Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mengjia Yan† , Jiho Choi† , Dimitrios Skarlatos,

Published byElinor Walker Modified over 6 years ago

Similar presentations

Presentation on theme: "Mengjia Yan† , Jiho Choi† , Dimitrios Skarlatos,"— Presentation transcript:

1 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy
Mengjia Yan† , Jiho Choi† , Dimitrios Skarlatos, Adam Morrison∗, Christopher W. Fletcher, and Josep Torrellas University of Illinois at Urbana-Champaign ∗Tel Aviv University †Authors contributed equally to this work.

2 Motivation: Speculative Execution Attacks
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Motivation: Speculative Execution Attacks Hardware speculative execution offers a big attack surface for covert and side channels Speculative execution attacks exploit the side effects of instructions on incorrect speculative paths (squashed) It is crucial to fix this vulnerability efficiently Compilers and programmers can not reason about it.

3 Outline Background A comprehensive threat model
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Outline Background A comprehensive threat model Invisible Speculation (InvisiSpec): the first holistic defense mechanism Evaluation results and current work

4 Speculative Execution Attacks
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Speculative Execution Attacks An example of Spectre Variant 1 (array bound checking attack). Victim code Attack to read arbitrary memory: 1: if (x < array1_size) { 2: val = array1[x] 3: ld array2[val] 4: } Train branch predictor Trigger branch misprediction Side channel Leaves side effects in cache Speculative execution attacks exploit side effects of instructions on paths that will be squashed

5 Generalization of Speculative Execution Attacks
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Generalization of Speculative Execution Attacks Transient instructions: speculatively-executed instructions that are destined to be squashed. Speculative execution attack exploits side effects of transient instructions. 1: if (x < array1_size) { 2: val = array1[x] 3: ld array2[val] 4: } Attack Sources of Transient Instructions Spectre Control-flow misprediction Meltdown Virtual memory exception L1 Terminal Fault Speculative Store Bypass Address alias between a load and an earlier store Transient Instruction

6 Futuristic Speculative Attack Model
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Futuristic Speculative Attack Model Futuristic speculative attack model An attacker can exploit any speculative load (load not at the head of ROB). It includes all existing attacks and future speculative execution attacks Attack Model Sources of Transient Instructions Futuristic Various events, such as: • Exceptions • Control-flow mispredictions • Address alias between a load and an earlier store • Address alias between two loads • Memory consistency model violations • Interrupts Spectre Control-flow misprediction

7 Lifetime of a load instruction
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Lifetime of a load instruction Load is issued to memory Load reaches head of ROB All prior branches are resolved Load is speculative Spectre attack model unsafe safe safe Futuristic attack model unsafe Visibility Point The load becomes unsquashable Naïve solution Delay issuing the load until its visibility point

8 MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy InvisiSpec The first holistic defense mechanism against speculative execution attacks Key idea: Make unsafe loads invisible in the cache hierarchy Load is issued to memory Visibility Point Load reaches head of ROB Issue an invisible load request Obtain the value and proceed to use it Make the load visible in cache Speculative loads are issued as early as in a conventional machine

9 Making Unsafe Loads Invisible
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Making Unsafe Loads Invisible Invisible load request No modification to cache states, including Cache occupancy Replacement information Coherence information TLB state Bring the data, store in Speculative Buffer (SB) and in register core core L1 cache SB L1 cache SB LLC Invisible load request Returned data

10 Making Safe Loads Visible
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Making Safe Loads Visible Visibility Point Issue an invisible load request Obtain the value and proceed to use it Make the load visible in cache Load is issued to memory Load reaches head of ROB Risk of memory consistency violations Window of invisibility Make the load visible: HW issues a normal request (which changes the caches) While in the window of invisibility, processor does not receive invalidations

11 An Example of Memory Consistency Violation
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy An Example of Memory Consistency Violation P1 Ld lock Ld counter An example under TSO P1 will see the lock is free, but has read old counter. P1 caches Ld lock counter time P1 will not receive an invalidation! Wr counter release lock

12 Maintaining Memory Consistency
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Maintaining Memory Consistency Need to issue another access at Visibility Point: Validation HW issues a request (which changes caches) Data goes into cache. Compare the incoming data and the one in the SB If mismatch, squash the load as it violates memory consistency model Problem: validations may cause a processor stall squash and retry Visibility point Ld lock Visibility point Ld counter P1 caches Ld lock counter Wr release time

13 Maintaining Memory Consistency (II)
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Maintaining Memory Consistency (II) For loads with no risk of memory consistency violation: Exposure HW issues a request at the Visibility Point Load does not need to wait for response to retire Data goes into cache. No need to compare data High performance: does not cause a stall See the paper for the many cases where a load can use exposures Visibility point Ld X Ld X P1 time caches Wr X

14 Pros & Cons of InvisiSpec
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Pros & Cons of InvisiSpec Security Successfully prevent attacks in both Spectre and Futuristic attack models High performance Speculative loads are issued as early as in a conventional machine Applicability Handle multi-threaded issues No software changes Performance overhead Double accesses May stall due to validations BUT: - Many can be converted to exposures - Most hit in L1, and return very quickly

15 Average Execution Time for SPEC and PARSEC (Normalized)
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Average Execution Time for SPEC and PARSEC (Normalized) Delay load until visibility point Conventional insecure baseline InvisiSpec Delay load until visibility point InvisiSpec Spectre attack model Futuristic attack model

16 MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Current Work Reduce performance overhead: selectively enable InvisiSpec

17 More in the paper Security analysis
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy More in the paper Security analysis Details of when to use validations and exposures, and overlapping of them Details of implementation Detailed performance and area overhead evaluation results

18 Conclusion https://github.com/mjyan0720/InvisiSpec-1.0
MICRO’18 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Conclusion InvisiSpec is the first comprehensive defense mechanism against speculative execution attacks in the cache hierarchy We published the code of our architecture simulator:

Download ppt "Mengjia Yan† , Jiho Choi† , Dimitrios Skarlatos,"

Similar presentations

Runahead Execution: An Alternative to Very Large Instruction Windows for Out-of-order Processors Onur Mutlu, The University of Texas at Austin Jared Start,

Runahead Execution: An Alternative to Very Large Instruction Windows for Out-of-order Processors Onur Mutlu, The University of Texas at Austin Jared Start,
Hardware-Based Speculation. Exploiting More ILP Branch prediction reduces stalls but may not be sufficient to generate the desired amount of ILP One way.

Hardware-Based Speculation. Exploiting More ILP Branch prediction reduces stalls but may not be sufficient to generate the desired amount of ILP One way.
EECS 470 Lecture 8 RS/ROB examples True Physical Registers? Project.

EECS 470 Lecture 8 RS/ROB examples True Physical Registers? Project.
1 Lecture 20: Speculation Papers: Is SC+ILP=RC?, Purdue, ISCA’99 Coherence Decoupling: Making Use of Incoherence, Wisconsin, ASPLOS’04 Selective, Accurate,

1 Lecture 20: Speculation Papers: Is SC+ILP=RC?, Purdue, ISCA’99 Coherence Decoupling: Making Use of Incoherence, Wisconsin, ASPLOS’04 Selective, Accurate,
Sim-alpha: A Validated, Execution-Driven Alpha 21264 Simulator Rajagopalan Desikan, Doug Burger, Stephen Keckler, Todd Austin.

Sim-alpha: A Validated, Execution-Driven Alpha Simulator Rajagopalan Desikan, Doug Burger, Stephen Keckler, Todd Austin.
A Scalable Approach to Thread-Level Speculation J. Gregory Steffan, Christopher B. Colohan, Antonia Zhai, and Todd C. Mowry Carnegie Mellon University.

A Scalable Approach to Thread-Level Speculation J. Gregory Steffan, Christopher B. Colohan, Antonia Zhai, and Todd C. Mowry Carnegie Mellon University.
Efficient and Flexible Architectural Support for Dynamic Monitoring YUANYUAN ZHOU, PIN ZHOU, FENG QIN, WEI LIU, & JOSEP TORRELLAS UIUC.

Efficient and Flexible Architectural Support for Dynamic Monitoring YUANYUAN ZHOU, PIN ZHOU, FENG QIN, WEI LIU, & JOSEP TORRELLAS UIUC.
Lecture 13: Consistency Models

Lecture 13: Consistency Models
PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University.

PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University.
1 Lecture 15: Consistency Models Topics: sequential consistency, requirements to implement sequential consistency, relaxed consistency models.

1 Lecture 15: Consistency Models Topics: sequential consistency, requirements to implement sequential consistency, relaxed consistency models.
1/36 by Martin Labrecque How to Fake 1000 Registers Oehmke, Binkert, Mudge, Reinhart to appear in Micro 2005.

1/36 by Martin Labrecque How to Fake 1000 Registers Oehmke, Binkert, Mudge, Reinhart to appear in Micro 2005.
ReSlice: Selective Re-execution of Long-retired Misspeculated Instructions Using Forward Slicing Smruti R. Sarangi, Wei Liu, Josep Torrellas, Yuanyuan.

ReSlice: Selective Re-execution of Long-retired Misspeculated Instructions Using Forward Slicing Smruti R. Sarangi, Wei Liu, Josep Torrellas, Yuanyuan.
Implementing Precise Interrupts in Pipelined Processors James E. Smith Andrew R.Pleszkun Presented By: Ravikumar Source:

Implementing Precise Interrupts in Pipelined Processors James E. Smith Andrew R.Pleszkun Presented By: Ravikumar Source:
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.
1/25 June 28 th, 2006 BranchTap: Improving Performance With Very Few Checkpoints Through Adaptive Speculation Control BranchTap Improving Performance With.

1/25 June 28 th, 2006 BranchTap: Improving Performance With Very Few Checkpoints Through Adaptive Speculation Control BranchTap Improving Performance With.
Implementing Precise Interrupts in Pipelined Processors James E. Smith Andrew R.Pleszkun Presented By: Shrikant G.

Implementing Precise Interrupts in Pipelined Processors James E. Smith Andrew R.Pleszkun Presented By: Shrikant G.
컴퓨터교육과 이상욱 Published in: COMPUTER ARCHITECTURE LETTERS (VOL. 10, NO. 1) Issue Date: JANUARY-JUNE 2011 Publisher: IEEE Authors: Omer Khan (Massachusetts.

컴퓨터교육과 이상욱 Published in: COMPUTER ARCHITECTURE LETTERS (VOL. 10, NO. 1) Issue Date: JANUARY-JUNE 2011 Publisher: IEEE Authors: Omer Khan (Massachusetts.
1 Lecture 20: Speculation Papers: Is SC+ILP=RC?, Purdue, ISCA’99 Coherence Decoupling: Making Use of Incoherence, Wisconsin, ASPLOS’04.

1 Lecture 20: Speculation Papers: Is SC+ILP=RC?, Purdue, ISCA’99 Coherence Decoupling: Making Use of Incoherence, Wisconsin, ASPLOS’04.
CS717 1 Hardware Fault Tolerance Through Simultaneous Multithreading (part 2) Jonathan Winter.

CS717 1 Hardware Fault Tolerance Through Simultaneous Multithreading (part 2) Jonathan Winter.
Running Commodity Operating Systems on Scalable Multiprocessors Edouard Bugnion, Scott Devine and Mendel Rosenblum Presentation by Mark Smith.

Running Commodity Operating Systems on Scalable Multiprocessors Edouard Bugnion, Scott Devine and Mendel Rosenblum Presentation by Mark Smith.

Similar presentations

Ads by Google