s poiler speculative load hazards
play

S POILER : Speculative Load Hazards Boost Rowhammer and Cache - PowerPoint PPT Presentation

Jun 06, 2023 •471 likes •999 views

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel el Mogh ghimi (@danielmgmi), Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth, Berk Sunar Worcest ster Polytechnic

  1. S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel el Mogh ghimi (@danielmgmi), Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth, Berk Sunar Worcest ster Polytechnic Institute & Univer ersity of Lübec eck 1

  2. CPU Optimization on? • Branch Prediction • Cache and internal buffers • Speculate the Speculations??! – "speculative prefetching“ – "speculatively scheduled operation“ – "speculative execution event counter“ – "speculative memory accesses“ – "speculative load instruction" 2

  3. Specula lative Load Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 3

  4. Specula lative Load Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 4

  5. Resource is Busy Specula lative Load for Store! Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 5

  6. Whatever, Let’s Load and Specula lative Load Compute!!! Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 6

  7. Huum! Was it dependent Specula lative Load on Stores? Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 7

  8. No Clue! Check store ADDRE DRESSES: Specula lative Load X, Y, Z? Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 8

  9. How about this one? Is W dependent on Specula lative Load Y? Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 9

  10. Or this one? Specula lative Load W VS. X? Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 10

  11. Wrong. Specula lative Load Flush it!!! Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 11

  12. Virtual & Physical Addresses What are store and load addresse ses? s? Address 0 x 0 4 0 F E 6 4 1 0 C 0 Virtual Page Offset VFN (12 bits) 12

  13. Virtual & Physical Addresses What are store and load addresse ses? s? Address 0 x 0 4 0 F E 6 4 1 0 C 0 TLB Virtual Page Offset VFN (12 bits) 13

  14. Virtual & Physical Addresses What are store and load addresse ses? s? Address 0 x 0 4 0 F E 6 4 1 0 C 0 TLB Virtual Page Offset VFN (12 bits) PMH 14

  15. Virtual & Physical Addresses What are store and load addresse ses? s? Address 0 x 0 4 0 F E 6 4 1 0 C 0 TLB Virtual Page Offset VFN (12 bits) PMH address 0 x 5 4 4 0 2 3 0 C 0 Physical PFN 15

  16. Virtual & Physical Addresses What are store and load addresse ses? s? Address 0 x 0 4 0 F E 6 4 1 0 C 0 TLB Virtual Page Offset VFN (12 bits) PMH address 0 x 5 4 4 0 2 3 0 C 0 Physical PFN 16

  17. Design Chall llenges? • Loads are executed out-of-order and speculatively to avoid performance loss. • Load may be dependent on preceding stores (dependency). • Dependency check is difficult: – Virtual addresses may be aliased. – Physical addresses are not available immediately. – Stores may stay in-flight for a while. – We can’t wait for them to succeed. – Can we forward the data from the store to the load? 17

  18. SPOILER 18

  19. US 7,603,527 B2 RESOLVING FALSE DEPENDENCIES OF SPECULATIVE LOAD INSTRUCTIONS “an operation X may determine whether the lower portion of the virtual address of a speculative load instruction matches the lower portion of virtual addresses of older store operations” LoosnetCheck “an operation Y may determine whether the upper portion of the virtual address of the speculative load matches the upper portion of virtual addresses of older store” “If there is a hit at operation Y then the load may be blocked” “in an embodiment, the load instruction may have its input data forwarded SPOILER Attack from the store operation from which the load instruction depends at operation” Store Forwarding Dependency Resolu lution “If there is a hit at operation X and a miss at operation Y, … the physical addresses of the load and the store may be compared at an operation Z” “In one embodiment, if there is a hit at operation X and the physical address of the load or the store operations is not valid, the physical address check at operation Z may be considered as a hit” “In some embodiments, the physical address check at operation Z may use a partial physical address, e.g., base on data stored in the SAB. This makes the checking at operation Z conservative. Accordingly, in some embodiments, 19 a match may occur on a partial address and block …” FinenetCheck

  20. SPOIL ILER ER Attack … Virtual Pages 20

  21. SPOIL ILER ER Attack … Virtual Pages 64 pages 21

  22. SPOIL ILER ER Attack … Virtual Pages 64 pages 0 x 4 0 0 F E 1 0 C 0 Stores 0 x 4 0 0 F E 2 0 C 0 … … 0 x 4 0 1 0 2 0 0 C 0 22

  23. SPOIL ILER ER Attack … Virtual Pages 64 pages 0 x 4 0 0 F E 1 0 C 0 Stores 0 x 4 0 0 F E 2 0 C 0 … … 0 x 4 0 1 0 2 0 0 C 0 Load 0 x 4 F 1 2 3 4 0 C 0 23

  24. SPOIL ILER ER Attack … Virtual Pages 0 x 4 0 0 F E 2 0 C 0 Stores 0 x 4 0 0 F E 3 0 C 0 … … 0 x 4 0 1 0 2 1 0 C 0 Load 0 x 4 F 1 2 3 4 0 C 0 24

  25. SPOIL ILER ER Attack … Virtual Pages 0 x 4 0 0 F E 3 0 C 0 Stores 0 x 4 0 0 F E 4 0 C 0 … … 0 x 4 0 1 0 2 2 0 C 0 Load 0 x 4 F 1 2 3 4 0 C 0 25

  26. SPOIL ILER ER Attack … Virtual Pages Virtual Addresses 0 x 4 0 0 F E 4 0 C 0 Stores 0 x 4 0 0 F E 5 0 C 0 Physical Addresses … … 0 x 4 0 1 0 2 3 0 C 0 0 x 6 5 F 3 2 X X X 0 C 0 Load 0 x 4 F 1 2 3 4 0 C 0 0 x 3 2 A C 2 X X X 0 C 0 26

  27. SPOIL ILER ER Attack … Virtual Pages 27

  28. SPOILER Boosts ts Cache Attack cks 28

  29. SPOIL ILER ER Boosts Cache he Attacks ks Core 1 Core 2 LLC DRAM 29

  30. SPOIL ILER ER Boosts Cache he Attacks ks Core Core 1 Prime+Pr Probe obe Victim Set 1 Set 2 … Set n DRAM 30

  31. SPOIL ILER ER Boosts Cache he Attacks ks Core Core 1 Prime+Pr Probe obe Victim Set 2 … Set n DRAM 31

  32. SPOIL ILER ER Boosts Cache he Attacks ks Core Address 0 x 0 4 0 F E 6 4 1 0 C 0 Core 1 Virtual Prime+Pr Probe obe Victim address 0 x 5 4 4 0 2 3 0 C 0 Physical Cache Index Byte Offset (6 Bit) Set 2 … Set n DRAM 32

  33. SPOIL ILER ER Boosts Cache he Attacks ks Core Address 0 x 0 4 0 F E 6 4 1 0 C 0 Core 1 Virtual Prime+Pr Probe obe Victim address 0 x 5 4 4 0 2 3 0 C 0 Physical Cache Index Byte Offset (6 Bit) Skylake Client L1: 64 Sets, 6 bit Index Set 2 … Set n L2: 1024 Sets, 10 bit Index LLC: 2048 Sets, 11 bit Index, 1-2 bit slices DRAM 33

  34. SPOIL ILER ER – Javascript Eviction on Sets • 1 MB Aliasing Leakage • Eviction Set Finding Comparison 34

  35. SPOILER Boosts ts Rowhammer 35

  36. SPOIL ILER ER Boosts Rowhammer • Physical addresses are used for mapping DRAM banks – More Banks, More Physical Address Bits address 0 x 5 4 4 0 2 3 0 C 0 Physical • Single-Sided Rowhammer: – Requirement: Bank Co-location PFN • Double-Sided Rowhammer: – Contiguous Memory Pages 36

  37. SPOIL ILER ER Boosts Rowhammer • Reverse Engineering DRAM Banks using DRAMA Tool • Rowbuffer Conflict 37

  38. SPOIL ILER ER Boosts Rowhammer • Detecting Contiguous Memory • Rowhammer Bitflips 38

  39. CVE-201 2019-01 0162 62 • 12/01/2018: We informed our findings to iPSIRT. • 12/03/2018: iPSIRT acknowledged the receipt. • 03/01/2018: We published the paper. • 04/09/2019: iPSIRT released public advisory (INTELSA-00238) (CVE-2019-0162). • And we got some free logos, Thanks to Media !!! 39

  40. Question ons?! ?! @danielmgmi https://github.com/UzL-ITS/Spoiler 40

  41. 41

  42. SPOIL ILER ER Attack – HPC Analy lysis 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

663 views • 28 slides
Speculative Defragmentation Speculative Defragmentation A Technique to Improve the

Speculative Defragmentation Speculative Defragmentation A Technique to Improve the

Ninth IEEE International Symposium on High Performance Distributed Computing, Pittsburgh, Pennsylvania, August 1-4, 2000 Speculative Defragmentation Speculative Defragmentation A Technique to Improve the Communication A Technique to

237 views • 22 slides
Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism

Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism

Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism MA MARK C. JEFFR FFREY , VICTOR A. YING, SUVINAY SUBRAMANIAN, HYUN RYONG LEE, JOEL EMER, DANIEL SANCHEZ MI MICRO 2018 There is a (false)

1.48k views • 130 slides
The Challenge of Natural Hazards This PowerPoint will cover information on: Natural Hazards

The Challenge of Natural Hazards This PowerPoint will cover information on: Natural Hazards

The Challenge of Natural Hazards This PowerPoint will cover information on: Natural Hazards Tectonic Hazards Weather Hazards Climate Change NATURAL HAZARDS Natural hazards pose major risks to people and property Natural Hazards A

1.11k views • 61 slides
CSCI341 Lecture 36, Pipelining & Hazards RECALL... RECALL... HAZARDS Data Hazards

CSCI341 Lecture 36, Pipelining & Hazards RECALL... RECALL... HAZARDS Data Hazards

CSCI341 Lecture 36, Pipelining & Hazards RECALL... RECALL... HAZARDS Data Hazards Control Hazards Dukes of Hazzard DATA HAZARD Hardware solution: Include forwarding paths in the machines datapath. Even though results have not

436 views • 27 slides
Organization Lecture-11 CPU Design : Pipelining-2 Review, Hazards Shakil M. Khan IF for Load

Organization Lecture-11 CPU Design : Pipelining-2 Review, Hazards Shakil M. Khan IF for Load

CSE 2021: Computer Organization Lecture-11 CPU Design : Pipelining-2 Review, Hazards Shakil M. Khan IF for Load (Review) CSE-2021 July-19-2012 2 ID for Load (Review) CSE-2021 July-19-2012 3 EX for Load (Review) CSE-2021 July-19-2012 4

530 views • 38 slides
Health Hazards in Construction Health Hazards Potential exposures to health hazards: Worker

Health Hazards in Construction Health Hazards Potential exposures to health hazards: Worker

Health Hazards in Construction Health Hazards Potential exposures to health hazards: Worker on the job Workers family Source: OSHA Objectives 1. Identify common health hazards. 2. Describe types of common health hazards. 3. Apply

320 views • 27 slides
Unit 5: Pipelining Load-use stalling Pipelined multi-cycle operations Control hazards

Unit 5: Pipelining Load-use stalling Pipelined multi-cycle operations Control hazards

This Unit: Pipelining App App App Single-cycle & multi-cycle datapaths System software Latency vs throughput & performance Basic pipelining CIS 501: Computer Architecture Mem CPU I/O Data hazards Bypassing Unit

522 views • 24 slides
Exercises for 8.1.3 1. Give a parse tree with semantic records for the statement Z = 2 + 2. Show

Exercises for 8.1.3 1. Give a parse tree with semantic records for the statement Z = 2 + 2. Show

326 Chapter 8 Computer Languages TABLE 4. Semantic record label Address Code Expression translated T6 3 The variable Y. T7 Load 0,A The assignment statement Load 2,B Y = 3 + 2*X. Mult A,B,4 Load 4,A Load 1,B Add A,B,5 Load 5,A

427 views • 8 slides
Load Balancing Load Balancing Load balancing: distributing data and/or computations across

Load Balancing Load Balancing Load balancing: distributing data and/or computations across

Load Balancing Load Balancing Load balancing: distributing data and/or computations across multiple processes to maximize efficiency for a parallel program. Static load-balancing: the algorithm decides a priori how to divide the workload.

444 views • 27 slides
SAM: Optimizing Multithreaded Cores for Speculative Parallelism MALEEN ABEYDEERA, SUVINAY

SAM: Optimizing Multithreaded Cores for Speculative Parallelism MALEEN ABEYDEERA, SUVINAY

SAM: Optimizing Multithreaded Cores for Speculative Parallelism MALEEN ABEYDEERA, SUVINAY SUBRAMANIAN, MARK JEFFREY, JOEL EMER, DANIEL SANCHEZ PACT 2017 Executive Summary Analyzes the interplay between hardware multithreading and speculative

370 views • 21 slides
Key Points: Control Hazards Control hazards occur when we don t know what the next

Key Points: Control Hazards Control hazards occur when we don t know what the next

Key Points: Control Hazards Control hazards occur when we don t know what the next instruction is Caused by branches and jumps. Strategies for dealing with them Stall Guess! Leads to speculation Flushing the

657 views • 40 slides
Risk 13: Impact of an increase in unplanned and speculative local developments to address the

Risk 13: Impact of an increase in unplanned and speculative local developments to address the

Risk 13: Impact of an increase in unplanned and speculative local developments to address the shortfall in the 5 year housing supply Joanne Eynon Environment and Transport What are the issues? Increased pressure from speculative

218 views • 8 slides
SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities Yuan Xiao, Yinqian Zhang, Radu Teodorescu The Ohio State University SPEculative Execution side Channel Hardware (SPEECH) Vulnerabilities Leverage

512 views • 24 slides
EE 457 Unit 6c Control Hazards 2 Control Hazards Control (branch) hazards are named such

EE 457 Unit 6c Control Hazards 2 Control Hazards Control (branch) hazards are named such

1 EE 457 Unit 6c Control Hazards 2 Control Hazards Control (branch) hazards are named such because they deal with 40: BEQ $1,$3,28 issues related to program control 44: AND $12,$2,$5 instructions (branch, jump, 48: OR $13,$6,$2

704 views • 21 slides
FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU

FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU

FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU SUBRAMANIAN , MARK C. JEFFREY, MALEEN ABEYDEERA, HYUN RYONG LEE, VICTOR A. YING, JOEL EMER, DANIEL SANCHEZ IS ISCA 2017 Current speculative systems

984 views • 47 slides
Cache Memories 15-213: Introduc0on to Computer Systems 10 th

Cache Memories 15-213: Introduc0on to Computer Systems 10 th

Carnegie Mellon Cache Memories 15-213: Introduc0on to Computer Systems 10 th Lecture, Sep. 23, 2010. Instructors: Randy Bryant and Dave OHallaron 1 Carnegie

752 views • 47 slides
Lecture 2: Single processor architecture and memory David Bindel 30 Aug 2011 Teaser What will

Lecture 2: Single processor architecture and memory David Bindel 30 Aug 2011 Teaser What will

Lecture 2: Single processor architecture and memory David Bindel 30 Aug 2011 Teaser What will this plot look like? for n = 100:10:1000 tic; A = []; for i = 1:n A(i,i) = 1; end times(n) = toc; end ns = 100:10:1000; loglog(ns,

541 views • 40 slides
Modeling Hardware Timing 1 Caches and Pipelines Peter Puschner slides: P. Puschner, R. Kirner,

Modeling Hardware Timing 1 Caches and Pipelines Peter Puschner slides: P. Puschner, R. Kirner,

Modeling Hardware Timing 1 Caches and Pipelines Peter Puschner slides: P. Puschner, R. Kirner, B. Huber VU 2.0 182.101 SS 2016 Generic WCET Analysis Framework source

623 views • 18 slides
Cache Performance 1 C and cache misses (1) int array[1024]; // 4KB array int even_sum = 0,

Cache Performance 1 C and cache misses (1) int array[1024]; // 4KB array int even_sum = 0,

Cache Performance 1 C and cache misses (1) int array[1024]; // 4KB array int even_sum = 0, odd_sum = 0; for ( int i = 0; i < 1024; i += 2) { even_sum += array[i + 0]; odd_sum += array[i + 1]; } Assume everything but array is kept in

921 views • 67 slides
General Cache Mechanics CPU Block: unit of data in cache and memory. (a.k.a. line) Memory

General Cache Mechanics CPU Block: unit of data in cache and memory. (a.k.a. line) Memory

General Cache Mechanics CPU Block: unit of data in cache and memory. (a.k.a. line) Memory Hierarchy: Cache Smaller, faster, more expensive. Cache 8 9 14 3 Stores subset of memory blocks . (lines) Data is moved in block units Memory

467 views • 8 slides
lecture 18 cache 2 - TLB (hit and miss) - instruction or data cache - cache (hit and

lecture 18 cache 2 - TLB (hit and miss) - instruction or data cache - cache (hit and

lecture 18 cache 2 - TLB (hit and miss) - instruction or data cache - cache (hit and miss) Wed. March 16, 2016 virtual physical physical virtual address address address address Last lecture I discussed the TLB and how virtual

599 views • 33 slides
Direct-Mapped Cache: Write Allocate with Write-Through Protocol Block size in bytes: B = 2 b WRITE

Direct-Mapped Cache: Write Allocate with Write-Through Protocol Block size in bytes: B = 2 b WRITE

Direct-Mapped Cache: Write Allocate with Write-Through Protocol Block size in bytes: B = 2 b WRITE data to address [x] n-m [w] m [d] b Cache size in blocks: M = 2 m (2 b+m bytes) Block Address A = [x] n-m [w] m Memory size in blocks = 2 n (2 b+n

529 views • 25 slides
CS 136: Advanced Architecture Review of Caches 1 / 30 Introduction Why Caches? Basic goal:

CS 136: Advanced Architecture Review of Caches 1 / 30 Introduction Why Caches? Basic goal:

CS 136: Advanced Architecture Review of Caches 1 / 30 Introduction Why Caches? Basic goal: Size of cheapest memory . . . At speed of most expensive Locality makes it work Temporal locality: If you reference x , youll probably

717 views • 33 slides

More recommend