 36 DRAM Fundamentals Random-access
More informationRapid Detection of RowHammer Attacks using Dynamic Skewed Hash Tree
Rapid Detection of RowHammer Attacks using Dynamic Skewed Hash Tree SARU VIG SIEW-KEI LAM N A N YA N G T E C H N O LO G I C A L U N I V E R S I T Y, S I N G A P O R E SARANI BHAT TACHARYA DEBDEEP MUKHOPADHYA
More informationComputer Architecture Lecture 21: Main Memory. Prof. Onur Mutlu Carnegie Mellon University Spring 2015, 3/23/2015
18-447 Computer Architecture Lecture 21: Main Memory Prof. Onur Mutlu Carnegie Mellon University Spring 2015, 3/23/2015 Assignment Reminders Lab 6: Due April 3 C-level simulation of caches and branch prediction
More informationJavaScript Zero. Real JavaScript and Zero Side-Channel Attacks. Michael Schwarz, Moritz Lipp, Daniel Gruss
JavaScript Zero Real JavaScript and Zero Side-Channel Attacks Michael Schwarz, Moritz Lipp, Daniel Gruss 20.02.2018 www.iaik.tugraz.at 1 Michael Schwarz, Moritz Lipp, Daniel Gruss www.iaik.tugraz.at Outline
More informationANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks
ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks Zelalem Birhanu Aweke, Salessawi Ferede Yitbarek, Rui Qiao, Reetuparna Das, Matthew Hicks, Yossi Oren, and Todd Austin University
More informationVirtual Memory. Patterson & Hennessey Chapter 5 ELEC 5200/6200 1
Virtual Memory Patterson & Hennessey Chapter 5 ELEC 5200/6200 1 Virtual Memory Use main memory as a cache for secondary (disk) storage Managed jointly by CPU hardware and the operating system (OS) Programs
More information15-740/ Computer Architecture Lecture 19: Main Memory. Prof. Onur Mutlu Carnegie Mellon University
15-740/18-740 Computer Architecture Lecture 19: Main Memory Prof. Onur Mutlu Carnegie Mellon University Last Time Multi-core issues in caching OS-based cache partitioning (using page coloring) Handling
More informationThe Last Mile An Empirical Study of Timing Channels on sel4
The Last Mile An Empirical Study of Timing on David Cock Qian Ge Toby Murray Gernot Heiser 4 November 2014 NICTA Funding and Supporting Members and Partners Outline The Last Mile Copyright NICTA 2014 David
More informationComputer Systems Architecture I. CSE 560M Lecture 18 Guest Lecturer: Shakir James
Computer Systems Architecture I CSE 560M Lecture 18 Guest Lecturer: Shakir James Plan for Today Announcements No class meeting on Monday, meet in project groups Project demos < 2 weeks, Nov 23 rd Questions
More informationVirtual Memory III. CSE 351 Autumn Instructor: Justin Hsia
Virtual Memory III CSE 351 Autumn 2016 Instructor: Justin Hsia Teaching Assistants: Chris Ma Hunter Zahn John Kaltenbach Kevin Bi Sachin Mehta Suraj Bhat Thomas Neuman Waylon Huang Xi Liu Yufang Sun https://xkcd.com/720/
More informationand data combined) is equal to 7% of the number of instructions. Miss Rate with Second- Level Cache, Direct- Mapped Speed
5.3 By convention, a cache is named according to the amount of data it contains (i.e., a 4 KiB cache can hold 4 KiB of data); however, caches also require SRAM to store metadata such as tags and valid
More informationHexPADS: a platform to detect stealth attacks
HexPADS: a platform to detect stealth attacks Mathias Payer Purdue University Abstract. Current systems are under constant attack from many different sources. Both local and remote attackers try to escalate
More informationVirtual Memory III. CSE 351 Autumn Instructor: Justin Hsia
Virtual Memory III CSE 351 Autumn 218 Instructor: Justin Hsia Teaching Assistants: Akshat Aggarwal An Wang Andrew Hu Brian Dai Britt Henderson James Shin Kevin Bi Kory Watson Riley Germundson Sophie Tian
More informationHypervisor security. Evgeny Yakovlev, DEFCON NN, 2017
Hypervisor security Evgeny Yakovlev, DEFCON NN, 2017 whoami Low-level development in C and C++ on x86 UEFI, virtualization, security Jetico, Kaspersky Lab QEMU/KVM developer at Virtuozzo 2 Agenda Why hypervisor
More informationDedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector
2016 IEEE Symposium on Security and Privacy Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector Erik Bosman Vrije Universiteit Amsterdam erik@minemu.org Kaveh Razavi Vrije Universiteit
More informationVirtual Memory Wrap Up
Virtual Memory Wrap Up CSE 351 Autumn 2017 Instructor: Justin Hsia Teaching Assistants: Lucas Wotton Michael Zhang Parker DeWilde Ryan Wong Sam Gehman Sam Wolfson Savanna Yee Vinny Palaniappan Administrivia
More informationWait a minute! A fast, Cross-VM attack on AES
Wait a minute! A fast, Cross-VM attack on AES Gorka Irazoqui, Mehmet Sinan Inci, Thomas Eisenbarth, and Berk Sunar Worcester Polytechnic Institute, Worcester, MA, USA {girazoki,msinci,teisenbarth,sunar}@wpi.edu
More informationSoftware Solutions to Micro-architectural Side Channels. Yinqian Zhang Assistant Professor Computer Science & Engineering The Ohio State University
Software Solutions to Micro-architectural Side Channels Yinqian Zhang Assistant Professor Computer Science & Engineering The Ohio State University Introduction Research interests Computer system security
More informationAttack TrustZone with Rowhammer. Pierre Carru - eshard 2017/04
Attack TrustZone with Rowhammer Pierre Carru - eshard 2017/04 1 Presentation Summary 1. Rowhammer ~10 min 2. TrustZone ~10 min 3. Attack ~10 min 2 Context - Existing Rowhammer Attacks Implementations Intel
More informationBlock Ciphers. Secure Software Systems
1 Block Ciphers 2 Block Cipher Encryption function E C = E(k, P) Decryption function D P = D(k, C) Symmetric-key encryption Same key is used for both encryption and decryption Operates not bit-by-bit but
More informationTerra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)
Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006) Trusted Computing Hardware What can you do if you have
More informationComputer Science 146. Computer Architecture
Computer Architecture Spring 2004 Harvard University Instructor: Prof. dbrooks@eecs.harvard.edu Lecture 18: Virtual Memory Lecture Outline Review of Main Memory Virtual Memory Simple Interleaving Cycle
More informationExploiting Branch Target Injection. Jann Horn, Google Project Zero
Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction Reverse-engineering branch prediction Leaking host memory from KVM 2 Disclaimer I haven't worked in CPU design I
More informationLecture 24: Memory, VM, Multiproc
Lecture 24: Memory, VM, Multiproc Today s topics: Security wrap-up Off-chip Memory Virtual memory Multiprocessors, cache coherence 1 Spectre: Variant 1 x is controlled by attacker Thanks to bpred, x can
More informationRISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas
RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS
More informationTruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices
TruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices Ning Zhang, Kun Sun, Deborah Shands Wenjing Lou, Y. Thomas Hou Virginia Polytechnic Institute and State University, VA
More informationSide-Channel Attacks on Intel SGX: How SGX Amplifies The Power of Cache Attacks
Side-Channel Attacks on Intel SGX: How SGX Amplifies The Power of Cache Attacks by Ahmad Moghimi A Thesis Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the requirements
More informationPageVault: Securing Off-Chip Memory Using Page-Based Authen?ca?on. Blaise-Pascal Tine Sudhakar Yalamanchili
PageVault: Securing Off-Chip Memory Using Page-Based Authen?ca?on Blaise-Pascal Tine Sudhakar Yalamanchili Outline Background: Memory Security Motivation Proposed Solution Implementation Evaluation Conclusion
More informationFast and Secure Implementation of Modular Exponentiation for Mitigating Fine-Grained Cache Attacks
applied sciences Article Fast and Secure Implementation of Modular Exponentiation for Mitigating Fine-Grained Cache Attacks Youngjoo Shin School of Computer and Information Engineering, Kwangwoon University,
More informationSpectre Returns! Speculation Attacks Using Return Stack Buffer
Spectre Returns! Speculation Attacks Using Return Stack Buffer Esmaeil Mohammadian, Khaled N. Khasawneh, Chengyue Song and Nael Abu-Ghazaleh University of California, Riverside WOOT 2018 BALTIMORE, USA
More informationMeltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory
Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory locations Breaks all security assumptions given
More informationS$A: A Shared Cache Attack that Works Across Cores and Defies VM Sandboxing and its Application to AES
2015 IEEE Symposium on Security and Privacy S$A: A Shared Cache Attack that Works Across Cores and Defies VM Sandboxing and its Application to AES Gorka Irazoqui Worcester Polytechnic Institute Worcester,USA
More informationNIGHTs-WATCH. A Cache-Based Side-Channel Intrusion Detector using Hardware Performance Counters
NIGHTs-WATCH A Cache-Based Side-Channel Intrusion Detector using Hardware Performance Counters Maria Mushtaq, Ayaz Akram, Khurram Bhatti, Maham Chaudhry, Vianney Lapotre, Guy Gogniat Contact: khurram.bhatti@itu.edu.pk
More informationComputer Architecture
Computer Architecture Lecture 1: Introduction and Basics Dr. Ahmed Sallam Suez Canal University Spring 2016 Based on original slides by Prof. Onur Mutlu I Hope You Are Here for This Programming How does
More informationarxiv: v1 [cs.cr] 3 Jan 2018
Meltdown arxiv:1801.01207v1 [cs.cr] 3 Jan 2018 Abstract Moritz Lipp 1, Michael Schwarz 1, Daniel Gruss 1, Thomas Prescher 2, Werner Haas 2, Stefan Mangard 1, Paul Kocher 3, Daniel Genkin 4, Yuval Yarom
More informationSystems Programming and Computer Architecture ( ) Timothy Roscoe
Systems Group Department of Computer Science ETH Zürich Systems Programming and Computer Architecture (252-0061-00) Timothy Roscoe Herbstsemester 2016 AS 2016 Caches 1 16: Caches Computer Architecture
More informationA Faster and More Realistic Flush+Reload Attack on AES
A Faster and More Realistic Flush+Reload Attack on AES Berk Gülmezoğlu, Mehmet Sinan İnci, Gorka Irazoqui, Thomas Eisenbarth, Berk Sunar Worcester Polytechnic Institute, Worcester, MA, USA {bgulmezoglu,msinci,girazoki,teisenbarth,sunar}@wpi.edu
More informationCSE502: Computer Architecture CSE 502: Computer Architecture
CSE 502: Computer Architecture Memory / DRAM SRAM = Static RAM SRAM vs. DRAM As long as power is present, data is retained DRAM = Dynamic RAM If you don t do anything, you lose the data SRAM: 6T per bit
More informationCS 333 Introduction to Operating Systems. Class 11 Virtual Memory (1) Jonathan Walpole Computer Science Portland State University
CS 333 Introduction to Operating Systems Class 11 Virtual Memory (1) Jonathan Walpole Computer Science Portland State University Virtual addresses Virtual memory addresses (what the process uses) Page
More informationCovert Timing Channels Exploiting Non-Uniform Memory Access based Architectures
Covert Timing Channels Exploiting Non-Uniform Memory Access based Architectures Fan Yao, Guru Venkataramani and Miloš Doroslovački Department of Electrical and Computer Engineering The George Washington
More informationSystem-centric Solutions to
System-centric Solutions to Micro-architectural and System-level Side Channels Yinqian Zhang, Ph.D. The Ohio State University Micro-architectural and System-level Side Channels Micro-architectural side
More informationThe Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications
The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications Yossef Oren Vasileios P. Kemerlis Simha Sethumadhavan Angelos D. Keromytis Columbia University Department of Computer
More informationCache Attacks Enable Bulk Key Recovery on the Cloud (Extended Version)
Cache Attacks Enable Bulk Key Recovery on the Cloud (Extended Version) Mehmet Sinan İnci, Berk Gulmezoglu, Gorka Irazoqui, Thomas Eisenbarth, Berk Sunar Worcester Polytechnic Institute, Worcester, MA,
More information3 things that Rowhammer taught me. and their implications for future security research
3 things that Rowhammer taught me and their implications for future security research Who am I? Reverse engineer since 1997, vuln development since 1999 Started reverse-engineering company zynamics in
More informationThe Story of Meltdown and Spectre. Jann Horn & Daniel Gruss May 17, 2018
The Story of Meltdown and Spectre Jann Horn & Daniel Gruss May 17, 2018 1 Who are we Jann Horn Google Project Zero jannh@google.com 2 Who are we Daniel Gruss Post-Doc @ Graz University Of Technology @lavados
More informationBreaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology
Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A statistical
More informationAutomated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features
Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features Michael Schwarz 1, Daniel Gruss 1, Moritz Lipp 1, Clémentine Maurice 2, Thomas Schuster 1, Anders Fogh
More informationChapter 5 (Part II) Large and Fast: Exploiting Memory Hierarchy. Baback Izadi Division of Engineering Programs
Chapter 5 (Part II) Baback Izadi Division of Engineering Programs bai@engr.newpaltz.edu Virtual Machines Host computer emulates guest operating system and machine resources Improved isolation of multiple
More informationCS356: Discussion #9 Memory Hierarchy and Caches. Marco Paolieri Illustrations from CS:APP3e textbook
CS356: Discussion #9 Memory Hierarchy and Caches Marco Paolieri (paolieri@usc.edu) Illustrations from CS:APP3e textbook The Memory Hierarchy So far... We modeled the memory system as an abstract array
More informationProtection. Disclaimer: some slides are adopted from book authors slides with permission 1
Protection Disclaimer: some slides are adopted from book authors slides with permission 1 Today Protection Security 2 Examples of OS Protection Memory protection Between user processes Between user and
More informationCross Processor Cache Attacks
Cross Processor Cache Attacks Gorka Irazoqui Worcester Polytechnic Institute girazoki@wpi.edu Thomas Eisenbarth Worcester Polytechnic Institute teisenbarth@wpi.edu Berk Sunar Worcester Polytechnic Institute
More informationChapter 5 B. Large and Fast: Exploiting Memory Hierarchy
Chapter 5 B Large and Fast: Exploiting Memory Hierarchy Dependability 5.5 Dependable Memory Hierarchy Chapter 6 Storage and Other I/O Topics 2 Dependability Service accomplishment Service delivered as
More informationCSE502: Computer Architecture CSE 502: Computer Architecture
CSE 502: Computer Architecture Memory Hierarchy & Caches Motivation 10000 Performance 1000 100 10 Processor Memory 1 1985 1990 1995 2000 2005 2010 Want memory to appear: As fast as CPU As large as required
More informationConstant-Time Callees with Variable-Time Callers. Cesar Pereida Garcı a Billy Bob Brumley Tampere University of Technology Finland
Constant-Time Callees with Variable-Time Callers Cesar Pereida Garcı a Billy Bob Brumley Tampere University of Technology Finland Outline Enabling Cache-Timing Attacks Motivation Brief History of Cache-Timing
More informationMultilevel Memories. Joel Emer Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology
1 Multilevel Memories Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology Based on the material prepared by Krste Asanovic and Arvind CPU-Memory Bottleneck 6.823
More informationVirtual Memory. Lecture for CPSC 5155 Edward Bosworth, Ph.D. Computer Science Department Columbus State University
Virtual Memory Lecture for CPSC 5155 Edward Bosworth, Ph.D. Computer Science Department Columbus State University Precise Definition of Virtual Memory Virtual memory is a mechanism for translating logical
More informationSGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 3b SGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees Slide deck extracted from Kamran s tutorial on SGX and Chenglu s security analysis
More informationCOMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy
COMPUTER ARCHITECTURE Virtualization and Memory Hierarchy 2 Contents Virtual memory. Policies and strategies. Page tables. Virtual machines. Requirements of virtual machines and ISA support. Virtual machines:
More informationCS 152 Computer Architecture and Engineering. Lecture 7 - Memory Hierarchy-II
CS 152 Computer Architecture and Engineering Lecture 7 - Memory Hierarchy-II Krste Asanovic Electrical Engineering and Computer Sciences University of California at Berkeley http://www.eecs.berkeley.edu/~krste
More informationVirtual Memory: From Address Translation to Demand Paging
Constructive Computer Architecture Virtual Memory: From Address Translation to Demand Paging Arvind Computer Science & Artificial Intelligence Lab. Massachusetts Institute of Technology November 12, 2014
More informationMemory Hierarchies. Instructor: Dmitri A. Gusev. Fall Lecture 10, October 8, CS 502: Computers and Communications Technology
Memory Hierarchies Instructor: Dmitri A. Gusev Fall 2007 CS 502: Computers and Communications Technology Lecture 10, October 8, 2007 Memories SRAM: value is stored on a pair of inverting gates very fast
More informationCSE502: Computer Architecture CSE 502: Computer Architecture
CSE 502: Computer Architecture Memory / DRAM SRAM = Static RAM SRAM vs. DRAM As long as power is present, data is retained DRAM = Dynamic RAM If you don t do anything, you lose the data SRAM: 6T per bit
More informationChapter Seven. Memories: Review. Exploiting Memory Hierarchy CACHE MEMORY AND VIRTUAL MEMORY
Chapter Seven CACHE MEMORY AND VIRTUAL MEMORY 1 Memories: Review SRAM: value is stored on a pair of inverting gates very fast but takes up more space than DRAM (4 to 6 transistors) DRAM: value is stored
More informationVirtual Memory: From Address Translation to Demand Paging
Constructive Computer Architecture Virtual Memory: From Address Translation to Demand Paging Arvind Computer Science & Artificial Intelligence Lab. Massachusetts Institute of Technology November 9, 2015
More informationRow Buffer Locality Aware Caching Policies for Hybrid Memories. HanBin Yoon Justin Meza Rachata Ausavarungnirun Rachael Harding Onur Mutlu
Row Buffer Locality Aware Caching Policies for Hybrid Memories HanBin Yoon Justin Meza Rachata Ausavarungnirun Rachael Harding Onur Mutlu Executive Summary Different memory technologies have different
More information