Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bruhadeshwar bru.bezawada@colostate.edu Meltdown Bruhadeshwar bru.bezawada@colostate.edu.

Published byBarry Floyd Modified over 6 years ago

Similar presentations

Presentation on theme: "Bruhadeshwar bru.bezawada@colostate.edu Meltdown Bruhadeshwar bru.bezawada@colostate.edu."— Presentation transcript:

1 Bruhadeshwar bru.bezawada@colostate.edu
Meltdown Bruhadeshwar

2 Motivation Meltdown is security attack on user data mapped to kernel memory Meltdown uses out-of-order execution feature of micro-processors to extract kernel data The attack is independent of OS vulnerabilities Meltdown is possible through a combination of Cache side-channel inference Out-of-order execution The attack is applicable in almost all processors manufactured after 2010

3 Background: Instruction Pipelining
Pipelining is an optimization technique to keep the processor busy Parts of the instruction cycle: Fetch, Decode, Execute Read memory, Write back can be executed independently

4 Background: Speculative execution
This is the process of executing an instruction in anticipation that it might be used This provides instruction level parallelism For instance in a conditional statement, both the instructions in a condition might be executed Depending on the condition, only one of the execution is retired or committed The other instruction is flushed from the pipeline Tomasulo algorithm describes these details

5 Background: Out-of-order Execution
Multiple instructions executed regardless of the actual program order lw $3, 100($4) in execution, cache miss sub $5, $6, $7 can execute during the cache miss add $2, $3, $4 waits until the miss is satisfied The instructions are fetched, decoded and prepared for execution and pushed into a reservation station Those instructions without data dependencies will execute in no specific order Others will stall until dependency is satisfied (resolving data hazards)

6 Background: Page Sharing
Sharing of pages across un-trusted processes is common Computing systems use copy-on-write mechanisms to separate access More importantly, when shared page is accessed from memory, that page is cached This allows for side-channel attacks on caches A spy process can monitor access to a shared page and use timing information as side-channel

7 Background: Memory Hierarchy
Intel Core-i5 Memory Architecture

8 Meltdown Attack Combination of two steps
Cache side-channel Attack : Flush + Reload Out-of-order Execution

9 Cache Side-channel Attack
A spy process evicts the shared page from the cache using clflush instruction The victim process is allowed to execute some time The spy process checks if the victim process loaded those pages again If access to these pages is seen, then the spy makes inferences about the execution sequence The Flush+Reload is most efficient attack

10 Flush+Reload Three steps + a pre-processing mmap step
First: Flush the shared cache line from memory using clflush Second: Wait for some time Third: Reload the memory line If the victim access the memory during waiting period, the page is in cache and will load faster If not, the loading is done from memory and hence, longer The timing difference is noted by the spy

11 Ex: Extracting RSA Private Keys
Attack Intuition Exponentiation Algorithm Exponentiation with square- and-multiply The message is raised to the power of private key Depending on bit value the code execution time varies If key bit is 1 then the if condition is true Inference: The pages containing square, reduce, multiply, reduce are executed when private key bit is 1

12 Flush+Reload Attack Code
The code measures the time for loading the page The clflush keeps removing the monitored pages from memory The other commands are to ensure that this code executes in-order The final output is the time taken to load the corresponding page into memory after a waiting period

13 Access Time

14 Meltdown User pages are separated using page table addresses in virtual memory But, entire Physical memory is mapped in the kernel as kernel needs to have access to both kernel pages and user pages The offsets of kernel code are typically known ASLR for kernel is KASLR, but not implemented This is exploited by meltdown Such instructions are called transient instructions

15 Meltdown Speculative execution executes second line
Sample example Description Speculative execution executes second line The array location is accessed and brought into the cache

16 Meltdown : Architecture

17 Meltdown : Core Sequence
Line 1 reads an inaccessible address Should throw an exception but is delayed due to out-of- order execution Line 4 copies the byte in the kernel address into al This should not happen but does happen! The register al is rax Line 5 multiplies the address with 4096 Line 8 accesses the location pointed by rbx+rax

18 Meltdown The location accessed by the code is cached
The attackers uses Flush+Reload to mark the cache access timings Next, the attacker probes for all the pages in array Only the cached line will be retrieved faster The page number of this cache line corresponds to the kernel data Hence, complete!

19 Meltdown : Access Time

20 Exceptions What happens to exceptions thrown due to the invalid kernel access? Can be handled by forking or exception catching

21 Mitigation Disable out-of-order execution
Use page access check like AMD Do not map all user space into kernel Disable clflush?  other side-channel attacks might be still possible

22 Summary Meltdown is a cache side-channel attack affecting nearly every computer The hardware choices make this attack possible Open challenges: How to keep performance high while not allowing such side-channels? How to discover such side-channels?

Download ppt "Bruhadeshwar bru.bezawada@colostate.edu Meltdown Bruhadeshwar bru.bezawada@colostate.edu."

Similar presentations

Hardware-Based Speculation. Exploiting More ILP Branch prediction reduces stalls but may not be sufficient to generate the desired amount of ILP One way.

Hardware-Based Speculation. Exploiting More ILP Branch prediction reduces stalls but may not be sufficient to generate the desired amount of ILP One way.
Data Dependencies Describes the normal situation that the data that instructions use depend upon the data created by other instructions, or data is stored.

Data Dependencies Describes the normal situation that the data that instructions use depend upon the data created by other instructions, or data is stored.
CS6290 Tomasulo’s Algorithm. Implementing Dynamic Scheduling Tomasulo’s Algorithm –Used in IBM 360/91 (in the 60s) –Tracks when operands are available.

CS6290 Tomasulo’s Algorithm. Implementing Dynamic Scheduling Tomasulo’s Algorithm –Used in IBM 360/91 (in the 60s) –Tracks when operands are available.
Dyn. Sched. CSE 471 Autumn 0219 Tomasulo’s algorithm “Weaknesses” in scoreboard: –Centralized control –No forwarding (more RAW than needed) Tomasulo’s.

Dyn. Sched. CSE 471 Autumn 0219 Tomasulo’s algorithm “Weaknesses” in scoreboard: –Centralized control –No forwarding (more RAW than needed) Tomasulo’s.
Pipeline Computer Organization II 1 Hazards Situations that prevent starting the next instruction in the next cycle Structural hazards – A required resource.

Pipeline Computer Organization II 1 Hazards Situations that prevent starting the next instruction in the next cycle Structural hazards – A required resource.
Intro to Computer Org. Pipelining, Part 2 – Data hazards + Stalls.

Intro to Computer Org. Pipelining, Part 2 – Data hazards + Stalls.
Lecture Objectives: 1)Define pipelining 2)Calculate the speedup achieved by pipelining for a given number of instructions. 3)Define how pipelining improves.

Lecture Objectives: 1)Define pipelining 2)Calculate the speedup achieved by pipelining for a given number of instructions. 3)Define how pipelining improves.
ECE 2162 Tomasulo’s Algorithm. Implementing Dynamic Scheduling Tomasulo’s Algorithm –Used in IBM 360/91 (in the 60s) –Tracks when operands are available.

ECE 2162 Tomasulo’s Algorithm. Implementing Dynamic Scheduling Tomasulo’s Algorithm –Used in IBM 360/91 (in the 60s) –Tracks when operands are available.
Spring 2003CSE P5481 Reorder Buffer Implementation (Pentium Pro) Hardware data structures retirement register file (RRF) (~ IBM 360/91 physical registers)

Spring 2003CSE P5481 Reorder Buffer Implementation (Pentium Pro) Hardware data structures retirement register file (RRF) (~ IBM 360/91 physical registers)
Chapter 12 CPU Structure and Function. CPU Sequence Fetch instructions Interpret instructions Fetch data Process data Write data.

Chapter 12 CPU Structure and Function. CPU Sequence Fetch instructions Interpret instructions Fetch data Process data Write data.
Computer Organization and Architecture

Computer Organization and Architecture
Memory Management (II)

Memory Management (II)
Chapter 12 Pipelining Strategies Performance Hazards.

Chapter 12 Pipelining Strategies Performance Hazards.
Pipelining Andreas Klappenecker CPSC321 Computer Architecture.

Pipelining Andreas Klappenecker CPSC321 Computer Architecture.
CS 300 – Lecture 23 Intro to Computer Architecture / Assembly Language Virtual Memory Pipelining.

CS 300 – Lecture 23 Intro to Computer Architecture / Assembly Language Virtual Memory Pipelining.
Modified from Silberschatz, Galvin and Gagne Lecture 15 Chapter 8: Main Memory.

Modified from Silberschatz, Galvin and Gagne Lecture 15 Chapter 8: Main Memory.
Chapter 12 CPU Structure and Function. Example Register Organizations.

Chapter 12 CPU Structure and Function. Example Register Organizations.
1  1998 Morgan Kaufmann Publishers Chapter Seven Large and Fast: Exploiting Memory Hierarchy (Part II)

1  1998 Morgan Kaufmann Publishers Chapter Seven Large and Fast: Exploiting Memory Hierarchy (Part II)
CMPE 421 Parallel Computer Architecture

CMPE 421 Parallel Computer Architecture
Virtual Memory Expanding Memory Multiple Concurrent Processes.

Virtual Memory Expanding Memory Multiple Concurrent Processes.

Similar presentations

Ads by Google