Meltdown and Spectre: Complexity and the death of security

Slides:



Advertisements
Similar presentations
University of Amsterdam Computer Systems – the processor architecture Arnoud Visser 1 Computer Systems The processor architecture.
Advertisements

Computer Structure 2014 – Out-Of-Order Execution 1 Computer Structure Out-Of-Order Execution Lihu Rappoport and Adi Yoaz.
Computer Organization and Architecture
Randal E. Bryant Carnegie Mellon University CS:APP2e CS:APP Chapter 4 Computer Architecture SequentialImplementation CS:APP Chapter 4 Computer Architecture.
Computer Architecture 2011 – Out-Of-Order Execution 1 Computer Architecture Out-Of-Order Execution Lihu Rappoport and Adi Yoaz.
EECS 470 Pipeline Hazards Lecture 4 Coverage: Appendix A.
Chapter 12 CPU Structure and Function. Example Register Organizations.
Randal E. Bryant CS:APP Chapter 4 Computer Architecture SequentialImplementation CS:APP Chapter 4 Computer Architecture SequentialImplementation Slides.
Datapath Design II Topics Control flow instructions Hardware for sequential machine (SEQ) Systems I.
Pipelining III Topics Hazard mitigation through pipeline forwarding Hardware support for forwarding Forwarding to mitigate control (branch) hazards Systems.
TDC 311 The Microarchitecture. Introduction As mentioned earlier in the class, one Java statement generates multiple machine code statements Then one.
Randal E. Bryant Carnegie Mellon University CS:APP CS:APP Chapter 4 Computer Architecture SequentialImplementation CS:APP Chapter 4 Computer Architecture.
Datapath Design I Topics Sequential instruction execution cycle Instruction mapping to hardware Instruction decoding Systems I.
Review (1/2) °Caches are NOT mandatory: Processor performs arithmetic Memory stores data Caches simply make data transfers go faster °Each level of memory.
Sample Code (Simple) Run the following code on a pipelined datapath: add1 2 3 ; reg 3 = reg 1 + reg 2 nand ; reg 6 = reg 4 & reg 5 lw ; reg.
Lecture Topics: 11/24 Sharing Pages Demand Paging (and alternative) Page Replacement –optimal algorithm –implementable algorithms.
1 Sequential CPU Implementation. 2 Outline Logic design Organizing Processing into Stages SEQ timing Suggested Reading 4.2,4.3.1 ~
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.
Carnegie Mellon 1 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Virtual Memory: Concepts Slides adapted from Bryant.
Adapted from Computer Organization and Design, Patterson & Hennessy, UCB ECE232: Hardware Organization and Design Part 13: Branch prediction (Chapter 4/6)
1 SEQ CPU Implementation. 2 Outline SEQ Implementation Suggested Reading 4.3.1,
Sequential Hardware “God created the integers, all else is the work of man” Leopold Kronecker (He believed in the reduction of all mathematics to arguments.
Out-of-order execution Lihu Rappoport 11/ MAMAS – Computer Architecture Out-Of-Order Execution Dr. Lihu Rappoport.
Rabi Mahapatra CS:APP3e Slides are from Authors: Bryant and O Hallaron.
Real-World Pipelines Idea –Divide process into independent stages –Move objects through stages in sequence –At any given times, multiple objects being.
1 Seoul National University Sequential Implementation.
Real-World Pipelines Idea Divide process into independent stages
Computer Organization
Lecture 13 Y86-64: SEQ – sequential implementation
Section 9: Virtual Memory (VM)
Today How was the midterm review? Lab4 due today.
Lecture 14 Y86-64: PIPE – pipelined implementation
Constructive Computer Architecture Tutorial 6: Discussion for lab6
CSE 502: Computer Architecture
Decode and Operand Read
/ Computer Architecture and Design
Bruhadeshwar Meltdown Bruhadeshwar
Sequential Implementation
Samira Khan University of Virginia Feb 14, 2017
Sequential Execution Semantics
Pipelined Implementation : Part I
Seoul National University
Seoul National University
Instruction Decoding Optional icode ifun valC Instruction Format
CMPT 886: Computer Architecture Primer
Pipelined Implementation : Part II
Systems I Pipelining III
Meltdown and Spectre: Complexity and the death of security
Systems I Pipelining II
ECE Dept., University of Toronto
Pipelined Implementation : Part I
Krste Asanovic Electrical Engineering and Computer Sciences
Seoul National University
Pipeline Architecture I Slides from: Bryant & O’ Hallaron
Pipelined Implementation : Part I
Mengjia Yan† , Jiho Choi† , Dimitrios Skarlatos,
Data Prefetching Smruti R. Sarangi.
Pipelined Implementation
Systems I Pipelining II
Systems I Pipelining II
Chapter 11 Processor Structure and function
Real-World Pipelines: Car Washes
Sequential CPU Implementation
Virtual Memory Use main memory as a “cache” for secondary (disk) storage Managed jointly by CPU hardware and the operating system (OS) Programs share main.
Landon Cox January 17, 2018 January 22, 2018
Lecture 11: Machine-Dependent Optimization
Sequential Design תרגול 10.
Spring 2019 Prof. Eric Rotenberg
Meltdown & Spectre Attacks
Presentation transcript:

Meltdown and Spectre: Complexity and the death of security Dr. Michael S. Kirkpatrick January 24, 2018

Meltdown and Spectre: Wait, my computer does what? Dr. Michael S. Kirkpatrick January 24, 2018

Meltdown and Spectre: Whoever thought that was a good idea? Dr. Michael S. Kirkpatrick January 24, 2018

Meltdown and Spectre: I give up. Can I just retire now? Dr. Michael S. Kirkpatrick January 24, 2018

No one alive understands how computers behave.

Meltdown and Spectre Kernel co-location Race conditions Page tables Cache mapping Process forks Branch prediction Cache hierarchy Out-of-order execution Pipelined CPU design High-resolution timers Speculative execution Physical memory map

✓ ✓ Read data location 12345 Read data location 12345 stack code data heap kernel kernel ✓ ✓ stack iTunes Page Table Chrome Page Table heap Read data location 12345 Read data location 12345 data code

Read kernel location deadbeef stack code data heap kernel kernel stack iTunes Page Table Chrome Page Table heap data code Read kernel location deadbeef

Memory hierarchy and cache Core 0 Core 3 Regs Regs L1 data cache L1 inst. cache L1 data cache L1 inst. cache . . . 1: Here’s your data 2: Access allowed? 1: Access allowed? 2: OK, here’s your data L2 unified cache L2 unified cache 1: Access allowed? 2: OK, here’s your data L3 unified cache (shared by all cores) 1: Access allowed? 2: OK, here’s your data Main Memory

Check for exception PC update Write back Memory Execute Decode Fetch d New PC Register file valA valB A B E M L U ALU cntrl valE Cnd CC valM d r Data Mem Memory valP icode ifun rA rB valC PC incr. Inst. Memory

If orange 5 doesn’t depend on 3 & 4, why wait? x86 Pipelining Fetch Decode Exec Mem Write PC Check Fetch Decode Exec Mem Write PC Check Fetch Decode Exec Mem Write PC Check If orange 5 doesn’t depend on 3 & 4, why wait? Fetch Decode Exec Mem Write PC Check Fetch Decode Exec Mem Write PC Check 1 2 4 3 5 6 7 8 1 2 4 3 5 6 7 8

Green and orange can’t “retire” yet x86 Pipelining Green and orange can’t “retire” yet 1 2 4 3 5 6 7 8

What we know so far… You’re not supposed to access kernel L1 cache timing is wrong x86 pipelining is crazy Macroarchitecture != microarchitecture “First” != first Invisible side effects are visible

Cache-based side channels Guess what y is! x = array[y]; 1 3 2 4 5 6 7 for (i = 0; i < 8; i++) { start_timer(); y = array[i]; stop_timer(); }

Meltdown Read a byte of the kernel Multiply byte by 4096 Use value to hit cache line 8: Maybe I should check if step 4 was valid…

Meltdown O-ho! Second byte is 1. Ah! First byte is 2. ATTACK! ATTACK! fork() fork()

Meltdown Process memory contains... the kernel, which contains… physical memory, which contains… the memory contents of every process.

x86 Pipelining

Speculative execution if (x < array_length) y = array[x]; a b d c e f g h x is 2 y becomes c x is 5 y becomes f x is 1 y becomes b x is 327 y becomes

Choose x = &target - &array1 Spectre variant 1 Cache miss Cache hit Cache hit Choose x = &target - &array1 Cache miss 1 3 2 4 5 6 7

Spectre variant 2 gadgets https://34c3.cyber-itl.org/slides.pdf

Meltdown Spectre Short-term fix KAISER/PTI Browser hardening Long-term fix Replace hardware ???? All BP Hyperthreading Change of CPL

And so it begins…

A return to the past…

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.