context
play

ConTExT A Generic Approach for Mitigating Spectre Michael Schwarz, - PowerPoint PPT Presentation

Jan 08, 2024 •263 likes •1.07k views

ConTExT A Generic Approach for Mitigating Spectre Michael Schwarz, Moritz Lipp, Claudio Canella, Robert Schilling, Florian Kargl, Daniel Gruss February 26, 2020 Graz University of Technology Transient Execution Attacks www.tugraz.at 1

  1. ConTExT A Generic Approach for Mitigating Spectre Michael Schwarz, Moritz Lipp, Claudio Canella, Robert Schilling, Florian Kargl, Daniel Gruss February 26, 2020 Graz University of Technology

  2. Transient Execution Attacks www.tugraz.at 1 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  3. Transient Execution Attacks www.tugraz.at 1 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  4. Transient Execution Attacks www.tugraz.at 1 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  5. Transient Execution Attacks www.tugraz.at 1 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  6. Transient Execution Attacks www.tugraz.at 1 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  7. Transient Execution Attacks www.tugraz.at 1 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  8. Transient Execution Attacks www.tugraz.at Transient cause 2 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  9. Transient Execution Attacks www.tugraz.at Meltdown-NM-REG Meltdown-AC-LFB Meltdown-AC Meltdown-AC-LP Meltdown-US-L1 Meltdown-US Meltdown-US-LFB Meltdown-US-SB Meltdown-DE Meltdown-P-L1 Meltdown-P-LFB Meltdown-P Transient cause Meltdown-PF Meltdown-P-SB Meltdown-P-LP Meltdown-RW Meltdown-UD Meltdown-PK-L1 Meltdown-PK Meltdown-PK-SB Meltdown-type Meltdown-SS Meltdown-SM-SB Meltdown-MPX Meltdown-BR Meltdown-BND Meltdown-CPL-REG Meltdown-GP Meltdown-NC-SB Meltdown-AVX-SB Meltdown-AVX Meltdown-AVX-LP Meltdown-AD-LFB Meltdown-AD Meltdown-AD-SB Meltdown-TAA-LFB Meltdown-MCA Meltdown-TAA Meltdown-TAA-LP Meltdown-PRM-LFB Meltdown-TAA-SB Meltdown-UC-LFB 2 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  10. Transient Execution Attacks www.tugraz.at Meltdown-NM-REG Meltdown-AC-LFB Meltdown-AC Meltdown-AC-LP Meltdown-US-L1 Meltdown-US Meltdown-US-LFB PHT-CA-IP Cross-address-space Meltdown-US-SB Meltdown-DE PHT-CA-OP Spectre-PHT Meltdown-P-L1 PHT-SA-IP Same-address-space Meltdown-P-LFB PHT-SA-OP Meltdown-P Transient cause Meltdown-PF Meltdown-P-SB Meltdown-P-LP BTB-CA-IP Meltdown-RW Cross-address-space Meltdown-UD BTB-CA-OP Meltdown-PK-L1 Spectre-BTB Meltdown-PK Meltdown-PK-SB Spectre-type Meltdown-type Meltdown-SS Meltdown-SM-SB BTB-SA-IP Same-address-space BTB-SA-OP Meltdown-MPX Meltdown-BR Meltdown-BND RSB-CA-IP Cross-address-space RSB-CA-OP Spectre-RSB Meltdown-CPL-REG Spectre-STL Meltdown-GP Meltdown-NC-SB RSB-SA-IP Same-address-space Meltdown-AVX-SB Meltdown-AVX RSB-SA-OP Meltdown-AVX-LP Meltdown-AD-LFB Meltdown-AD Meltdown-AD-SB Meltdown-TAA-LFB Meltdown-MCA Meltdown-TAA Meltdown-TAA-LP Meltdown-PRM-LFB Meltdown-TAA-SB Meltdown-UC-LFB 2 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  11. Transient Execution Attacks www.tugraz.at Meltdown-NM-REG Meltdown-AC-LFB Meltdown-AC Meltdown-AC-LP Meltdown-US-L1 Meltdown-US Meltdown-US-LFB PHT-CA-IP Cross-address-space Meltdown-US-SB Meltdown-DE PHT-CA-OP Spectre-PHT Meltdown-P-L1 PHT-SA-IP Same-address-space Meltdown-P-LFB PHT-SA-OP Meltdown-P Transient cause Meltdown-PF Meltdown-P-SB Meltdown-P-LP BTB-CA-IP Meltdown-RW Cross-address-space Meltdown-UD BTB-CA-OP Meltdown-PK-L1 Spectre-BTB Meltdown-PK Meltdown-PK-SB Spectre-type Meltdown-type Meltdown-SS Meltdown-SM-SB BTB-SA-IP Same-address-space BTB-SA-OP Meltdown-MPX Meltdown-BR Meltdown-BND RSB-CA-IP Cross-address-space RSB-CA-OP Spectre-RSB Meltdown-CPL-REG Spectre-STL Meltdown-GP Meltdown-NC-SB RSB-SA-IP Same-address-space Meltdown-AVX-SB Meltdown-AVX RSB-SA-OP Meltdown-AVX-LP Meltdown-AD-LFB Meltdown-AD Meltdown-AD-SB Meltdown-TAA-LFB Meltdown-MCA Meltdown-TAA Meltdown-TAA-LP Meltdown-PRM-LFB Meltdown-TAA-SB Meltdown-UC-LFB 2 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  12. Spectre Attacks www.tugraz.at PHT-CA-IP Cross-address-space PHT-CA-OP Spectre-PHT PHT-SA-IP Same-address-space PHT-SA-OP BTB-CA-IP Cross-address-space BTB-CA-OP Spectre-BTB Spectre-type BTB-SA-IP Same-address-space BTB-SA-OP RSB-CA-IP Cross-address-space RSB-CA-OP Spectre-RSB Spectre-STL RSB-SA-IP Same-address-space RSB-SA-OP 3 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  13. Spectre Root Cause www.tugraz.at operation #n time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  14. Spectre Root Cause www.tugraz.at operation #n prediction time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  15. Spectre Root Cause www.tugraz.at operation #n prediction CF/DF predict operation #n+2 time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  16. Spectre Root Cause www.tugraz.at operation #n prediction CF/DF predict operation #n+2 possibly transient execution architectural time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  17. Spectre Root Cause www.tugraz.at retire operation #n prediction CF/DF predict operation #n+2 possibly transient execution architectural time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  18. Spectre Root Cause www.tugraz.at retire operation #n flush pipeline on wrong prediction retire prediction CF/DF predict operation #n+2 possibly transient execution architectural time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  19. Spectre Root Cause www.tugraz.at retire operation #n flush pipeline on wrong prediction retire prediction CF/DF predict retire operation #n+2 possibly transient execution architectural time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  20. Spectre www.tugraz.at 5 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  21. Spectre Gadget www.tugraz.at if(x < array_len) { y = oracle[array[x] * 4096]; } 6 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  22. Spectre Gadget Illustrated www.tugraz.at x = 4 if (x < 4) then else Speculate Memory Oracle A B D array[0] C D E A array[1] {} oracle[array[x]] F G H T array[2] K J K I K A array[3] K L M N O P Q E Y R S T K U V W · · · X Y Z 7 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  23. Unprotected Execution www.tugraz.at Unprotected cmp rdi, .array len jbe .else mov (rax + rdi),al shl 12,rax and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 8 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  24. Unprotected Execution www.tugraz.at Unprotected cmp rdi, .array len Bounds check jbe .else mov (rax + rdi),al shl 12,rax and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 8 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  25. Unprotected Execution www.tugraz.at Unprotected cmp rdi, .array len Bounds check jbe .else Access out-of-bounds array[x] mov (rax + rdi),al shl 12,rax and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 8 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  26. Unprotected Execution www.tugraz.at Unprotected cmp rdi, .array len Bounds check jbe .else Access out-of-bounds array[x] mov (rax + rdi),al shl 12,rax Secret in rax and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 8 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  27. Unprotected Execution www.tugraz.at Unprotected cmp rdi, .array len Bounds check jbe .else Access out-of-bounds array[x] mov (rax + rdi),al shl 12,rax Secret in rax and 0xff000,eax Access secret-dependent memory location mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 8 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  28. Fixed Spectre Gadget www.tugraz.at if(x < array_len) { asm volatile("lfence"); y = oracle[array[x] * 4096]; } 9 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  29. Memory Barriers www.tugraz.at Serializing Barrier cmp rdi, .array len jbe .else lfence mov (rax + rdi),al stall shl 12,rax not executed 1 and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 10 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  30. Memory Barriers www.tugraz.at Serializing Barrier cmp rdi, .array len Bounds check jbe .else Stop speculation lfence mov (rax + rdi),al stall shl 12,rax not executed 1 and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 10 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  31. Memory Barriers www.tugraz.at Serializing Barrier cmp rdi, .array len Bounds check jbe .else Stop speculation lfence Cannot access out-of-bounds array[x] mov (rax + rdi),al stall shl 12,rax not executed 1 and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 10 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  32. Performance Impact www.tugraz.at • 62 % – 74.8 % overhead 11 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  33. Performance Impact www.tugraz.at • 62 % – 74.8 % overhead • Additional overhead for other Spectre variants 5 % – 50 % 11 Michael Schwarz (@misc0110) et al. — Graz University of Technology

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Context Context Context Context Full control of EIP no longer yields immediate arbitrary

Context Context Context Context Full control of EIP no longer yields immediate arbitrary

Context Context Context Context Full control of EIP no longer yields immediate arbitrary code execution y Primarily due to increasing availability and utilization of exploit mitigations such as DEP and ASLR Attackers must identify

1.05k views • 91 slides
Gr o w ing S chools 1 context context E x t e n s i v e 174,045 mo r e p eo p le w ill need

Gr o w ing S chools 1 context context E x t e n s i v e 174,045 mo r e p eo p le w ill need

Growing Population Gr o w ing S chools 1 context context E x t e n s i v e 174,045 mo r e p eo p le w ill need 72,530 ne w housing units b y 2030 demographic shifts Visibly C ommunity S uggestions transforming M i s s i o n B a y , C a n d l

469 views • 27 slides
Context Sensitivity Example of a CSG Informatics 2A: Lecture 26 2 Context in Programming

Context Sensitivity Example of a CSG Informatics 2A: Lecture 26 2 Context in Programming

Context Sensitive Grammars Context Sensitive Grammars Context in Programming Languages Context in Programming Languages Context in Natural Languages Context in Natural Languages 1 Context Sensitive Grammars Chomsky Hierarchy Context

160 views • 5 slides
Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

June 17, 2014 Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach to transportation facility design and engineering that involves all stakeholders in the process of developing a solution that is

193 views • 3 slides
Principles for Catholic Scripture Study Context, Context, Context Four Senses of Scripture

Principles for Catholic Scripture Study Context, Context, Context Four Senses of Scripture

Principles for Catholic Scripture Study Context, Context, Context Four Senses of Scripture (CCC 115-119) Literal What the author intended to say Allegorical Points to Christ Moral Points to living Christian life

960 views • 26 slides
Hillside Dr. Context Hillside Dr. Site Issues Hillside Dr. Context Broadview Ave

Hillside Dr. Context Hillside Dr. Site Issues Hillside Dr. Context Broadview Ave

Hillside Dr. Context Hillside Dr. Site Issues Hillside Dr. Context Broadview Ave Hillside Dr. Context Broadview Ave Charles Sauriol Parkette / pastoral green space Hillside Dr. Context Gamble Ave. Hillside Dr.

788 views • 20 slides
Ol Old Timeline and context: Timeline and context: 1:9,22 A new Pharoah came to power

Ol Old Timeline and context: Timeline and context: 1:9,22 A new Pharoah came to power

God Speaks in Solitude: Moses (part 7) Exodus 1-4 Ol Old Timeline and context: Timeline and context: 1:9,22 A new Pharoah came to power and decided to control population by murdering Hebrew baby boys at birth. Timeline and

352 views • 34 slides
Part 15: Context Dependent Recommendations Francesco Ricci Free University of Bozen-Bolzano

Part 15: Context Dependent Recommendations Francesco Ricci Free University of Bozen-Bolzano

Part 15: Context Dependent Recommendations Francesco Ricci Free University of Bozen-Bolzano Italy fricci@unibz.it Content p What is context? p Types of context p Context impact on recommendations and ratings p Context modelling

938 views • 74 slides
ECA-DL e Transformaes Patrcia Dockhorn Costa pdcosta@inf.ufes.br Context-Awareness

ECA-DL e Transformaes Patrcia Dockhorn Costa pdcosta@inf.ufes.br Context-Awareness

ECA-DL e Transformaes Patrcia Dockhorn Costa pdcosta@inf.ufes.br Context-Awareness Context-Awareness Context the set of possibly interrelated conditions in which an entity exists. Context-Aware Application Context Application

1.17k views • 92 slides
Select Bus Service New York City Context 2 New York City Context 3 Transit Context 8.5

Select Bus Service New York City Context 2 New York City Context 3 Transit Context 8.5

Select Bus Service New York City Context 2 New York City Context 3 Transit Context 8.5 million 1,750 million NYC Population Annual subway ridership 665 million Annual bus ridership 1994 1996 1998 2000 2002 2004 2006 2008 2010

441 views • 25 slides
Java Technologies Servlets The Context We are in the context of developing a distributed

Java Technologies Servlets The Context We are in the context of developing a distributed

Java Technologies Servlets The Context We are in the context of developing a distributed application - a software system in which components communicate over the network and coordinate their actions in order to achieve a common goal.

1.01k views • 33 slides
San Jos: History and Context San Jos: History and Context Historically Multimodal Growing Up

San Jos: History and Context San Jos: History and Context Historically Multimodal Growing Up

San Jos: History and Context San Jos: History and Context Historically Multimodal Growing Up Embracing Public Life What is a Better Bikeway? Protected Calm All Ages and Abilities Why Better Bikeways? Policy Background Support

494 views • 33 slides
Policy 101 Vision &amp; Context Project Development Funding Vision &amp; Context CS is

Policy 101 Vision &amp; Context Project Development Funding Vision &amp; Context CS is

Policy 101 Vision &amp; Context Project Development Funding Vision &amp; Context CS is fundamentally about a commitment to equity Needs of vulnerable road user Context is important Project Development Achieving network of

751 views • 64 slides
WORKING TOGETHER FOR MEDELLIN 1 Some context first SOME CONTEXT | Strong institutions TOUCHING

WORKING TOGETHER FOR MEDELLIN 1 Some context first SOME CONTEXT | Strong institutions TOUCHING

WORKING TOGETHER FOR MEDELLIN 1 Some context first SOME CONTEXT | Strong institutions TOUCHING BOTTOM UNITED ALL OF US ON THE SAME PURPOSE @ R u t a _ N CITIZENS MEDELLNS SCIENCE, TECHNOLOGY AND INNOVATION PLAN M E D E L L N 2 0 1 1

400 views • 12 slides
Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of

Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of

Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of developing large , distributed applications. What components should contain the code that fulfills the purpose of the application: where should we write

779 views • 43 slides
Helping hands Final presentation Attila van Dijk 4045157 contents -Context -Research and

Helping hands Final presentation Attila van Dijk 4045157 contents -Context -Research and

Helping hands Final presentation Attila van Dijk 4045157 contents -Context -Research and Design -Product -Evaluation Context context Cooking with children Adequate tasks Confmict Context To provide an autonomous and playful activity

886 views • 36 slides
Applying Ontology in Network Analysis EWG-DSS Research Collaboration Network EWG-DSS Collab-Net

Applying Ontology in Network Analysis EWG-DSS Research Collaboration Network EWG-DSS Collab-Net

Applying Ontology in Network Analysis EWG-DSS Research Collaboration Network EWG-DSS Collab-Net V.2 EURO XXV - Vilnius, July 2012 Applying Ontology in the Analysis of a Research Collaboration Network Applying Ontology in Network Analysis

519 views • 27 slides
A Mathematical Model of Exploitation and Mitigation Techniques Using Set Theory STORM STrategic

A Mathematical Model of Exploitation and Mitigation Techniques Using Set Theory STORM STrategic

A Mathematical Model of Exploitation and Mitigation Techniques Using Set Theory STORM STrategic Offensive Research &amp; Mitigations Intel Corporation Rodrigo Branco, Kekai Hu, Henrique Kawakami , and Ke Sun. Motivation One of the most

306 views • 12 slides
Proportionally Modular Diophantine Inequalities and its Multiplicity J.C. Rosales, M.B. Branco

Proportionally Modular Diophantine Inequalities and its Multiplicity J.C. Rosales, M.B. Branco

Proportionally Modular Diophantine Inequalities and its Multiplicity J.C. Rosales, M.B. Branco and P. Vasco (Universidad de Granada, E-18071 Granada, Spain, Universidade de Evora, 7000 Evora and Universidade de Tr as-os-Montes e

534 views • 17 slides
QTL EAP : A PROJECT ON MACHINE TRANSLATION BY DEEP LANGUAGE ENGINEERING APPROACHES A NTNIO B

QTL EAP : A PROJECT ON MACHINE TRANSLATION BY DEEP LANGUAGE ENGINEERING APPROACHES A NTNIO B

QTL EAP : A PROJECT ON MACHINE TRANSLATION BY DEEP LANGUAGE ENGINEERING APPROACHES A NTNIO B RANCO , H ANS U SZKOREIT , A LJOSCHA B URCHARDT , J AN H AJI , M ARTIN P OPEL , K IRIL S IMOV , P ETYA O SENOVA , M ARKUS E GG , E NEKO A GIRRE , G

481 views • 17 slides
Families of Numerical Semigroups Kunz Coordinates and Semigroup Trees Nathan Kaplan University

Families of Numerical Semigroups Kunz Coordinates and Semigroup Trees Nathan Kaplan University

Families of Numerical Semigroups Kunz Coordinates and Semigroup Trees Nathan Kaplan University of California, Irvine AMS 2019: Factorization and Arithmetic Properties of Integral Domains and Monoids March 22, 2019 Kaplan (UCI) Families of

502 views • 19 slides
Leptonic decays in 2HDM Maria Krawczyk, Warsaw U. with David Temes hep-ph/0410248 [EPJC

Leptonic decays in 2HDM Maria Krawczyk, Warsaw U. with David Temes hep-ph/0410248 [EPJC

Leptonic decays in 2HDM Maria Krawczyk, Warsaw U. with David Temes hep-ph/0410248 [EPJC 44(2005)435] Outlook The leptonic tau decays Two Higgs Doublet Model (CP conservation) Large loop corrections for leptonic tau decays

398 views • 35 slides
OLTP on Hardware Islands Danica Porobic , Ippokratis Pandis*, Miguel Branco, Pnar Tzn ,

OLTP on Hardware Islands Danica Porobic , Ippokratis Pandis*, Miguel Branco, Pnar Tzn ,

OLTP on Hardware Islands Danica Porobic , Ippokratis Pandis*, Miguel Branco, Pnar Tzn , Anastasia Ailamaki Data-Intensive Application and Systems Lab, EPFL *IBM Research - Almaden Hardware topologies have changed Core 2 Hardware

345 views • 22 slides
Land Administration Land Administration Devolpments in Portugal Devolpments in Portugal

Land Administration Land Administration Devolpments in Portugal Devolpments in Portugal

Land Administration Land Administration Devolpments in Portugal Devolpments in Portugal www.igeo.pt www.igeo.pt Jos Jos Pedro Neto Pedro Neto jneto@igeo.pt jneto@igeo.pt ACTUAL SITUATION ACTUAL SITUATION Rural Property Cadastre

985 views • 19 slides

More recommend