Daniel Gruss
April 19, 2018
Graz University of Technology
• Daniel Gruss
• Post-Doc @ Graz University of Technology
• Twitter: @lavados
• Email: daniel.gruss@iaik.tugraz.at
[Figure: Applications, Operating System, Memory]
Revolutionary concept!
[Figure: the first printf("%d", i); is a cache miss: a request goes to memory and the response brings i into the cache (DRAM access, slow). The second printf("%d", i); is a cache hit (no DRAM access, much faster).]
Flush+Reload
[Figure: ATTACKER and VICTIM both map the same Shared Memory. Labels: "flush" and "access" on the attacker side, "access" on the victim side, and the shared line marked "cached".]
[Figure: plot of Address (0x7c680 to 0x7cd00) against Key (g to z)]
[Figure labels: Latency, Parallelize]
• Adapted code
    *(volatile char *) 0;                 // null-pointer dereference, always faults
    array[84 * 4096] = 0; // unreachable
• Reported for this code:
    warning: Dereference of null pointer
    *(volatile char *) 0;
[Figure: plot of access time [cycles]]
KAISER: Kernel Address Isolation to have Side channels Efficiently Removed
[Figure: without isolation, one address space holds Userspace (Applications) and Kernelspace (Operating System Memory). With isolation there are two views, a Kernel View (Applications and Operating System Memory) and a User View (Applications only), with a context switch between them.]
Kernel Address Space Isolation
• Depends on how often you need to switch between kernel and user space
• Can be slow, 40% or more on old hardware
• But modern CPUs have additional features
• ⇒ Performance overhead on average below 2%
[Animation: branch prediction, stepped for index = 0 to index = 6:

    if (index < 4)
        LUT[data[index] * 4096]    (then)
    else
        0                          (else)

Each step shows the current Prediction ("then" or "else"), a Speculate stage, and for some values of index an Execute stage.]
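A defensive counterpart to the bounds-check pattern in the branch-prediction slides, as an added example that is not from the talk: the same lookup with the index clamped by a branchless mask, the idea behind the Linux kernel's array_index_nospec(). The array contents and the names init_lut(), index_mask(), lookup_checked() and lookup_masked() are assumptions made for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define DATA_LEN 4      /* bound from the slides: if (index < 4) */
#define STRIDE   4096   /* stride from the slides: data[index] * 4096 */
static uint8_t data[DATA_LEN] = {1, 2, 3, 4};   /* constructed sample values */
static uint8_t LUT[256 * STRIDE];

void init_lut(void)   /* one marker byte per page so lookups are checkable */
{
    for (size_t v = 0; v < 256; v++)
        LUT[v * STRIDE] = (uint8_t)v;
}

/* All-ones if index < size, else 0, with no branch. Assumes size <=
 * PTRDIFF_MAX and arithmetic right shift of negative values (GCC, Clang).
 * Production code must also keep the compiler from re-adding a branch. */
size_t index_mask(size_t index, size_t size)
{
    return (size_t)(~(ptrdiff_t)(index | (size - 1 - index))
                    >> (sizeof(ptrdiff_t) * CHAR_BIT - 1));
}

/* Pattern from the slides: the bounds check is the only protection. */
uint8_t lookup_checked(size_t index)
{
    if (index < DATA_LEN)
        return LUT[data[index] * STRIDE];
    return 0;
}

/* Hardened: the index depends on the bound through data, not control flow,
 * so a mispredicted branch can only load data[0]. */
uint8_t lookup_masked(size_t index)
{
    if (index < DATA_LEN) {
        index &= index_mask(index, DATA_LEN);
        return LUT[data[index] * STRIDE];
    }
    return 0;
}

int main(void)
{
    init_lut();
    for (size_t i = 0; i < 7; i++)   /* index = 0..6, as in the slides */
        printf("%zu -> %u\n", i, (unsigned)lookup_masked(i));
}
```

Architecturally both functions return the same values; the difference only matters on the mispredicted path, where the masked index can no longer reach memory past data[].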
[Animation: prediction of an indirect call:

    Animal* a = bird;    (later frames: Animal* a = fish;)
    a->move()

Possible targets are fly() and swim(). The predicted target starts as swim(), changes to fly() after the call with bird goes through its Speculate and Execute stages, and changes back to swim() after the call with fish is executed.]
Meltdown
• Out-of-Order Execution
• has nothing to do with branch prediction
• turning off speculative execution entirely has no effect on Meltdown
→ melts down the isolation provided by the user accessible-bit
• in theory: OoO not required, pipelining can be sufficient
• mitigated by KAISER

Spectre
• Speculative Execution (subset of Out-of-Order Execution)
• fundamentally builds on branch (mis)prediction
• turning off speculative execution entirely would work
• has nothing to do with the user accessible-bit
• KAISER has no effect on Spectre at all
Meltdown
• performs illegal memory accesses → we need to take care of processor exceptions
• exception handling
• exception suppression with TSX
• exception suppression with branch misprediction

Spectre
• performs only legal memory accesses
• has nothing to do with exception handling or suppression
A unique chance to
• rethink processor design
• grow up, like other fields (car industry, construction industry)
• dedicate more time to identifying problems and not solely to mitigating known problems