exploiting microarchitectural flaws
play

Exploiting Microarchitectural Flaws in the Heart of the Memory - PowerPoint PPT Presentation

Apr 11, 2023 •311 likes •1.59k views

Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi, Worcester Polytechnic University Feb 20, 2020 Columbia University Spoiler!! 2 CPU Memory Subsystem Allocation Queue Front End CPU Memory Subsystem

  1. MemJam – 4K Aliasing across Sibling Threads Core Thread A Thread B Store 0x12ABCDEF Load 0xFECD1 Store 0x12ABCDEF Load 0xFECD2 Execute & Time Store 0x12ABCDEF Load 0xFECD3 Store 0x12ABCDEF Load 0xFECD4 Store 0x12ABCDEF Load 0xFECD5 Store 0x12ABCDEF Load 0xFECD6 Store 0x12ABCDEF Load 0xFECD7 Store 0x12ABCDEF Load 0xFECD8 Store 0x12ABCDEF Store 0x12ABCDEF 40

  2. MemJam – 4K Aliasing across Sibling Threads Core Thread A Thread B Store 0x12ABC200 Load 0xFECD1 Store 0x12ABC200 Load 0xFECD2 Execute & Time Store 0x12ABC200 Load 0xFECD3 Store 0x12ABC200 Load 0xFECD4 Store 0x12ABC200 Load 0xFECD5 Store 0x12ABC200 Load 0xFECD6 Store 0x12ABC200 Load 0xFECD7 Store 0x12ABC200 Load 0xFECD8 Store 0x12ABC200 Store 0x12ABC200 41

  3. MemJam – 4K Aliasing across Sibling Threads Core Thread A Thread B Store 0x12ABC Load 0xFECD1 Store 0x12ABC Load 0xFECD2 Execute & Time Store 0x12ABC Load 0xFECD3 Store 0x12ABC Load 0xFECD4 Store 0x12ABC Load 0xFECD5 Store 0x12ABC Load 0xFECD6 Store 0x12ABC Load 0xFECD7 Store 0x12ABC Load 0xFECD8 Store 0x12ABC Store 0x12ABC 42

  4. MemJam – Intra Cache Line Resolution Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) 43

  5. MemJam – Intra Cache Line Resolution Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) L1 Cache Attacks 44

  6. MemJam – Intra Cache Line Resolution Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) L1 Cache Attacks L2/L3 Cache Attacks 45

  7. MemJam – Intra Cache Line Resolution Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) MemJam L1 Cache Attacks L2/L3 Cache Attacks • Conflicted intra-cache line Leakage (4-byte granularity) • Higher time → Memory accesses with the same bit 3 - 12 • 4 bits of intra-cache level leakage 46

  8. MemJam – Attacking So-Called Constant Time AES • Scatter-gather implementation of AES • Intel SGX Software Development Kit (SDK) and IPP Cryptography Library • 256 S-Box – 4 Cache Line • Cache independent access pattern 64 Bytes A LINE 2 4 Cache Lines B LINE 2 C LINE 2 D LINE 2 A B C D B S-Box Lookup 47

  9. MemJam – Attacking So-Called Constant Time AES 64 Bytes LINE 2 4 Cache Lines

  10. MemJam – AES Key Recovery

  11. Are there other Address Aliasing? Memory Subsystem L1 Store Buffer DATA PFN [8:0] VFN Offset DTLB DATA PFN [8:0] VFN Offset … …. … … DATA Offset PFN [8:0] VFN Load Buffer DATA PFN [8:0] VFN Offset DATA PFN VFN Offset DATA PFN [8:0] VFN Offset DATA PFN VFN Offset DATA PFN [8:0] VFN Offset … …. … … VFN Offset DATA PFN [8:0] VFN Offset DATA PFN

  12. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem L1 Store Buffer DATA PFN [8:0] VFN Offset DTLB DATA PFN [8:0] VFN Offset … …. … … DATA Offset PFN [8:0] VFN Load Buffer DATA PFN [8:0] VFN Offset DATA PFN VFN Offset DATA PFN [8:0] VFN Offset DATA PFN VFN Offset DATA PFN [8:0] VFN Offset … …. … … VFN Offset DATA PFN [8:0] VFN Offset DATA PFN

  13. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem 64 pages L1 Store Buffer DATA PFN [8:0] VFN Offset DTLB DATA PFN [8:0] VFN Offset … …. … … DATA Offset PFN [8:0] VFN Load Buffer DATA PFN [8:0] VFN Offset DATA PFN VFN Offset DATA PFN [8:0] VFN Offset DATA PFN VFN Offset DATA PFN [8:0] VFN Offset … …. … … VFN Offset DATA PFN [8:0] VFN Offset DATA PFN

  14. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem 64 pages L1 Store Buffer 0 x 4 0 0 F E 1 0 C 0 DATA PFN [8:0] VFN 0C0 0 x 4 0 0 F E 2 0 C 0 Stores DTLB DATA PFN [8:0] VFN 0C0 … … … …. … … 0 x 4 0 1020 0 C 0 DATA 0C0 PFN [8:0] VFN Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 … …. … … VFN Offset DATA PFN [8:0] VFN 0C0 DATA PFN

  15. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem 64 pages L1 Store Buffer 0 x 4 0 0 F E 1 0 C 0 DATA PFN [8:0] VFN 0C0 0 x 4 0 0 F E 2 0 C 0 Stores DTLB DATA PFN [8:0] VFN 0C0 … … … …. … … 0 x 4 0 1 0 2 0 0 C 0 DATA 0C0 PFN [8:0] VFN Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 0 x 4 F 1 2 3 4 0 C 0 DATA PFN VFN 0C0 Load DATA PFN [8:0] VFN 0C0 … …. … … VFN Offset DATA PFN [8:0] VFN 0C0 DATA PFN

  16. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem L1 Store Buffer 0 x 4 0 0 F E 2 0 C 0 DATA PFN [8:0] VFN 0C0 0 x 4 0 0 F E 3 0 C 0 Stores DTLB DATA PFN [8:0] VFN 0C0 … … … …. … … 0 x 4 0 1 0 2 1 0 C 0 DATA 0C0 PFN [8:0] VFN Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 0 x 4 F 1 2 3 4 0 C 0 DATA PFN VFN 0C0 Load DATA PFN [8:0] VFN 0C0 … …. … … VFN Offset DATA PFN [8:0] VFN 0C0 DATA PFN

  17. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem L1 Store Buffer 0 x 4 0 0 F E 3 0 C 0 DATA PFN [8:0] VFN 0C0 0 x 4 0 0 F E 4 0 C 0 Stores DTLB DATA PFN [8:0] VFN 0C0 … … … …. … … 0 x 4 0 1 0 2 2 0 C 0 DATA 0C0 PFN [8:0] VFN Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 0 x 4 F 1 2 3 4 0 C 0 DATA PFN VFN 0C0 Load DATA PFN [8:0] VFN 0C0 … …. … … VFN Offset DATA PFN [8:0] VFN 0C0 DATA PFN

  18. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem L1 Store Buffer 0 x 4 0 0 F E 4 0 C 0 DATA PFN [8:0] VFN 0C0 0 x 4 0 0 F E 5 0 C 0 DTLB DATA PFN [8:0] VFN 0C0 … … … …. … … 0 x 4 0 1 0 2 3 0 C 0 DATA 0C0 PFN [8:0] VFN Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 0 x 4 F 1 2 3 4 0 C 0 DATA PFN VFN 0C0 DATA PFN [8:0] VFN 0C0 … …. … … VFN Offset DATA PFN [8:0] VFN 0C0 DATA PFN

  19. Spoiler: Finding Undocumented Aliasings … Virtual Pages Memory Subsystem L1 Store Buffer 0 x 4 0 0 F E 4 0 C 0 Physical Addresses DATA PFN [8:0] VFN 0C0 0 x 4 0 0 F E 5 0 C 0 DTLB DATA PFN [8:0] VFN 0C0 … … 0 x 6 5 F 3 2 X X 0 C 0 … …. … … 0 x 4 0 1 0 2 3 0 C 0 DATA 0C0 PFN [8:0] VFN Load Buffer 0 x 3 2 A C 2 X X 0 C 0 DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 0 x 4 F 1 2 3 4 0 C 0 DATA PFN VFN 0C0 DATA PFN [8:0] VFN 0C0 … …. … … VFN Offset DATA PFN [8:0] VFN 0C0 DATA PFN

  20. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem L1 Store Buffer DATA PFN [8:0] VFN 0C0 DTLB DATA PFN [8:0] VFN 0C0 … …. … … DATA 0C0 PFN [8:0] VFN Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN 0C0 DATA PFN [8:0] VFN 0C0 … …. … … VFN Offset DATA PFN [8:0] VFN 0C0 DATA PFN

  21. Spoiler: Finding Undocumented Aliasing … Virtual Pages 60

  22. Spoiler: Learning on Physical Address Bits Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) MemJam L1 Cache Attacks L2/L3 Cache Attacks 61

  23. Spoiler: Learning on Physical Address Bits Least 12 bits (Virtual Address = Physical Address) VFN MemJam L1 Cache Attacks PFN MemJam 62 L2/L3 Cache Attacks

  24. Spoiler: Learning on Physical Address Bits Least 12 bits (Virtual Address = Physical Address) VFN MemJam L1 Cache Attacks Pime+Probe on Cache, Eviction Sets, Rowhammer PFN MemJam 63 L2/L3 Cache Attacks

  25. Spoiler: Learning on Physical Address Bits Least 12 bits (Virtual Address = Physical Address) VFN MemJam L1 Cache Attacks Pime+Probe on Cache, Eviction Sets, Rowhammer PFN Spoiler MemJam 64 L2/L3 Cache Attacks

  26. 65 Spoiler – JavaScript Eviction Sets

  27. 66 Spoiler - • Row Buffer Conflict Rowhammer • Single-sided Rowhammer

  28. 67 Spoiler - • Detecting Contiguous Memory • Double-sided Rowhammer Rowhammer

  29. 2018: Meltdown Attack? 68

  30. 2018: Meltdown Attack? Virtual Address Space User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 69

  31. 2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  32. 2018: Meltdown Attack? Virtual Address Space Fault Oracle User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  33. 2018: Meltdown Attack? Virtual Address Space Fault Oracle User Space P CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  34. 2018: Meltdown Attack? Virtual Address Space Fault Oracle User Space P CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  35. 2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  36. 2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers F+R Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  37. 2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers F+R Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  38. 2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers F+R Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  39. 2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers Kernel Space ‘ P ’ = 0x50 P A S S W O R D 256 different CPU Cache Line

  40. Microarchitecture Data Sampling (MDS) • Meltdown is fixed but you can still leak on the fix hardware. • Which part of the CPU leak the data?! • Why does it leak? 79

  41. CPU Memory Subsystem – Challenges? Memory Subsystem EUs Store Buffer ROB DATA PFN [8:0] VFN Offset Store DATA PFN [8:0] VFN Offset Allocation … …. … … Queue DATA PFN [8:0] VFN Offset Load L1 Fill Buffer stor $$, (add_A) Load Buffer Load stor ##, (add_B) Scheduler DATA PFN VFN Offset load (add_C), CX ALU DATA PFN VFN Offset DTLB … …. … … add CX, BX DATA PFN VFN Offset ALU L2 L3 Front End Back End DRAM 80 80

  42. Memory Canonical Access #GP Virtual Address VFN Offset 81

  43. Y Memory Canonical TLB Access PMH #GP Virtual Address VFN Offset PTE P Physical Page Number RW US … A … … 82

  44. Y Y Memory Canonical TLB Perm. Access PMH #GP Virtual Address VFN Offset PTE P Physical Page Number RW US … A … … 83

  45. Y Y Y Memory Canonical TLB Perm. Present Access PMH #GP #PF Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 84

  46. Y Y Y Y Memory Canonical TLB Perm. Present Accessed Access Set A PMH #GP #PF Bit Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 85

  47. Y Y Y Y Memory Canonical TLB Perm. Present Accessed Access Set A PMH Y #GP #PF Bit Aligned Vector #GP Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 86

  48. Y Y Y Y Memory Canonical TLB Perm. Present Accessed Access Set A PMH Y #GP #PF Bit Y Cache Aligned Aligned Vector Split #GP Cache Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 87

  49. Y Y Y Y Memory Canonical TLB Perm. Present Accessed Access Set A PMH Y #GP #PF Bit Y Y Cache Aligned Cached Aligned Vector Cache Miss Split #GP Handler Cache Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 88

  50. Y Y Y Y Memory Canonical TLB Perm. Present Accessed Access Set A PMH Y #GP #PF Bit Y Y Y False Cache Aligned Cached Store Dep. Aligned Vector Hazard Cache Miss Split #GP Handler Cache Recovery Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 89

  51. Y Y Y Y Memory Canonical TLB Perm. Present Accessed Access Set A PMH Y #GP #PF Bit Y Y Y Y TSX False Cache Aligned Cached Failure Store Dep. Aligned Vector #RTM Hazard Cache Miss Split #GP Handler Cache Recovery Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 90

  52. Fault VS. Assist Dilemma • Microcode Assists: The CPU executes an internal event handler to service complex instructions/operations • Fault (#GP , #PF , #RTM): An assist that run a software-based callback

  53. CPU Memory Subsystem – Hazard Recovery Memory Subsystem EUs Store Buffer ROB DATA PFN [8:0] VFN Offset Store DATA PFN [8:0] VFN Offset Allocation … …. … … Queue DATA PFN [8:0] VFN Offset Load L1 Fill Buffer stor $$, (addr_B) Load Buffer Load load (addr_A), AX Scheduler DATA PFN VFN Offset ALU DATA PFN VFN Offset DTLB … …. … … DATA PFN VFN Offset ALU L2 L3 Front End Back End DRAM 92 92

  54. CPU Memory Subsystem – Hazard Recovery Memory Subsystem EUs Store Buffer ROB DATA PFN [8:0] VFN Offset Store DATA PFN [8:0] VFN Offset Allocation … …. … … Queue DATA PFN [8:0] VFN Offset Load L1 Fill Buffer stor $$, (addr_B) Load Buffer Load load (addr_A), AX Scheduler DATA PFN VFN Offset ALU DATA PFN VFN Offset DTLB … …. … … DATA PFN VFN Offset ALU L2 L3 Front End Back End DRAM 93 93

  55. CPU Memory Subsystem – Hazard Recovery Memory Subsystem EUs Store Buffer ROB DATA PFN [8:0] VFN Offset Store DATA PFN [8:0] VFN Offset Allocation … …. … … Queue DATA PFN [8:0] VFN Offset Load L1 Fill Buffer stor $$, (addr_B) Load Buffer Load load (addr_A), AX Scheduler DATA PFN VFN Offset ALU DATA PFN VFN Offset DTLB … …. … … DATA PFN VFN Offset ALU L2 L3 Front End Back End DRAM 94 94

  56. CPU Memory Subsystem – Hazard Recovery Memory Subsystem EUs Store Buffer ROB DATA PFN [8:0] VFN Offset Store DATA PFN [8:0] VFN Offset Allocation … …. … … Queue DATA PFN [8:0] VFN Offset Load L1 Fill Buffer stor $$, (addr_B) Load Buffer Load load (addr_A), AX Scheduler DATA PFN VFN Offset ALU DATA PFN VFN Offset DTLB … …. … … DATA PFN VFN Offset ALU L2 L3 Front End Back End DRAM 95 95

  57. MDS Attacks (ZombieLoad , RIDL, Fallout, …) • The CPU must flush the pipeline before executing an assist. • Upon an Exception/Fault/Assist on a Load, Intel CPUs: • Execute the load until the last stage. • Flush the pipeline at the retirement stage (Cheap Recovery Logic). • Continue the load with some data to reach the retirement stage. • Which data? 96

  58. CPU Memory Subsystem – Leaky Buffers Fallout Memory Subsystem Store Buffer DATA PFN [8:0] VFN Offset DATA PFN [8:0] VFN Offset … …. … … DATA PFN [8:0] VFN Offset L1 Fill Buffer Load Buffer DATA PFN VFN Offset DATA PFN VFN Offset DTLB … …. … … DATA PFN VFN Offset ZombieLoad L2 L3 DRAM 97 97

  59. CPU Memory Subsystem – Leaky Buffers Fallout Memory Subsystem Store Buffer DATA PFN [8:0] VFN Offset DATA PFN [8:0] VFN Offset … …. … … DATA PFN [8:0] VFN Offset L1 Fill Buffer Load Buffer DATA PFN VFN Offset DATA PFN VFN Offset DTLB … …. … … DATA PFN VFN Offset ZombieLoad L2 L3 DRAM 98 98

  60. MDS Attacks (ZombieLoad , RIDL, Fallout, …) • The CPU must flush the pipeline before executing an assist. • Upon an Exception/Fault/Assist on a Load, Intel CPUs: • Execute the load until the last stage. • Flush the pipeline at the retirement stage (Cheap Recovery Logic). • Continue the load with some data to reach the retirement stage. • Which data? (Fill buffer, Store Buffer, Load Buffer) • Which one will be leaked first? 99

  61. ZombieLoad Attack Core L1D Cache L2 L3 DRAM 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Art of Exploiting Logical Flaws in Web Apps Sumit sid Siddharth Richard deanx

The Art of Exploiting Logical Flaws in Web Apps Sumit sid Siddharth Richard deanx

The Art of Exploiting Logical Flaws in Web Apps Sumit sid Siddharth Richard deanx Dean A GREAT COLLABORATION! 2 competitors working together! Thanks to: 7Safe, Part of PA Consulting Group Portcullis Computer Security Limited

1.17k views • 78 slides
WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy Vanhoef - @vanhoefm Black Hat, 27 July 2017 In collaboration with Domien Schepers and Frank Piessens Introduction More and more Wi-Fi network use

414 views • 26 slides
Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018 Microarchitectural side-channels and where to find them CPU cache

709 views • 47 slides
Comparison and Analysis Point of view If multiple processes involved in exploiting the

Comparison and Analysis Point of view If multiple processes involved in exploiting the

Comparison and Analysis Point of view If multiple processes involved in exploiting the flaw, how does that affect classification? xterm , fingerd flaws depend on interaction of two processes ( xterm and process to switch file objects;

999 views • 50 slides
Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD

Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD

Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD Post-Doc Researcher, Politecnico di Milano CTO, Secure Network Outline Establishing a need for testing methodologies Testing for

1.13k views • 43 slides
Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi OUTLINE Summary of Recent Contributions: Microarchiture MemJam Intel SGX

950 views • 52 slides
Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef (KU Leuven) Black Hat Webcast, 24 August 2017 @vanhoefm Introduction Many protocols have been affected by logical bugs Design flaws Implementation

692 views • 31 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

663 views • 28 slides
Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent

Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent

Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent Larson, John Dennis All the Work Presented Has Been Implemented in CLUBB (Cloud Layers Unified By Binormals) CLUBB is a model that solves a set of

431 views • 21 slides
Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim,

Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim,

Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim, Christopher Torng, Shreesha Srinath, Derek Lockhart, and Christopher Batten Cornell University Cornell University IEEE/ACM International Symposium on

633 views • 31 slides
Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee

Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee

Revisiting Isolated and Trusted Execution via Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee Members: Prof. Donald R. Brown (Department Head) Prof. Thomas Eisenbarth (Co-advisor) Prof.

1.68k views • 138 slides
PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A.

PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A.

PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A. Manerkar , Daniel Lustig*, Margaret Martonosi, and Aarti Gupta Princeton University *NVIDIA MICRO-51 http:/ ://check.cs.p .princeton.edu/ Memory

1.36k views • 80 slides
Google Study: Google Study: Could those memory failures be caused by design flaws? Could those

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those memory failures be caused by design flaws? Barbara P. Aichinger Vice President New Business Development FuturePlus Systems Corporation

886 views • 21 slides
TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan

TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan

TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan Beckmann, Anurag Mukkara, Po-An Tsai MIT CSAIL MICRO-48 Tutorial December 5, 2015 Welcome! Agenda 4 8:30 9:10 Intro and Overview 9:10

1.53k views • 124 slides
Detecting and Resolving Type Flaws in Security Protocols Michael Banks Department of Computer

Detecting and Resolving Type Flaws in Security Protocols Michael Banks Department of Computer

Detecting and Resolving Type Flaws in Security Protocols Michael Banks Department of Computer Science, University of York 26th February 2009 Outline 1 Security Protocols 2 Type Flaws: Attacks and Defences 3 Detecting and Resolving Potential

391 views • 25 slides
Bounding Data Races in Space and Time KC Sivaramakrishnan University of Darwin College, 1851

Bounding Data Races in Space and Time KC Sivaramakrishnan University of Darwin College, 1851

Bounding Data Races in Space and Time KC Sivaramakrishnan University of Darwin College, 1851 Royal OCaml Labs Cambridge Cambridge Commission 1 Multicore OCaml 2 Multicore OCaml OCaml is an industrial-strength, functional

1.2k views • 99 slides
Absorber Introduction & Overview Jim Hylen LBNE Hadron Absorber Core Advanced Conceptual

Absorber Introduction & Overview Jim Hylen LBNE Hadron Absorber Core Advanced Conceptual

Absorber Introduction & Overview Jim Hylen LBNE Hadron Absorber Core Advanced Conceptual Design Review 20 January 2015 Outline Summary of Requirements Brief description of absorber design Details of radiation & energy

1.99k views • 51 slides
SECURITY IN THE AGE OF FRAMEWORKS LUKA KLADARIC // L@K.HR // @KLL 1 FSec 2016 2 FSec

SECURITY IN THE AGE OF FRAMEWORKS LUKA KLADARIC // L@K.HR // @KLL 1 FSec 2016 2 FSec

SECURITY IN THE AGE OF FRAMEWORKS LUKA KLADARIC // L@K.HR // @KLL 1 FSec 2016 2 FSec 2016 ONCE UPON A TIME... 3 FSec 2016 WE WROTE OUR OWN CODE 4 FSec 2016 ALL OF IT. 5 FSec 2016 so we knew what was in it. we knew every

788 views • 68 slides
Connectivity Corollary. GRAPH CONNECTIVITY is not FO definable Connectivity Corollary. GRAPH

Connectivity Corollary. GRAPH CONNECTIVITY is not FO definable Connectivity Corollary. GRAPH

Connectivity Corollary. GRAPH CONNECTIVITY is not FO definable Connectivity Corollary. GRAPH CONNECTIVITY is not FO definable If A is a linear order of size n, let G( A ) be the graph with edges { i, i+2 mod n } for all a A Connectivity

905 views • 55 slides
172 Plan 1. Space Complexity in Resolution 2. Space lower bounds for Random Formulas 3.

172 Plan 1. Space Complexity in Resolution 2. Space lower bounds for Random Formulas 3.

172 Plan 1. Space Complexity in Resolution 2. Space lower bounds for Random Formulas 3. Combinatorial Characterization of width 4. Width vs Space 5. Feasible Interpolation for Resolution and size lower bounds 6. Proof Search,

1.52k views • 83 slides
Quantum symmetric spaces from refmection equation and module categories Makoto Yamashita (

Quantum symmetric spaces from refmection equation and module categories Makoto Yamashita (

Quantum symmetric spaces from refmection equation and module categories Makoto Yamashita ( ) joint works with Kenny De Commer, Sergey Neshveyev, Lars Tuset University of Oslo XXXVIII Workshop on Geometric Methods in Physics

844 views • 28 slides
Adventures in Impredicative Semantics Programming and Proving in Cedille Aaron Stump Computer

Adventures in Impredicative Semantics Programming and Proving in Cedille Aaron Stump Computer

Adventures in Impredicative Semantics Programming and Proving in Cedille Aaron Stump Computer Science The University of Iowa 1 / 23 ? Motivation and background for Cedille 2 / 23 A little history 3 / 23 System F (Girard, Reynolds, early

669 views • 32 slides
403: Algorithms and Data Structures Lower Bound for Sor<ng & The closest pair in 2D

403: Algorithms and Data Structures Lower Bound for Sor<ng & The closest pair in 2D

403: Algorithms and Data Structures Lower Bound for Sor<ng & The closest pair in 2D Fall 2016 UAlbany Computer Science So far: Sor<ng Algorithm Time Space Inser&on O(n 2 ) in-place Merge O(n logn) 2 nd array to

407 views • 16 slides

More recommend