spectres
play

SPECTRES, VIRTUAL GHOSTS, AND HARDWARE SUPPORT Xiaowan Dong - PowerPoint PPT Presentation

Jul 31, 2023 •501 likes •842 views

SPECTRES, VIRTUAL GHOSTS, AND HARDWARE SUPPORT Xiaowan Dong University of Rochester Zhuojia Shen University of Rochester John Criswell University of Rochester

  1. SPECTRES, VIRTUAL GHOSTS, AND HARDWARE SUPPORT Xiaowan Dong University of Rochester Zhuojia Shen University of Rochester John Criswell University of Rochester Alan Cox Rice University Sandhya Dwarkadas University of Rochester

  2. Goal Analyze the impact of speculation side channel mitigation on mechanisms that protect user data from compromised OS kernels. 2

  3. SPECTRES: SPECULATION SIDE CHANNELS 3

  4. Speculation Side Channels: Spectre and Meltdown • Speculative execution exacerbates • Example of Spectre side channels if (x < array1_size) • Confidential data is speculatively y = array2[array1[x] * 256]; read and exposed via cache side channels 4

  5. VIRTUAL GHOST: PROTECTING APPLICATION DATA FROM COMPROMISED OS KERNELS 5

  6. Virtual Ghost • A compiler-based approach to protect application data from OS kernels by • Instrumenting every kernel load and store: Software Fault Isolation (SFI) • Requiring the OS kernel to invoke SVA-OS to • Manipulate program state (context switch) OS Kernel • Configure hardware state (MMU) SVA-OS Processor 6

  7. Virtual Address Space of Virtual Ghost User • Protected memory regions include Space Secure User • Secure user space Space • Protected from the OS kernel Virtual Ghost • Virtual Ghost space Space • Saves virtual ghost VM internal data structures Kernel Space Virtual address space 7

  8. Virtual Ghost Instrumentation (SFI) • SFI on Virtual Ghost could be • Example of SFI vulnerable to bounds check bypass If ((addr < SECURE_MEM_START) OR (addr > SECURE_MEM_END)) • A compromised kernel speculatively reads data before the check completes access_memory(addr); Goal: Defend against bounds check bypass (Spectre variant 1) directly launched by the kernel on secure user and virtual ghost space 8

  9. THREE MITIGATIONS 9

  10. Three mitigations • Bit-Masking SFI • MPX SFI with lfence • Separate address spaces 10

  11. mov POINTER_ADDR_HIGH_ORDER_BITS, %R1 Bit-Masking SFI cmp PROT_MEM_HIGH_ORDER_BITS, %R1 sete %R2 • Check whether a pointer points to protected memory regions sign-extend and left shift %R2 • Move it into the kernel region if so or POINTER_ADDR, %R2 • Cmp and sete instructions mov (%R2), %R1 User Space • Results in a data dependence Addr between the SFI code and the Secure User Space memory load Virtual Ghost VM • Intel does not support value Memory speculation Check must complete before memory Kernel Space load is performed 11

  12. Three mitigations • Bit-Masking SFI • MPX SFI with lfence • Separate address spaces 12

  13. MPX SFI • Intel MPX is a hardware mechanism designed for efficient bounds checking • Limitation: MPX only supports checks against one memory region at a time • Solution: Make the kernel- and user-space appear contiguous [1] • Subtract the start address of secure user space from the pointer address Secure Secure User Virtual Ghost Kernel Virtual Ghost Kernel User User User Space Space Space Space Space Space Space Space (2 64 -1) - gstart 2 64 -1 2 64 -1 0 0 [1] Xiaowan Dong, Zhuojia Shen, John Criswell, Alan Cox, and Sandhya Dwarkadas. Shielding Software From Privileged Side- Channel Attacks. To appear in the 27th USENIX Security Symposium, 2018. 13

  14. Handling Speculation: MPX SFI with lfence • Problem : Intel speculatively executes the mov %R1, %R2 instructions following bounds check sub GHOST_MEM_START_ADDR, %R2 • Assumes the bounds check will pass bndcl %R2, %bnd0 • Solution : Insert an lfence instruction lfence between the bounds check and the mov (%R1), %R1 memory load • Introduce pipeline stalls All subsequent instructions are stalled until the bounds check commits 14

  15. Comparing The Two Approaches Bit-Masking SFI MPX SFI with lfence • Only introduces data dependence • Stalls the pipeline completely • Other instructions can proceed • More expensive than Bit-Masking SFI Bounds_check(addr) Bounds_check(addr) lfence Data Dependence Access(addr) Access(addr) Instr1 Instr1 Instr2 Instr2 15

  16. Three mitigations • Bit-Masking SFI • MPX SFI with lfence • Separate address spaces 16

  17. Separate Address Spaces User User User Space Space Space Secure User Secure User Space Space Virtual Ghost Virtual Ghost Space Space Virtual Ghost Virtual Ghost Virtual Ghost VM Trampolines VM Trampolines VM Trampolines Kernel Kernel Kernel Space Space Space Kernel root-level Virtual Ghost and application root-level Virtual address space page table page page table pages 17

  18. Separate Address Spaces • Challenges: Address space switch can be frequent and expensive • Each kernel invocation of SVA-OS incurs two address space switches • Kernel-AddrSpace VirtualGhost-AddrSpace • Address space switch incurs execution of serializing instructions • Updating the CR3 register with the page table base address 18

  19. Comparing The Three Approaches Separate Address Spaces Bit-Masking SFI MPX SFI with lfence • Address space switch is • Instruments every • Instruments every very expensive load and store load and store • Kernel Virtual Ghost can be frequent • Introduces data • lfence incurs pipeline dependence stall 19

  20. EVALUATION 20

  21. Methodology • Experiment environment • 3.4GHz Intel i7-6700 hyperthreading quad-core processor • 16 GB RAM • 256 GB SSD • FreeBSD 9.0 ported to Virtual Ghost 21

  22. Benchmarks • Basic OS operation Benchmarks • LMBench • Null syscall, open/close, mmap, page fault, fork, fork + exec • Applications • FreeBSD 9.0 C library compilation • SSHD • On an isolated Gigabit Ethernet network • Use scp to transfer files from the OpenSSH server to the client 22

  23. LMBench Results lfence is very expensive The best performance The best performance 23

  24. Libc Compilation Results 24

  25. SSHD FileTransfer Rates SSH Server File Transfer Bandwidth 25

  26. SSHD File Transfer Rates SSH Server File Transfer Bandwidth 26

  27. SSHD File Transfer Rates SSH Server File Transfer Bandwidth 27

  28. SSHD File Transfer Rates SSH Server File Transfer Bandwidth 28

  29. • MPX-SFI without lfence is faster than bit-masking SFI • Can we eliminate the use of lfence on MPX-SFI? 29

  30. Enhanced MPX SFI • We propose two architectural improvements to MPX bndcl MULTI_BOUNDS, %R1 /* cmp is used to emulate new bndcl */ • Add a data dependence between sete %R2 bounds check and memory load sign-extend %R2 • Eliminate lfence • Set a flag in a register if the address or %R2, %R1 is out-of-bounds and check the flag mov (%R1), %R1 later • Support checks against multiple bounds • Reduce register pressure • alleviate pointer arithmetic 30

  31. The enhanced MPX-SFI does not outperform Bit-masking SFI Results LMBench Libc Compilation 31

  32. SSHD Results The enhanced MPX-SFI does not outperform Bit-masking SFI 32

  33. Conclusion • Bit-Masking SFI usually achieves the best performance • Separate address spaces can incur frequent and expensive address space switch • MPX-SFI with lfence performs the worst • With enhancements, MPX SFI does not outperform Bit-Masking SFI 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Pics, ligne de base, bruit : s eparation ternaire de sources assist ee (BEADS : positivit

Pics, ligne de base, bruit : s eparation ternaire de sources assist ee (BEADS : positivit

I NTRODUCTION BEADS MODEL AND ALGORITHM E VALUATION AND RESULTS O NGOING , EXTENSIONS , CONCLUSION Pics, ligne de base, bruit : s eparation ternaire de sources assist ee (BEADS : positivit e, parcimonie), spectres chimiques &amp;

1.08k views • 58 slides
S7105 ADAS/AD CHALLENGES: GPU SCHEDULING &amp; SYNCHRONIZATION Venugopala Madumbu, NVIDIA GTC

S7105 ADAS/AD CHALLENGES: GPU SCHEDULING &amp; SYNCHRONIZATION Venugopala Madumbu, NVIDIA GTC

S7105 ADAS/AD CHALLENGES: GPU SCHEDULING &amp; SYNCHRONIZATION Venugopala Madumbu, NVIDIA GTC 2017 210D ADVANCED DRIVING ASSIST SYSTEMS (ADAS) &amp; AUTONOMOUS DRIVING (AD) High Compute Workloads Mapped to GPU 2 ADAS/AD Requirements

326 views • 22 slides
Core-Aware Scheduling: Balancing Application Parallelism with Core Availability Henry Qin

Core-Aware Scheduling: Balancing Application Parallelism with Core Availability Henry Qin

Core-Aware Scheduling: Balancing Application Parallelism with Core Availability Henry Qin Advisor: John Ousterhout Febuary 2, 2016 1 / 15 Introduction Motivation: Inefficient core and thread management Hard to get high throughput in low

297 views • 25 slides
Introduction to Program Analysis: A Pointer Centric View Uday Khedker

Introduction to Program Analysis: A Pointer Centric View Uday Khedker

Introduction to Program Analysis: A Pointer Centric View Uday Khedker (www.cse.iitb.ac.in/uday) Department of Computer Science and Engineering, Indian Institute of Technology, Bombay Dec 2017 WSSE Pune Intro to PA: Outline 1/7 An Outline

552 views • 8 slides
Trust in the Digital World Vienna 7-8 April 2014 Panel: Trusted Personal data Management

Trust in the Digital World Vienna 7-8 April 2014 Panel: Trusted Personal data Management

Trust in the Digital World Vienna 7-8 April 2014 Panel: Trusted Personal data Management Organised by Digital Enlightenment Forum Overview 1. Panel Agenda 2. What is Digital Enlightenment Forum 3. Personal Data Management (PDM) terminology,

448 views • 13 slides
Entropy-based Concept Shift Detection Peter Vorburger, Abraham Bernstein University of Zurich

Entropy-based Concept Shift Detection Peter Vorburger, Abraham Bernstein University of Zurich

Entropy-based Concept Shift Detection Peter Vorburger, Abraham Bernstein University of Zurich Department of Informatics Binzm uhlestrasse 14, 8050 Zurich, Switzerland { vorburger, bernstein } @ifi.unizh.ch Abstract per is a real-world

176 views • 6 slides
Porting FreeBSD to AArch64 Andrew Turner andrew@fubar.geek.nz 12 June 2015 About me Source

Porting FreeBSD to AArch64 Andrew Turner andrew@fubar.geek.nz 12 June 2015 About me Source

Porting FreeBSD to AArch64 Andrew Turner andrew@fubar.geek.nz 12 June 2015 About me Source committer focusing on ARM Freelance Software Engineer Status of arm64 (AArch64) Support to boot in QEMU committed to subversion Some support

410 views • 37 slides
How$to$Measure$RTOS$ Performance Colin/Walls colin_walls@mentor.com

How$to$Measure$RTOS$ Performance Colin/Walls colin_walls@mentor.com

How$to$Measure$RTOS$ Performance Colin/Walls colin_walls@mentor.com with/acknowledgement/to/Faheem Sheikh/&amp;/Dan/Driscoll mentor.com/embedded Android'is'a'trademark'of'Google'Inc.'Use'of'this'trademark'is'subject'to'Google'Permissions.

781 views • 43 slides
Communication for Enterprise Appliances Anton Burtsev , Kiran Srinivasan, Prashanth

Communication for Enterprise Appliances Anton Burtsev , Kiran Srinivasan, Prashanth

Fido: Fast Inter-Virtual-Machine Communication for Enterprise Appliances Anton Burtsev , Kiran Srinivasan, Prashanth Radhakrishnan, Lakshmi N. Bairavasundaram, Kaladhar Voruganti, Garth R. Goodson NetApp, Inc University of Utah, School

767 views • 37 slides
Surviving the Zombie Apocalypse or How to flourish in a career in computers Andy Walker

Surviving the Zombie Apocalypse or How to flourish in a career in computers Andy Walker

Surviving the Zombie Apocalypse or How to flourish in a career in computers Andy Walker (Skyscanner) Knowing yourself is the beginning of all wisdom Aristotle VS Understanding stress Stress / Anxiety Scope (aka number of

459 views • 22 slides
Flexible Protocol Stack Framework : Design, Validation and Performance Tim Farnham 1 , Thorsten

Flexible Protocol Stack Framework : Design, Validation and Performance Tim Farnham 1 , Thorsten

O C U S T Flexible Protocol Stack Framework : Design, Validation and Performance Tim Farnham 1 , Thorsten Schler 2 SDR Forum Technical Conference November 2003 1 Toshiba Research Europe Ltd 2 Siemens AG Authors: Tim Farnham, Date:

601 views • 21 slides
OpenStack Operations Quick Ramp-up and Survival Guide Joshua Guan, Operations Engineer, IBM

OpenStack Operations Quick Ramp-up and Survival Guide Joshua Guan, Operations Engineer, IBM

OpenStack Operations Quick Ramp-up and Survival Guide Joshua Guan, Operations Engineer, IBM Bluemix Private Cloud, @joshuakwan Fan He, Architect, IBM Bluemix Private Cloud, @fancyhe Joshua Guan, Operations Lead Fan He, Cloud Architect IBM

562 views • 32 slides
Soft Timers: Efficient Microsecond Software Timer Support for Network Processing Mohit Aron

Soft Timers: Efficient Microsecond Software Timer Support for Network Processing Mohit Aron

Soft Timers: Efficient Microsecond Software Timer Support for Network Processing Mohit Aron Peter Druschel Presenter: Christopher Head Problem: Network Bandwidth Bandwidth: 1Gbps MTU: 1518B Rate: ~82000 pps Period: ~12s ~=

379 views • 15 slides
RTker Anubha Verma Shikha Kapoor Features Modular Design Isolation of Architecture/CPU

RTker Anubha Verma Shikha Kapoor Features Modular Design Isolation of Architecture/CPU

RTker Anubha Verma Shikha Kapoor Features Modular Design Isolation of Architecture/CPU dependent and independent code Easy to Port Pluggable Scheduler Two level Interrupt Handling Small footprint Oskits Device

502 views • 19 slides
Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture

Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture

Enhance protection from security bugs in the Xen hypervisor Anthony PERARD Xen architecture Dom0 VMs QEMU Xen Scheduler MMU vPIC Memory CPUs I/O HW Emulation in hypervisor For performance Examples: Interrupt controller

859 views • 20 slides
Verifying the FreeRTOS Real-Time OS Deepak DSouza Department of Computer Science and

Verifying the FreeRTOS Real-Time OS Deepak DSouza Department of Computer Science and

How RTOS works ADTs and refinement in Z RTOS as an ADT Verification strategy Bugs found Verifying the FreeRTOS Real-Time OS Deepak DSouza Department of Computer Science and Automation Indian Institute of Science, Bangalore. Joint work

654 views • 41 slides
Biofilm Killer BIOSCIENCES LYON iGEM TEAM 2012 Context iGEM Synthetic Biology for Innovative

Biofilm Killer BIOSCIENCES LYON iGEM TEAM 2012 Context iGEM Synthetic Biology for Innovative

Biofilm Killer BIOSCIENCES LYON iGEM TEAM 2012 Context iGEM Synthetic Biology for Innovative Solutions competition Context Industrial biofilm issues Oil industry : Osli, Schlumberger Cosmetics: Gatefoss Enzyme-based cleaning solutions:

518 views • 51 slides
Scala and Go: A Comparison of Concurrency Features Brent Smith and Leon Gibson CSCI5828 Spring

Scala and Go: A Comparison of Concurrency Features Brent Smith and Leon Gibson CSCI5828 Spring

Scala and Go: A Comparison of Concurrency Features Brent Smith and Leon Gibson CSCI5828 Spring 2012 Comparison of Scala &amp; Go's concurrency constructs By Brent Smith and Leon Gibson What does Scala and Go offer your company for a scalable

680 views • 63 slides
Enabling Customer Choice for RPP TOU Customers EB-2020-0152 Please mute yourself when

Enabling Customer Choice for RPP TOU Customers EB-2020-0152 Please mute yourself when

Enabling Customer Choice for RPP TOU Customers EB-2020-0152 Please mute yourself when entering the meeting. Participants will then be able to unmute themselves if they wish to speak. To ask questions or provide comments please use

319 views • 28 slides
Throughput Computing Harry Guo - Minh Truong Larrabee Outline 1. Motivation 2. Architectural

Throughput Computing Harry Guo - Minh Truong Larrabee Outline 1. Motivation 2. Architectural

Throughput Computing Harry Guo - Minh Truong Larrabee Outline 1. Motivation 2. Architectural Overview a. Scalar Unit b. VPU c. Inter-processor Ring Network d. Fixed function logic 3. Software Rendering 4. Evaluation a. Merits

518 views • 27 slides
Something you didnt know about Rapita/Ada/Software Ian Broster ianb@rapitasystems.com 1

Something you didnt know about Rapita/Ada/Software Ian Broster ianb@rapitasystems.com 1

Something you didnt know about Rapita/Ada/Software Ian Broster ianb@rapitasystems.com 1 What does Rapita do? Advanced technologies for reducing V&amp;V costs Revolutionize your software verification 2 RVS: Software verification

440 views • 24 slides
PROJECT IMPLEMENTATION PLACE: Naberezhnye Chelny, Prompark Razvitie&quot; VOLUME OF NECESSARY

PROJECT IMPLEMENTATION PLACE: Naberezhnye Chelny, Prompark Razvitie&quot; VOLUME OF NECESSARY

PROJECT BASIS: Construction of a paper mill for the production of paper for corrugating from recycled raw materials with a capacity of 150 tons per day. COMPANY NAME: Naberezhnochelninskaya KBF LLC,registered on 01.04.2018. PROJECT

569 views • 20 slides
ThumbAd Mobile Media and Advertising @mobilmannen How can brands and publishers succeed with

ThumbAd Mobile Media and Advertising @mobilmannen How can brands and publishers succeed with

ThumbAd Mobile Media and Advertising @mobilmannen How can brands and publishers succeed with targeted mobile advertising? ThumbAd Digital ads distribution on MOBILE | DESKTOP | VIDEO | SOSIAL Actionable Data | Algorithms | Real Time

743 views • 31 slides
The Practical Evolution of the Auto-Tagging Technology as a Service Georgi Kadrev @georgikadrev

The Practical Evolution of the Auto-Tagging Technology as a Service Georgi Kadrev @georgikadrev

The Practical Evolution of the Auto-Tagging Technology as a Service Georgi Kadrev @georgikadrev Imagga Technologies @imagga GTC 17, May10th In numbers more than more than in more than 200 8.9K 82 Businesses Developers Countries

951 views • 41 slides

More recommend