context
play

ConTExT A Generic Approach for Mitigating Spectre Michael Schwarz, - PowerPoint PPT Presentation

Jan 08, 2024 •263 likes •1.07k views

ConTExT A Generic Approach for Mitigating Spectre Michael Schwarz, Moritz Lipp, Claudio Canella, Robert Schilling, Florian Kargl, Daniel Gruss February 26, 2020 Graz University of Technology Transient Execution Attacks www.tugraz.at 1

  1. ConTExT A Generic Approach for Mitigating Spectre Michael Schwarz, Moritz Lipp, Claudio Canella, Robert Schilling, Florian Kargl, Daniel Gruss February 26, 2020 Graz University of Technology

  2. Transient Execution Attacks www.tugraz.at 1 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  3. Transient Execution Attacks www.tugraz.at 1 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  4. Transient Execution Attacks www.tugraz.at 1 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  5. Transient Execution Attacks www.tugraz.at 1 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  6. Transient Execution Attacks www.tugraz.at 1 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  7. Transient Execution Attacks www.tugraz.at 1 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  8. Transient Execution Attacks www.tugraz.at Transient cause 2 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  9. Transient Execution Attacks www.tugraz.at Meltdown-NM-REG Meltdown-AC-LFB Meltdown-AC Meltdown-AC-LP Meltdown-US-L1 Meltdown-US Meltdown-US-LFB Meltdown-US-SB Meltdown-DE Meltdown-P-L1 Meltdown-P-LFB Meltdown-P Transient cause Meltdown-PF Meltdown-P-SB Meltdown-P-LP Meltdown-RW Meltdown-UD Meltdown-PK-L1 Meltdown-PK Meltdown-PK-SB Meltdown-type Meltdown-SS Meltdown-SM-SB Meltdown-MPX Meltdown-BR Meltdown-BND Meltdown-CPL-REG Meltdown-GP Meltdown-NC-SB Meltdown-AVX-SB Meltdown-AVX Meltdown-AVX-LP Meltdown-AD-LFB Meltdown-AD Meltdown-AD-SB Meltdown-TAA-LFB Meltdown-MCA Meltdown-TAA Meltdown-TAA-LP Meltdown-PRM-LFB Meltdown-TAA-SB Meltdown-UC-LFB 2 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  10. Transient Execution Attacks www.tugraz.at Meltdown-NM-REG Meltdown-AC-LFB Meltdown-AC Meltdown-AC-LP Meltdown-US-L1 Meltdown-US Meltdown-US-LFB PHT-CA-IP Cross-address-space Meltdown-US-SB Meltdown-DE PHT-CA-OP Spectre-PHT Meltdown-P-L1 PHT-SA-IP Same-address-space Meltdown-P-LFB PHT-SA-OP Meltdown-P Transient cause Meltdown-PF Meltdown-P-SB Meltdown-P-LP BTB-CA-IP Meltdown-RW Cross-address-space Meltdown-UD BTB-CA-OP Meltdown-PK-L1 Spectre-BTB Meltdown-PK Meltdown-PK-SB Spectre-type Meltdown-type Meltdown-SS Meltdown-SM-SB BTB-SA-IP Same-address-space BTB-SA-OP Meltdown-MPX Meltdown-BR Meltdown-BND RSB-CA-IP Cross-address-space RSB-CA-OP Spectre-RSB Meltdown-CPL-REG Spectre-STL Meltdown-GP Meltdown-NC-SB RSB-SA-IP Same-address-space Meltdown-AVX-SB Meltdown-AVX RSB-SA-OP Meltdown-AVX-LP Meltdown-AD-LFB Meltdown-AD Meltdown-AD-SB Meltdown-TAA-LFB Meltdown-MCA Meltdown-TAA Meltdown-TAA-LP Meltdown-PRM-LFB Meltdown-TAA-SB Meltdown-UC-LFB 2 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  11. Transient Execution Attacks www.tugraz.at Meltdown-NM-REG Meltdown-AC-LFB Meltdown-AC Meltdown-AC-LP Meltdown-US-L1 Meltdown-US Meltdown-US-LFB PHT-CA-IP Cross-address-space Meltdown-US-SB Meltdown-DE PHT-CA-OP Spectre-PHT Meltdown-P-L1 PHT-SA-IP Same-address-space Meltdown-P-LFB PHT-SA-OP Meltdown-P Transient cause Meltdown-PF Meltdown-P-SB Meltdown-P-LP BTB-CA-IP Meltdown-RW Cross-address-space Meltdown-UD BTB-CA-OP Meltdown-PK-L1 Spectre-BTB Meltdown-PK Meltdown-PK-SB Spectre-type Meltdown-type Meltdown-SS Meltdown-SM-SB BTB-SA-IP Same-address-space BTB-SA-OP Meltdown-MPX Meltdown-BR Meltdown-BND RSB-CA-IP Cross-address-space RSB-CA-OP Spectre-RSB Meltdown-CPL-REG Spectre-STL Meltdown-GP Meltdown-NC-SB RSB-SA-IP Same-address-space Meltdown-AVX-SB Meltdown-AVX RSB-SA-OP Meltdown-AVX-LP Meltdown-AD-LFB Meltdown-AD Meltdown-AD-SB Meltdown-TAA-LFB Meltdown-MCA Meltdown-TAA Meltdown-TAA-LP Meltdown-PRM-LFB Meltdown-TAA-SB Meltdown-UC-LFB 2 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  12. Spectre Attacks www.tugraz.at PHT-CA-IP Cross-address-space PHT-CA-OP Spectre-PHT PHT-SA-IP Same-address-space PHT-SA-OP BTB-CA-IP Cross-address-space BTB-CA-OP Spectre-BTB Spectre-type BTB-SA-IP Same-address-space BTB-SA-OP RSB-CA-IP Cross-address-space RSB-CA-OP Spectre-RSB Spectre-STL RSB-SA-IP Same-address-space RSB-SA-OP 3 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  13. Spectre Root Cause www.tugraz.at operation #n time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  14. Spectre Root Cause www.tugraz.at operation #n prediction time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  15. Spectre Root Cause www.tugraz.at operation #n prediction CF/DF predict operation #n+2 time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  16. Spectre Root Cause www.tugraz.at operation #n prediction CF/DF predict operation #n+2 possibly transient execution architectural time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  17. Spectre Root Cause www.tugraz.at retire operation #n prediction CF/DF predict operation #n+2 possibly transient execution architectural time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  18. Spectre Root Cause www.tugraz.at retire operation #n flush pipeline on wrong prediction retire prediction CF/DF predict operation #n+2 possibly transient execution architectural time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  19. Spectre Root Cause www.tugraz.at retire operation #n flush pipeline on wrong prediction retire prediction CF/DF predict retire operation #n+2 possibly transient execution architectural time 4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  20. Spectre www.tugraz.at 5 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  21. Spectre Gadget www.tugraz.at if(x < array_len) { y = oracle[array[x] * 4096]; } 6 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  22. Spectre Gadget Illustrated www.tugraz.at x = 4 if (x < 4) then else Speculate Memory Oracle A B D array[0] C D E A array[1] {} oracle[array[x]] F G H T array[2] K J K I K A array[3] K L M N O P Q E Y R S T K U V W · · · X Y Z 7 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  23. Unprotected Execution www.tugraz.at Unprotected cmp rdi, .array len jbe .else mov (rax + rdi),al shl 12,rax and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 8 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  24. Unprotected Execution www.tugraz.at Unprotected cmp rdi, .array len Bounds check jbe .else mov (rax + rdi),al shl 12,rax and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 8 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  25. Unprotected Execution www.tugraz.at Unprotected cmp rdi, .array len Bounds check jbe .else Access out-of-bounds array[x] mov (rax + rdi),al shl 12,rax and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 8 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  26. Unprotected Execution www.tugraz.at Unprotected cmp rdi, .array len Bounds check jbe .else Access out-of-bounds array[x] mov (rax + rdi),al shl 12,rax Secret in rax and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 8 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  27. Unprotected Execution www.tugraz.at Unprotected cmp rdi, .array len Bounds check jbe .else Access out-of-bounds array[x] mov (rax + rdi),al shl 12,rax Secret in rax and 0xff000,eax Access secret-dependent memory location mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 8 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  28. Fixed Spectre Gadget www.tugraz.at if(x < array_len) { asm volatile("lfence"); y = oracle[array[x] * 4096]; } 9 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  29. Memory Barriers www.tugraz.at Serializing Barrier cmp rdi, .array len jbe .else lfence mov (rax + rdi),al stall shl 12,rax not executed 1 and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 10 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  30. Memory Barriers www.tugraz.at Serializing Barrier cmp rdi, .array len Bounds check jbe .else Stop speculation lfence mov (rax + rdi),al stall shl 12,rax not executed 1 and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 10 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  31. Memory Barriers www.tugraz.at Serializing Barrier cmp rdi, .array len Bounds check jbe .else Stop speculation lfence Cannot access out-of-bounds array[x] mov (rax + rdi),al stall shl 12,rax not executed 1 and 0xff000,eax mov (rdx + rax),al mov 0,rax retq mov rax,(rsp + 8) 10 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  32. Performance Impact www.tugraz.at • 62 % – 74.8 % overhead 11 Michael Schwarz (@misc0110) et al. — Graz University of Technology

  33. Performance Impact www.tugraz.at • 62 % – 74.8 % overhead • Additional overhead for other Spectre variants 5 % – 50 % 11 Michael Schwarz (@misc0110) et al. — Graz University of Technology

Recommend

Context Context Context Context Full control of EIP no longer yields immediate arbitrary

Context Context Context Context Full control of EIP no longer yields immediate arbitrary

Context Context Context Context Full control of EIP no longer yields immediate arbitrary code execution y Primarily due to increasing availability and utilization of exploit mitigations such as DEP and ASLR Attackers must identify

1.05k views • 91 slides
Gr o w ing S chools 1 context context E x t e n s i v e 174,045 mo r e p eo p le w ill need

Gr o w ing S chools 1 context context E x t e n s i v e 174,045 mo r e p eo p le w ill need

Growing Population Gr o w ing S chools 1 context context E x t e n s i v e 174,045 mo r e p eo p le w ill need 72,530 ne w housing units b y 2030 demographic shifts Visibly C ommunity S uggestions transforming M i s s i o n B a y , C a n d l

469 views • 27 slides
Context Sensitivity Example of a CSG Informatics 2A: Lecture 26 2 Context in Programming

Context Sensitivity Example of a CSG Informatics 2A: Lecture 26 2 Context in Programming

Context Sensitive Grammars Context Sensitive Grammars Context in Programming Languages Context in Programming Languages Context in Natural Languages Context in Natural Languages 1 Context Sensitive Grammars Chomsky Hierarchy Context

160 views • 5 slides
Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

June 17, 2014 Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach to transportation facility design and engineering that involves all stakeholders in the process of developing a solution that is

193 views • 3 slides
Principles for Catholic Scripture Study Context, Context, Context Four Senses of Scripture

Principles for Catholic Scripture Study Context, Context, Context Four Senses of Scripture

Principles for Catholic Scripture Study Context, Context, Context Four Senses of Scripture (CCC 115-119) Literal What the author intended to say Allegorical Points to Christ Moral Points to living Christian life

960 views • 26 slides
Hillside Dr. Context Hillside Dr. Site Issues Hillside Dr. Context Broadview Ave

Hillside Dr. Context Hillside Dr. Site Issues Hillside Dr. Context Broadview Ave

Hillside Dr. Context Hillside Dr. Site Issues Hillside Dr. Context Broadview Ave Hillside Dr. Context Broadview Ave Charles Sauriol Parkette / pastoral green space Hillside Dr. Context Gamble Ave. Hillside Dr.

788 views • 20 slides
Ol Old Timeline and context: Timeline and context: 1:9,22 A new Pharoah came to power

Ol Old Timeline and context: Timeline and context: 1:9,22 A new Pharoah came to power

God Speaks in Solitude: Moses (part 7) Exodus 1-4 Ol Old Timeline and context: Timeline and context: 1:9,22 A new Pharoah came to power and decided to control population by murdering Hebrew baby boys at birth. Timeline and

352 views • 34 slides
Part 15: Context Dependent Recommendations Francesco Ricci Free University of Bozen-Bolzano

Part 15: Context Dependent Recommendations Francesco Ricci Free University of Bozen-Bolzano

Part 15: Context Dependent Recommendations Francesco Ricci Free University of Bozen-Bolzano Italy fricci@unibz.it Content p What is context? p Types of context p Context impact on recommendations and ratings p Context modelling

938 views • 74 slides
ECA-DL e Transformaes Patrcia Dockhorn Costa pdcosta@inf.ufes.br Context-Awareness

ECA-DL e Transformaes Patrcia Dockhorn Costa pdcosta@inf.ufes.br Context-Awareness

ECA-DL e Transformaes Patrcia Dockhorn Costa pdcosta@inf.ufes.br Context-Awareness Context-Awareness Context the set of possibly interrelated conditions in which an entity exists. Context-Aware Application Context Application

1.17k views • 92 slides
Select Bus Service New York City Context 2 New York City Context 3 Transit Context 8.5

Select Bus Service New York City Context 2 New York City Context 3 Transit Context 8.5

Select Bus Service New York City Context 2 New York City Context 3 Transit Context 8.5 million 1,750 million NYC Population Annual subway ridership 665 million Annual bus ridership 1994 1996 1998 2000 2002 2004 2006 2008 2010

441 views • 25 slides
Java Technologies Servlets The Context We are in the context of developing a distributed

Java Technologies Servlets The Context We are in the context of developing a distributed

Java Technologies Servlets The Context We are in the context of developing a distributed application - a software system in which components communicate over the network and coordinate their actions in order to achieve a common goal.

1.01k views • 33 slides
San Jos: History and Context San Jos: History and Context Historically Multimodal Growing Up

San Jos: History and Context San Jos: History and Context Historically Multimodal Growing Up

San Jos: History and Context San Jos: History and Context Historically Multimodal Growing Up Embracing Public Life What is a Better Bikeway? Protected Calm All Ages and Abilities Why Better Bikeways? Policy Background Support

494 views • 33 slides
Policy 101 Vision &amp; Context Project Development Funding Vision &amp; Context CS is

Policy 101 Vision &amp; Context Project Development Funding Vision &amp; Context CS is

Policy 101 Vision &amp; Context Project Development Funding Vision &amp; Context CS is fundamentally about a commitment to equity Needs of vulnerable road user Context is important Project Development Achieving network of

751 views • 64 slides
WORKING TOGETHER FOR MEDELLIN 1 Some context first SOME CONTEXT | Strong institutions TOUCHING

WORKING TOGETHER FOR MEDELLIN 1 Some context first SOME CONTEXT | Strong institutions TOUCHING

WORKING TOGETHER FOR MEDELLIN 1 Some context first SOME CONTEXT | Strong institutions TOUCHING BOTTOM UNITED ALL OF US ON THE SAME PURPOSE @ R u t a _ N CITIZENS MEDELLNS SCIENCE, TECHNOLOGY AND INNOVATION PLAN M E D E L L N 2 0 1 1

400 views • 12 slides
Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of

Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of

Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of developing large , distributed applications. What components should contain the code that fulfills the purpose of the application: where should we write

779 views • 43 slides
Helping hands Final presentation Attila van Dijk 4045157 contents -Context -Research and

Helping hands Final presentation Attila van Dijk 4045157 contents -Context -Research and

Helping hands Final presentation Attila van Dijk 4045157 contents -Context -Research and Design -Product -Evaluation Context context Cooking with children Adequate tasks Confmict Context To provide an autonomous and playful activity

886 views • 36 slides
Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P

Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P

Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P Presented by Mary Salinas t d b M S li What problem are they trying to solve? l ? Context-aware applications are great for Context aware

164 views • 13 slides
The Millvale EcoDistrict 9.28.2018 Some Context Some Context The Inflection Point Millval e

The Millvale EcoDistrict 9.28.2018 Some Context Some Context The Inflection Point Millval e

The Millvale EcoDistrict 9.28.2018 Some Context Some Context The Inflection Point Millval e Wh What at ar are e Ec EcoD oDist istrict ricts? A rigorous sustainable urban an devel elopm opment ent framework work for achieving

773 views • 53 slides
University of Botswana An academic centre of excellence African Context 2 Regional Context 3

University of Botswana An academic centre of excellence African Context 2 Regional Context 3

University of Botswana An academic centre of excellence African Context 2 Regional Context 3 Gaborone Context Sir Seretse Khama International Airport UB 4 UB Aerial Photograph 5 Origins of UB 6 Vision &amp; Mission Vision Mission

1.84k views • 55 slides
The Great White Fleet Karl Jessen Outline Historical context Personal context Research thus

The Great White Fleet Karl Jessen Outline Historical context Personal context Research thus

Researching the Literature The Great White Fleet Karl Jessen Outline Historical context Personal context Research thus far - Initial process - Promising sources - Next steps - Potential problems Historical Context Why this topic?

267 views • 6 slides
Mapping Context-Dependent Requirements to Event-Based Context-Oriented Programs for Modularity

Mapping Context-Dependent Requirements to Event-Based Context-Oriented Programs for Modularity

Mapping Context-Dependent Requirements to Event-Based Context-Oriented Programs for Modularity Tetsuo Kamina (UTokyo) Tomoyuki Aotani (Tokyo Tech) Hidehiko Masuhara (Tokyo Tech) Purpose Methodology for context-aware systems from

639 views • 37 slides
Chapter 15 Embed: Focus + Context Vis/Visual Analytics, Chap 15 Focus+Context 1 CGGM Lab., CS

Chapter 15 Embed: Focus + Context Vis/Visual Analytics, Chap 15 Focus+Context 1 CGGM Lab., CS

Chapter 15 Embed: Focus + Context Vis/Visual Analytics, Chap 15 Focus+Context 1 CGGM Lab., CS Dept., NCTU Jung Hong Chuang The Big Picture Focus+context idiom To embed detailed information about a select set the focus within a

323 views • 16 slides
Context-Free Languages 6-0 Context-Free Grammars . . . were invented in the

Context-Free Languages 6-0 Context-Free Grammars . . . were invented in the

Griffith University 3130CIT Theory of Computation (Based on slides by Harald Sndergaard of The University of Melbourne) Context-Free Languages 6-0 Context-Free Grammars . . . were invented in the fifties, when

346 views • 20 slides
Context-switch &amp; Threads Goal of Todays Class Understand the concepts of context,

Context-switch &amp; Threads Goal of Todays Class Understand the concepts of context,

Context-switch &amp; Threads Goal of Todays Class Understand the concepts of context, context-switch and threads Understand the related functions in assignment P1 thread_init, thread_create, thread_yield, thread_exit ctx_entry,

3.57k views • 47 slides

More recommend