S POILER : Speculative Load Hazards Boost Rowhammer and Cache - - PowerPoint PPT Presentation
S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel el Mogh ghimi (@danielmgmi), Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth, Berk Sunar Worcest ster Polytechnic
1
2
store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d
X1 X2 X3 X4 X5 Execute
3
store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d
X1 X2 X3 X4 X5 Execute
4
store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d
X1 X2 X3 X4 X5 Execute
5
store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d
X1 X2 X3 X4 X5 Execute
6
store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d
X1 X2 X3 X4 X5 Execute
7
store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d
X1 X2 X3 X4 X5 Execute
8
store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d
X1 X2 X3 X4 X5 Execute
9
store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d
X1 X2 X3 X4 X5 Execute
10
store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d
X1 X2 X3 X4 X5 Execute
11
Virtual Address 0
Page Offset (12 bits) VFN
12
Virtual Address 0
Page Offset (12 bits) VFN
13
Virtual Address 0
Page Offset (12 bits) VFN
14
Virtual Address 0
VFN Page Offset (12 bits)
Physical address 0
PFN
15
Virtual Address 0
VFN Page Offset (12 bits)
Physical address 0
PFN
16
– We can’t wait for them to succeed. – Can we forward the data from the store to the load?
17
18
Dependency Resolu lution
US 7,603,527 B2 RESOLVING
FALSE DEPENDENCIES OF SPECULATIVE LOAD INSTRUCTIONS
“an
X may determine whether the lower portion
the virtual address
a speculative load instruction matches the lower portion
virtual addresses
store
LoosnetCheck “an
Y may determine whether the upper portion
the virtual address
the speculative load matches the upper portion
virtual addresses
store” “If there is a hit at
Y then the load may be blocked” “in an embodiment, the load instruction may have its input data forwarded from the store
from which the load instruction depends at
Store Forwarding “If there is a hit at
X and a miss at
Y, … the physical addresses
the load and the store may be compared at an
Z” “In
embodiment, if there is a hit at
X and the physical address
the load
the store
is not valid, the physical address check at
Z may be considered as a hit” “In some embodiments, the physical address check at
Z may use a partial physical address, e.g., base
data stored in the
makes the checking at
Z
in some embodiments, a match may
address and block…” FinenetCheck
19
Virtual Pages
20
Virtual Pages 64 pages
21
Virtual Pages 64 pages
C x 4 F E 2 C x 4 F E 1 … … C x 4 1 2
22
Virtual Pages 64 pages
C x 4 F E 2
C x 4 F E 1 … … C x 4 1 2 C x 4 F 1 2 3 4
23
Virtual Pages
C x 4 F E 3
C x 4 F E 2 … … C x 4 1 2 1 C x 4 F 1 2 3 4
24
Virtual Pages
C x 4 F E 4
C x 4 F E 3 … … C x 4 1 2 2 C x 4 F 1 2 3 4
25
Virtual Pages
C x 4 F E 5
C x 4 F E 4 … … C x 4 1 2 3 C x 4 F 1 2 3 4 C x 6 5 F 3 2 X X X C x 3 2 A C 2 X X X
Virtual Addresses Physical Addresses
26
Virtual Pages
27
28
29
Prime+Pr Probe
30
Prime+Pr Probe
31
Prime+Pr Probe
Virtual Address 0
Cache Index Byte Offset (6 Bit)
Physical address 0
32
Prime+Pr Probe
Virtual Address 0
Cache Index Byte Offset (6 Bit)
Physical address 0
L1: 64 Sets, 6 bit Index L2: 1024 Sets, 10 bit Index Skylake Client LLC: 2048 Sets, 11 bit Index, 1-2 bit slices
33
34
35
Physical address 0
PFN
36
37
38
39
https://github.com/UzL-ITS/Spoiler
40
41
42
43
44
45
46
Store Buffer
47
Store Buffer
48
Store Buffer
49
Store Buffer
50
Store Buffer
51