an open source risc v microarchitecture
play

an Open Source RISC-V Microarchitecture CARRV 2019 June 22 nd , 2019 - PowerPoint PPT Presentation

Jun 25, 2023 •376 likes •709 views

Replicating and Mitigating Spectre Attacks on an Open Source RISC-V Microarchitecture CARRV 2019 June 22 nd , 2019 - Phoenix, Arizona Abraham Gonzalez , Ben Korpan, Jerry Zhao , Ed Younis Krste Asanovi University of California, Berkeley

  1. Replicating and Mitigating Spectre Attacks on an Open Source RISC-V Microarchitecture CARRV 2019 – June 22 nd , 2019 - Phoenix, Arizona Abraham Gonzalez , Ben Korpan, Jerry Zhao , Ed Younis Krste Asanović University of California, Berkeley

  2. Outline • Motivation • Open-source Approach to Hardware • BOOM: Berkeley Out-of-Order Machine • Replicating Spectre Attacks on BOOM • Implementing a Speculation Buffer • Comparisons • Implementation • Conclusion

  3. Motivation 3

  4. Exploits Everywhere 4

  5. Why are Spectre-style attacks hard? Leakage Mechanisms Attack Scenarios • Conditional branch • User process attacks kernel • Indirect jump • User process attacks user space • Return instructions • Intra-process sandbox escape • Speculative store bypass • User process attacks enclaves • Data speculation Spectre • Remote timing attacks • ... • ... Variations Target CPUs Covert Channels • ARM • Changes in cache state • Intel • Power consumption • AMD • Resource contention (FPUs, buffers) • RISC-V • ... • … 5 Taken from “Panel On the Implications of the Meltdown & Spectre Design Flaws”, ISCA 2018

  6. Mitigation Approaches InvisiSpec/SafeSpec: Blocking unsafe loads from altering the data cache DAWG: Partition data cache between security domains StealthMem/CATalyst: Hide visibility of a secure memory region Context-based fencing: Dynamically stop speculation in secure code Compiler-inserted fencing: Statically analyze program for Spectre- vulnerable snippets Lots of interesting approaches, but how to compare them? Use them together? M. Yan, et. al. 2018. InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy. In MICRO. K. N. Khasawneh, et. al. 2018. Safespec: Banishing the spectre of a meltdown with leakage-free speculation. Archived. V. Kiriansky, et. al. 2018. DAWG: A Defense Against Cache Timing Attacks in Speculative Execution Processors. In MICRO. T. Kim, et. al. 2012. STEALTHMEM: System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud. In USENIX. F. Liu, et. al. 2016. CATalyst: Defeating last-level cache side channel attacks in cloud computing. In HPCA. M. Taram, et. Al. 2019. Context-Sensitive Fencing: Securing Speculative Execution via Microcode Customization. In ASPLOS. Microsoft. 2018. Microsoft’s compiler -level Spectre fix shows how hard this problem will be to solve. In Ars Technica. 6

  7. Open-source Approach to Hardware 7

  8. Open-source HW + Agile Design Tools + Fast Simulation/Emulation = Security? Large proliferation of open-source software stacks, cores, and simulation/design infrastructure 8

  9. The Open-source RISC-V Approach Security benefits from open-source work 1. Think of new security mitigation/exploit 2. Use open-source RTL to start implementation 3. Quickly iterate through design development with easy, fast, and free tooling 4. Open-source work and have others scrutinize or use your work 9

  10. Modern Microarchitectures Commercial Spectre-vulnerable cores are complex, out-of-order, and closed-source. Need to do speculation-security research on an equivalent open-source academic core. 10 Intel Sandy Bridge Intel Skylake ARM A76

  11. BOOM: The Berkeley Out-of-Order Machine 11

  12. BOOM Overview • Open-source, out-of-order, superscalar RISC-V core • Runs RISC-V ISA RV64GC • Linux-capable - boots Fedora + Buildroot • Silicon-proven - taped out • ~18K LoC of open-source Chisel RTL • Highly parameterizable and configurable • Full integration with Rocket Chip, FireSim, HAMMER J. Bachrach, et. al. 2012. Chisel: constructing hardware in a scala embedded language. In DAC. K. Asanovic, et. al. 2016. The Rocket Chip Generator. Technical Report. S. Karandikar, et. al. 2018. FireSim: FPGA-accelerated cycle-exact scale-out system simulation in the public cloud. In ISCA. 12 E. Wang, et. al. 2018. Hammer: Enabling Reusable Physical Design. In WOSET.

  13. BOOM Microarchitecture 13

  14. Replicating Spectre Attacks 14

  15. Spectre v1 Overview Speculation: • Performance-seeking behavior of modern processors • Execute instructions before we know they will commit Side-channel: • Microarchitectural state which holds interacts with program execution • Caches, TLBs, power… Typical Spectre attack: 1. Setup processor to misspeculate in victim code (e.g. train branch predictors) 2. Misspeculation leaks secret into a side channel 3. Attacker recovers secret from side channel 15 P. Kocher, et. al. 2018. Spectre attacks: Exploiting speculative execution. Archived.

  16. Spectre v1 Example if (x < array1_sz): Steps: secret = array1[x] 1. Access if statement multiple times out = array2[secret * amount] correctly (predict if to fall-through) 2. Give x > array1_sz before after 3. Predict the if to be true and bring in array2 array2 addresses addresses secret and array2 value all 0*amount 0*amount 4. Use the time difference between uncached cached cached and uncached lines to 1*amount 1*amount determine secret 2*amount 2*amount 5. Repeat! 3 *amount 3*amount 4*amount 4*amount ... ... 16

  17. Components Needed – With BOOM? • Branch Prediction • Set associative BTB and GShare branch predictors • Speculative Execution • Out-of-order execution and branch kill masks for speculative execution • Caching • L1 data cache and a outer memory set to the latency of an L2 cache • Cache Manipulation • Custom-made L1 data cache clflush BOOM provides all the elements to replicate Spectre! 17

  18. Spectre v1 Running on FireSim 18 S. Karandikar, et. al. 2018. FireSim: FPGA-accelerated cycle-exact scale-out system simulation in the public cloud. In ISCA.

  19. 19

  20. Implementing a Speculation Buffer

  21. Protecting Data Caches Problem: Load refills are not subject to architectural guarantees ld t0, 0(s0) • Misspeculated loads leave side- blt t0, a0, end effects, creating a side-channel sll t1, t0, 2 Misspeculated region add t2, a1, t1 Solution: Treat the data cache as ld t3, 0(t2) an architectural structure end: • Only alter the cache state when New cache line instructions commit Block speculative cache refills • Implement a working prototype in BOOM RTL Data Cache 21

  22. Prior Work InvisiSpec • Per load-queue-entry speculation buffer • Speculation-aware cache-coherence policy Safespec • Speculation- depth sized “shadow structures” • Protect DCache, ICache, TLBs BOOM Speculation Buffer: • Hold speculated loads in line-fill- buffers M. Yan, et. al. 2018. InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy. In MICRO. 22 K. N. Khasawneh, et. al. 2018. Safespec: Banishing the spectre of a meltdown with leakage-free speculation. Archived.

  23. Life of a Misspeculated Load Data/tag arrays modified by Outer Memory unsafe instructions/ Side-channel MSHR N Load Queue MSHR 1 Tag Array MSHR 0 0x1 check Replay Queue 0x3 Miss, tags 0x5 allocate MSHR Get(0x200) 0x7 0x2 ld 0x200 ldq[5] ld 0x202 ldq[4] Data Array 0x200 To core Refill(0x200) 0xabbccdde 23

  24. Blocking Misspeculated Loads Data/tag arrays protected from Outer Memory misspeculation MSHR N Load Queue MSHR 1 Tag Array MSHR 0 0x1 check Replay Queue 0x3 Miss, tags 0x5 allocate MSHR Get(0x200) 0x7 ld 0x200 ldq[5] ld 0x202 ldq[4] Data Array 0x200 Refill(0x200) Speculation Buffer 0xabbccdde To core 24

  25. Blocking Misspeculated Loads Outer Memory MSHR N Load Queue MSHR 1 Tag Array MSHR 0 0x1 check Replay Queue 0x3 Miss, tags 0x5 allocate MSHR Get(0x200) 0x2 0x7 ld 0x200 ld 0x202 ld 0x202 Data Array 0x200 0x200 Refill(0x200) Speculation Buffer 0xabbccdde 0xabbccdde 0xabbccdde To core 25

  26. Blocking Misspeculated Loads • Load refills wait in the buffer until one of their misses has committed • Stall writeback until one of the following occurs • A load-miss to that line has committed OR • A store-miss hits that line (stores are non-speculative) • If all load misses to that line were misspeculated, discard it • Bypass loads out of the load-fill-buffer • Subsequent loads “see” the data in the DCache • Minimizes performance penalty 26

  27. Committing Loads When to commit load refills to the DCache? • When the ROB commits the load? • Most secure. • Huge performance penalty for load misses • When the load is free from branches? • Does not consider exceptions/interrupts • Minimal performance penalty • When the load reaches the point-of-no-return • New ROB pointer, tracks instructions which are guaranteed to commit 27

  28. Speculation Buffer Results 1 month implementation time Version of BOOM With Microbenchmarks % Benchmark Normal Speculation Difference Buffer • Set of assembly routines to test edge cases Non-speculative LD 540 cycles 640 cycles -19% Dhrystone results misses to same sets • Original: 2176 dps • W. Speculation buffer: 2216 dps Non-speculative LD 264 cycles 297 cycles -11% misses to different sets • Impact: ~2% better IPC Preliminary physical results in TSMC 45nm MSHR evicted 48 cycles 67 cycles -40% speculative LD misses • ~3% larger area Dhrystone 2176 dps 2216 dps +2% 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Challenges in Open-source RISC-V Implementations Differentiation &amp; Customization Open Source

Challenges in Open-source RISC-V Implementations Differentiation &amp; Customization Open Source

Challenges in Open-source RISC-V Implementations Differentiation &amp; Customization Open Source Hardware Promises and Hopes Great way to collaborate Faster development thanks to readily available IP (e.g. peripherals, ) Very

411 views • 17 slides
How to run Linux on RISC-V with open hardware and open source FPGA tools FOSDEM (2020-02-02)

How to run Linux on RISC-V with open hardware and open source FPGA tools FOSDEM (2020-02-02)

Slides: https://github.com/pdp7/talks/blob/master/fosdem20.pdf How to run Linux on RISC-V with open hardware and open source FPGA tools FOSDEM (2020-02-02) Drew Fustini drew@oshpark.com Twitter: @pdp7 Open Source Hardware designer at OSH

1.02k views • 82 slides
Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Grkaynak Luca Benini

750 views • 58 slides
HERO: Open-Source Heterogeneous Embedded Research Platform for Exploring RISC-V Manycore

HERO: Open-Source Heterogeneous Embedded Research Platform for Exploring RISC-V Manycore

HERO: Open-Source Heterogeneous Embedded Research Platform for Exploring RISC-V Manycore Architectures on FPGA First Workshop on Computer Architecture Research with RISC-V (CARRV) @ MICRO 50 2017-10-14 Andreas Kurth Pirmin Vogel Alessandro

216 views • 21 slides
The Microarchitecture Level Wolfgang Schreiner Research Institute for Symbolic Computation

The Microarchitecture Level Wolfgang Schreiner Research Institute for Symbolic Computation

The Digital Logic Level The Microarchitecture Level Wolfgang Schreiner Research Institute for Symbolic Computation (RISC-Linz) Johannes Kepler University Wolfgang.Schreiner@risc.uni-linz.ac.at http://www.risc.uni-linz.ac.at/people/schreine

1.07k views • 44 slides
Workshop on Open Source Hardware Development Tools and RISC-V MohammadHossein AskariHemmat

Workshop on Open Source Hardware Development Tools and RISC-V MohammadHossein AskariHemmat

Workshop on Open Source Hardware Development Tools and RISC-V MohammadHossein AskariHemmat Shahid Bahonar University of Kerman August 24, 2017 MohammadHossein AskariHemmat Workshop on RISC-V August 24, 2017 1 / 71 Agenda Open Source Tools

922 views • 71 slides
Celerity: An Open Source RISC-V Tiered Accelerator Fabric Tutu Ajayi , Khalid Al-Hawaj ,

Celerity: An Open Source RISC-V Tiered Accelerator Fabric Tutu Ajayi , Khalid Al-Hawaj ,

Celerity: An Open Source RISC-V Tiered Accelerator Fabric Tutu Ajayi , Khalid Al-Hawaj , Aporva Amarnath , Steve Dai , Scott Davidson*, Paul Gao*, Gai Liu , Atieh Lotfi*, Julian Puscar*, Anuj Rao*, Austin Rovinski , Loai

1.56k views • 62 slides
GOMACTech-2019 BlackParrot An Open-Source, Industrial-Strength, RISC-V, Linux Capable, Multicore

GOMACTech-2019 BlackParrot An Open-Source, Industrial-Strength, RISC-V, Linux Capable, Multicore

GOMACTech-2019 BlackParrot An Open-Source, Industrial-Strength, RISC-V, Linux Capable, Multicore Processor 28 MAR 2019 Mark Wyse University of Washington DISTRIBUTION STATEMENT A. Approved for public release: distribution is unlimited. We

367 views • 15 slides
Adventures with RISC-V Vectors and LLVM Robin Kruppe Roger Espasa Chief Architect Embedded

Adventures with RISC-V Vectors and LLVM Robin Kruppe Roger Espasa Chief Architect Embedded

Adventures with RISC-V Vectors and LLVM Robin Kruppe Roger Espasa Chief Architect Embedded Systems and Applications Group 1 Background RISC-V is a new open-source ISA rapidly gaining momentum Definition controlled by the RISC-V

530 views • 23 slides
PROCESSOR DEVELOPMENT THE FREE AND OPEN RISC INSTRUCTION SET ARCHITECTURE Codasip is the

PROCESSOR DEVELOPMENT THE FREE AND OPEN RISC INSTRUCTION SET ARCHITECTURE Codasip is the

ENHANCED TOOLS FOR RISC-V PROCESSOR DEVELOPMENT THE FREE AND OPEN RISC INSTRUCTION SET ARCHITECTURE Codasip is the leading provider of RISC-V processor IP Codasip Bk : A portfolio of RISC-V processors Uniquely providing design automation tools

318 views • 9 slides
Instructions and Addressing 1 ISA vs. Microarchitecture ISA vs. Microarchitecture An ISA or

Instructions and Addressing 1 ISA vs. Microarchitecture ISA vs. Microarchitecture An ISA or

CS31001 COMPUTER ORGANIZATION AND ARCHITECTURE Debdeep Mukhopadhyay, CSE, IIT Kharagpur Instructions and Addressing 1 ISA vs. Microarchitecture ISA vs. Microarchitecture An ISA or Instruction Set Architecture describes the aspects of

407 views • 17 slides
The future of operating systems on RISC-V Alex Bradbury asb@lowrisc.org @asbradbury 4th

The future of operating systems on RISC-V Alex Bradbury asb@lowrisc.org @asbradbury 4th

The future of operating systems on RISC-V Alex Bradbury asb@lowrisc.org @asbradbury 4th March 2019 Structure of this talk Introduction to RISC-V RISC-V status Selected RISC-V topics RISC-V and open hardware: the future

733 views • 28 slides
Intel 45nm Core 2 Microarchitecture P r e s e n t e d B y : A l e c W i s e m a n Agenda

Intel 45nm Core 2 Microarchitecture P r e s e n t e d B y : A l e c W i s e m a n Agenda

Intel 45nm Core 2 Microarchitecture P r e s e n t e d B y : A l e c W i s e m a n Agenda Microarchitecture Overview Efficiency Enhancements Enhanced Dynamic Acceleration Technology Results Microarchitecture Overview Microarchitecture

384 views • 26 slides
Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward

Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward

Presented by: Joris Jonkers Both &amp; Patrick Spaans Supervisor: Alexandru Geana Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward 1 Introduction RISC-V64 - Like ARM but open source - One

524 views • 37 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Y86 encoding / SEQ part 1 1 last time instruction set (interface) v microarchitecture

Y86 encoding / SEQ part 1 1 last time instruction set (interface) v microarchitecture

Y86 encoding / SEQ part 1 1 last time instruction set (interface) v microarchitecture (implementation) RISC (simpler HW) v CISC (more fmexible ASM) Y86-64 ISA started Y86 encoding 3 Y86-64 instruction formats 9 0 rA rB OP q rA, rB 6 fn rA

1.2k views • 88 slides
Semantic Spaces for Zero-Shot Behaviour Analysis Xun Xu Computer Vision and Interactive Media

Semantic Spaces for Zero-Shot Behaviour Analysis Xun Xu Computer Vision and Interactive Media

Semantic Spaces for Zero-Shot Behaviour Analysis Xun Xu Computer Vision and Interactive Media Lab, NUS Singapore 1 Collaborators Prof. Shaogang Gong Dr. Timothy Hospedales 2 Outline Background Transductive Zero-Shot Action

764 views • 73 slides
Lossless or Quantized Boosting with Integer Arithmetic Richard Nock Robert C. Williamson

Lossless or Quantized Boosting with Integer Arithmetic Richard Nock Robert C. Williamson

Lossless or Quantized Boosting with Integer Arithmetic Richard Nock Robert C. Williamson The big picture Many constraints in today-ML (e.g. for privacy, at-the-edge, distributed or deep) generic : integer encoding,

467 views • 8 slides
Integration of general-purpose automated theorem provers in Lean Gabriel Ebner Formal Methods in

Integration of general-purpose automated theorem provers in Lean Gabriel Ebner Formal Methods in

Integration of general-purpose automated theorem provers in Lean Gabriel Ebner Formal Methods in Mathematics 2020-01-08 Vrije Universiteit Amsterdam Introduction Premise selection Applicative translation to FOL Monomorphizing translation to

455 views • 34 slides
RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM

RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM

RowHammer in 15' Nicolas RUFF nruff+sstic15@google.com Life of an electron SRAM: static RAM DRAM: dynamic RAM http://en.wikipedia.org/wiki/Static_random-access_memory#/media/File:

338 views • 11 slides
Upping the ante: the full Lambek Calculus Robert Levine Ohio State University levine.1@osu.edu

Upping the ante: the full Lambek Calculus Robert Levine Ohio State University levine.1@osu.edu

Upping the ante: the full Lambek Calculus Robert Levine Ohio State University levine.1@osu.edu Robert Levine The Lambek Calculus 1 / 24 Coordination Coordination is a cross-categorial phenomenon Robert Levine The Lambek Calculus 2 / 24

1.82k views • 164 slides
The Big Problem with Meta-Learning and How Bayesians Can Fix It Chelsea Finn Stanford

The Big Problem with Meta-Learning and How Bayesians Can Fix It Chelsea Finn Stanford

The Big Problem with Meta-Learning and How Bayesians Can Fix It Chelsea Finn Stanford training data test datapoint Braque Cezanne By Braque or Cezanne? How did you accomplish this? Through previous experience. How might you get a

264 views • 25 slides
Hammering towards Qed Cezary Kaliszyk Josef Urban University of Innsbruck Radboud University

Hammering towards Qed Cezary Kaliszyk Josef Urban University of Innsbruck Radboud University

Hammering towards Qed Cezary Kaliszyk Josef Urban University of Innsbruck Radboud University July 18, 2014 1 / 21 Outline Automation for Interactive Proof Translations Evaluation Machine Learning Reconstruction Towards Qed Strength

628 views • 29 slides
Decomposition of effect algebras and the Hammer-Sobczyk theorem A report of the joint paper by

Decomposition of effect algebras and the Hammer-Sobczyk theorem A report of the joint paper by

Decomposition of effect algebras and the Hammer-Sobczyk theorem A report of the joint paper by Anna Avallone, Giuseppina Barbieri Paolo Vitolo and Hans Weber on Algebra Universalis E. Marczewski Centennial Conference, 2007 DEFINITION A measure

595 views • 16 slides

More recommend