Presentation is loading. Please wait.

Presentation is loading. Please wait.

Meltdown and Spectre: Complexity and the death of security

Published byHarry Simen Modified over 6 years ago

Similar presentations

Presentation on theme: "Meltdown and Spectre: Complexity and the death of security"— Presentation transcript:

1 Meltdown and Spectre: Complexity and the death of security Dr. Michael S. Kirkpatrick May 8, 2018

2 Meltdown and Spectre: Wait, my computer does what? Dr. Michael S. Kirkpatrick May 8, 2018

3 Meltdown and Spectre: Whoever thought that was a good idea? Dr. Michael S. Kirkpatrick May 8, 2018

4 Meltdown and Spectre: I give up. Can I just retire now? Dr. Michael S. Kirkpatrick May 8, 2018

5 No one alive understands how computers behave.

6

7 Kernel co-location Race conditions Page tables Cache mapping Process forks Branch prediction Cache hierarchy Out-of-order execution Pipelined CPU design High-resolution timers Speculative execution Physical memory map

8 Computers are complex systems.

9

10 ✓ ✓ Read data location 12345 Read data location 12345 stack code data
heap kernel kernel stack iTunes Page Table Chrome Page Table heap Read data location 12345 Read data location 12345 data code

11 Read kernel location deadbeef
stack code data heap kernel kernel stack iTunes Page Table Chrome Page Table heap data code Read kernel location deadbeef

12 Memory hierarchy and cache
Core 0 Core 3 Regs Regs L1 data cache L1 inst. cache L1 data cache L1 inst. cache . . . 1: Here’s your data 2: Access allowed? 1: Access allowed? 2: OK, here’s your data L2 unified cache L2 unified cache 1: Access allowed? 2: OK, here’s your data L3 unified cache (shared by all cores) 1: Access allowed? 2: OK, here’s your data Main Memory

13 Check for exception PC update Write back Memory Execute Decode Fetch d
New PC Register file valA valB A B E M L U ALU cntrl valE Cnd CC valM d r Data Mem Memory valP icode ifun rA rB valC PC incr. Inst. Memory

14 If orange 5 doesn’t depend on 3 & 4, why wait?
x86 Pipelining Fetch Decode Exec Mem Write PC Check Fetch Decode Exec Mem Write PC Check Fetch Decode Exec Mem Write PC Check If orange 5 doesn’t depend on 3 & 4, why wait? Fetch Decode Exec Mem Write PC Check Fetch Decode Exec Mem Write PC Check 1 2 4 3 5 6 7 8 1 2 4 3 5 6 7 8

15 Green and orange can’t “retire” yet
x86 Pipelining Green and orange can’t “retire” yet 1 2 4 3 5 6 7 8

16 What we know so far… You’re not supposed to access kernel
L1 cache timing is wrong x86 pipelining is complex Macroarchitecture != microarchitecture “First” != First “Invisible” side effects are visible

17 Cache-based side channels
Guess what q is! x = array[q]; 1 3 2 4 5 6 7 for (i = 0; i < 8; i++) { start_timer(); y = array[i]; stop_timer(); }

18 Meltdown Read a byte of the kernel Multiply byte by 4096
Use value to hit cache line 8: Maybe I should check if step 4 was valid…

19 Meltdown O-ho! Second byte is 1. Ah! First byte is 2. ATTACK! ATTACK!
x = array[y]; ATTACK! ATTACK! fork() fork() for (i = 0; i < 8; i++) { start_timer(); y = array[i]; stop_timer(); }

20 Meltdown Process memory contains... the kernel, which contains…
physical memory, which contains… the memory contents of every process.

21 Meltdown Short-term fix Long-term fix
KAISER/PTI/ KVAS Long-term fix Replace hardware stack code data heap kernel stack code data heap kernel

22 x86 Pipelining

23 Speculative execution
if (x < array_length) y = array[x]; a b d c e f g h x is 2 y becomes c x is 5 y becomes f x is 1 y becomes b x is 327 y becomes

24 Spectre variant 1 Cache miss Cache hit Cache hit Cache miss
x = &target - &array1 array1[x] is the target Cache miss 1 3 2 4 5 6 7

25 Spectre variant 2 widgets

26 What about applications?
Meltdown Spectre Short-term fix KAISER/PTI/ KVAS Browser hardening Long-term fix Replace hardware ???? Meltdown Short-term fix KAISER/PTI/ KVAS Long-term fix Replace hardware What about applications?

27

28 And so it begins… BUSTED

29 And so it begins…

30 A return to the past…

31

32 Thank you and good luck!

Download ppt "Meltdown and Spectre: Complexity and the death of security"

Similar presentations

University of Amsterdam Computer Systems – the processor architecture Arnoud Visser 1 Computer Systems The processor architecture.

University of Amsterdam Computer Systems – the processor architecture Arnoud Visser 1 Computer Systems The processor architecture.
Computer Structure 2014 – Out-Of-Order Execution 1 Computer Structure Out-Of-Order Execution Lihu Rappoport and Adi Yoaz.

Computer Structure 2014 – Out-Of-Order Execution 1 Computer Structure Out-Of-Order Execution Lihu Rappoport and Adi Yoaz.
Computer Organization and Architecture

Computer Organization and Architecture
Randal E. Bryant Carnegie Mellon University CS:APP2e CS:APP Chapter 4 Computer Architecture SequentialImplementation CS:APP Chapter 4 Computer Architecture.

Randal E. Bryant Carnegie Mellon University CS:APP2e CS:APP Chapter 4 Computer Architecture SequentialImplementation CS:APP Chapter 4 Computer Architecture.
Computer Architecture 2011 – Out-Of-Order Execution 1 Computer Architecture Out-Of-Order Execution Lihu Rappoport and Adi Yoaz.

Computer Architecture 2011 – Out-Of-Order Execution 1 Computer Architecture Out-Of-Order Execution Lihu Rappoport and Adi Yoaz.
EECS 470 Pipeline Hazards Lecture 4 Coverage: Appendix A.

EECS 470 Pipeline Hazards Lecture 4 Coverage: Appendix A.
Lec 8: Pipelining Kavita Bala CS 3410, Fall 2008 Computer Science Cornell University.

Lec 8: Pipelining Kavita Bala CS 3410, Fall 2008 Computer Science Cornell University.
Chapter 12 CPU Structure and Function. Example Register Organizations.

Chapter 12 CPU Structure and Function. Example Register Organizations.
Randal E. Bryant CS:APP Chapter 4 Computer Architecture SequentialImplementation CS:APP Chapter 4 Computer Architecture SequentialImplementation Slides.

Randal E. Bryant CS:APP Chapter 4 Computer Architecture SequentialImplementation CS:APP Chapter 4 Computer Architecture SequentialImplementation Slides.
Datapath Design II Topics Control flow instructions Hardware for sequential machine (SEQ) Systems I.

Datapath Design II Topics Control flow instructions Hardware for sequential machine (SEQ) Systems I.
Pipelining III Topics Hazard mitigation through pipeline forwarding Hardware support for forwarding Forwarding to mitigate control (branch) hazards Systems.

Pipelining III Topics Hazard mitigation through pipeline forwarding Hardware support for forwarding Forwarding to mitigate control (branch) hazards Systems.
TDC 311 The Microarchitecture. Introduction As mentioned earlier in the class, one Java statement generates multiple machine code statements Then one.

TDC 311 The Microarchitecture. Introduction As mentioned earlier in the class, one Java statement generates multiple machine code statements Then one.
Randal E. Bryant Carnegie Mellon University CS:APP CS:APP Chapter 4 Computer Architecture SequentialImplementation CS:APP Chapter 4 Computer Architecture.

Randal E. Bryant Carnegie Mellon University CS:APP CS:APP Chapter 4 Computer Architecture SequentialImplementation CS:APP Chapter 4 Computer Architecture.
Datapath Design I Topics Sequential instruction execution cycle Instruction mapping to hardware Instruction decoding Systems I.

Datapath Design I Topics Sequential instruction execution cycle Instruction mapping to hardware Instruction decoding Systems I.
Review (1/2) °Caches are NOT mandatory: Processor performs arithmetic Memory stores data Caches simply make data transfers go faster °Each level of memory.

Review (1/2) °Caches are NOT mandatory: Processor performs arithmetic Memory stores data Caches simply make data transfers go faster °Each level of memory.
Sample Code (Simple) Run the following code on a pipelined datapath: add1 2 3 ; reg 3 = reg 1 + reg 2 nand 4 5 6 ; reg 6 = reg 4 & reg 5 lw2 4 20 ; reg.

Sample Code (Simple) Run the following code on a pipelined datapath: add1 2 3 ; reg 3 = reg 1 + reg 2 nand ; reg 6 = reg 4 & reg 5 lw ; reg.
Lecture Topics: 11/24 Sharing Pages Demand Paging (and alternative) Page Replacement –optimal algorithm –implementable algorithms.

Lecture Topics: 11/24 Sharing Pages Demand Paging (and alternative) Page Replacement –optimal algorithm –implementable algorithms.
1 Sequential CPU Implementation. 2 Outline Logic design Organizing Processing into Stages SEQ timing Suggested Reading 4.2,4.3.1 ~ 4.3.3.

1 Sequential CPU Implementation. 2 Outline Logic design Organizing Processing into Stages SEQ timing Suggested Reading 4.2,4.3.1 ~
Carnegie Mellon 1 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Virtual Memory: Concepts Slides adapted from Bryant.

Carnegie Mellon 1 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Virtual Memory: Concepts Slides adapted from Bryant.
1 SEQ CPU Implementation. 2 Outline SEQ Implementation Suggested Reading 4.3.1, 4.3.4.

1 SEQ CPU Implementation. 2 Outline SEQ Implementation Suggested Reading 4.3.1,

Similar presentations

Ads by Google