cache and syphilis
play

Cache and Syphilis RootedCON 2019 Haswell (4th generation) - PowerPoint PPT Presentation

Apr 28, 2023 •441 likes •1.02k views

Cache and Syphilis RootedCON 2019 Haswell (4th generation) architecture Cache latencies: L1 ~5 cycles L2 ~12 cycles L3 ~50 cycles DRAM ~50 cycles + 50 ns (RAM) Coherence: Inclusive vs. non-inclusive vs. exclusive

  1. Cache and Syphilis RootedCON 2019

  3. Haswell (4th generation) architecture Cache latencies: ● L1 ~5 cycles ● L2 ~12 cycles ● L3 ~50 cycles ● DRAM ~50 cycles + 50 ns (RAM) Coherence: ● Inclusive vs. non-inclusive vs. exclusive

  4. /microarchitectural_attacks Cache Attacks Rowhammer Evict+Time, Prime+Probe , Flush+Reload, etc. GPU MMU and TLB Port contention Meltdown Memory deduplication Foreshadow

  5. /rowhammer Single Event Upsets (SEUs) in electronics first proposed in 1962 (J.T. Wallmark and S.M. Marcus) ● Cosmic rays can limit the scaling of devices Can random bit-flips in physical memory be exploited? Rowhammer allows to induce random bit-flips via software in an often repeatable fashion ● repetition is what makes exploitation reliable Some real exploits: ● NaCl bit-flip in x86 instructions to a non 32-byte-aligned address ● Linux Kernel bit-flip in physical frame number of PTE with R/W permission ● RSA keys (ssh and apt-get): bit-flip in public key allows easy factorization ● Trusted Zone bit-flip in private key, recover secret from signature ● Opcode flipping bit-flip to ignore privilege checks in setuid binaries

  6. /rowhammer Dual In-line Memory Module front of DIMM: rank 0 channel 0 back of DIMM: rank 1 Serial Presence Detect (SPD) chip bank 0 channel 1 row 0 row 1 row 2 Bank = matrix of cells Row “activation” ... Cell = capacitor + transistor = 1-bit Cells leak charge, need to refresh row N Cells grouped into rows Refresh rate ~64ms Typical row size: 8K row buffer

  7. /rowhammer Hammering a row = repeatedly activating a row ● Higher storage capacity -> Higher cell density -> Lower isolation bank ● An aggressor row that is repeatedly activated can cause victim row 0 row’s cells to bit-flip. row 1 ● Defective cells are randomly distributed row 2 ... row N loop: mov (A), %eax // Read from address A (row 1) row buffer mov (B), %ebx // Read from address B (row k) clflush (A) // Flush A from cache clflush (B) // Flush B from cache jmp loop

  8. /spectre-v1 ● instruction fetch ● out-of-order execution ● branch prediction ● speculative execution

  9. /spectre-v1 victim_func: # void victim_func(int offset) { mov eax, dword ptr [rip + arr1_size] # cmp rax, rdi # if (offset < arr1_size) { jbe .OOB # lea rax, [rip + arr1] # movzx eax, byte ptr [rdi + rax] # eax = arr1[offset]; shl rax, 6 # rax = rax * 64; lea rcx, [rip + arr2] # mov al, byte ptr [rax + rcx] # al = arr2[rax]; and byte ptr [rip + temp], al # temp = temp & al; .OOB: # } ret # return; # } arr1_size: .long 16 # 0x10 .size arr1_size, 4 arr1: .ascii "\001\002\003\004\005\006\007\b\t\n\013\f\r\016\017\020" .size arr1, 16 temp: .byte 0 # 0x0 .size temp, 1 arr2: .comm arr2,131072,16

  10. /caches ● Memory splitted in “blocks” (64B) ● Set-associative cache ( n ways) ● Physically vs. virtually indexed ● Blocks “collide” in a cache set ● Replacement policy

  11. /caches ● Memory splitted in “blocks” (64B) ● Set-associative cache ( n ways) ● Physically vs. virtually indexed ● Blocks “collide” in a cache set ● Replacement policy Example: How many sets there are in a 6MB 12-way cache? 6*1024*1024 / (12*64) = 8192 sets We need 13 set-index bits! (w/o slicing)

  12. 4K toy RAM /caches 0 A 1 B 2 C 3 D ... 512 bytes 4-way toy cache load @192 // @00001 1 000000 (3) 4 E load @264 // @00010 0 001000 (4) 5 F load @324 // @00010 1 000100 (5) Set 0 Set 1 load @096 // @00000 1 100000 (1) 6 G load @003 // @00000 0 000010 (0) 7 H load @464 // @00011 1 010000 (7) load @324 // @00010 1 000100 (5) 8 I load @576 // @00100 1 000000 (9) 9 J ... 10 K 11 L 12 M 13 N 14 O 15 P 16 Q ...

  13. 4K toy RAM /caches 0 A 1 B 2 C 3 D ... 512 bytes 4-way toy cache load @192 // @00001 1 000000 (3) 4 E load @264 // @00010 0 001000 (4) 5 F load @324 // @00010 1 000100 (5) Set 0 Set 1 load @096 // @00000 1 100000 (1) 6 G load @003 // @00000 0 000010 (0) 7 H load @464 // @00011 1 010000 (7) load @324 // @00010 1 000100 (5) 8 I load @576 // @00100 1 000000 (9) 9 J ... 10 K 11 L 12 M 13 N 14 O 15 P 16 Q ...

  14. 4K toy RAM /caches 0 A 1 B 2 C 3 D ... 512 bytes 4-way toy cache load @192 // @00001 1 000000 (3) 4 E load @264 // @00010 0 001000 (4) 5 F load @324 // @00010 1 000100 (5) Set 0 Set 1 load @096 // @00000 1 100000 (1) 6 G load @003 // @00000 0 000010 (0) 7 H load @464 // @00011 1 010000 (7) load @324 // @00010 1 000100 (5) 8 I load @576 // @00100 1 000000 (9) 9 J ... 10 K 11 L 12 M MISS! 13 N 14 O 15 P 16 Q ...

  15. 4K toy RAM /caches 0 A 1 B 2 C 3 D ... 512 bytes 4-way toy cache load @192 // @00001 1 000000 (3) 4 E load @264 // @00010 0 001000 (4) 5 F load @324 // @00010 1 000100 (5) Set 0 Set 1 load @096 // @00000 1 100000 (1) 6 G load @003 // @00000 0 000010 (0) 7 H D load @464 // @00011 1 010000 (7) load @324 // @00010 1 000100 (5) 8 I load @576 // @00100 1 000000 (9) 9 J ... 10 K 11 L 12 M 13 N 14 O 15 P 16 Q ...

  16. 4K toy RAM /caches 0 A 1 B 2 C 3 D ... 512 bytes 4-way toy cache load @192 // @00001 1 000000 (3) 4 E load @264 // @00010 0 001000 (4) 5 F load @324 // @00010 1 000100 (5) Set 0 Set 1 load @096 // @00000 1 100000 (1) 6 G load @003 // @00000 0 000010 (0) 7 H D load @464 // @00011 1 010000 (7) load @324 // @00010 1 000100 (5) 8 I load @576 // @00100 1 000000 (9) 9 J ... 10 K 11 L 12 M MISS! 13 N 14 O 15 P 16 Q ...

  17. 4K toy RAM /caches 0 A 1 B 2 C 3 D ... 512 bytes 4-way toy cache load @192 // @00001 1 000000 (3) 4 E load @264 // @00010 0 001000 (4) 5 F load @324 // @00010 1 000100 (5) Set 0 Set 1 load @096 // @00000 1 100000 (1) 6 G load @003 // @00000 0 000010 (0) 7 H E D load @464 // @00011 1 010000 (7) load @324 // @00010 1 000100 (5) 8 I load @576 // @00100 1 000000 (9) 9 J ... 10 K 11 L 12 M 13 N 14 O 15 P 16 Q ...

  18. 4K toy RAM /caches 0 A 1 B 2 C 3 D ... 512 bytes 4-way toy cache load @192 // @00001 1 000000 (3) 4 E load @264 // @00010 0 001000 (4) 5 F load @324 // @00010 1 000100 (5) Set 0 Set 1 load @096 // @00000 1 100000 (1) 6 G load @003 // @00000 0 000010 (0) 7 H E D load @464 // @00011 1 010000 (7) load @324 // @00010 1 000100 (5) 8 I load @576 // @00100 1 000000 (9) 9 J ... 10 K 11 L 12 M MISS! 13 N 14 O 15 P 16 Q ...

  19. 4K toy RAM /caches 0 A 1 B 2 C 3 D ... 512 bytes 4-way toy cache load @192 // @00001 1 000000 (3) 4 E load @264 // @00010 0 001000 (4) 5 F load @324 // @00010 1 000100 (5) Set 0 Set 1 load @096 // @00000 1 100000 (1) 6 G load @003 // @00000 0 000010 (0) 7 H E D load @464 // @00011 1 010000 (7) load @324 // @00010 1 000100 (5) 8 I F load @576 // @00100 1 000000 (9) 9 J ... 10 K 11 L 12 M 13 N 14 O 15 P 16 Q ...

  20. 4K toy RAM /caches 0 A 1 B 2 C 3 D ... 512 bytes 4-way toy cache load @192 // @00001 1 000000 (3) 4 E load @264 // @00010 0 001000 (4) 5 F load @324 // @00010 1 000100 (5) Set 0 Set 1 load @096 // @00000 1 100000 (1) 6 G load @003 // @00000 0 000010 (0) 7 H E D load @464 // @00011 1 010000 (7) load @324 // @00010 1 000100 (5) 8 I F load @576 // @00100 1 000000 (9) 9 J ... 10 K 11 L 12 M MISS! 13 N 14 O 15 P 16 Q ...

  21. 4K toy RAM /caches 0 A 1 B 2 C 3 D ... 512 bytes 4-way toy cache load @192 // @00001 1 000000 (3) 4 E load @264 // @00010 0 001000 (4) 5 F load @324 // @00010 1 000100 (5) Set 0 Set 1 load @096 // @00000 1 100000 (1) 6 G load @003 // @00000 0 000010 (0) 7 H E D load @464 // @00011 1 010000 (7) load @324 // @00010 1 000100 (5) 8 I F load @576 // @00100 1 000000 (9) 9 J ... B 10 K 11 L 12 M 13 N 14 O 15 P 16 Q ...

  22. 4K toy RAM /caches 0 A 1 B 2 C 3 D ... 512 bytes 4-way toy cache load @192 // @00001 1 000000 (3) 4 E load @264 // @00010 0 001000 (4) 5 F load @324 // @00010 1 000100 (5) Set 0 Set 1 load @096 // @00000 1 100000 (1) 6 G load @003 // @00000 0 000010 (0) 7 H E D load @464 // @00011 1 010000 (7) load @324 // @00010 1 000100 (5) 8 I F load @576 // @00100 1 000000 (9) 9 J ... B 10 K 11 L 12 M MISS! 13 N 14 O 15 P 16 Q ...

  23. 4K toy RAM /caches 0 A 1 B 2 C 3 D ... 512 bytes 4-way toy cache load @192 // @00001 1 000000 (3) 4 E load @264 // @00010 0 001000 (4) 5 F load @324 // @00010 1 000100 (5) Set 0 Set 1 load @096 // @00000 1 100000 (1) 6 G load @003 // @00000 0 000010 (0) 7 H E D load @464 // @00011 1 010000 (7) load @324 // @00010 1 000100 (5) 8 I A F load @576 // @00100 1 000000 (9) 9 J ... B 10 K 11 L 12 M 13 N 14 O 15 P 16 Q ...

  24. 4K toy RAM /caches 0 A 1 B 2 C 3 D ... 512 bytes 4-way toy cache load @192 // @00001 1 000000 (3) 4 E load @264 // @00010 0 001000 (4) 5 F load @324 // @00010 1 000100 (5) Set 0 Set 1 load @096 // @00000 1 100000 (1) 6 G load @003 // @00000 0 000010 (0) 7 H E D load @464 // @00011 1 010000 (7) load @324 // @00010 1 000100 (5) 8 I A F load @576 // @00100 1 000000 (9) 9 J ... B 10 K 11 L 12 M MISS! 13 N 14 O 15 P 16 Q ...

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Update on Congenital Syphilis Elimination efforts, Chicago, IL Irina Tabidze, MD, MPH HIV/STI

Update on Congenital Syphilis Elimination efforts, Chicago, IL Irina Tabidze, MD, MPH HIV/STI

Update on Congenital Syphilis Elimination efforts, Chicago, IL Irina Tabidze, MD, MPH HIV/STI Bureau Syphilis in Pregnancy Syphilis is a sexually transmitted disease caused by the bacterium Treponema pallidum . Perinatal transmission

391 views • 15 slides
1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

Cache Performance Metrics Cache miss rate: number of cache misses divided by number of accesses Lecture 14: Hardware Approaches for Cache Optimizations Cache hit time: the time between sending address and data returning from cache Cache

608 views • 4 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

598 views • 13 slides
L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache,

L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache,

L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache, and all blocks initially marked as not valid , Given the main memory word addresses 0 1 2 3 4 3 4 15, calculate Cache hit rate. Cache Index

654 views • 9 slides
HIV/Syphilis dual test in Kenya Dr. Githuka George PMTCT Program Manager Ministry of Health,

HIV/Syphilis dual test in Kenya Dr. Githuka George PMTCT Program Manager Ministry of Health,

Optimizing maternal retesting and lessons learned using the HIV/Syphilis dual test in Kenya Dr. Githuka George PMTCT Program Manager Ministry of Health, Kenya Outline Introduction/Background HIV testing strategies Dual HIV/Syphilis

1.11k views • 14 slides
What Is Memory Hierarchy A typical memory hierarchy today: Lecture 13: Cache Basics and Cache

What Is Memory Hierarchy A typical memory hierarchy today: Lecture 13: Cache Basics and Cache

What Is Memory Hierarchy A typical memory hierarchy today: Lecture 13: Cache Basics and Cache Performance Proc/Regs L1-Cache Bigger Faster L2-Cache Memory hierarchy concept, cache L3-Cache (optional) design fundamentals, set-associative

303 views • 4 slides
Coinfections with HBV, HCV and Syphilis in MSM with known date of HIV 1-seroconversion in Germany

Coinfections with HBV, HCV and Syphilis in MSM with known date of HIV 1-seroconversion in Germany

Coinfections with HBV, HCV and Syphilis in MSM with known date of HIV 1-seroconversion in Germany Klaus Jansen Barbara Bartmeyer, Claus Bock, Claudia Kcherer, Osamah Hamouda, Karolin Meixenberger, Ramona Scheufele, Michael Thamm Robert

168 views • 16 slides
Cache Performance Associativity Replacement Samira Khan Cache Performance March 28,

Cache Performance Associativity Replacement Samira Khan Cache Performance March 28,

3/28/17 Agenda Review from last lecture Cache access Cache Performance Associativity Replacement Samira Khan Cache Performance March 28, 2017 Direct-Mapped Cache: Placement and Access Cache Abstraction and Metrics 00 | 000

518 views • 16 slides
Plan Hierarchical memories and their impact on our programs 1 Cache Memories, Cache Complexity

Plan Hierarchical memories and their impact on our programs 1 Cache Memories, Cache Complexity

Plan Hierarchical memories and their impact on our programs 1 Cache Memories, Cache Complexity Cache Analysis in Practice 2 Marc Moreno Maza The Ideal-Cache Model 3 University of Western Ontario, London, Ontario (Canada) Cache Complexity

632 views • 25 slides
Generations of Cache 1980: no cache in proc; 1989 first Intel proc with a cache on chip.

Generations of Cache 1980: no cache in proc; 1989 first Intel proc with a cache on chip.

Generations of Cache 1980: no cache in proc; 1989 first Intel proc with a cache on chip. 1995 2-level cache on chip Instructions Per Cycle Lost to Memory 1st Alpha 340 ns/5.0 ns = 68 clks x 2 or 136 2nd Alpha 266 ns/3.3 ns

588 views • 46 slides
Caches Electronic Computers M Caches 1 Cache LOCALITY PRINCIPLE (SPATIAL AND TEMPORAL)

Caches Electronic Computers M Caches 1 Cache LOCALITY PRINCIPLE (SPATIAL AND TEMPORAL)

Caches Electronic Computers M Caches 1 Cache LOCALITY PRINCIPLE (SPATIAL AND TEMPORAL) WORKING SET CPU Cache Registers Cache I lev. Cache II lev. Cache III lev. Memory Disk Tape The cache is a memory with an access time some

572 views • 55 slides
1 Locate set Cache Read Example: Direct Mapped Cache (E = 1) Check if any line in set

1 Locate set Cache Read Example: Direct Mapped Cache (E = 1) Check if any line in set

Today Cache memory organization and operation Performance impact of caches Cache Memories The memory mountain Rearranging loops to improve spatial locality Using blocking to improve temporal locality CSci 2021: Machine

102 views • 8 slides
CSE378 - Cache Performance metrics for caches Parameters for cache design Basic performance

CSE378 - Cache Performance metrics for caches Parameters for cache design Basic performance

CSE378 - Cache Performance metrics for caches Parameters for cache design Basic performance metric: hit ratio h Goal: Have h as high as possible without paying too much for T cache h = Number of memory references that hit in the cache /

427 views • 6 slides
Memory Hierarchy: Cache Memory hierarchy Cache basics Locality Cache organization Cache-aware

Memory Hierarchy: Cache Memory hierarchy Cache basics Locality Cache organization Cache-aware

Memory Hierarchy: Cache Memory hierarchy Cache basics Locality Cache organization Cache-aware programming How does execution time grow with SIZE? int[] array = new int[SIZE]; fillArrayRandomly(array); int s = 0; for (int i = 0; i &lt;

847 views • 48 slides
Direct Map Cache and Set Associative Cache (Revision) Lecture 14 CDA 3103 07-07-2014 Example 1

Direct Map Cache and Set Associative Cache (Revision) Lecture 14 CDA 3103 07-07-2014 Example 1

Direct Map Cache and Set Associative Cache (Revision) Lecture 14 CDA 3103 07-07-2014 Example 1 A set-associative cache consists of 64 lines, or slots, divided into four-line sets. Main memory contains 4K blocks of 128 words each. Show the

357 views • 19 slides
Cache Creek Placer Area Fee Proposal History of Placer Mining at Cache Creek Prospecting in

Cache Creek Placer Area Fee Proposal History of Placer Mining at Cache Creek Prospecting in

Cache Creek Placer Area Fee Proposal History of Placer Mining at Cache Creek Prospecting in Colorado began in 1858 1859, First discovery of gold in Cache Creek Park 1860, Campbell and Shoewalter excavated their first pits in Cache

298 views • 13 slides
Sparsity-aware sampling theorems and applications Rachel Ward University of Texas at Austin

Sparsity-aware sampling theorems and applications Rachel Ward University of Texas at Austin

Sparsity-aware sampling theorems and applications Rachel Ward University of Texas at Austin November, 2014 Sparsity-aware sampling: motivating example N = 100 , 000 soldiers should be screened for syphilis. Problem: Syphilis is rare (only

516 views • 29 slides
Ethics in Security Research Which lines should not be crossed? Sebastian Schrittwieser, Martin

Ethics in Security Research Which lines should not be crossed? Sebastian Schrittwieser, Martin

Ethics in Security Research Which lines should not be crossed? Sebastian Schrittwieser, Martin Mulazzani, Edgar Weippl Ideas of this talk Proposal of fundamental ethical principles Analysis of their role in recent papers Discussion

463 views • 24 slides
Gestational Trophoblastic Disease I. Discuss clinical pearls for work-up and evaluation UCSF

Gestational Trophoblastic Disease I. Discuss clinical pearls for work-up and evaluation UCSF

10/20/2017 Objectives I. Epidemiology, definitions and terminology I. Review the clinical entity of gestational trophoblastic neoplasia and discuss the spectrum of presentation Gestational Trophoblastic Disease I. Discuss clinical pearls

471 views • 8 slides
Collapsed Cone Convolution 2D illustration 8 cones Energy desposition decreases very quickly

Collapsed Cone Convolution 2D illustration 8 cones Energy desposition decreases very quickly

Collapsed Cone Convolution 2D illustration 8 cones Energy desposition decreases very quickly with distance Energy is absorber in blue pixels only. IGRT1 technologies Pawe Kukoowicz Warsaw, Poland IGRT The aim to ensure that the

1.33k views • 45 slides
2 7/1/2020 3 4

2 7/1/2020 3 4

2 7/1/2020 3 4 7/1/2020 5 7/1/2020 6 7/1/2020 7 7/1/2020 8 7/1/2020 9 Includes HIV

429 views • 23 slides
Getting to Zero San Francisco Consortium Zero new HIV infections Zero HIV deaths Zero stigma

Getting to Zero San Francisco Consortium Zero new HIV infections Zero HIV deaths Zero stigma

Getting to Zero San Francisco Consortium Zero new HIV infections Zero HIV deaths Zero stigma and discrimination Agenda 1. Welcome, Acknowledgements &amp; Overview 2. In Memoriam 3. Policy &amp; Legislative Update 4. GTZ-SF looking back to

862 views • 52 slides
chrome slides at goo.gl/kIfUe localhost:8000/Presentations/MobileToolBelt/#26 1/29 11/7/12 The

chrome slides at goo.gl/kIfUe localhost:8000/Presentations/MobileToolBelt/#26 1/29 11/7/12 The

11/7/12 The Mobile Web Developer's Tool Belt Google IO 2012 chrome slides at goo.gl/kIfUe localhost:8000/Presentations/MobileToolBelt/#26 1/29 11/7/12 The Mobile Web Developer's Tool Belt Google IO 2012 The Mobile Web Developer's

680 views • 29 slides
Algebraic models of dependent type theory Clive Newstead HoTT/UF Workshop 2018 Oxford, UK (in

Algebraic models of dependent type theory Clive Newstead HoTT/UF Workshop 2018 Oxford, UK (in

Algebraic models of dependent type theory Clive Newstead HoTT/UF Workshop 2018 Oxford, UK (in absentia) Saturday 7th July 2018 These slides: https://goo.gl/Ttacdq Natural models Polynomials Semantics End Natural models 1 2 Connection

1.29k views • 128 slides

More recommend