a classic locked room mystery eve was in the false branch
play

A classic locked-room mystery. Eve was in the false branch of a - PowerPoint PPT Presentation

Dec 05, 2022 •40 likes •370 views

A classic locked-room mystery. Eve was in the false branch of a conditional the whole time, how could she do it ? Creative Commons Attribution-ShareAlike 4.0 Mozilla Research | DePaul University | U. California San Diego 3 January 2018 The

  1. A classic locked-room mystery. Eve was in the false branch of a conditional the whole time, how could she do it ? Creative Commons Attribution-ShareAlike 4.0 Mozilla Research | DePaul University | U. California San Diego

  2. 3 January 2018 The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, James Riely Introduction Spectre Optimizations Simplified Spectre Results Experiments A day out at the Tate Modern Conclusions

  3. 3 January 2018 The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, James Riely Introduction Spectre Optimizations Simplified Spectre Results Experiments A day out at the Tate Modern Conclusions

  4. 3 January 2018 The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, James Riely Introduction Spectre Optimizations Simplified Spectre Results Experiments A day out at the Tate Modern Conclusions

  5. Spectre The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, James Riely Introduction Spectre Optimizations Simplified Spectre Attacks bypass run-time security checks. Results Experiments Can bypass array bounds checks, Conclusions and read whole process memory. Can be exploited from JS, so evil.ad.com can read your bank.com data. Attacks speculative evaluation hardware optimization.

  6. Optimizations in hardware The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, James Riely A lie we tell programmers: Introduction “computers execute instructions one after the other.” Spectre Optimizations x := x + 1; y := 1 Simplified Spectre has execution: Results Experiments Conclusions R x 1 W x 2 W y 1

  7. Optimizations in hardware The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, James Riely A lie we tell programmers: Introduction “computers execute instructions one after the other.” Spectre Optimizations x := x + 1; y := 1 Simplified Spectre has execution where W y 1 might happen first: Results Experiments Conclusions R x 1 W x 2 W y 1

  8. Optimizations in hardware The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, James Riely A lie we tell programmers: Introduction “computers execute instructions one after the other.” Spectre Optimizations x := x + 1; y := 1 Simplified Spectre has execution: Results Experiments Conclusions R x 1 W x 2 W y 1 Shared-memory concurrency leaks the abstraction

  9. Optimizations in hardware The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, James Riely A lie we tell programmers: Introduction “computers execute instructions one after the other.” Spectre Optimizations x := x + 1; y := 1 Simplified Spectre has execution: Results Experiments Conclusions R x 1 W x 2 W y 1 Shared-memory concurrency leaks the abstraction Resulted in entire research area: weak memory models (e.g. Pugh et al. ; C11)

  10. Optimizations in hardware The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Another lie we tell programmers: Alan Jeffrey, James Riely “only one branch of an if is executed.” Introduction Spectre if ( x ) { y := 1; z := 1 } else { y := 2; z := 1 } Optimizations has execution: Simplified Spectre Results Experiments R x 1 W y 1 W z 1 Conclusions

  11. Optimizations in hardware The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Another lie we tell programmers: Alan Jeffrey, James Riely “only one branch of an if is executed.” Introduction Spectre if ( x ) { y := 1; z := 1 } else { y := 2; z := 1 } Optimizations has execution where W z 1 might happen before W y 1: Simplified Spectre Results Experiments R x 1 W y 1 W z 1 Conclusions

  12. Optimizations in hardware The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Another lie we tell programmers: Alan Jeffrey, James Riely “only one branch of an if is executed.” Introduction Spectre if ( x ) { y := 1; z := 1 } else { y := 2; z := 1 } Optimizations has execution where W y 2 might happen, then get rolled back: Simplified Spectre Results Experiments R x 1 W y 1 W z 1 Conclusions W y 2 W z 1

  13. Optimizations in hardware and compilers The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Another lie we tell programmers: Alan Jeffrey, James Riely “only one branch of an if is executed.” Introduction Spectre if ( x ) { y := 1; z := 1 } else { y := 2; z := 1 } Optimizations has execution where W z 1 might happen first: Simplified Spectre Results Experiments R x 1 W y 1 W z 1 Conclusions W y 2

  14. Optimizations in hardware and compilers The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Another lie we tell programmers: Alan Jeffrey, James Riely “only one branch of an if is executed.” Introduction Spectre if ( x ) { y := 1; z := 1 } else { y := 2; z := 1 } Optimizations has execution: Simplified Spectre Results Experiments R x 1 W y 1 W z 1 Conclusions W y 2 No language-level model for this! As weak memory models are to OOO, so what is to speculation?

  15. Simplified Spectre The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, Imagine a SECRET, protected by a run-time security check: James Riely Introduction if canRead ( SECRET ) { . . . use SECRET . . . } else { . . . } Spectre Optimizations For attacker code canRead ( SECRET ) is always false Simplified Spectre Results Experiments Conclusions

  16. Simplified Spectre The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, Imagine a SECRET, protected by a run-time security check: James Riely Introduction if canRead ( SECRET ) { . . . use SECRET . . . } else { . . . } Spectre Optimizations For attacker code canRead ( SECRET ) is always false, e.g. Simplified Spectre Results R y 1 W x 2 Experiments Conclusions R SECRET 1 W x 1 is an execution of if y { if canRead ( SECRET ) { x := SECRET } else { x := 2 } } .

  17. Simplified Spectre The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, Imagine a SECRET, protected by a run-time security check: James Riely Introduction if canRead ( SECRET ) { . . . use SECRET . . . } else { . . . } Spectre Optimizations For attacker code canRead ( SECRET ) is always false, e.g. Simplified Spectre Results R y 1 W x 2 Experiments Conclusions R SECRET 1 W x 1 is an execution of if y { if canRead ( SECRET ) { x := SECRET } else { x := 2 } } . Attacker goal: learn if SECRET is 0 or 1.

  18. Simplified Spectre The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, A very simplified Spectre attack: Alan Jeffrey, James Riely if canRead ( SECRET ) { a [ SECRET ] := 1 } Introduction else if touched ( a [ 0 ]) { x := 0 } Spectre else if touched ( a [ 1 ]) { x := 1 } Optimizations Simplified Spectre with execution Results Experiments Conclusions R SECRET 1 W a [ 1 ] 1 magic ! W x 1 Information flow from SECRET to x , if there’s an implementation of “magic”.

  19. Simplified Spectre The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, A very simplified Spectre attack: Alan Jeffrey, James Riely if canRead ( SECRET ) { a [ SECRET ] := 1 } Introduction else if touched ( a [ 0 ]) { x := 0 } Spectre else if touched ( a [ 1 ]) { x := 1 } Optimizations Simplified Spectre with execution Results Experiments Conclusions R SECRET 1 W a [ 1 ] 1 magic ! W x 1 Information flow from SECRET to x , if there’s an implementation of “magic”. Narrator : there was one.

  20. Results The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, James Riely Introduction Formalization of pretty pictures as partially ordered multisets (Gisher, 1988). Spectre Optimizations Compositional semantics based on weak memory models (e.g. C11). Simplified Spectre Results Examples modeling Spectre, Spectre mitigations, Experiments PRIME+ABORT attack on transactional memory. . . Conclusions

  21. Results The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, James Riely Introduction Formalization of pretty pictures as partially ordered multisets (Gisher, 1988). Spectre Optimizations Compositional semantics based on weak memory models (e.g. C11). Simplified Spectre Results Examples modeling Spectre, Spectre mitigations, Experiments PRIME+ABORT attack on transactional memory. . . Conclusions and a new family of attacks on compiler optimizations.

  22. Modeling an attack on compiler optimizations The Code That Never Ran An attacker running two threads (initially x = y = 0): Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, y := x || if ( y == 0 ) { x := 1 } James Riely else if ( canRead ( SECRET )) { x := SECRET } Introduction else { x := 1; z := 1 } Spectre Optimizations If SECRET is 1, there is an execution: Simplified Spectre R x 1 W x 1 Results Experiments Conclusions W y 1 R y 1 W z 1 If SECRET is 2, there is no execution (due to cyclic dependency): R x 1 W x 1 W x 2 W y 1 R y 1 W z 1

  23. Implementing attacks on compiler optimizations The Code That Never Ran Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, James Riely Introduction Spectre and Prime+Abort are implemented. Spectre Optimizations Can we implement the attacks on compiler optimizations? Simplified Spectre Results Experiments Conclusions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Mystery of God 1. Who is this God? 2. Where is this God 3. What does He want from me

The Mystery of God 1. Who is this God? 2. Where is this God 3. What does He want from me

The Mystery of God 1. Who is this God? 2. Where is this God 3. What does He want from me Renaissance Who Am I? Goodness Gracious You Are Special The Mystery Of Gods Grace Ephesians 2:110 You were dead through the trespasses and

351 views • 19 slides
Abstraction Example boolean b = mystery(); if(b) { x = 1; y = 3; } else { x = 3; y = 4; }

Abstraction Example boolean b = mystery(); if(b) { x = 1; y = 3; } else { x = 3; y = 4; }

Abstraction Example boolean b = mystery(); if(b) { x = 1; y = 3; } else { x = 3; y = 4; } z = x + y; Abstraction Example boolean b = mystery(); < b is true or false; > if(b) { x = 1; y = 3; } else { x = 3; y = 4; } z = x +

508 views • 31 slides
TIME Room 1 Room 2 Room 3 Room 4 Room 5 Room 6 Room 1 Room 2 Room 3 Room 4 Room 5 Room

TIME Room 1 Room 2 Room 3 Room 4 Room 5 Room 6 Room 1 Room 2 Room 3 Room 4 Room 5 Room

Presentation Schedules (Updated on 03/12/2016. Subject to change. Kindly refer to the schedules on display at the ISCEE 2016 venue for updated versions, if any.) TIME Room 1 Room 2 Room 3 Room 4 Room 5 Room 6 Room 1 Room 2 Room 3 Room 4

625 views • 26 slides
locked and nearly-locked islands by W. Choi, K.E.J. Olofsson, R. Sweeney, F. Volpe, and M.

locked and nearly-locked islands by W. Choi, K.E.J. Olofsson, R. Sweeney, F. Volpe, and M.

Simulated dynamics and feed-back control of locked and nearly-locked islands by W. Choi, K.E.J. Olofsson, R. Sweeney, F. Volpe, and M. Okabayashi Presented at the APS-DPP Meeting, Savannah, Georgia Nov. 15, 2015 Choi/APS-DPP/Nov. 2015 1

350 views • 18 slides
Page 1 SESSION ROOM 201 ROOM 202 ROOM 203 ROOM 204 ROOM 204A ROOM 206 ROOM 207 ROOM 208

Page 1 SESSION ROOM 201 ROOM 202 ROOM 203 ROOM 204 ROOM 204A ROOM 206 ROOM 207 ROOM 208

2015 IOP Conference Presentation Schedule, v6 Page 1 SESSION ROOM 201 ROOM 202 ROOM 203 ROOM 204 ROOM 204A ROOM 206 ROOM 207 ROOM 208 SESSION A Marina Milner-Bolotin Annie Vallance Ashenafi Alemu

470 views • 3 slides
Classic ML Where is ML used? CS 5860 - Introduction to Formal Methods What is Classic ML? ML

Classic ML Where is ML used? CS 5860 - Introduction to Formal Methods What is Classic ML? ML

Classic ML an EventML Where does ML come from? Classic ML Where is ML used? CS 5860 - Introduction to Formal Methods What is Classic ML? ML types Vincent Rahli Nuprl team Polymorphism Recursion Cornell University Typing rules September

125 views • 11 slides
Parashat Ha'Azinu Deuteronomy 32:1 - 32:52 October 12 th , 2019 The Mystery Letter The Mystery

Parashat Ha'Azinu Deuteronomy 32:1 - 32:52 October 12 th , 2019 The Mystery Letter The Mystery

Parashat Ha'Azinu Deuteronomy 32:1 - 32:52 October 12 th , 2019 The Mystery Letter The Mystery Letter There are a couple of points to note about this portion of Torah 1. The Mystery Letter, the Hebrew letter hey: 1. Written twice as

279 views • 25 slides
SESSION ROOM 201 ROOM 202 ROOM 203 ROOM 204 ROOM 204A ROOM 207 ROOM 208 SESSION A Susan

SESSION ROOM 201 ROOM 202 ROOM 203 ROOM 204 ROOM 204A ROOM 207 ROOM 208 SESSION A Susan

2016 IOP Conference Presentation Schedule, v1 Page 1 SESSION ROOM 201 ROOM 202 ROOM 203 ROOM 204 ROOM 204A ROOM 207 ROOM 208 SESSION A Susan Grossman Chantalle Fuchs Jovana Durica Natalie LeBlanc Sokyee A. Low Mashael Alharbi

315 views • 3 slides
Security vs Means of Escape Locked out Locked in Origin Fire Consultants, October 9, 2018

Security vs Means of Escape Locked out Locked in Origin Fire Consultants, October 9, 2018

Security vs Means of Escape Locked out Locked in Origin Fire Consultants, October 9, 2018 CONTENTS Introduction Regulatory regime Compliance Schedule Handbook Acceptable Solutions Verification Method Alternative Solutions

593 views • 31 slides
Writing a Writer Richard P. Gabriel Only mystery enables us to live Only mystery Federico

Writing a Writer Richard P. Gabriel Only mystery enables us to live Only mystery Federico

Writing a Writer Richard P. Gabriel Only mystery enables us to live Only mystery Federico Garcia Lorca deep in the dark the power of snow walking in the deepness InkWell, December 2014 revise Frosts Stopping by Woods

1.49k views • 134 slides
PASSION FOR CLASSIC Welcome to Como Classic Boats, Lake Comos premier classic wooden boat

PASSION FOR CLASSIC Welcome to Como Classic Boats, Lake Comos premier classic wooden boat

MENAGGIO VARENNA BELLAGIO TREMEZZO PASSION FOR CLASSIC Welcome to Como Classic Boats, Lake Comos premier classic wooden boat rental company with driver. Located and operated in Laglio, next to George Clooneys villa and LEZZENO to the

234 views • 8 slides
Escape the Room! You were on your way home when you realised that you had left your homework in

Escape the Room! You were on your way home when you realised that you had left your homework in

Escape the Room! You were on your way home when you realised that you had left your homework in your tray. You run back into class to get it and hear a loud bang. You have accidentally been locked in your classroom and you could be here all

539 views • 15 slides
Escape the Room! You have been helping your teacher to tidy up the sports equipment after a P.E.

Escape the Room! You have been helping your teacher to tidy up the sports equipment after a P.E.

Escape the Room! You have been helping your teacher to tidy up the sports equipment after a P.E. lesson. You hear a loud bang and turn around to find that you have been accidentally locked in the school hall! Solve the clues and puzzles hidden

397 views • 16 slides
Neuroethical implications of clinicians attitudes toward the Locked-in Syndrome Personhood and

Neuroethical implications of clinicians attitudes toward the Locked-in Syndrome Personhood and

Neuroethical implications of clinicians attitudes toward the Locked-in Syndrome Personhood and the Locked-In Syndrome Catalan Institution for Research and Advanced Studies 18 November 2016 Barcelona, SPAIN Athena Demertzi, PhD Institut du

576 views • 19 slides
The Anatomy of a Mystery Presented by: BC Deeks & Sharon Wildwind Presentation Sponsored by:

The Anatomy of a Mystery Presented by: BC Deeks & Sharon Wildwind Presentation Sponsored by:

Studying the Bones of Successful Mystery Fiction The Anatomy of a Mystery Presented by: BC Deeks & Sharon Wildwind Presentation Sponsored by: Calgary Crime Writers Association The Anatomy of a Mystery This presentation to 2015 When Words

306 views • 14 slides
LUND 27. February 2003 P . Z. Skands p.1/27 THE MYSTERY OF SS433 THE MYSTERY OF

LUND 27. February 2003 P . Z. Skands p.1/27 THE MYSTERY OF SS433 THE MYSTERY OF

LUND 27. February 2003 P . Z. Skands p.1/27 THE MYSTERY OF SS433 THE MYSTERY OF SS433 LUND 27. February 2003 P . Z. Skands p.1/27 THE MYSTERY OF SS433 THE MYSTERY OF SS433 Stephenson & Sanduleak catalogue object

570 views • 42 slides
Parametric Verification of Concurrent Programs under the TSO Weak Memory Model Ahmed Bouajjani

Parametric Verification of Concurrent Programs under the TSO Weak Memory Model Ahmed Bouajjani

Parametric Verification of Concurrent Programs under the TSO Weak Memory Model Ahmed Bouajjani Paris Diderot University Based on joint work with Parosh A. Abdulla Mohamed Faouzi Atig T. Phong Ngo Uppsala University Sebastian

897 views • 77 slides
Memory Consistency Models Virendra Singh Computer Architecture & Dependable Systems Lab.

Memory Consistency Models Virendra Singh Computer Architecture & Dependable Systems Lab.

Memory Consistency Models Virendra Singh Computer Architecture & Dependable Systems Lab. Dept. of Electrical Engineering Indian Institute of Technology Bombay Courtesy: Sarita Adve University of Illinois at Urbana-Champaign CS-683:

2.14k views • 71 slides
The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI

The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI

The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI Techmedia The Java Memory Model p. 1/30 Overview Part I : Motivation for weak memory models: Compromise between standard optimisations and

813 views • 46 slides
A CHR-Based Solver for Weak Memory Behaviors CSTVA 2016 Allan Blanchard 1 , 2 Nikolai Kosmatov

A CHR-Based Solver for Weak Memory Behaviors CSTVA 2016 Allan Blanchard 1 , 2 Nikolai Kosmatov

A CHR-Based Solver for Weak Memory Behaviors CSTVA 2016 Allan Blanchard 1 , 2 Nikolai Kosmatov 1 eric Loulergue 2 Fr ed 1 CEA LIST - Software Reliability Laboratory 2 Univ Orl eans, INSA Centre Val de Loire, LIFO Sequential Consistency

767 views • 43 slides
Concurrency and Memory Models Filip Sieczkowski Why concurrency? Moores law Every two

Concurrency and Memory Models Filip Sieczkowski Why concurrency? Moores law Every two

Concurrency and Memory Models Filip Sieczkowski Why concurrency? Moores law Every two years, the number of transistors in a dense integrated circuit doubles The keystone of microprocessor industry Physical limitations Finite

374 views • 20 slides
Distributed Memory and Cache Consistency Distributed Memory and Cache Consistency (some slides

Distributed Memory and Cache Consistency Distributed Memory and Cache Consistency (some slides

Distributed Memory and Cache Consistency Distributed Memory and Cache Consistency (some slides courtesy of Alvin Lebeck) Software DSM 101 Software DSM 101 Software-based distributed shared memory (DSM) provides an illusion of shared memory on

414 views • 12 slides
COMP 590-154: Computer Architecture Shared-Memory Multi-Processors Shared-Memory Multiprocessors

COMP 590-154: Computer Architecture Shared-Memory Multi-Processors Shared-Memory Multiprocessors

COMP 590-154: Computer Architecture Shared-Memory Multi-Processors Shared-Memory Multiprocessors Multiple threads use shared memory (address space) SysV Shared Memory or Threads in software Communication implicit via loads

548 views • 40 slides
Programming a multicore architecture without coherency and atomic operations Jochem Rutgers ,

Programming a multicore architecture without coherency and atomic operations Jochem Rutgers ,

Programming a multicore architecture without coherency and atomic operations Jochem Rutgers , Marco Bekooij, Gerard Smit 2014-02-15 1 / 13 Parallel render example One master thread: data = read_3d_model_from_file(); 1 go = 1; 2 while

693 views • 34 slides

More recommend