Who am I? Moritz Lipp PhD Graz University of
|
|
|
- Aubrey Tucker
- 5 years ago
- Views:
Transcription
1
2 Who am I? Moritz Lipp PhD Graz University of moritz.lipp@iaik.tugraz.at 1 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
3 Who am I? Michael Schwarz PhD Graz University of michael.schwarz@iaik.tugraz.at 2 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
4 Who am I? Daniel Gruss Graz University of daniel.gruss@iaik.tugraz.at 3 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
5 Team Anders Fogh Daniel Genkin Werner Haas Mike Hamburg Jann Horn Paul Kocher Stefan Mangard Thomas Prescher Yuval Yarom 4 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
6 Let s Read Kernel Memory from User Space!
7 Virtual Memory Kernel Addresses Non-canonical Addresses Virtual Address Space User Addresses 5 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
8 Building the Code Find something human readable, e.g., the Linux version # sudo grep linux_banner /proc/kallsyms ffffffff81a000e0 R linux_banner 6 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
9 Building the Code char data = *(char*) 0xffffffff81a000e0; printf("%c\n", data); 7 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
10 Building the Code Compile and run 8 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
11 Building the Code Compile and run segfault at ffffffff81a000e0 ip sp 00007ffce4a80610 error 5 in reader 8 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
12 Building the Code Compile and run segfault at ffffffff81a000e0 ip sp 00007ffce4a80610 error 5 in reader Kernel addresses are of course not accessible 8 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
13 Building the Code Compile and run segfault at ffffffff81a000e0 ip sp 00007ffce4a80610 error 5 in reader Kernel addresses are of course not accessible Any invalid access throws an exception segmentation fault 8 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
14 Building the Code Just catch the segmentation fault! 9 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
15 Building the Code Just catch the segmentation fault! We can simply install a signal handler 9 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
16 Building the Code Just catch the segmentation fault! We can simply install a signal handler And if an exception occurs, just jump back and continue 9 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
17 Building the Code Just catch the segmentation fault! We can simply install a signal handler And if an exception occurs, just jump back and continue Then we can read the value 9 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
18
19 Building the Code Still no kernel memory 10 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
20 Building the Code Still no kernel memory Privilege checks seem to work 10 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
21 Building the Code Still no kernel memory Privilege checks seem to work Maybe it is not that straight forward 10 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
22 Building the Code Still no kernel memory Privilege checks seem to work Maybe it is not that straight forward Back to the drawing board 10 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
23 Operating Systems 101
24 Memory Isolation Userspace Kernelspace Kernel is isolated from user space Applications Operating System Memory 11 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
25 Memory Isolation Userspace Kernelspace Kernel is isolated from user space This isolation is a combination of hardware and software Applications Operating System Memory 11 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
26 Memory Isolation Userspace Applications Kernelspace Operating System Memory Kernel is isolated from user space This isolation is a combination of hardware and software User applications cannot access anything from the kernel 11 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
27 Paging CPU support virtual address spaces to isolate processes 12 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
28 Paging CPU support virtual address spaces to isolate processes Physical memory is organized in page frames 12 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
29 Paging CPU support virtual address spaces to isolate processes Physical memory is organized in page frames Virtual memory pages are mapped to page frames using page tables 12 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
30 Address Translation on x86-64 CR3 PML4 PML4E 0 PML4E 1 #PML4I PML4E 511 PDPT PDPTE 0 PDPTE 1 #PDPTI PDPTE 511 Page Directory PDE 0 PDE 1 PDE #PDI PDE 511 PML4I (9 b) PDPTI (9 b) PDI (9 b) PTI (9 b) Offset (12 b) 48-bit virtual address Page Table PTE 0 PTE 1 PTE #PTI PTE KiB Page Byte 0 Byte 1 Offset Byte Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
31 Address Translation on x86-64 CR3 PML4 PML4E 0 PML4E 1 #PML4I PML4E 511 PDPT PDPTE 0 PDPTE 1 #PDPTI PDPTE 511 Page Directory PDE 0 PDE 1 PDE #PDI PDE 511 PML4I (9 b) PDPTI (9 b) PDI (9 b) PTI (9 b) Offset (12 b) 48-bit virtual address Page Table PTE 0 PTE 1 PTE #PTI PTE KiB Page Byte 0 Byte 1 Offset Byte Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
32 Page Table Entry P RW US WT UC R D S G Ignored Physical Page Number Ignored X User/Supervisor bit defines in which privilege level the page can be accessed 14 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
33 Direct-physical map 0 max Physical memory User Kernel Kernel is typically mapped into every address space 15 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
34 Direct-physical map 0 max Physical memory User Kernel Kernel is typically mapped into every address space Entire physical memory is mapped in the kernel 15 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
35 Loading an address 16 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
36 Loading an address 16 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
37 Loading an address 16 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
38 Loading an address 16 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
39 Loading an address 16 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
40 Loading an address 16 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
41 Side-channel Attacks
42 Side-channel Attacks Safe software infrastructure does not mean safe execution 17 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
43 Side-channel Attacks Safe software infrastructure does not mean safe execution Information leaks because of the underlying hardware 17 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
44 Side-channel Attacks Safe software infrastructure does not mean safe execution Information leaks because of the underlying hardware Exploit unintentional information leakage by side-effects 17 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
45 Side-channel Attacks Safe software infrastructure does not mean safe execution Information leaks because of the underlying hardware Exploit unintentional information leakage by side-effects Power consumption Execution time CPU caches 17 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
46 Caches and Cache Attacks
47 CPU Cache 18 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
48 CPU Cache 18 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
49 CPU Cache 18 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
50 CPU Cache 18 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
51 CPU Cache 18 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
52 CPU Cache 18 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
53 CPU Cache 18 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
54 CPU Cache 18 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
55 Memory Access Latency 10 4 Number of accesses Cache hit Cache miss ,000 1,100 1,200 Measured access time (CPU cycles) 19 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
56 Flush+Reload 20 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
57 Flush+Reload 20 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
58 Flush+Reload 20 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
59 Flush+Reload 20 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
60 Flush+Reload 20 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
61 Flush+Reload 20 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
62 Flush+Reload 20 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
63 Flush+Reload 20 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
64 Microarchitecture
65 Architecture and Microarchitecture Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, ) 21 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
66 Architecture and Microarchitecture Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, ) Serves as the interface between hardware and software 21 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
67 Architecture and Microarchitecture Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, ) Serves as the interface between hardware and software Microarchitecture is an actual implementation of the ISA 21 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
68 Architecture and Microarchitecture Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, ) Serves as the interface between hardware and software Microarchitecture is an actual implementation of the ISA 21 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
69 In-Order Execution IF ID EX MEM WB IF ID EX MEM WB Instructions are... fetched (IF) from the L1 Instruction Cache IF ID EX MEM WB IF ID EX MEM WB IF ID EX MEM WB 22 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
70 In-Order Execution IF ID EX MEM WB IF ID EX MEM WB IF ID EX MEM WB Instructions are... fetched (IF) from the L1 Instruction Cache decoded (ID) IF ID EX MEM WB IF ID EX MEM WB 22 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
71 In-Order Execution IF ID EX MEM WB IF ID EX MEM WB IF ID EX MEM WB IF ID EX MEM WB Instructions are... fetched (IF) from the L1 Instruction Cache decoded (ID) executed (EX) by execution units IF ID EX MEM WB 22 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
72 In-Order Execution IF ID EX MEM WB IF ID EX MEM WB IF ID EX MEM WB IF ID EX MEM WB IF ID EX MEM WB Instructions are... fetched (IF) from the L1 Instruction Cache decoded (ID) executed (EX) by execution units Memory access is performed (MEM) 22 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
73 In-Order Execution IF ID EX MEM WB IF ID EX MEM WB IF ID EX MEM WB IF ID EX MEM WB IF ID EX MEM WB Instructions are... fetched (IF) from the L1 Instruction Cache decoded (ID) executed (EX) by execution units Memory access is performed (MEM) Architectural register file is updated (WB) 22 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
74 In-Order Execution Instructions are executed in-order 23 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
75 In-Order Execution Instructions are executed in-order Pipeline stalls when stages are not ready 23 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
76 In-Order Execution Instructions are executed in-order Pipeline stalls when stages are not ready If data is not cached, we need to wait 23 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
77 Out-of-order Execution int width = 10, height = 5; float diagonal = sqrt(width * width + height * height); int area = width * height; printf("area %d x %d = %d\n", width, height, area); 24 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
78 Out-of-order Execution int width = 10, height = 5; float diagonal = sqrt(width * width + height * height); int area = width * height; printf("area %d x %d = %d\n", width, height, area); 24 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
79 Out-of-Order Execution L1 Instruction Cache ITLB Frontend Branch Predictor µop Cache µops Instruction Fetch & PreDecode Instruction Queue 4-Way Decode µop µop µop µop CDB Execution Engine MUX Allocation Queue µop µop µop µop Reorder buffer µop µop µop µop µop µop µop µop Scheduler µop µop µop µop µop µop µop µop ALU, AES,... ALU, FMA,... ALU, Vect,... ALU, Branch Load data Load data Store data AGU Execution Units Instructions are fetched and decoded in the front-end Memory Subsystem Load Buffer L1 Data Cache Store Buffer DTLB STLB L2 Cache 25 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
80 Out-of-Order Execution L1 Instruction Cache ITLB Frontend Branch Predictor µop Cache µops Instruction Fetch & PreDecode Instruction Queue 4-Way Decode µop µop µop µop CDB Execution Engine MUX Allocation Queue µop µop µop µop Reorder buffer µop µop µop µop µop µop µop µop Scheduler µop µop µop µop µop µop µop µop ALU, AES,... ALU, FMA,... ALU, Vect,... ALU, Branch Load data Load data Store data AGU Execution Units Instructions are fetched and decoded in the front-end dispatched to the backend Memory Subsystem Load Buffer L1 Data Cache Store Buffer DTLB STLB L2 Cache 25 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
81 Out-of-Order Execution L1 Instruction Cache ITLB Frontend Branch Predictor µop Cache µops Instruction Fetch & PreDecode Instruction Queue 4-Way Decode µop µop µop µop CDB Execution Engine MUX Allocation Queue µop µop µop µop Reorder buffer µop µop µop µop µop µop µop µop Scheduler µop µop µop µop µop µop µop µop ALU, AES,... ALU, FMA,... ALU, Vect,... ALU, Branch Load data Load data Store data AGU Execution Units Instructions are fetched and decoded in the front-end dispatched to the backend processed by individual execution units Memory Subsystem Load Buffer L1 Data Cache Store Buffer DTLB STLB L2 Cache 25 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
82 Out-of-Order Execution L1 Instruction Cache ITLB Frontend Branch Predictor µop Cache µops Instruction Fetch & PreDecode Instruction Queue 4-Way Decode µop µop µop µop MUX Instructions are executed out-of-order Allocation Queue µop µop µop µop CDB Reorder buffer µop µop µop µop µop µop µop µop Execution Engine Scheduler µop µop µop µop µop µop µop µop ALU, AES,... ALU, FMA,... ALU, Vect,... ALU, Branch Load data Load data Store data AGU Execution Units Memory Subsystem Load Buffer L1 Data Cache Store Buffer DTLB STLB L2 Cache 26 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
83 Out-of-Order Execution L1 Instruction Cache ITLB Frontend Branch Predictor µop Cache µops Instruction Fetch & PreDecode Instruction Queue 4-Way Decode µop µop µop µop MUX Allocation Queue µop µop µop µop Instructions are executed out-of-order wait until their dependencies are ready CDB Reorder buffer µop µop µop µop µop µop µop µop Execution Engine Scheduler µop µop µop µop µop µop µop µop ALU, AES,... ALU, FMA,... ALU, Vect,... ALU, Branch Load data Load data Store data AGU Execution Units Memory Subsystem Load Buffer L1 Data Cache Store Buffer DTLB STLB L2 Cache 26 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
84 Out-of-Order Execution L1 Instruction Cache ITLB Frontend CDB Execution Engine Branch Instruction Fetch & PreDecode Predictor Instruction Queue µop Cache 4-Way Decode µops µop µop µop µop MUX Allocation Queue µop µop µop µop Reorder buffer µop µop µop µop µop µop µop µop Scheduler µop µop µop µop µop µop µop µop ALU, AES,... ALU, FMA,... ALU, Vect,... ALU, Branch Load data Load data Store data AGU Execution Units Instructions are executed out-of-order wait until their dependencies are ready Later instructions might execute prior earlier instructions Memory Subsystem Load Buffer L1 Data Cache Store Buffer DTLB STLB L2 Cache 26 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
85 Out-of-Order Execution L1 Instruction Cache ITLB Frontend CDB Execution Engine Branch Instruction Fetch & PreDecode Predictor Instruction Queue µop Cache 4-Way Decode µops µop µop µop µop MUX Allocation Queue µop µop µop µop Reorder buffer µop µop µop µop µop µop µop µop Scheduler µop µop µop µop µop µop µop µop ALU, AES,... ALU, FMA,... ALU, Vect,... ALU, Branch Load data Load data Store data AGU Execution Units Instructions are executed out-of-order wait until their dependencies are ready Later instructions might execute prior earlier instructions retire in-order Memory Subsystem Load Buffer L1 Data Cache Store Buffer DTLB STLB L2 Cache 26 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
86 Out-of-Order Execution L1 Instruction Cache ITLB Frontend CDB Execution Engine Branch Instruction Fetch & PreDecode Predictor Instruction Queue µop Cache 4-Way Decode µops µop µop µop µop MUX Allocation Queue µop µop µop µop Reorder buffer µop µop µop µop µop µop µop µop Scheduler µop µop µop µop µop µop µop µop ALU, AES,... ALU, FMA,... ALU, Vect,... ALU, Branch Load data Load data Store data AGU Execution Units Instructions are executed out-of-order wait until their dependencies are ready Later instructions might execute prior earlier instructions retire in-order State becomes architecturally visible Memory Subsystem Load Buffer L1 Data Cache Store Buffer DTLB STLB L2 Cache 26 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
87 Out-of-Order Execution L1 Instruction Cache ITLB Frontend CDB Execution Engine Memory Subsystem ALU, AES,... Branch Predictor µop Cache Reorder buffer µop µop µop µop µop µop µop µop ALU, FMA,... ALU, Vect,... Execution Units Scheduler µop µop µop µop µop µop µop µop Load Buffer µops L1 Data Cache Store Buffer Allocation Queue µop µop µop µop ALU, Branch DTLB Instruction Fetch & PreDecode MUX Instruction Queue Load data 4-Way Decode µop µop µop µop Load data STLB Store data L2 Cache AGU Instructions are executed out-of-order wait until their dependencies are ready Later instructions might execute prior earlier instructions retire in-order State becomes architecturally visible Exceptions are checked during retirement 26 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
88 Out-of-Order Execution L1 Instruction Cache ITLB Frontend CDB Execution Engine Memory Subsystem ALU, AES,... Branch Predictor µop Cache Reorder buffer µop µop µop µop µop µop µop µop ALU, FMA,... ALU, Vect,... Execution Units Scheduler µop µop µop µop µop µop µop µop Load Buffer µops L1 Data Cache Store Buffer Allocation Queue µop µop µop µop ALU, Branch DTLB Instruction Fetch & PreDecode MUX Instruction Queue Load data 4-Way Decode µop µop µop µop Load data STLB Store data L2 Cache AGU Instructions are executed out-of-order wait until their dependencies are ready Later instructions might execute prior earlier instructions retire in-order State becomes architecturally visible Exceptions are checked during retirement Flush pipeline and recover state 26 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
89 The state does not become architecturally visible but
90 The state does not become architecturally visible but
91 Building the Code New code *(volatile char*) 0; array[84 * 4096] = 0; 27 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
92 Building the Code New code *(volatile char*) 0; array[84 * 4096] = 0; volatile because compiler was not happy warning : statement with no e f f e c t [ Wunused value ] * ( char * ) 0 ; 27 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
93 Building the Code New code *(volatile char*) 0; array[84 * 4096] = 0; volatile because compiler was not happy warning : statement with no e f f e c t [ Wunused value ] * ( char * ) 0 ; Static code analyzer is still not happy warning : Dereference of n u l l pointer * ( v o l a t i l e char * ) 0 ; 27 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
94 Building the Code Flush+Reload over all pages of the array Access time [cycles] Page 28 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
95 Building the Code Flush+Reload over all pages of the array Access time [cycles] Page Unreachable code line was actually executed 28 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
96 Building the Code Flush+Reload over all pages of the array Access time [cycles] Page Unreachable code line was actually executed Exception was only thrown afterwards 28 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
97 Building the Code Out-of-order instructions leave microarchitectural traces 29 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
98 Building the Code Out-of-order instructions leave microarchitectural traces We can see them for example in the cache 29 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
99 Building the Code Out-of-order instructions leave microarchitectural traces We can see them for example in the cache Give such instructions a name: transient instructions 29 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
100 Building the Code Out-of-order instructions leave microarchitectural traces We can see them for example in the cache Give such instructions a name: transient instructions We can indirectly observe the execution of transient instructions 29 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
101 Building the Code 30 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
102 Building the Code 30 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
103 Building the Code Add another layer of indirection to test char data = *(char*) 0xffffffff81a000e0; array[data * 4096] = 0; 31 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
104 Building the Code Add another layer of indirection to test char data = *(char*) 0xffffffff81a000e0; array[data * 4096] = 0; Then check whether any part of array is cached 31 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
105 Building the Code Flush+Reload over all pages of the array Access time [cycles] Page Index of cache hit reveals data 32 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
106 Building the Code Flush+Reload over all pages of the array Access time [cycles] Page Index of cache hit reveals data Permission check is in some cases not fast enough 32 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
107
108 Meltdown Using out-of-order execution, we can read data at any address 33 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
109 Meltdown Using out-of-order execution, we can read data at any address Index of cache hit reveals data 33 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
110 Meltdown Using out-of-order execution, we can read data at any address Index of cache hit reveals data Permission check is in some cases not fast enough 33 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
111 Meltdown Using out-of-order execution, we can read data at any address Index of cache hit reveals data Permission check is in some cases not fast enough Entire physical memory is typically accessible through kernel space 33 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
112
113 Demo
114 Details: Exception Handling Basic Meltdown code leads to a crash (segfault) 34 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
115 Details: Exception Handling Basic Meltdown code leads to a crash (segfault) How to prevent the crash? 34 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
116 Details: Exception Handling Basic Meltdown code leads to a crash (segfault) How to prevent the crash? Fault Handling Fault Suppression Fault Prevention 34 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
117 Meltdown with Fault Suppression Intel TSX to suppress exceptions instead of signal handler if(xbegin() == XBEGIN_STARTED) { char secret = *(char*) 0xffffffff81a000e0; array[secret * 4096] = 0; xend(); } for (size_t i = 0; i < 256; i++) { if (flush_and_reload(array + i * 4096) == CACHE_HIT) { printf("%c\n", i); } } 35 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
118 Meltdown with Fault Prevention Speculative execution to prevent exceptions int speculate = rand() % 2; size_t address = (0xffffffff81a000e0 * speculate) + ((size_t)&zero * (1 - speculate)); if(!speculate) { char secret = *(char*) address; array[secret * 4096] = 0; } for (size_t i = 0; i < 256; i++) { if (flush_and_reload(array + i * 4096) == CACHE_HIT) { printf("%c\n", i); } } 36 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
119 Make it faster Improve the performance with a NULL pointer dereference 37 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
120 Make it faster Improve the performance with a NULL pointer dereference if(xbegin() == XBEGIN_STARTED) { *(volatile char*) 0; char secret = *(char*) 0xffffffff81a000e0; array[secret * 4096] = 0; xend(); } 37 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
121
122
123 Uncached memory Assumed that one can only read data stored in the L1 with Meltdown 38 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
124 Uncached memory Assumed that one can only read data stored in the L1 with Meltdown Experiment where a thread flushes the value constantly and a thread on a different core reloads the value 38 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
125 Uncached memory Assumed that one can only read data stored in the L1 with Meltdown Experiment where a thread flushes the value constantly and a thread on a different core reloads the value Target data is not in the L1 cache of the attacking core 38 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
126 Uncached memory Assumed that one can only read data stored in the L1 with Meltdown Experiment where a thread flushes the value constantly and a thread on a different core reloads the value Target data is not in the L1 cache of the attacking core We can still leak the data at a lower reading rate 38 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
127 Uncached memory Assumed that one can only read data stored in the L1 with Meltdown Experiment where a thread flushes the value constantly and a thread on a different core reloads the value Target data is not in the L1 cache of the attacking core We can still leak the data at a lower reading rate Meltdown might implicitly cache the data 38 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
128 Uncachable memory Mark pages in page tables as UC (uncachable) 39 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
129 Uncachable memory Mark pages in page tables as UC (uncachable) Every read or write operation will go to main memory 39 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
130 Uncachable memory Mark pages in page tables as UC (uncachable) Every read or write operation will go to main memory If the attacker can trigger a legitimate load (system call, ) on the same CPU core, the data still can be leaked 39 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
131 Uncachable memory Mark pages in page tables as UC (uncachable) Every read or write operation will go to main memory If the attacker can trigger a legitimate load (system call, ) on the same CPU core, the data still can be leaked Meltdown might read the data from one of the fill buffers 39 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
132 Uncachable memory Mark pages in page tables as UC (uncachable) Every read or write operation will go to main memory If the attacker can trigger a legitimate load (system call, ) on the same CPU core, the data still can be leaked Meltdown might read the data from one of the fill buffers as they are shared between threads running on the same core 39 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
133 So you can dump the entire memory.
134 So you can dump the entire memory. But it takes ages?
135 Practical attacks Dumping the entire physical memory takes some time 40 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
136 Practical attacks Dumping the entire physical memory takes some time Not very practical in most scenarios 40 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
137 Practical attacks Dumping the entire physical memory takes some time Not very practical in most scenarios Can we mount more targeted attacks? 40 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
138 VeraCrypt Open-source utility for disk encryption 41 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
139 VeraCrypt Open-source utility for disk encryption Fork of TrueCrypt 41 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
140 VeraCrypt Open-source utility for disk encryption Fork of TrueCrypt Cryptographic keys are stored in RAM 41 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
141 VeraCrypt Open-source utility for disk encryption Fork of TrueCrypt Cryptographic keys are stored in RAM With Meltdown, we can extract the keys from DRAM 41 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
142 Demo
143 Breaking KASLR De-randomize KASLR to access internal kernel structures 42 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
144 Breaking KASLR De-randomize KASLR to access internal kernel structures Locate a known value inside the kernel, e.g., Linux banner 42 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
145 Breaking KASLR De-randomize KASLR to access internal kernel structures Locate a known value inside the kernel, e.g., Linux banner Start at the default address according to the symbol table of the running kernel 42 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
146 Breaking KASLR De-randomize KASLR to access internal kernel structures Locate a known value inside the kernel, e.g., Linux banner Start at the default address according to the symbol table of the running kernel Linux KASLR has an entropy of 6 bits only 64 possible randomization offsets 42 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
147 Breaking KASLR De-randomize KASLR to access internal kernel structures Locate a known value inside the kernel, e.g., Linux banner Start at the default address according to the symbol table of the running kernel Linux KASLR has an entropy of 6 bits only 64 possible randomization offsets Difference between the found address and the non-randomized base address is the randomization offset 42 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
148 Locating the victim process Linux manages all processes in a linked list 43 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
149 Locating the victim process Linux manages all processes in a linked list Head of the list is stored at init_task structure 43 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
150 Locating the victim process Linux manages all processes in a linked list Head of the list is stored at init_task structure At a fixed offset that varies only among kernel builds 43 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
151 Locating the victim process Linux manages all processes in a linked list Head of the list is stored at init_task structure At a fixed offset that varies only among kernel builds Each task list structure contains a pointer to the next task and PID of the task name of the task Root of the multi-level page table 43 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
152 Dumping memory content Resolve physical address using paging structures 44 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
153 Dumping memory content Resolve physical address using paging structures Read the content using the direct-physical map 44 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
154 Dumping memory content Resolve physical address using paging structures Read the content using the direct-physical map Enumerate all mapped pages and dump entire process memory 44 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
155 Dumping memory content Resolve physical address using paging structures Read the content using the direct-physical map Enumerate all mapped pages and dump entire process memory Location of the key known, we can just dump the key directly 44 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
156 Final steps aeskeyfind to extract AES keys from the memory dump 45 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
157 Final steps aeskeyfind to extract AES keys from the memory dump pytruecrypt to decrypt disk image using the extracted key 45 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
158 Final steps aeskeyfind to extract AES keys from the memory dump pytruecrypt to decrypt disk image using the extracted key Affects every application that stores its secret in DRAM 45 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
159 Who is affected?
160 Affected by Meltdown Intel: Almost every CPU 46 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
161 Affected by Meltdown Intel: Almost every CPU AMD: Seems not to be affected 46 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
162 Affected by Meltdown Intel: Almost every CPU AMD: Seems not to be affected ARM: Only the Cortex-A75 46 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
163 Affected by Meltdown Intel: Almost every CPU AMD: Seems not to be affected ARM: Only the Cortex-A75 IBM: System Z, Power Architecture, POWER8 and POWER9 46 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
164 Affected by Meltdown Intel: Almost every CPU AMD: Seems not to be affected ARM: Only the Cortex-A75 IBM: System Z, Power Architecture, POWER8 and POWER9 Apple: All Mac and ios devices 46 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
165 Affected by Meltdown But there are other CPU manufacturers as well 47 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
166 Samsung Galaxy S7 Samsung Galaxy S7 Exynos Mongoose M1 CPU Architecture 48 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
167 Samsung Galaxy S7 Samsung Galaxy S7 Exynos Mongoose M1 CPU Architecture Custom CPU core in the Exynos 8 Octa (8890) 48 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
168 Samsung Galaxy S7 Samsung Galaxy S7 Exynos Mongoose M1 CPU Architecture Custom CPU core in the Exynos 8 Octa (8890) Perceptron Branch Prediction 48 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
169 Samsung Galaxy S7 Samsung Galaxy S7 Exynos Mongoose M1 CPU Architecture Custom CPU core in the Exynos 8 Octa (8890) Perceptron Branch Prediction Full Out-of-Order Instruction Execution 48 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
170 Samsung Galaxy S7 Samsung Galaxy S7 Exynos Mongoose M1 CPU Architecture Custom CPU core in the Exynos 8 Octa (8890) Perceptron Branch Prediction Full Out-of-Order Instruction Execution Full Out-of-Order loads and stores 48 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
171 Demo
172 Samsung Galaxy S7 Samsung Galaxy S7 Luckily they already fixed it 49 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
173 Samsung Galaxy S7 Samsung Galaxy S7 Luckily they already fixed it With their latest update 49 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
174 Samsung Galaxy S7 Samsung Galaxy S7 Luckily they already fixed it With their latest update on July 10, Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
175 Affected by Meltdown But there are other CPU manufacturers as well which are affected Need to evaluate the attack on other CPUs as well Notify the users and custom ROM developers, e.g., LineageOS 50 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
176 But wait, what about privileged registers?
177 Variant 3a ARM found a closely related Meltdown variant 51 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
178 Variant 3a ARM found a closely related Meltdown variant Read of system registers that are not accessible from current exception level 51 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
179 Variant 3a ARM found a closely related Meltdown variant Read of system registers that are not accessible from current exception level ARM Cortex-A15, Cortex-A57 and Cortex-A72 are vulnerable 51 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
180 Variant 3a ARM found a closely related Meltdown variant Read of system registers that are not accessible from current exception level ARM Cortex-A15, Cortex-A57 and Cortex-A72 are vulnerable Impact: breaking KASLR and pointer authentication 51 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
181 Demo
182 Variant 3a Intel is affected too (May 21, 2018) 52 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
183 Variant 3a Intel is affected too (May 21, 2018) Almost every CPU (Core i3/i5/i7, 2nd-8th Intel Core, Xeon, Atom, Pentium, ) 52 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
184 Variant 3a Intel is affected too (May 21, 2018) Almost every CPU (Core i3/i5/i7, 2nd-8th Intel Core, Xeon, Atom, Pentium, ) Rogue System Register Read (RSRE) (CVE ) 52 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
185 Is Meltdown (or Spectre) a side-channel attack? 53 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
186 Is Meltdown (or Spectre) a side-channel attack? 53 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
187 Is Meltdown (or Spectre) a side-channel attack? No. 53 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
188 Is Meltdown (or Spectre) a side-channel attack? No. We read the data directly 53 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
189 Is Meltdown (or Spectre) a side-channel attack? No. We read the data directly We use a side channel internally for transmission 53 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
190 Is Meltdown (or Spectre) a side-channel attack? No. We read the data directly We use a side channel internally for transmission does not make the entire thing a side-channel attack 53 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
191 Is Meltdown a variant of Spectre? Is it speculative execution? 54 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
192 Is Meltdown a variant of Spectre? Is it speculative execution? 54 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
193 Is Meltdown a variant of Spectre? Is it speculative execution? No. 54 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
194 Is Meltdown a variant of Spectre? Is it speculative execution? No. Often heard: Meltdown is speculating beyond faulting instructions 54 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
195 Is Meltdown a variant of Spectre? Is it speculative execution? No. Often heard: Meltdown is speculating beyond faulting instructions That s not speculative execution 54 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
196 Is Meltdown a variant of Spectre? Is it speculative execution? No. Often heard: Meltdown is speculating beyond faulting instructions That s not speculative execution Speculating beyond faulting instructions - not even the actual problem 54 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
197 Is Meltdown a variant of Spectre? Is it speculative execution? No. Often heard: Meltdown is speculating beyond faulting instructions That s not speculative execution Speculating beyond faulting instructions - not even the actual problem AMD does that - but is not affected! 54 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
198 Is Meltdown a variant of Spectre? Is it speculative execution? No. Often heard: Meltdown is speculating beyond faulting instructions That s not speculative execution Speculating beyond faulting instructions - not even the actual problem AMD does that - but is not affected! Actual problem: fetching & using real values for instructions after faulting ones 54 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
199 How can this all be fixed?
200 Meltdown Mitigation Problem is rooted in hardware 55 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
201 Meltdown Mitigation Problem is rooted in hardware Race condition between the memory fetch and corresponding permission check Serialize both of them 55 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
202 Meltdown Mitigation Problem is rooted in hardware Race condition between the memory fetch and corresponding permission check Serialize both of them Hard split of user space and kernel space New bit in control register 55 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
203 Meltdown Mitigation Problem is rooted in hardware Race condition between the memory fetch and corresponding permission check Serialize both of them Hard split of user space and kernel space New bit in control register Fix the hardware long-term solution 55 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
204 Meltdown Mitigation Problem is rooted in hardware Race condition between the memory fetch and corresponding permission check Serialize both of them Hard split of user space and kernel space New bit in control register Fix the hardware long-term solution Can we fix it in software? 55 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
205 Meltdown Mitigation Kernel addresses in user space are a problem 56 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
206 Meltdown Mitigation Kernel addresses in user space are a problem Why don t we take the kernel addresses Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
207 Meltdown Mitigation...and remove them if not needed? 57 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
208 Meltdown Mitigation...and remove them if not needed? User accessible check in hardware is not reliable 57 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
209 Meltdown Mitigation Unmap the kernel in user space 58 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
210 Meltdown Mitigation Unmap the kernel in user space Kernel addresses are then no longer present 58 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
211 Meltdown Mitigation Unmap the kernel in user space Kernel addresses are then no longer present Memory which is not mapped cannot be accessed at all 58 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
212 KAISER Userspace Kernelspace Applications Operating System Memory 59 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
213 KAISER Kernel View User View Userspace Kernelspace Userspace Kernelspace Applications Operating System Memory Applications context switch 60 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
214 KAISER We published KAISER in May Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
215 KAISER We published KAISER in May 2017 as a countermeasure against other side-channel attacks 61 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
216 KAISER We published KAISER in May 2017 as a countermeasure against other side-channel attacks Inadvertently defeats Meltdown as well 61 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
217 KAISER We published KAISER in May 2017 as a countermeasure against other side-channel attacks Inadvertently defeats Meltdown as well PoC implementation for the Linux kernel 61 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
218 KAISER Hardware interrupt while running in user mode Kernel needs to deal with interrupt but does not exist anymore in address space Traps, NMI, system calls, Must map some kernel code in user space 62 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
219 KAISER Need to update CR3 in order to switch to other address space 63 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
220 KAISER Need to update CR3 in order to switch to other address space How can we do this efficiently? 63 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
221 KAISER Need to update CR3 in order to switch to other address space How can we do this efficiently? Instead of one PGD, two PGDs are allocated 8k in size and 8k aligned 63 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
222 KAISER Need to update CR3 in order to switch to other address space How can we do this efficiently? Instead of one PGD, two PGDs are allocated 8k in size and 8k aligned Trick: Just flip bit 12 in the pointer to swap between both halves CR3 Pair CR3 + 0x1000 CR3 User Kernel PGD User PGD Kernel CR3[12] = 1 CR3[12] = 0 63 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
223 KAISER Need to update CR3 in order to switch to other address space How can we do this efficiently? Instead of one PGD, two PGDs are allocated 8k in size and 8k aligned Trick: Just flip bit 12 in the pointer to swap between both halves CR3 Pair CR3 + 0x1000 CR3 User Kernel PGD User PGD Kernel CR3[12] = 1 CR3[12] = 0 63 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
224 KAISER Need to update CR3 in order to switch to other address space How can we do this efficiently? Instead of one PGD, two PGDs are allocated 8k in size and 8k aligned Trick: Just flip bit 12 in the pointer to swap between both halves CR3 Pair CR3 + 0x1000 CR3 User Kernel PGD User PGD Kernel CR3[12] = 1 CR3[12] = 0 63 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
225 Kernel Page-table Isolation Intel and others improved KAISER 64 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
226 Kernel Page-table Isolation Intel and others improved KAISER Merged it into upstream as KPTI (Kernel Page-table Isolation) 64 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
227 Kernel Page-table Isolation Intel and others improved KAISER Merged it into upstream as KPTI (Kernel Page-table Isolation) Kernel patches are available for arm64 as well 64 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
228 Apple Apple released updates in ios 11.2, macos and tvos 11.2 to mitigate Meltdown Boot option: -no-shared-cr3 Unmaps the user space while running in kernel mode But not vice versa 65 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
229 KVA Shadow Kernel Virtual Address (KVA) Shadow Meltdown Mitigation for Microsoft Windows 66 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
230 Implementing Introducing such a fundamental change to the operating system is extremely challenging Our PoC implementation contained many bugs as well 67 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
231 Total Meltdown Discovered by Ulf Frisk in the security update CVE Modified the PML4 entry of 0x1ed to allow to access page from user-mode On Windows 7 and Server 2018 R2: Self-Referencing Entry Allows to read and modify entire physical memory 68 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
232 What now?
233 Future More attacks exploiting performance optimizations in hardware New variants are disclosed frequently 69 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
234 A unique chance A unique chance to rethink processor design grow up, like other fields (car industry, construction industry) 70 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
235 Proof-of-Concept You can find our proof-of-concept implementation on: 71 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology
Performance is awesome!
Acknowledgements I Background music for the choir song kindly provided by Kerbo-Kev. Cooking photos kindly provided by Becca Lee (ladyfaceblog). Santa Clause images by http://www.thevectorart.com/ Some
Spectre and Meltdown: Data leaks during speculative execution
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval
arxiv: v1 [cs.cr] 3 Jan 2018
![arxiv: v1 [cs.cr] 3 Jan 2018](/thumbs/77/75781083.jpg "arxiv: v1 [cs.cr] 3 Jan 2018")
Meltdown arxiv:1801.01207v1 [cs.cr] 3 Jan 2018 Abstract Moritz Lipp 1, Michael Schwarz 1, Daniel Gruss 1, Thomas Prescher 2, Werner Haas 2, Stefan Mangard 1, Paul Kocher 3, Daniel Genkin 4, Yuval Yarom
Meltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory
Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory locations Breaks all security assumptions given
Meltdown and Spectre: Complexity and the death of security
Meltdown and Spectre: Complexity and the death of security May 8, 2018 Meltdown and Spectre: Wait, my computer does what? May 8, 2018 Meltdown and Spectre: Whoever thought that was a good idea? May 8,
Software-based Microarchitectural Attacks
Software-based Microarchitectural Attacks Daniel Gruss January 23, 2019 Graz University of Technology Frame Rate of Slide Deck: 11 fps 1 Daniel Gruss Graz University of Technology 1337 4242 Revolutionary
The Story of Meltdown and Spectre. Jann Horn & Daniel Gruss May 17, 2018
The Story of Meltdown and Spectre Jann Horn & Daniel Gruss May 17, 2018 1 Who are we Jann Horn Google Project Zero jannh@google.com 2 Who are we Daniel Gruss Post-Doc @ Graz University Of Technology @lavados
CSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 19 Hardware Security: Meltdown, Spectre, Rowhammer Vulnerabilities and Abstractions Abstraction Reality Vulnerability Review: ISA and µarchitecture
Software Solutions to Micro-architectural Side Channels. Yinqian Zhang Assistant Professor Computer Science & Engineering The Ohio State University
Software Solutions to Micro-architectural Side Channels Yinqian Zhang Assistant Professor Computer Science & Engineering The Ohio State University Introduction Research interests Computer system security
Spectre and Meltdown. Clifford Wolf q/talk
Spectre and Meltdown Clifford Wolf q/talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative
Meltdown, Spectre, and Security Boundaries in LEON/GRLIB. Technical note Doc. No GRLIB-TN-0014 Issue 1.1
Template: GQMS-TPLT-1-1-0 Meltdown, Spectre, and Security Boundaries in LEON/GRLIB Technical note 2018-03-15 Doc. No Issue 1.1 Date: 2018-03-15 Page: 2 of 8 CHANGE RECORD Issue Date Section / Page Description
Meltdown and Spectre - understanding and mitigating the threats (Part Deux)
Meltdown and Spectre - understanding and mitigating the threats (Part Deux) Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @SANSInstitute / @RenditionSec
Disclaimer. This talk vastly over-simplifies things. See notes for full details and resources.
Greg Kroah-Hartman Disclaimer This talk vastly over-simplifies things. See notes for full details and resources. https://github.com/gregkh/presentation-spectre Spectre Hardware bugs Valid code can be tricked
Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology
Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A statistical
Disclaimer. This talk vastly over-simplifies things. See notes for full details and resources.
Greg Kroah-Hartman Disclaimer This talk vastly over-simplifies things. See notes for full details and resources. https://github.com/gregkh/presentation-spectre Spectre Hardware bugs Valid code can be tricked
To accelerate our learnings, we brought in an expert in CPU side channel attacks. Anders Fogh
To accelerate our learnings, we brought in an expert in CPU side channel attacks Anders Fogh Virtualization-based isolation Microsoft Azure, Hyper-V Affected Kernel-user separation Windows Affected Process-based
Meltdown and Spectre - understanding and mitigating the threats
Meltdown and Spectre - understanding and mitigating the threats Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @RenditionSec The sky isn t falling!
Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick
Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment Orin Thomas @orinthomas Jeff Melnick Jeff.Melnick@Netwrix.com In this session Vulnerability types Spectre Meltdown Spectre
ARMageddon: Cache Attacks on Mobile Devices
ARMageddon: Cache Attacks on Mobile Devices Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, Stefan Mangard Graz University of Technology 1 TLDR powerful cache attacks (like Flush+Reload)
Micro-architectural Attacks. Chester Rebeiro IIT Madras
Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Cryptography Passwords Information Flow Policies Privileged Rings ASLR Virtual Machines and confinement Javascript and HTML5 (due to restricted
Meltdown Attack Lab. 1 Introduction. SEED Labs Meltdown Attack Lab 1
SEED Labs Meltdown Attack Lab 1 Meltdown Attack Lab Copyright 2018 Wenliang Du, Syracuse University. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International
White Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS
White Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS INTRODUCTION Speculative execution is a basic principle of all modern processor designs and is critical to support high performance
Spectre Returns! Speculation Attacks Using Return Stack Buffer
Spectre Returns! Speculation Attacks Using Return Stack Buffer Esmaeil Mohammadian, Khaled N. Khasawneh, Chengyue Song and Nael Abu-Ghazaleh University of California, Riverside WOOT 2018 BALTIMORE, USA
Exploiting Branch Target Injection. Jann Horn, Google Project Zero
Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction Reverse-engineering branch prediction Leaking host memory from KVM 2 Disclaimer I haven't worked in CPU design I
Meltdown and Spectre: Complexity and the death of security
Meltdown and Spectre: Complexity and the death of security May 8, 2018 Meltdown and Spectre: Wait, my computer does what? January 24, 2018 Meltdown and Spectre: Whoever thought that was a good idea? January
Lecture 21: Virtual Memory. Spring 2018 Jason Tang
Lecture 21: Virtual Memory Spring 2018 Jason Tang 1 Topics Virtual addressing Page tables Translation lookaside buffer 2 Computer Organization Computer Processor Memory Devices Control Datapath Input Output
Intel Analysis of Speculative Execution Side Channels
Intel Analysis of Speculative Execution Side Channels White Paper Revision 1.0 January 2018 Document Number: 336983-001 Intel technologies features and benefits depend on system configuration and may require
White Paper. How the Meltdown and Spectre bugs work and what you can do to prevent a performance plummet. Contents
White Paper How the Meltdown and Spectre bugs work and what you can do to prevent a performance plummet Programs that do a lot of I/O are likely to be the worst hit by the patches designed to fix the Meltdown
15-740/ Computer Architecture Lecture 22: Superscalar Processing (II) Prof. Onur Mutlu Carnegie Mellon University
15-740/18-740 Computer Architecture Lecture 22: Superscalar Processing (II) Prof. Onur Mutlu Carnegie Mellon University Announcements Project Milestone 2 Due Today Homework 4 Out today Due November 15
CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2015 Lecture 23
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 205 Lecture 23 LAST TIME: VIRTUAL MEMORY! Began to focus on how to virtualize memory! Instead of directly addressing physical memory, introduce a level of
Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features
Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features Michael Schwarz 1, Daniel Gruss 1, Moritz Lipp 1, Clémentine Maurice 2, Thomas Schuster 1, Anders Fogh
Virtual Memory. CS 351: Systems Programming Michael Saelee
Virtual Memory CS 351: Systems Programming Michael Saelee registers cache (SRAM) main memory (DRAM) local hard disk drive (HDD/SSD) remote storage (networked drive / cloud) previously: SRAM
From bottom to top: Exploiting hardware side channels in web browsers
From bottom to top: Exploiting hardware side channels in web browsers Clémentine Maurice, Graz University of Technology July 4, 2017 RMLL, Saint-Étienne, France Rennes Graz Clémentine Maurice PhD since
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX W. Wang, G. Chen, X, Pan, Y. Zhang, XF. Wang, V. Bindschaedler, H. Tang, C. Gunter. September 19, 2017 Motivation Intel
CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 23
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 208 Lecture 23 LAST TIME: VIRTUAL MEMORY Began to focus on how to virtualize memory Instead of directly addressing physical memory, introduce a level of indirection
COMPUTER ORGANIZATION AND DESI
COMPUTER ORGANIZATION AND DESIGN 5 Edition th The Hardware/Software Interface Chapter 4 The Processor 4.1 Introduction Introduction CPU performance factors Instruction count Determined by ISA and compiler
Version:1.1. Overview of speculation-based cache timing side-channels
Author: Richard Grisenthwaite Date: January 2018 Version 1.1 Introduction This whitepaper looks at the susceptibility of Arm implementations following recent research findings from security researchers
CS 2410 Mid term (fall 2015) Indicate which of the following statements is true and which is false.
CS 2410 Mid term (fall 2015) Name: Question 1 (10 points) Indicate which of the following statements is true and which is false. (1) SMT architectures reduces the thread context switch time by saving in
EN164: Design of Computing Systems Topic 06.b: Superscalar Processor Design
EN164: Design of Computing Systems Topic 06.b: Superscalar Processor Design Professor Sherief Reda http://scale.engin.brown.edu Electrical Sciences and Computer Engineering School of Engineering Brown
Security-Aware Processor Architecture Design. CS 6501 Fall 2018 Ashish Venkat
Security-Aware Processor Architecture Design CS 6501 Fall 2018 Ashish Venkat Agenda Theme Selection (due today at 11:59:59pm) Readings and Presentation Logistics Quick Processor Architecture Review (continued
VIRTUAL MEMORY II. Jo, Heeseung
VIRTUAL MEMORY II Jo, Heeseung TODAY'S TOPICS How to reduce the size of page tables? How to reduce the time for address translation? 2 PAGE TABLES Space overhead of page tables The size of the page table
Static, multiple-issue (superscaler) pipelines
Static, multiple-issue (superscaler) pipelines Start more than one instruction in the same cycle Instruction Register file EX + MEM + WB PC Instruction Register file EX + MEM + WB 79 A static two-issue
Hardware Enclave Attacks CS261
Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Service (IAS) Process Enclave Untrusted Trusted Enclave Code Enclave Data Process Process Other Enclave OS and/or Hypervisor
Micro-Architectural Attacks and Countermeasures
Micro-Architectural Attacks and Countermeasures Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 25 Contents Micro-Architectural Attacks Cache Attacks Branch Prediction Attack
Influential OS Research Security. Michael Raitza
Influential OS Research Security Michael Raitza raitza@os.inf.tu-dresden.de 1 Security recap Various layers of security Application System Communication Aspects of security Access control / authorization
Pentium/Linux Memory System March 17, 2005
15-213 The course that gives CMU its Zip! Topics Pentium/Linux Memory System March 17, 2005 P6 address translation x86-64 extensions Linux memory management Linux page fault handling Memory mapping 17-linuxmem.ppt
CS 318 Principles of Operating Systems
CS 318 Principles of Operating Systems Fall 2018 Lecture 10: Virtual Memory II Ryan Huang Slides adapted from Geoff Voelker s lectures Administrivia Next Tuesday project hacking day No class My office
Advanced d Instruction Level Parallelism. Computer Systems Laboratory Sungkyunkwan University
Advanced d Instruction ti Level Parallelism Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu ILP Instruction-Level Parallelism (ILP) Pipelining:
PROCESS VIRTUAL MEMORY PART 2. CS124 Operating Systems Winter , Lecture 19
PROCESS VIRTUAL MEMORY PART 2 CS24 Operating Systems Winter 25-26, Lecture 9 2 Virtual Memory Abstraction Last time, officially introduced concept of virtual memory Programs use virtual addresses to refer
Address Translation. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University
Address Translation Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Today s Topics How to reduce the size of page tables? How to reduce the time for
Memory Models. Registers
Memory Models Most machines have a single linear address space at the ISA level, extending from address 0 up to some maximum, often 2 32 1 bytes or 2 64 1 bytes. Some machines have separate address spaces
Review: Hardware user/kernel boundary
Review: Hardware user/kernel boundary applic. applic. applic. user lib lib lib kernel syscall pg fault syscall FS VM sockets disk disk NIC context switch TCP retransmits,... device interrupts Processor
Processors, Performance, and Profiling
Processors, Performance, and Profiling Architecture 101: 5-Stage Pipeline Fetch Decode Execute Memory Write-Back Registers PC FP ALU Memory Architecture 101 1. Fetch instruction from memory. 2. Decode
Chapter 8: Memory-Management Strategies
Chapter 8: Memory-Management Strategies Chapter 8: Memory Management Strategies Background Swapping Contiguous Memory Allocation Segmentation Paging Structure of the Page Table Example: The Intel 32 and
JavaScript Zero. Real JavaScript and Zero Side-Channel Attacks. Michael Schwarz, Moritz Lipp, Daniel Gruss
JavaScript Zero Real JavaScript and Zero Side-Channel Attacks Michael Schwarz, Moritz Lipp, Daniel Gruss 20.02.2018 www.iaik.tugraz.at 1 Michael Schwarz, Moritz Lipp, Daniel Gruss www.iaik.tugraz.at Outline
Multi-level Translation. CS 537 Lecture 9 Paging. Example two-level page table. Multi-level Translation Analysis
Multi-level Translation CS 57 Lecture 9 Paging Michael Swift Problem: what if you have a sparse address space e.g. out of GB, you use MB spread out need one PTE per page in virtual address space bit AS
Memory System Case Studies Oct. 13, 2008
Topics 15-213 Memory System Case Studies Oct. 13, 2008 P6 address translation x86-64 extensions Linux memory management Linux page fault handling Memory mapping Class15+.ppt Intel P6 (Bob Colwell s Chip,
CSE 451 Autumn Final Solutions mean 77.53, median 79, stdev 12.03
CSE 451 Autumn 2016 Final Solutions 15 10 5 0 0 10 20 30 40 50 60 70 80 90 100 mean 77.53, median 79, stdev 12.03 I. Warm-up (a) (15 points) Circle true or false for each statement (no need to justify
CSE Memory Hierarchy Design Ch. 5 (Hennessy and Patterson)
CSE 4201 Memory Hierarchy Design Ch. 5 (Hennessy and Patterson) Memory Hierarchy We need huge amount of cheap and fast memory Memory is either fast or cheap; never both. Do as politicians do: fake it Give
Limitations of Scalar Pipelines
Limitations of Scalar Pipelines Superscalar Organization Modern Processor Design: Fundamentals of Superscalar Processors Scalar upper bound on throughput IPC = 1 Inefficient unified pipeline
Cache Optimisation. sometime he thought that there must be a better way
Cache sometime he thought that there must be a better way 2 Cache 1. Reduce miss rate a) Increase block size b) Increase cache size c) Higher associativity d) compiler optimisation e) Parallelism f) prefetching
Categorizing container escape methodologies in multi-tenant environments
Categorizing container escape methodologies in multi-tenant environments Rik Janssen rik.janssen@os3.nl Research Project 1 MSc Security and Network Engineering (SNE/OS3) University of Amsterdam Supervisor:
IF1 --> IF2 ID1 ID2 EX1 EX2 ME1 ME2 WB. add $10, $2, $3 IF1 IF2 ID1 ID2 EX1 EX2 ME1 ME2 WB sub $4, $10, $6 IF1 IF2 ID1 ID2 --> EX1 EX2 ME1 ME2 WB
EE 4720 Homework 4 Solution Due: 22 April 2002 To solve Problem 3 and the next assignment a paper has to be read. Do not leave the reading to the last minute, however try attempting the first problem below
Understanding the Design of Virtual Memory. Zhiqiang Lin
CS 6V8-05: System Security and Malicious Code Analysis Understanding the Design of Virtual Memory Zhiqiang Lin Department of Computer Science University of Texas at Dallas February 27 th, 202 Outline Basic
Photo David Wright STEVEN R. BAGLEY PIPELINES AND ILP
Photo David Wright https://www.flickr.com/photos/dhwright/3312563248 STEVEN R. BAGLEY PIPELINES AND ILP INTRODUCTION Been considering what makes the CPU run at a particular speed Spent the last two weeks
Systems Programming and Computer Architecture ( ) Timothy Roscoe
Systems Group Department of Computer Science ETH Zürich Systems Programming and Computer Architecture (252-6-) Timothy Roscoe Herbstsemester 26 AS 26 Virtual Memory 8: Virtual Memory Computer Architecture
CHAPTER 8 - MEMORY MANAGEMENT STRATEGIES
CHAPTER 8 - MEMORY MANAGEMENT STRATEGIES OBJECTIVES Detailed description of various ways of organizing memory hardware Various memory-management techniques, including paging and segmentation To provide
William Stallings Computer Organization and Architecture. Chapter 11 CPU Structure and Function
William Stallings Computer Organization and Architecture Chapter 11 CPU Structure and Function CPU Structure CPU must: Fetch instructions Interpret instructions Fetch data Process data Write data Registers
Learning Outcomes. An understanding of page-based virtual memory in depth. Including the R3000 s support for virtual memory.
Virtual Memory 1 Learning Outcomes An understanding of page-based virtual memory in depth. Including the R3000 s support for virtual memory. 2 Memory Management Unit (or TLB) The position and function
Microarchitecture Security Roundtable
Microarchitecture Security Roundtable Background, discussion points, and agenda Table of Contents Table of Contents Purpose of this Roundtable Schedule Attendees Agenda Background Reading Meltdown and
Memory management. Last modified: Adaptation of Silberschatz, Galvin, Gagne slides for the textbook Applied Operating Systems Concepts
Memory management Last modified: 26.04.2016 1 Contents Background Logical and physical address spaces; address binding Overlaying, swapping Contiguous Memory Allocation Segmentation Paging Structure of
Chapter 8: Main Memory
Chapter 8: Main Memory Chapter 8: Memory Management Background Swapping Contiguous Memory Allocation Segmentation Paging Structure of the Page Table Example: The Intel 32 and 64-bit Architectures Example:
16 Sharing Main Memory Segmentation and Paging
Operating Systems 64 16 Sharing Main Memory Segmentation and Paging Readings for this topic: Anderson/Dahlin Chapter 8 9; Siberschatz/Galvin Chapter 8 9 Simple uniprogramming with a single segment per
Practical Keystroke Timing Attacks in Sandboxed JavaScript
Practical Keystroke Timing Attacks in Sandboxed JavaScript M. Lipp, D. Gruss, M. Schwarz, D. Bidner, C. Maurice, S. Mangard Sep 11, 2017 ESORICS 17 Graz University of Technology Motivation Keystroke timing
Reorder Buffer Implementation (Pentium Pro) Reorder Buffer Implementation (Pentium Pro)
Reorder Buffer Implementation (Pentium Pro) Hardware data structures retirement register file (RRF) (~ IBM 360/91 physical registers) physical register file that is the same size as the architectural registers
Learning Outcomes. An understanding of page-based virtual memory in depth. Including the R3000 s support for virtual memory.
Virtual Memory Learning Outcomes An understanding of page-based virtual memory in depth. Including the R000 s support for virtual memory. Memory Management Unit (or TLB) The position and function of the
AutoLock: Why Cache Attacks on ARM Are Harder Than You Think
AutoLock: Why Cache Attacks on ARM Are Harder Than You Think Marc Green W, Leandro Rodrigues-Lima F, Andreas Zankl F, Gorka Irazoqui W, Johann Heyszl F, and Thomas Eisenbarth W August 18 th 2017 USENIX
Chapter 8: Main Memory. Operating System Concepts 9 th Edition
Chapter 8: Main Memory Silberschatz, Galvin and Gagne 2013 Chapter 8: Memory Management Background Swapping Contiguous Memory Allocation Segmentation Paging Structure of the Page Table Example: The Intel
Complex Pipelines and Branch Prediction
Complex Pipelines and Branch Prediction Daniel Sanchez Computer Science & Artificial Intelligence Lab M.I.T. L22-1 Processor Performance Time Program Instructions Program Cycles Instruction CPI Time Cycle
CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 24
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2018 Lecture 24 LAST TIME Extended virtual memory concept to be a cache of memory stored on disk DRAM becomes L4 cache of data stored on L5 disk Extend page
INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD OVERVIEW Fundamental
CSE 120 Principles of Operating Systems
CSE 120 Principles of Operating Systems Spring 2018 Lecture 10: Paging Geoffrey M. Voelker Lecture Overview Today we ll cover more paging mechanisms: Optimizations Managing page tables (space) Efficient
CS162 Operating Systems and Systems Programming Lecture 14. Caching (Finished), Demand Paging
CS162 Operating Systems and Systems Programming Lecture 14 Caching (Finished), Demand Paging October 11 th, 2017 Neeraja J. Yadwadkar http://cs162.eecs.berkeley.edu Recall: Caching Concept Cache: a repository
arxiv: v2 [cs.cr] 16 Jun 2018
![arxiv: v2 [cs.cr] 16 Jun 2018](/thumbs/92/110990756.jpg "arxiv: v2 [cs.cr] 16 Jun 2018")
SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation Khaled N. Khasawneh Department of Computer Science and Engineering University of California, Riverside Email: kkhas1@ucr.edu
6x86 PROCESSOR Superscalar, Superpipelined, Sixth-generation, x86 Compatible CPU
1-6x86 PROCESSOR Superscalar, Superpipelined, Sixth-generation, x86 Compatible CPU Product Overview Introduction 1. ARCHITECTURE OVERVIEW The Cyrix 6x86 CPU is a leader in the sixth generation of high
Microarchitecture Overview. Performance
Microarchitecture Overview Prof. Scott Rixner Duncan Hall 3028 rixner@rice.edu January 18, 2005 Performance 4 Make operations faster Process improvements Circuit improvements Use more transistors to make
Pentium IV-XEON. Computer architectures M
Pentium IV-XEON Computer architectures M 1 Pentium IV block scheme 4 32 bytes parallel Four access ports to the EU 2 Pentium IV block scheme Address Generation Unit BTB Branch Target Buffer I-TLB Instruction
Memory Hierarchy Computing Systems & Performance MSc Informatics Eng. Memory Hierarchy (most slides are borrowed)
Computing Systems & Performance Memory Hierarchy MSc Informatics Eng. 2011/12 A.J.Proença Memory Hierarchy (most slides are borrowed) AJProença, Computer Systems & Performance, MEI, UMinho, 2011/12 1 2
Recall: Paging. Recall: Paging. Recall: Paging. CS162 Operating Systems and Systems Programming Lecture 13. Address Translation, Caching
CS162 Operating Systems and Systems Programming Lecture 13 Address Translation, Caching March 7 th, 218 Profs. Anthony D. Joseph & Jonathan Ragan-Kelley http//cs162.eecs.berkeley.edu Recall Paging Page
Secure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design. Todd Austin University of Michigan
Secure Systems 2.0: Revisiting and Rethinking the Challenges of Secure System Design Todd Austin University of Michigan The Security Arms Race Question: Why are systems never safe? We deploy our designs
Memory Hierarchy Computing Systems & Performance MSc Informatics Eng. Memory Hierarchy (most slides are borrowed)
Computing Systems & Performance Memory Hierarchy MSc Informatics Eng. 2012/13 A.J.Proença Memory Hierarchy (most slides are borrowed) AJProença, Computer Systems & Performance, MEI, UMinho, 2012/13 1 2
TDT Coarse-Grained Multithreading. Review on ILP. Multi-threaded execution. Contents. Fine-Grained Multithreading
Review on ILP TDT 4260 Chap 5 TLP & Hierarchy What is ILP? Let the compiler find the ILP Advantages? Disadvantages? Let the HW find the ILP Advantages? Disadvantages? Contents Multi-threading Chap 3.5
Administrivia. Lab 1 due Friday 12pm. We give will give short extensions to groups that run into trouble. But us:
Administrivia Lab 1 due Friday 12pm. We give will give short extensions to groups that run into trouble. But email us: - How much is done & left? - How much longer do you need? Attend section Friday at
EITF20: Computer Architecture Part4.1.1: Cache - 2
EITF20: Computer Architecture Part4.1.1: Cache - 2 Liang Liu liang.liu@eit.lth.se 1 Outline Reiteration Cache performance optimization Bandwidth increase Reduce hit time Reduce miss penalty Reduce miss
Recall: Address Space Map. 13: Memory Management. Let s be reasonable. Processes Address Space. Send it to disk. Freeing up System Memory
Recall: Address Space Map 13: Memory Management Biggest Virtual Address Stack (Space for local variables etc. For each nested procedure call) Sometimes Reserved for OS Stack Pointer Last Modified: 6/21/2004
14 May 2012 Virtual Memory. Definition: A process is an instance of a running program
Virtual Memory (VM) Overview and motivation VM as tool for caching VM as tool for memory management VM as tool for memory protection Address translation 4 May 22 Virtual Memory Processes Definition: A
CIS Operating Systems Memory Management Cache. Professor Qiang Zeng Fall 2015
CIS 5512 - Operating Systems Memory Management Cache Professor Qiang Zeng Fall 2015 Previous class What is logical address? Who use it? Describes a location in the logical address space Compiler and CPU
Computer Architecture Lecture 12: Out-of-Order Execution (Dynamic Instruction Scheduling)
18-447 Computer Architecture Lecture 12: Out-of-Order Execution (Dynamic Instruction Scheduling) Prof. Onur Mutlu Carnegie Mellon University Spring 2015, 2/13/2015 Agenda for Today & Next Few Lectures
CIS Operating Systems Memory Management Cache. Professor Qiang Zeng Fall 2017
CIS 5512 - Operating Systems Memory Management Cache Professor Qiang Zeng Fall 2017 Previous class What is logical address? Who use it? Describes a location in the logical memory address space Compiler
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow