Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
|
|
- Cassandra Francis
- 5 years ago
- Views:
Transcription
1 Leak Cauldron on the Dark Land: Understanding Memor Side-Channel Hazards in SGX 1,4 Wenhao Wang, 2 Guoxing Chen, 1 Xiaorui Pan, 2 Yinqian Zhang, 1 XiaoFeng Wang, 3 Vincent Bindschaedler, 1 Haixu Tang and 3 Carl A. Gunter 1 Indiana Universit Bloomington 2 The Ohio State Universit 3 Universit of Illinois Urbana-Champaign 4 Institute of Information Engineering
2 Intel Software Guard Extensions Processor Reserved Memor (PRM) ELRANGE SSN, Financial/ Health Data PRM Enclave Page Cache (EPC) Application address space Phsical memor
3 Intel Software Guard Extensions Processor Reserved Memor (PRM) ELRANGE SSN, Financial/ Health Data PRM Enclave Page Cache (EPC) Application address space Phsical memor
4 Intel Software Guard Extensions Processor Reserved Memor (PRM) ELRANGE SSN, Financial/ Health Data PRM Enclave Page Cache (EPC) Application address space Phsical memor
5 Intel Software Guard Extensions Processor Reserved Memor (PRM) ELRANGE SSN, Financial/ Health Data PRM Enclave Page Cache (EPC) Application address space Phsical memor
6 Intel Software Guard Extensions Processor Reserved Memor (PRM) ELRANGE SSN, Financial/ Health Data Memor management PRM Enclave Page Cache (EPC) Application address space Phsical memor
7 Intel Software Guard Extensions Processor Reserved Memor (PRM) ELRANGE SSN, Financial/ Health Data page tables Memor management PRM Enclave Page Cache (EPC) Controlled-channel attacks: OS controls page tables and set traps b making pages inaccessible! Application address space Phsical memor
8 Defenses against page-fault attacks T-SGX Images taken from the authors slides
9 Defenses against page-fault attacks DEJA VU Timed Execution Trustworth Reference Clock CFG 1 t 1 2 t 2 3 t 3 User Space Kernel Privileged Code Images taken from the authors slides
10 Defenses against page-fault attacks Deterministic multiplexing Enclave s Staging Page Images taken from the authors slides
11 Defenses against page-fault attacks T-SGX DEJA VU Deterministic multiplexing CFG Timed Execution 1 Trustworth Reference Clock t 1 User Space 2 3 t 2 t 3 Enclave s Staging Page Kernel Privileged Code Images taken from the authors slides
12 Our contributions A comprehensive understanding of SGX memor side channels. 8 attack vectors.
13 Our contributions A comprehensive understanding of SGX memor side channels. 8 attack vectors. Reducing AEXs induced b page level attacks. A new tpe of attacks.
14 Our contributions A comprehensive understanding of SGX memor side channels. 8 attack vectors. Reducing AEXs induced b page level attacks. A new tpe of attacks. Achieving finer-grained (than 4 KB) spatial granularit. Cache-DRAM attack.
15 1. Understanding Attack Surfaces mov (%rax), %rbx %rax %rbx 7FFFF0014E F0014E20 Address translation unit 00882E2 TLB hit? n 4-level page table walk Cache fill from phsical memor 00882E2480 hit caches? n Page fault allocate EPC page n EPC page? page table entries (PTE) hit page structure caches? n hit caches? n access phsical memor
16 1. Understanding Attack Surfaces mov (%rax), %rbx %rax %rbx 7FFFF0014E F0014E20 Address translation unit 00882E2 TLB hit? n 4-level page table walk Cache fill from phsical memor 00882E2480 hit caches? n Page fault allocate EPC page n EPC page? page table entries (PTE) hit page structure caches? n hit caches? n access phsical memor
17 Summar of Attack vectors V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.
18 Summar of Attack vectors V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.
19 Summar of Attack vectors V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.
20 Summar of Attack vectors V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.
21 Summar of Attack vectors V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.
22 Summar of Attack vectors V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.
23 Can we make the attack stealth b reducing AEXs induced b the attack?
24 2. Sneak Page Monitoring Attacks (Vector 4) V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.
25 2. Sneak Page Monitoring Attacks (Vector 4) V4. Updates of accessed flags. enclave pages OS page tables SGX hardware
26 2. Sneak Page Monitoring Attacks (Vector 4) V4. Updates of accessed flags. OS enclave pages page tables SGX hardware Whenever the processor uses a paging-structure entr as part of linearaddress translation, it sets the accessed flag in that entr (if it is not alread set).
27 2. Sneak Page Monitoring Attacks (Vector 4) Basic accessed flags monitoring attack: B-SPM OS enclave pages page tables SGX hardware wait A = 1? n Page Accessed. A = 0.
28 2. Sneak Page Monitoring Attacks (Vector 4) Basic accessed flags monitoring attack: B-SPM OS enclave pages page tables SGX hardware IPIs wait A = 1? n Page Accessed. A = 0.
29 2. Sneak Page Monitoring Attacks Basic accessed flags monitoring attack: B-SPM Evaluate on Hunspell. Slowdown is brought down from for page fault attack to 5.1 for B-SPM attack.
30 2. Sneak Page Monitoring Attacks What about if the pages that frequentl accessed are to be observed? BB0 condition = true? BB1 Path_A Path_B1 BB2 page Path_B2 BB3
31 2. Sneak Page Monitoring Attacks Timing enhancement: T-SPM α BB1 BB0 Path_A condition = true? Path_B1 BB2 Measure the time between two monitored pages page Path_B2 BB3 β
32 2. Sneak Page Monitoring Attacks Timing enhancement: T-SPM α BB0 condition = true? α 1 β 1 t 1 BB1 Path_A Path_B1 BB2 α 2 β 2 t 2 α 3 β 3 t 3 page Path_B2 BB3 α 4 β 4 t 4 β
33 2. Sneak Page Monitoring Attacks Timing enhancement: T-SPM Evaluate on FreeTpe. Slowdown is brought down from 252 for page fault attack to 0.16 for T-SPM attack.
34 2. Sneak Page Monitoring Attacks Can the side effect be further reduced?
35 2. Sneak Page Monitoring Attacks V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4/5. Updates of accessed/dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.
36 2. Sneak Page Monitoring Attacks TLB flushing with HT (Vector 1): HT-SPM memor reference TLB hit phsical address TLB miss Page table walk
37 2. Sneak Page Monitoring Attacks TLB flushing with HT (Vector 1): HT-SPM memor reference TLB hit phsical address TLB miss Page table walk
38 2. Sneak Page Monitoring Attacks TLB flushing with HT (Vector 1): HT-SPM memor reference TLB hit phsical address TLB miss Page table walk TLB priming
39 2. Sneak Page Monitoring Attacks Evaluation on EdDSA of Libgcrpt v1.7.6
40 2. Sneak Page Monitoring Attacks Evaluation on EdDSA of Libgcrpt v1.7.6 Attacks Page fault attack 71,000 B-SPM attack 33,000 T-SPM attack 1,300 Number of AEXs * HT-SPM is designed to reduce AEXs for data pages, and is not presented in the comparison.
41 2. Sneak Page Monitoring Attacks Evaluation on EdDSA of Libgcrpt v1.7.6 Attacks Page fault attack 71,000 B-SPM attack 33,000 T-SPM attack 1,300 Number of AEXs * HT-SPM is designed to reduce AEXs for data pages, and is not presented in the comparison.
42 3. Achieving fine-grained spatial granularit Cache-based attack Prime+Probe: 16 KB, if 2048 cache set, 128 MB EPC Flush+Reload: 64 B
43 3. Achieving fine-grained spatial granularit Cache-based attack Prime+Probe: 16 KB, if 2048 cache set, 128 MB EPC Flush+Reload: 64 B DRAMA attack The program needs to have a large memor footprint, otherwise the memor reference will mostl hit the cache.
44 3. Achieving fine-grained spatial granularit Cache-based attack Prime+Probe: 16 KB, if 2048 cache set, 128 MB EPC Flush+Reload: 64 B DRAMA attack The program needs to have a large memor footprint, otherwise the memor reference will mostl hit the cache. Cache-DRAM attack: finer-grained attack with less noise.
45 3. Achieving fine-grained spatial granularit Cache-DRAM attack 64 B granularit DRAM rows are onl shared among enclaves. No high resolution timer inside the enclaves. Victim enclave cache priming Cache probing Sstem software Row buffer Sping enclave Core 1 Core 2 Core n LLC Memor bus Address translation and timing support DRAM d p p
46 3. Achieving fine-grained spatial granularit Cache-DRAM attack 64 B granularit DRAM rows are onl shared among enclaves. No high resolution timer inside the enclaves. Evaluation on a conditional branch in Gap % detection, <1% false detection. DRAM Victim enclave d cache priming Cache probing Sstem software Memor bus Row buffer p Sping enclave Core 1 Core 2 Core n LLC p Address translation and timing support
47 Summar of Attack Vectors Vectors Spatial granularit AEX Slow-down * i/dcache PRIME+PROBE 2 MB High High * L2 Cache PRIME+PROBE 128 KB High High L3 Cache PRIME+PROBE 16 KB None Modest Page fault attack 4 KB High High B/T-SPM 4 KB Modest Modest HT-SPM 4 KB None Modest Cross-enclave DRAMA 1 KB None High Cache-DRAM 64 B None Minimal * Do not consider attacks under HT. Otherwise the AEX and slow-down will be low.
48 Summar of Attack Vectors Vectors Spatial granularit AEX Slow-down * i/dcache PRIME+PROBE 2 MB High High * L2 Cache PRIME+PROBE 128 KB High High L3 Cache PRIME+PROBE 16 KB None Modest Page fault attack 4 KB High High B/T-SPM 4 KB Modest Modest HT-SPM 4 KB None Modest Cross-enclave DRAMA 1 KB None High Cache-DRAM 64 B None Minimal * Do not consider attacks under HT. Otherwise the AEX and slow-down will be low.
49 Summar of Attack Vectors Vectors Spatial granularit AEX Slow-down * i/dcache PRIME+PROBE 2 MB High High * L2 Cache PRIME+PROBE 128 KB High High L3 Cache PRIME+PROBE 16 KB None Modest Page fault attack 4 KB High High B/T-SPM 4 KB Modest Modest HT-SPM 4 KB None Modest Cross-enclave DRAMA 1 KB None High Cache-DRAM 64 B None Minimal * Do not consider attacks under HT. Otherwise the AEX and slow-down will be low.
50 Conclusions We identified 8 attack vectors in SGX memor management.
51 Looking again at the attack surfaces mov (%rax), %rbx %rax %rbx 7FFFF0014E F0014E20 Address translation unit 00882E2 TLB hit? n 4-level page table walk Cache fill from phsical memor 00882E2480 hit caches? n Page fault allocate EPC page n EPC page? page table entries (PTE) hit page structure caches? n hit caches? n access phsical memor
52 Conclusions We identified 8 attack vectors in SGX memor management. There can be more.
53 Conclusions We identified 8 attack vectors in SGX memor management. There can be more. New attacks that induce few AEXs, that bpass existing defenses
54 Conclusions We identified 8 attack vectors in SGX memor management. There can be more. New attacks that induce few AEXs, that bpass existing defenses Interrupts are not necessar to attack the enclave.
55 Conclusions We identified 8 attack vectors in SGX memor management. There can be more. New attacks that induce few AEXs, that bpass existing defenses Interrupts are not necessar to attack the enclave. Attacks can achieve finer-grained spatial granularit.
56 Conclusions We identified 8 attack vectors in SGX memor management. There can be more. New attacks that induce few AEXs, that bpass existing defenses Interrupts are not necessar to attack the enclave. Attacks can achieve finer-grained spatial granularit. Attack vectors can be combined to be more effective TLB flushing + SPM, Cache + DRAM, Page monitoring + timing Others?
57 Conclusions We identified 8 attack vectors in SGX memor management. There can be more. New attacks that induce few AEXs, that bpass existing defenses Interrupts are not necessar to attack the enclave. Attacks can achieve finer-grained spatial granularit. Attack vectors can be combined to be more effective TLB flushing + SPM, Cache + DRAM, Page monitoring + timing Others? Defenses?
58 Thanks! An questions?
59 Backup Slides
60 Characterizing memor vectors Spatial granularit The smallest unit of information directl observable to the adversar. Temporal observabilit The abilit for the adversar to measure the timing signals generated during the execution of the target program. Side effects Observable anomalies caused b an attack, which could be emploed to detect the attack, such as AEX.
61 Intel Software Guard Extensions Life ccle of an enclave thread Enclave Initialization (ECREATE/EINIT) EENTER non-enclave mode ERESUME AEX enclave mode EEXIT Enclave Destro (EREMOVE)
62 Related work on Securit 17 Vector 3, 4
63 1. Understanding Attack Surfaces mov (%rax), %rbx
64 1. Understanding Attack Surfaces mov (%rax), %rbx virtual page number %rax 7FFFF0014E20480 F0014E20 %rbx 480 page offset
65 1. Understanding Attack Surfaces %rax %rbx mov (%rax), %rbx virtual page number Address F0014E20 translation unit phsical 480 page 00882E2 page offset number phsical address 00882E2480 7FFFF0014E20480 TLB hit?
66 1. Understanding Attack Surfaces %rax %rbx mov (%rax), %rbx virtual page number Address F0014E20 translation unit phsical 480 page 00882E2 page offset number phsical address 00882E2480 7FFFF0014E20480 TLB hit? EPC page? n 4-level page table walk hit page structure caches? n hit caches? n access phsical memor page table entries (PTE)
67 1. Understanding Attack Surfaces %rax %rbx mov (%rax), %rbx virtual page number Address F0014E20 translation unit phsical 480 page 00882E2 page offset number phsical address 00882E2480 7FFFF0014E20480 TLB hit? Page fault allocate EPC page n EPC page? n 4-level page table walk hit page structure caches? n hit caches? n access phsical memor page table entries (PTE)
68 1. Understanding Attack Surfaces %rax %rbx mov (%rax), %rbx virtual page number Address F0014E20 translation unit phsical 480 page 00882E2 page offset number phsical address 00882E2480 7FFFF0014E20480 hit caches? TLB hit? Page fault allocate EPC page n EPC page? n 4-level page table walk hit page structure caches? n hit caches? n access phsical memor page table entries (PTE)
69 1. Understanding Attack Surfaces %rax %rbx mov (%rax), %rbx virtual page number Address F0014E20 translation unit phsical 480 page 00882E2 page offset number phsical address 00882E2480 7FFFF0014E20480 Cache fill from phsical memor hit caches? n TLB hit? Page fault allocate EPC page n EPC page? page table entries (PTE) n 4-level page table walk hit page structure caches? n hit caches? n access phsical memor
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX W. Wang, G. Chen, X, Pan, Y. Zhang, XF. Wang, V. Bindschaedler, H. Tang, C. Gunter. September 19, 2017 Motivation Intel
More informationRacing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races. CS 563 Young Li 10/31/18
Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races CS 563 Young Li 10/31/18 Intel Software Guard extensions (SGX) and Hyper-Threading What is Intel SGX? Set of
More informationarxiv: v2 [cs.cr] 30 Aug 2017
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX Wenhao Wang 1, Guoxing Chen 3, Xiaorui Pan 2, Yinqian Zhang 3, XiaoFeng Wang 2, Vincent Bindschaedler 4, Haixu Tang 2,
More informationThe Security Challenges & Issues From SGX Practice
The Security Challenges & Issues From SGX Practice Xiaoning Li Chief Security Architect Alibaba Cloud 为了无法计算的价值 Agenda Secure Computing Introduction Intel SGX Applications and Challenges Secure Computing
More informationSoftware Solutions to Micro-architectural Side Channels. Yinqian Zhang Assistant Professor Computer Science & Engineering The Ohio State University
Software Solutions to Micro-architectural Side Channels Yinqian Zhang Assistant Professor Computer Science & Engineering The Ohio State University Introduction Research interests Computer system security
More informationRacing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races
Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races Guoxing Chen, Wenhao Wang, Tianyu Chen, Sanchuan Chen, Yinqian Zhang, XiaoFeng Wang, Ten-Hwang Lai, Dongdai
More informationHardware Enclave Attacks CS261
Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Service (IAS) Process Enclave Untrusted Trusted Enclave Code Enclave Data Process Process Other Enclave OS and/or Hypervisor
More informationSGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 3b SGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees Slide deck extracted from Kamran s tutorial on SGX and Chenglu s security analysis
More informationVarys. Protecting SGX Enclaves From Practical Side-Channel Attacks. Oleksii Oleksenko, Bohdan Trach. Mark Silberstein
Varys Protecting SGX Enclaves From Practical Side-Channel Attacks Oleksii Oleksenko, Bohdan Trach Robert Krahn, Andre Martin, Christof Fetzer Mark Silberstein Key issue of the cloud: We cannot trust it
More informationMeltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory
Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory locations Breaks all security assumptions given
More informationVirtual Memory: From Address Translation to Demand Paging
Constructive Computer Architecture Virtual Memory: From Address Translation to Demand Paging Arvind Computer Science & Artificial Intelligence Lab. Massachusetts Institute of Technology November 12, 2014
More informationLecture 21: Virtual Memory. Spring 2018 Jason Tang
Lecture 21: Virtual Memory Spring 2018 Jason Tang 1 Topics Virtual addressing Page tables Translation lookaside buffer 2 Computer Organization Computer Processor Memory Devices Control Datapath Input Output
More informationCOS 318: Operating Systems. Virtual Memory and Address Translation
COS 318: Operating Systems Virtual Memory and Address Translation Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall10/cos318/ Today s Topics
More informationHY225 Lecture 12: DRAM and Virtual Memory
HY225 Lecture 12: DRAM and irtual Memory Dimitrios S. Nikolopoulos University of Crete and FORTH-ICS May 16, 2011 Dimitrios S. Nikolopoulos Lecture 12: DRAM and irtual Memory 1 / 36 DRAM Fundamentals Random-access
More informationVirtual to physical address translation
Virtual to physical address translation Virtual memory with paging Page table per process Page table entry includes present bit frame number modify bit flags for protection and sharing. Page tables can
More informationMicro-architectural Attacks. Chester Rebeiro IIT Madras
Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Cryptography Passwords Information Flow Policies Privileged Rings ASLR Virtual Machines and confinement Javascript and HTML5 (due to restricted
More informationModern Virtual Memory Systems. Modern Virtual Memory Systems
6.823, L12--1 Modern Virtual Systems Asanovic Laboratory for Computer Science M.I.T. http://www.csg.lcs.mit.edu/6.823 6.823, L12--2 Modern Virtual Systems illusion of a large, private, uniform store Protection
More informationComputer Architecture Lecture 13: Virtual Memory II
18-447 Computer Architecture Lecture 13: Virtual Memory II Lecturer: Rachata Ausavarungnirun Carnegie Mellon University Spring 2014, 2/17/2014 (with material from Onur Mutlu, Justin Meza and Yoongu Kim)
More informationBreaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology
Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A statistical
More informationMemory: Page Table Structure. CSSE 332 Operating Systems Rose-Hulman Institute of Technology
Memory: Page Table Structure CSSE 332 Operating Systems Rose-Hulman Institute of Technology General address transla+on CPU virtual address data cache MMU Physical address Global memory Memory management
More informationVirtual Memory: From Address Translation to Demand Paging
Constructive Computer Architecture Virtual Memory: From Address Translation to Demand Paging Arvind Computer Science & Artificial Intelligence Lab. Massachusetts Institute of Technology November 9, 2015
More informationThe Virtual Memory Abstraction. Memory Management. Address spaces: Physical and Virtual. Address Translation
The Virtual Memory Abstraction Memory Management Physical Memory Unprotected address space Limited size Shared physical frames Easy to share data Virtual Memory Programs are isolated Arbitrary size All
More informationCaching and Demand-Paged Virtual Memory
Caching and Demand-Paged Virtual Memory Definitions Cache Copy of data that is faster to access than the original Hit: if cache has copy Miss: if cache does not have copy Cache block Unit of cache storage
More informationCS 333 Introduction to Operating Systems. Class 11 Virtual Memory (1) Jonathan Walpole Computer Science Portland State University
CS 333 Introduction to Operating Systems Class 11 Virtual Memory (1) Jonathan Walpole Computer Science Portland State University Virtual addresses Virtual memory addresses (what the process uses) Page
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 CPU management Roadmap Process, thread, synchronization, scheduling Memory management Virtual memory Disk
More informationLearning to Play Well With Others
Virtual Memory 1 Learning to Play Well With Others (Physical) Memory 0x10000 (64KB) 0x00000 Learning to Play Well With Others malloc(0x20000) (Physical) Memory 0x10000 (64KB) 0x00000 Learning to Play Well
More informationCIS Operating Systems Memory Management Cache and Demand Paging. Professor Qiang Zeng Spring 2018
CIS 3207 - Operating Systems Memory Management Cache and Demand Paging Professor Qiang Zeng Spring 2018 Process switch Upon process switch what is updated in order to assist address translation? Contiguous
More informationAddress Translation. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University
Address Translation Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Today s Topics How to reduce the size of page tables? How to reduce the time for
More informationCIS Operating Systems Memory Management Cache. Professor Qiang Zeng Fall 2017
CIS 5512 - Operating Systems Memory Management Cache Professor Qiang Zeng Fall 2017 Previous class What is logical address? Who use it? Describes a location in the logical memory address space Compiler
More informationVirtual Memory. Patterson & Hennessey Chapter 5 ELEC 5200/6200 1
Virtual Memory Patterson & Hennessey Chapter 5 ELEC 5200/6200 1 Virtual Memory Use main memory as a cache for secondary (disk) storage Managed jointly by CPU hardware and the operating system (OS) Programs
More informationRISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas
RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS
More informationTo accelerate our learnings, we brought in an expert in CPU side channel attacks. Anders Fogh
To accelerate our learnings, we brought in an expert in CPU side channel attacks Anders Fogh Virtualization-based isolation Microsoft Azure, Hyper-V Affected Kernel-user separation Windows Affected Process-based
More informationCPS104 Computer Organization and Programming Lecture 16: Virtual Memory. Robert Wagner
CPS104 Computer Organization and Programming Lecture 16: Virtual Memory Robert Wagner cps 104 VM.1 RW Fall 2000 Outline of Today s Lecture Virtual Memory. Paged virtual memory. Virtual to Physical translation:
More informationCIS Operating Systems Memory Management Cache. Professor Qiang Zeng Fall 2015
CIS 5512 - Operating Systems Memory Management Cache Professor Qiang Zeng Fall 2015 Previous class What is logical address? Who use it? Describes a location in the logical address space Compiler and CPU
More informationVirtual Memory. Lecture for CPSC 5155 Edward Bosworth, Ph.D. Computer Science Department Columbus State University
Virtual Memory Lecture for CPSC 5155 Edward Bosworth, Ph.D. Computer Science Department Columbus State University Precise Definition of Virtual Memory Virtual memory is a mechanism for translating logical
More informationSide-Channel Attacks on Intel SGX: How SGX Amplifies The Power of Cache Attacks
Side-Channel Attacks on Intel SGX: How SGX Amplifies The Power of Cache Attacks by Ahmad Moghimi A Thesis Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the requirements
More informationVIRTUAL MEMORY II. Jo, Heeseung
VIRTUAL MEMORY II Jo, Heeseung TODAY'S TOPICS How to reduce the size of page tables? How to reduce the time for address translation? 2 PAGE TABLES Space overhead of page tables The size of the page table
More informationMalware Guard Extension: Using SGX to Conceal Cache Attacks
Malware Guard Extension: Using SGX to Conceal Cache Attacks Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice, and Stefan Mangard Graz University of Technology, Austria Abstract. In modern
More informationChapter 5 (Part II) Large and Fast: Exploiting Memory Hierarchy. Baback Izadi Division of Engineering Programs
Chapter 5 (Part II) Baback Izadi Division of Engineering Programs bai@engr.newpaltz.edu Virtual Machines Host computer emulates guest operating system and machine resources Improved isolation of multiple
More informationSRM-Buffer: An OS Buffer Management SRM-Buffer: An OS Buffer Management Technique toprevent Last Level Cache from Thrashing in Multicores
SRM-Buffer: An OS Buffer Management SRM-Buffer: An OS Buffer Management Technique toprevent Last Level Cache from Thrashing in Multicores Xiaoning Ding The Ohio State University dingxn@cse.ohiostate.edu
More informationChapter 8. Virtual Memory
Operating System Chapter 8. Virtual Memory Lynn Choi School of Electrical Engineering Motivated by Memory Hierarchy Principles of Locality Speed vs. size vs. cost tradeoff Locality principle Spatial Locality:
More informationCS 5523 Operating Systems: Memory Management (SGG-8)
CS 5523 Operating Systems: Memory Management (SGG-8) Instructor: Dr Tongping Liu Thank Dr Dakai Zhu, Dr Palden Lama, and Dr Tim Richards (UMASS) for providing their slides Outline Simple memory management:
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 CPU management Roadmap Process, thread, synchronization, scheduling Memory management Virtual memory Disk
More informationMemory Management! How the hardware and OS give application pgms:" The illusion of a large contiguous address space" Protection against each other"
Memory Management! Goals of this Lecture! Help you learn about:" The memory hierarchy" Spatial and temporal locality of reference" Caching, at multiple levels" Virtual memory" and thereby " How the hardware
More informationBasic Memory Management
Basic Memory Management CS 256/456 Dept. of Computer Science, University of Rochester 10/15/14 CSC 2/456 1 Basic Memory Management Program must be brought into memory and placed within a process for it
More informationEmbedded Systems Dr. Santanu Chaudhury Department of Electrical Engineering Indian Institute of Technology, Delhi
Embedded Systems Dr. Santanu Chaudhury Department of Electrical Engineering Indian Institute of Technology, Delhi Lecture - 13 Virtual memory and memory management unit In the last class, we had discussed
More informationCS370 Operating Systems
CS370 Operating Systems Colorado State University Yashwant K Malaiya Fall 2017 Lecture 21 Main Memory Slides based on Text by Silberschatz, Galvin, Gagne Various sources 1 1 FAQ Why not increase page size
More informationVirtual Memory. Samira Khan Apr 27, 2017
Virtual Memory Samira Khan Apr 27, 27 Virtual Memory Idea: Give the programmer the illusion of a large address space while having a small physical memory So that the programmer does not worry about managing
More informationInferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing
Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, and Hyesoon Kim, Georgia Institute of Technology; Marcus Peinado, Microsoft
More informationCS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 24
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2018 Lecture 24 LAST TIME Extended virtual memory concept to be a cache of memory stored on disk DRAM becomes L4 cache of data stored on L5 disk Extend page
More informationMemory Management! Goals of this Lecture!
Memory Management! Goals of this Lecture! Help you learn about:" The memory hierarchy" Why it works: locality of reference" Caching, at multiple levels" Virtual memory" and thereby " How the hardware and
More informationCPS 104 Computer Organization and Programming Lecture 20: Virtual Memory
CPS 104 Computer Organization and Programming Lecture 20: Virtual Nov. 10, 1999 Dietolf (Dee) Ramm http://www.cs.duke.edu/~dr/cps104.html CPS 104 Lecture 20.1 Outline of Today s Lecture O Virtual. 6 Paged
More informationCS399 New Beginnings. Jonathan Walpole
CS399 New Beginnings Jonathan Walpole Virtual Memory (1) Page Tables When and why do we access a page table? - On every instruction to translate virtual to physical addresses? Page Tables When and why
More informationARMageddon: Cache Attacks on Mobile Devices
ARMageddon: Cache Attacks on Mobile Devices Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, Stefan Mangard Graz University of Technology 1 TLDR powerful cache attacks (like Flush+Reload)
More informationVirtual Memory. CSCI 315 Operating Systems Design Department of Computer Science
Virtual Memory CSCI 315 Operating Systems Design Department of Computer Science Notice: The slides for this lecture have been largely based on those from an earlier edition of the course text Operating
More informationChapter 5 B. Large and Fast: Exploiting Memory Hierarchy
Chapter 5 B Large and Fast: Exploiting Memory Hierarchy Dependability 5.5 Dependable Memory Hierarchy Chapter 6 Storage and Other I/O Topics 2 Dependability Service accomplishment Service delivered as
More informationTelling Your Secrets Without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution
Telling Your Secrets Without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution Jo Van Bulck, imec-distrinet, KU Leuven; Nico Weichbrodt and Rüdiger Kapitza, IBR DS, TU Braunschweig;
More informationChapter 6: Demand Paging
ADRIAN PERRIG & TORSTEN HOEFLER ( 5-006-00 ) Networks and Operating Systems Chapter 6: Demand Paging Source: http://redmine.replicant.us/projects/replicant/wiki/samsunggalaxybackdoor If you miss a key
More informationIntel Software Guard Extensions (Intel SGX) SGX2
Intel Software Guard Extensions (Intel SGX) SGX2 Frank McKeen, Ilya Alexandrovich, Ittai Anati, Dror Caspi, Simon Johnson, Rebekah Leslie- Hurd, Carlos Rozas, Mark Shanahan, Bin (Cedric) Xing June 18,
More informationLecture 14: Cache & Virtual Memory
CS 422/522 Design & Implementation of Operating Systems Lecture 14: Cache & Virtual Memory Zhong Shao Dept. of Computer Science Yale University Acknowledgement: some slides are taken from previous versions
More informationReview: Hardware user/kernel boundary
Review: Hardware user/kernel boundary applic. applic. applic. user lib lib lib kernel syscall pg fault syscall FS VM sockets disk disk NIC context switch TCP retransmits,... device interrupts Processor
More informationIntroduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week 02 Lecture 06 Virtual Memory Hello. In this video, we
More informationIntel SGX Virtualization
Sean Christopherson Intel Intel SGX Virtualization KVM Forum 2018 Traditional VM Landscape App s secrets accessible by any privileged entity, e.g. VMM and OS App App App or a malicious app that has exploited
More informationMemory Management. Goals of this Lecture. Motivation for Memory Hierarchy
Memory Management Goals of this Lecture Help you learn about: The memory hierarchy Spatial and temporal locality of reference Caching, at multiple levels Virtual memory and thereby How the hardware and
More informationCS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 23
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 208 Lecture 23 LAST TIME: VIRTUAL MEMORY Began to focus on how to virtualize memory Instead of directly addressing physical memory, introduce a level of indirection
More informationChapter 8 Memory Management
Chapter 8 Memory Management Da-Wei Chang CSIE.NCKU Source: Abraham Silberschatz, Peter B. Galvin, and Greg Gagne, "Operating System Concepts", 9th Edition, Wiley. 1 Outline Background Swapping Contiguous
More informationBasic Memory Management. Basic Memory Management. Address Binding. Running a user program. Operating Systems 10/14/2018 CSC 256/456 1
Basic Memory Management Program must be brought into memory and placed within a process for it to be run Basic Memory Management CS 256/456 Dept. of Computer Science, University of Rochester Mono-programming
More informationCIS Operating Systems Memory Management Address Translation for Paging. Professor Qiang Zeng Spring 2018
CIS 3207 - Operating Systems Memory Management Address Translation for Paging Professor Qiang Zeng Spring 2018 Previous class What is logical address? Who use it? Describes a location in the logical memory
More informationSecure Hierarchy-Aware Cache Replacement Policy (SHARP): Defending Against Cache-Based Side Channel Attacks
: Defending Against Cache-Based Side Channel Attacks Mengjia Yan, Bhargava Gopireddy, Thomas Shull, Josep Torrellas University of Illinois at Urbana-Champaign http://iacoma.cs.uiuc.edu Presented by Mengjia
More informationMain Memory (Part II)
Main Memory (Part II) Amir H. Payberah amir@sics.se Amirkabir University of Technology (Tehran Polytechnic) Amir H. Payberah (Tehran Polytechnic) Main Memory 1393/8/17 1 / 50 Reminder Amir H. Payberah
More information18-447: Computer Architecture Lecture 18: Virtual Memory III. Yoongu Kim Carnegie Mellon University Spring 2013, 3/1
18-447: Computer Architecture Lecture 18: Virtual Memory III Yoongu Kim Carnegie Mellon University Spring 2013, 3/1 Upcoming Schedule Today: Lab 3 Due Today: Lecture/Recitation Monday (3/4): Lecture Q&A
More informationChapter 8: Virtual Memory. Operating System Concepts
Chapter 8: Virtual Memory Silberschatz, Galvin and Gagne 2009 Chapter 8: Virtual Memory Background Demand Paging Copy-on-Write Page Replacement Allocation of Frames Thrashing Memory-Mapped Files Allocating
More informationCS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2015 Lecture 23
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 205 Lecture 23 LAST TIME: VIRTUAL MEMORY! Began to focus on how to virtualize memory! Instead of directly addressing physical memory, introduce a level of
More informationa process may be swapped in and out of main memory such that it occupies different regions
Virtual Memory Characteristics of Paging and Segmentation A process may be broken up into pieces (pages or segments) that do not need to be located contiguously in main memory Memory references are dynamically
More informationChapter 9: Virtual-Memory
Chapter 9: Virtual-Memory Management Chapter 9: Virtual-Memory Management Background Demand Paging Page Replacement Allocation of Frames Thrashing Other Considerations Silberschatz, Galvin and Gagne 2013
More informationStructure of Computer Systems
222 Structure of Computer Systems Figure 4.64 shows how a page directory can be used to map linear addresses to 4-MB pages. The entries in the page directory point to page tables, and the entries in a
More informationChapter 6 Memory 11/3/2015. Chapter 6 Objectives. 6.2 Types of Memory. 6.1 Introduction
Chapter 6 Objectives Chapter 6 Memory Master the concepts of hierarchical memory organization. Understand how each level of memory contributes to system performance, and how the performance is measured.
More informationMemory management, part 2: outline. Operating Systems, 2017, Danny Hendler and Amnon Meisels
Memory management, part 2: outline 1 Page Replacement Algorithms Page fault forces choice o which page must be removed to make room for incoming page? Modified page must first be saved o unmodified just
More informationVirtual Memory 2. To do. q Handling bigger address spaces q Speeding translation
Virtual Memory 2 To do q Handling bigger address spaces q Speeding translation Considerations with page tables Two key issues with page tables Mapping must be fast Done on every memory reference, at least
More informationWhen Good Turns Evil: Using Intel SGX to Stealthily Steal Bitcoins
When Good Turns Evil: Using Intel SGX to Stealthily Steal Bitcoins Michael Schwarz, Moritz Lipp michael.schwarz@iaik.tugraz.at, moritz.lipp@iaik.tugraz.at Abstract In our talk, we show that despite all
More informationLearning to Play Well With Others
Virtual Memory 1 Learning to Play Well With Others (Physical) Memory 0x10000 (64KB) Stack Heap 0x00000 Learning to Play Well With Others malloc(0x20000) (Physical) Memory 0x10000 (64KB) Stack Heap 0x00000
More informationCS/CoE 1541 Exam 2 (Spring 2019).
CS/CoE 1541 Exam 2 (Spring 2019) Name: Question 1 (5+5+5=15 points): Show the content of each of the caches shown below after the two memory references 35, 44 Use the notation [tag, M(address),] to describe
More informationCS370 Operating Systems
CS370 Operating Systems Colorado State University Yashwant K Malaiya Fall 2017 Lecture 23 Virtual memory Slides based on Text by Silberschatz, Galvin, Gagne Various sources 1 1 FAQ Is a page replaces when
More informationFrom bottom to top: Exploiting hardware side channels in web browsers
From bottom to top: Exploiting hardware side channels in web browsers Clémentine Maurice, Graz University of Technology July 4, 2017 RMLL, Saint-Étienne, France Rennes Graz Clémentine Maurice PhD since
More informationSanctum: Minimal HW Extensions for Strong SW Isolation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 7a Sanctum: Minimal HW Extensions for Strong SW Isolation Marten van Dijk Syed Kamran Haider, Chenglu Jin, Phuong Ha Nguyen Department of Electrical &
More informationChapter 7: Main Memory. Operating System Concepts Essentials 8 th Edition
Chapter 7: Main Memory Operating System Concepts Essentials 8 th Edition Silberschatz, Galvin and Gagne 2011 Chapter 7: Memory Management Background Swapping Contiguous Memory Allocation Paging Structure
More informationCS 152 Computer Architecture and Engineering. Lecture 11 - Virtual Memory and Caches
CS 152 Computer Architecture and Engineering Lecture 11 - Virtual Memory and Caches Krste Asanovic Electrical Engineering and Computer Sciences University of California at Berkeley http://www.eecs.berkeley.edu/~krste
More informationADRIAN PERRIG & TORSTEN HOEFLER Networks and Operating Systems ( ) Chapter 6: Demand Paging
ADRIAN PERRIG & TORSTEN HOEFLER Networks and Operating Systems (5-006-00) Chapter 6: Demand Paging http://redmine.replicant.us/projects/replicant/wiki/samsunggalaxybackdoor (0) # Inverted page table One
More informationRandom-Access Memory (RAM) Systemprogrammering 2007 Föreläsning 4 Virtual Memory. Locality. The CPU-Memory Gap. Topics
Systemprogrammering 27 Föreläsning 4 Topics The memory hierarchy Motivations for VM Address translation Accelerating translation with TLBs Random-Access (RAM) Key features RAM is packaged as a chip. Basic
More informationCSE 120. Translation Lookaside Buffer (TLB) Implemented in Hardware. July 18, Day 5 Memory. Instructor: Neil Rhodes. Software TLB Management
CSE 120 July 18, 2006 Day 5 Memory Instructor: Neil Rhodes Translation Lookaside Buffer (TLB) Implemented in Hardware Cache to map virtual page numbers to page frame Associative memory: HW looks up in
More informationCS3600 SYSTEMS AND NETWORKS
CS3600 SYSTEMS AND NETWORKS SPRING 2013 Lecture 13: Paging Prof. Alan Mislove (amislove@ccs.neu.edu) Paging Physical address space of a process can be noncontiguous; process is allocated physical memory
More informationCS 537: Introduction to Operating Systems Fall 2015: Midterm Exam #1
CS 537: Introduction to Operating Systems Fall 2015: Midterm Exam #1 This exam is closed book, closed notes. All cell phones must be turned off. No calculators may be used. You have two hours to complete
More informationECE 7650 Scalable and Secure Internet Services and Architecture ---- A Systems Perspective. Part I: Operating system overview: Memory Management
ECE 7650 Scalable and Secure Internet Services and Architecture ---- A Systems Perspective Part I: Operating system overview: Memory Management 1 Hardware background The role of primary memory Program
More informationAddress Translation. Tore Larsen Material developed by: Kai Li, Princeton University
Address Translation Tore Larsen Material developed by: Kai Li, Princeton University Topics Virtual memory Virtualization Protection Address translation Base and bound Segmentation Paging Translation look-ahead
More informationVirtual Memory 2. Today. Handling bigger address spaces Speeding translation
Virtual Memory 2 Today Handling bigger address spaces Speeding translation Considerations with page tables Two key issues with page tables Mapping must be fast Done on every memory reference, at least
More informationChapter 8 Main Memory
COP 4610: Introduction to Operating Systems (Spring 2014) Chapter 8 Main Memory Zhi Wang Florida State University Contents Background Swapping Contiguous memory allocation Paging Segmentation OS examples
More informationMemory Hierarchy. Goal: Fast, unlimited storage at a reasonable cost per bit.
Memory Hierarchy Goal: Fast, unlimited storage at a reasonable cost per bit. Recall the von Neumann bottleneck - single, relatively slow path between the CPU and main memory. Fast: When you need something
More informationRandom-Access Memory (RAM) Systemprogrammering 2009 Föreläsning 4 Virtual Memory. Locality. The CPU-Memory Gap. Topics! The memory hierarchy
Systemprogrammering 29 Föreläsning 4 Topics! The memory hierarchy! Motivations for VM! Address translation! Accelerating translation with TLBs Random-Access (RAM) Key features! RAM is packaged as a chip.!
More informationVirtual Memory. Today. Segmentation Paging A good, if common example
Virtual Memory Today Segmentation Paging A good, if common example Virtual memory system Goals Transparency Programs should not know that memory is virtualized; the OS +HW multiplex memory among processes
More informationMemory management. Requirements. Relocation: program loading. Terms. Relocation. Protection. Sharing. Logical organization. Physical organization
Requirements Relocation Memory management ability to change process image position Protection ability to avoid unwanted memory accesses Sharing ability to share memory portions among processes Logical
More information