invisispec making speculative execution invisible in the
play

InvisiSpec: Making Speculative Execution Invisible in the Cache - PowerPoint PPT Presentation

Sep 01, 2023 •333 likes •559 views

InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Mengjia Yan, Jiho Choi, Dimitrios Skarlatos, Adam Morrison, Christopher W. Fletcher, and Josep Torrellas University of Illinois at Urbana-Champaign Tel Aviv

  1. InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Mengjia Yan, Jiho Choi, Dimitrios Skarlatos, Adam Morrison∗, Christopher W. Fletcher, and Josep Torrellas University of Illinois at Urbana-Champaign ∗Tel Aviv University The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  2. 2 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Speculative Execution Attacks o Exploit the side effects of instructions on incorrectly-speculated paths (instructions to be squashed) o Exploit a key feature of current ooo processors: speculative execution o Any meaningful defense needs hardware support o Defenses will be easier to implement in • Simple cores • Cores with “little legacy” The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  3. 3 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Existing Speculative Execution Attacks o Exploit the side-effects of transient instructions (speculatively-executed instructions that are doomed to be squashed) Sources of Transient Existing Attack 1: if (x < array1_size) { Instructions Spectre Control-flow misprediction 2: val = array1[x] Meltdown 3: ld array2[val] Virtual memory exception L1 Terminal Fault 4: } Speculative Store Address alias between a load and Bypass an earlier store Transient Instructions The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  4. 4 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Proposal: Comprehensive Speculative Attack Model o Any speculative load (i.e., load not at the head of ROB) is vulnerable Attack Model Sources of Transient Instructions Various events, such as: • Exceptions • Control-flow mispredictions Comprehensive • Address alias between a load and an earlier store • Address alias between two loads • Memory consistency model violations • Interrupts Spectre Control-flow misprediction o New speculative execution attacks may be found in the future The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  5. 5 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Lifetime of a load instruction Load is issued Load reaches All prior branches to memory head of ROB are resolved • Exceptions • Control-flow Load is speculative mispredictions unsafe • Address alias safe Spectre attack model load and store • Address alias unsafe safe Comprehensive load and load attack model • Memory consistency model Visibility Point violations The load becomes • Interrupts unsquashable The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  6. How do we Defend against Speculative Attacks? The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  7. 7 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Trivial Approach o Delay issuing the load until its Visibility Point Load could be issued to Load reaches Visibility memory head of ROB Point Delay Issue the load Speculative loads are issued later than in a conventional processor To defend against the comprehensive attack model à the processor becomes an in-order processor The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  8. 8 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Better Approach o The load probes the local L1/L2 o If hit, get the data and use it, but do not change the state (i.e., cache replacement bits) o Otherwise, delay until the Visibility Point Load could be issued to Load reaches Visibility memory head of ROB Point Change Probe L1/L2 and hit replacement bits Load reaches Visibility head of ROB Point Probe L1/L2 and miss: Delay Issue the load The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  9. 9 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Advanced Approach The load probes the local L1/L2 o If hit, get the data and use it, but do not change the state o Otherwise o o Use Value Prediction to return a value to the pipeline o At the Visibility Point: Issue the load and compare the return value to the predicted one o Squash if they are different Load could be issued to Load reaches Visibility memory head of ROB Point Probe L1/L2. If miss, predict value Issue the load Compare The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  10. 10 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy More Advanced Approach o Speculative Taint Tracking: Smart delay-based Load could be issued to Load reaches Visibility memory head of ROB Point Untainted: Issue without delay Load reaches Visibility head of ROB Point Tainted: Delay until untainted Issue the load The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  11. Super Advanced Approach: InvisiSpec: Issue the Load Invisibly The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  12. 12 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy InvisiSpec o Issue the load immediately, invisibly (i.e., no change to the cache hierarchy) o At the Visibility Point: HW re-issues the load and changes state of caches Load reaches Load is issued Visibility head of ROB to memory Point Issue an invisible Use the Make the load load request value visible in cache Speculative loads are issued as early as in a conventional machine and can pass data to dependent instructions immediately Add an “invisible transaction” that does not change the states of the caches The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  13. InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy 13 Making Unsafe Loads Invisible o Invisible load request • No modification to cache states, including core core • Cache occupancy • Replacement information • Coherence information L1 cache L1 cache SB SB • TLB state • Bring the data to Speculative Buffer (SB) (in addition to the register) LLC Invisible Returned data load request The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  14. 14 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Risk of Making Loads Visible at Visibility Point memory consistency violations Load reaches Load is issued Visibility head of ROB to memory Point Issue an invisible Use the Make the load load request value visible in cache Window of Invisibility o Make the load visible: HW issues a normal request (which changes the caches) o While in the Window of Invisibility, processor does not receive invalidations The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  15. 15 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy An Example of Memory Consistency Violation P1 P1 sees the lock is Ld lock free, but has read Ld counter old counter. Ld Ld counter lock P1 does not P1 receive an invalidation! time caches Wr release counter lock The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

  16. 16 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy How to Make Load Visible while Maintaining Consistency? At Visibility Point: HW issues the request that changes state of caches (“Validation”) Data goes into L1. Compare the incoming data and the one in the SB squash and If mismatch, squash the load as it violates memory consistency model retry Problem: validations may cause stall at ROB head o Visibility Visibility Ld Ld point point counter lock Ld counter Ld lock P1 time caches Wr release The Blavatnik School of Computer Science The Raymond and Beverly Sackler counter lock Faculty of Exact Sciences Tel Aviv University

  17. 17 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy How to Reduce the Cost of Validations? o For loads with no risk of consistency violation: Issue an Exposure, not a Validation • HW issues the request at the Visibility Point There are many cases where a load • Load does not need to wait for response to retire can use Exposures • Data goes into cache. No need to compare data o High performance: does not cause a stall Visibility point Ld X Ld X P1 time caches Wr X The Blavatnik School of Computer Science The Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv University

Recommend

Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism

Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism

Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism MA MARK C. JEFFR FFREY , VICTOR A. YING, SUVINAY SUBRAMANIAN, HYUN RYONG LEE, JOEL EMER, DANIEL SANCHEZ MI MICRO 2018 There is a (false)

1.48k views • 130 slides
SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities Yuan Xiao, Yinqian Zhang, Radu Teodorescu The Ohio State University SPEculative Execution side Channel Hardware (SPEECH) Vulnerabilities Leverage

512 views • 24 slides
and Effi ficient Speculative Execution JIYONG YU, NAMRATA MANTRI, JOSEP TORRELLAS, ADAM

and Effi ficient Speculative Execution JIYONG YU, NAMRATA MANTRI, JOSEP TORRELLAS, ADAM

ISCA20 Section 5B Speculative Data-Oblivious Execution: Mobilizing Safe Prediction For Safe and Effi ficient Speculative Execution JIYONG YU, NAMRATA MANTRI, JOSEP TORRELLAS, ADAM MORRISON*, CHRISTOPHER W. FLETCHER UNIVERSITY OF ILLINOIS AT

833 views • 57 slides
Speculative Plan Execution for Information Agents Greg Barish University of Southern California

Speculative Plan Execution for Information Agents Greg Barish University of Southern California

Speculative Plan Execution for Information Agents Greg Barish University of Southern California Information Sciences Institute Advisor : Professor Craig A. Knoblock 1 Outline 1. Review and motivating example 2. Speculative plan execution 3.

1.15k views • 69 slides
FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU

FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU

FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU SUBRAMANIAN , MARK C. JEFFREY, MALEEN ABEYDEERA, HYUN RYONG LEE, VICTOR A. YING, JOEL EMER, DANIEL SANCHEZ IS ISCA 2017 Current speculative systems

984 views • 47 slides
Data-Centric Execution of Speculative Parallel Programs MA MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MA MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MA MARK JEFFREY, SUVINAY SUBRAMANIAN, MALEEN ABEYDEERA, JOEL EMER, DANIEL SANCHEZ MI MICRO 2016 Executive summary Many-cores must exploit cache locality to scale Current speculative

635 views • 49 slides
Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN, MALEEN ABEYDEERA, JOEL EMER, DANIEL SANCHEZ MICRO 2016 Executive summary Many-cores must exploit cache locality to scale Current speculative systems,

495 views • 27 slides
Speculative Execution Outcome unknown Block 1 Predict future execution path Begin executing

Speculative Execution Outcome unknown Block 1 Predict future execution path Begin executing

Speculative Execution Outcome unknown Block 1 Predict future execution path Begin executing instructions from predicted path ? Speculatively Executed A B Block Also Block 2 Speculatively Executed 1 Speculative Execution Block 1

428 views • 29 slides
Optimizing Distributed Transactions: Speculative Client Execution, Certified Serializability, and

Optimizing Distributed Transactions: Speculative Client Execution, Certified Serializability, and

Optimizing Distributed Transactions: Speculative Client Execution, Certified Serializability, and High Performance Run-Time Thesis DefenseMaster of Science Utkarsh Pandey Advisor: Binoy Ravindran Systems Software Research Group Virginia

504 views • 36 slides
Shaping Signals Preparing for the Future through Speculative Design Phil Balagtas Design

Shaping Signals Preparing for the Future through Speculative Design Phil Balagtas Design

Shaping Signals Preparing for the Future through Speculative Design Phil Balagtas Design Director, GE Aviation Digital Solutions Founder, Speculative Futures San Francisco @neshacom1 contact.phil@gmail.com 99% Invisible - 10,000 years

765 views • 72 slides
1 The Hardware: Reorder Buffer Branch Prediction vs. Precise Interrupt If inst write results in

1 The Hardware: Reorder Buffer Branch Prediction vs. Precise Interrupt If inst write results in

Control Dependencies Every instruction is control dependent on some set of branches Lecture 7: Speculative Execution and if p1 Recovery S1; if p2 Branch prediction and speculative S2; execution, precise interrupt, reorder S1 is control

251 views • 3 slides
Performance Enhancement with Speculative Execution Based Parallelism for Processing Large-scale

Performance Enhancement with Speculative Execution Based Parallelism for Processing Large-scale

Introduction Parallel XML Conclusions Performance Enhancement with Speculative Execution Based Parallelism for Processing Large-scale XML-based Application Data Michael R. Head and Madhusudhan Govindaraju Grid Computing Research Laboratory

997 views • 47 slides
Speculative Execution Vulnerabilities: From a Simple Oversight to a Technological Nightmare Raoul

Speculative Execution Vulnerabilities: From a Simple Oversight to a Technological Nightmare Raoul

Speculative Execution Vulnerabilities: From a Simple Oversight to a Technological Nightmare Raoul Strackx raoul.strackx@cs.kuleuven.be @raoul_strackx imec-DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Belgium Hardwear.io, June 14 th , 2019

1.05k views • 81 slides
Execution-based Prediction Using Speculative Slices Craig Zilles and Guri Sohi University of

Execution-based Prediction Using Speculative Slices Craig Zilles and Guri Sohi University of

Execution-based Prediction Using Speculative Slices Craig Zilles and Guri Sohi University of Wisconsin - Madison International Symposium on Computer Architecture July, 2001 The Problem Two major barriers to achieving high ILP: MISPREDICTED

427 views • 27 slides
A Reo Semantics for Reasoning about Speculative Execution Hans-Dieter A. Hiep Vrije Universiteit

A Reo Semantics for Reasoning about Speculative Execution Hans-Dieter A. Hiep Vrije Universiteit

A Reo Semantics for Reasoning about Speculative Execution Hans-Dieter A. Hiep Vrije Universiteit Amsterdam Centrum Wiskunde &amp; Informatica November 13th, 2018 Overview 1. Motivation 2. Language 3. Foundation 4. Properties Motivation

911 views • 59 slides
An SSA-based Algorithm for Optimal Speculative Code Motion under an Execution Profile Hucheng

An SSA-based Algorithm for Optimal Speculative Code Motion under an Execution Profile Hucheng

An SSA-based Algorithm for Optimal Speculative Code Motion under an Execution Profile Hucheng Zhou Tsinghua University June 2011 Joint work with: Wenguang Chen (Tsinghua University), Fred Chow (ICube Technology Corp.) Contents Basic Concepts

670 views • 36 slides
Spectre Attacks: Exploiting Speculative Execution IEEE Security &amp; Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security &amp; Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security &amp; Privacy (May 20, 2019) Paul Kocher 1 , Jann Horn 2 , Anders Fogh 3 , Daniel Genkin 4 , Daniel Gruss 5 , Werner Haas 6 , Mike Hamburg 7 , Mortiz Lipp 5 , Stefan Mangard 5 ,

410 views • 13 slides
Speculative Plan Execution for Information Agents Greg Barish University of Southern California

Speculative Plan Execution for Information Agents Greg Barish University of Southern California

Speculative Plan Execution for Information Agents Greg Barish University of Southern California June 30th, 2003 Thesis Committee Prof. Craig Knoblock (chair) Dr. Steven Minton, Fetch Technologies Prof. Paul Rosenbloom Prof. Cyrus Shahabi

989 views • 51 slides
Speculative execution in a distributed file system E. B. Nightingale, P. M. Chen, J. Flinn

Speculative execution in a distributed file system E. B. Nightingale, P. M. Chen, J. Flinn

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Speculative execution in a distributed file system E. B. Nightingale, P. M. Chen, J. Flinn Dresden, 2010-09-01 Distributed File Systems NFS (v3),

194 views • 15 slides
Making the invisible visible Method Results A theory of security culture for secure and usable

Making the invisible visible Method Results A theory of security culture for secure and usable

Making the invisible visible S. Faily, I. Flchais Introduction Making the invisible visible Method Results A theory of security culture for secure and usable grids Cases What is Security Culture? Guidelines Future work S. Faily I.

692 views • 17 slides
DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas Devadas, Joel Emer {vlk, ilebedev, saman, devadas, emer}@csail.mit.edu MICRO'18

949 views • 78 slides
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project

Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project

Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval Yarom (University of Adelaide and

243 views • 22 slides
Fresh for tomorrow? Peter Martin, The Age Invisible? Invisible? Invisible? When searching for

Fresh for tomorrow? Peter Martin, The Age Invisible? Invisible? Invisible? When searching for

Fresh for tomorrow? Peter Martin, The Age Invisible? Invisible? Invisible? When searching for an analogy to describe the government, the first thing that comes to a government ministers mind is a company. Invisible? When searching for

638 views • 37 slides
Speculative Defragmentation Speculative Defragmentation A Technique to Improve the

Speculative Defragmentation Speculative Defragmentation A Technique to Improve the

Ninth IEEE International Symposium on High Performance Distributed Computing, Pittsburgh, Pennsylvania, August 1-4, 2000 Speculative Defragmentation Speculative Defragmentation A Technique to Improve the Communication A Technique to

237 views • 22 slides

More recommend