s poiler speculative load hazards
play

S POILER : Speculative Load Hazards Boost Rowhammer and Cache - PowerPoint PPT Presentation

Jun 06, 2023 •471 likes •999 views

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel el Mogh ghimi (@danielmgmi), Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth, Berk Sunar Worcest ster Polytechnic

  1. S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel el Mogh ghimi (@danielmgmi), Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth, Berk Sunar Worcest ster Polytechnic Institute & Univer ersity of Lübec eck 1

  2. CPU Optimization on? • Branch Prediction • Cache and internal buffers • Speculate the Speculations??! – "speculative prefetching“ – "speculatively scheduled operation“ – "speculative execution event counter“ – "speculative memory accesses“ – "speculative load instruction" 2

  3. Specula lative Load Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 3

  4. Specula lative Load Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 4

  5. Resource is Busy Specula lative Load for Store! Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 5

  6. Whatever, Let’s Load and Specula lative Load Compute!!! Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 6

  7. Huum! Was it dependent Specula lative Load on Stores? Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 7

  8. No Clue! Check store ADDRE DRESSES: Specula lative Load X, Y, Z? Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 8

  9. How about this one? Is W dependent on Specula lative Load Y? Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 9

  10. Or this one? Specula lative Load W VS. X? Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 10

  11. Wrong. Specula lative Load Flush it!!! Execute X1 X2 X3 X4 X5 store a a → X X store b b → Y Y store c c → Z Z load d d ← W W inc d 11

  12. Virtual & Physical Addresses What are store and load addresse ses? s? Address 0 x 0 4 0 F E 6 4 1 0 C 0 Virtual Page Offset VFN (12 bits) 12

  13. Virtual & Physical Addresses What are store and load addresse ses? s? Address 0 x 0 4 0 F E 6 4 1 0 C 0 TLB Virtual Page Offset VFN (12 bits) 13

  14. Virtual & Physical Addresses What are store and load addresse ses? s? Address 0 x 0 4 0 F E 6 4 1 0 C 0 TLB Virtual Page Offset VFN (12 bits) PMH 14

  15. Virtual & Physical Addresses What are store and load addresse ses? s? Address 0 x 0 4 0 F E 6 4 1 0 C 0 TLB Virtual Page Offset VFN (12 bits) PMH address 0 x 5 4 4 0 2 3 0 C 0 Physical PFN 15

  16. Virtual & Physical Addresses What are store and load addresse ses? s? Address 0 x 0 4 0 F E 6 4 1 0 C 0 TLB Virtual Page Offset VFN (12 bits) PMH address 0 x 5 4 4 0 2 3 0 C 0 Physical PFN 16

  17. Design Chall llenges? • Loads are executed out-of-order and speculatively to avoid performance loss. • Load may be dependent on preceding stores (dependency). • Dependency check is difficult: – Virtual addresses may be aliased. – Physical addresses are not available immediately. – Stores may stay in-flight for a while. – We can’t wait for them to succeed. – Can we forward the data from the store to the load? 17

  18. SPOILER 18

  19. US 7,603,527 B2 RESOLVING FALSE DEPENDENCIES OF SPECULATIVE LOAD INSTRUCTIONS “an operation X may determine whether the lower portion of the virtual address of a speculative load instruction matches the lower portion of virtual addresses of older store operations” LoosnetCheck “an operation Y may determine whether the upper portion of the virtual address of the speculative load matches the upper portion of virtual addresses of older store” “If there is a hit at operation Y then the load may be blocked” “in an embodiment, the load instruction may have its input data forwarded SPOILER Attack from the store operation from which the load instruction depends at operation” Store Forwarding Dependency Resolu lution “If there is a hit at operation X and a miss at operation Y, … the physical addresses of the load and the store may be compared at an operation Z” “In one embodiment, if there is a hit at operation X and the physical address of the load or the store operations is not valid, the physical address check at operation Z may be considered as a hit” “In some embodiments, the physical address check at operation Z may use a partial physical address, e.g., base on data stored in the SAB. This makes the checking at operation Z conservative. Accordingly, in some embodiments, 19 a match may occur on a partial address and block …” FinenetCheck

  20. SPOIL ILER ER Attack … Virtual Pages 20

  21. SPOIL ILER ER Attack … Virtual Pages 64 pages 21

  22. SPOIL ILER ER Attack … Virtual Pages 64 pages 0 x 4 0 0 F E 1 0 C 0 Stores 0 x 4 0 0 F E 2 0 C 0 … … 0 x 4 0 1 0 2 0 0 C 0 22

  23. SPOIL ILER ER Attack … Virtual Pages 64 pages 0 x 4 0 0 F E 1 0 C 0 Stores 0 x 4 0 0 F E 2 0 C 0 … … 0 x 4 0 1 0 2 0 0 C 0 Load 0 x 4 F 1 2 3 4 0 C 0 23

  24. SPOIL ILER ER Attack … Virtual Pages 0 x 4 0 0 F E 2 0 C 0 Stores 0 x 4 0 0 F E 3 0 C 0 … … 0 x 4 0 1 0 2 1 0 C 0 Load 0 x 4 F 1 2 3 4 0 C 0 24

  25. SPOIL ILER ER Attack … Virtual Pages 0 x 4 0 0 F E 3 0 C 0 Stores 0 x 4 0 0 F E 4 0 C 0 … … 0 x 4 0 1 0 2 2 0 C 0 Load 0 x 4 F 1 2 3 4 0 C 0 25

  26. SPOIL ILER ER Attack … Virtual Pages Virtual Addresses 0 x 4 0 0 F E 4 0 C 0 Stores 0 x 4 0 0 F E 5 0 C 0 Physical Addresses … … 0 x 4 0 1 0 2 3 0 C 0 0 x 6 5 F 3 2 X X X 0 C 0 Load 0 x 4 F 1 2 3 4 0 C 0 0 x 3 2 A C 2 X X X 0 C 0 26

  27. SPOIL ILER ER Attack … Virtual Pages 27

  28. SPOILER Boosts ts Cache Attack cks 28

  29. SPOIL ILER ER Boosts Cache he Attacks ks Core 1 Core 2 LLC DRAM 29

  30. SPOIL ILER ER Boosts Cache he Attacks ks Core Core 1 Prime+Pr Probe obe Victim Set 1 Set 2 … Set n DRAM 30

  31. SPOIL ILER ER Boosts Cache he Attacks ks Core Core 1 Prime+Pr Probe obe Victim Set 2 … Set n DRAM 31

  32. SPOIL ILER ER Boosts Cache he Attacks ks Core Address 0 x 0 4 0 F E 6 4 1 0 C 0 Core 1 Virtual Prime+Pr Probe obe Victim address 0 x 5 4 4 0 2 3 0 C 0 Physical Cache Index Byte Offset (6 Bit) Set 2 … Set n DRAM 32

  33. SPOIL ILER ER Boosts Cache he Attacks ks Core Address 0 x 0 4 0 F E 6 4 1 0 C 0 Core 1 Virtual Prime+Pr Probe obe Victim address 0 x 5 4 4 0 2 3 0 C 0 Physical Cache Index Byte Offset (6 Bit) Skylake Client L1: 64 Sets, 6 bit Index Set 2 … Set n L2: 1024 Sets, 10 bit Index LLC: 2048 Sets, 11 bit Index, 1-2 bit slices DRAM 33

  34. SPOIL ILER ER – Javascript Eviction on Sets • 1 MB Aliasing Leakage • Eviction Set Finding Comparison 34

  35. SPOILER Boosts ts Rowhammer 35

  36. SPOIL ILER ER Boosts Rowhammer • Physical addresses are used for mapping DRAM banks – More Banks, More Physical Address Bits address 0 x 5 4 4 0 2 3 0 C 0 Physical • Single-Sided Rowhammer: – Requirement: Bank Co-location PFN • Double-Sided Rowhammer: – Contiguous Memory Pages 36

  37. SPOIL ILER ER Boosts Rowhammer • Reverse Engineering DRAM Banks using DRAMA Tool • Rowbuffer Conflict 37

  38. SPOIL ILER ER Boosts Rowhammer • Detecting Contiguous Memory • Rowhammer Bitflips 38

  39. CVE-201 2019-01 0162 62 • 12/01/2018: We informed our findings to iPSIRT. • 12/03/2018: iPSIRT acknowledged the receipt. • 03/01/2018: We published the paper. • 04/09/2019: iPSIRT released public advisory (INTELSA-00238) (CVE-2019-0162). • And we got some free logos, Thanks to Media !!! 39

  40. Question ons?! ?! @danielmgmi https://github.com/UzL-ITS/Spoiler 40

  41. 41

  42. SPOIL ILER ER Attack – HPC Analy lysis 42

Recommend

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

663 views • 28 slides
Speculative Defragmentation Speculative Defragmentation A Technique to Improve the

Speculative Defragmentation Speculative Defragmentation A Technique to Improve the

Ninth IEEE International Symposium on High Performance Distributed Computing, Pittsburgh, Pennsylvania, August 1-4, 2000 Speculative Defragmentation Speculative Defragmentation A Technique to Improve the Communication A Technique to

237 views • 22 slides
Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism

Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism

Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism MA MARK C. JEFFR FFREY , VICTOR A. YING, SUVINAY SUBRAMANIAN, HYUN RYONG LEE, JOEL EMER, DANIEL SANCHEZ MI MICRO 2018 There is a (false)

1.48k views • 130 slides
The Challenge of Natural Hazards This PowerPoint will cover information on: Natural Hazards

The Challenge of Natural Hazards This PowerPoint will cover information on: Natural Hazards

The Challenge of Natural Hazards This PowerPoint will cover information on: Natural Hazards Tectonic Hazards Weather Hazards Climate Change NATURAL HAZARDS Natural hazards pose major risks to people and property Natural Hazards A

1.11k views • 61 slides
CSCI341 Lecture 36, Pipelining & Hazards RECALL... RECALL... HAZARDS Data Hazards

CSCI341 Lecture 36, Pipelining & Hazards RECALL... RECALL... HAZARDS Data Hazards

CSCI341 Lecture 36, Pipelining & Hazards RECALL... RECALL... HAZARDS Data Hazards Control Hazards Dukes of Hazzard DATA HAZARD Hardware solution: Include forwarding paths in the machines datapath. Even though results have not

436 views • 27 slides
Organization Lecture-11 CPU Design : Pipelining-2 Review, Hazards Shakil M. Khan IF for Load

Organization Lecture-11 CPU Design : Pipelining-2 Review, Hazards Shakil M. Khan IF for Load

CSE 2021: Computer Organization Lecture-11 CPU Design : Pipelining-2 Review, Hazards Shakil M. Khan IF for Load (Review) CSE-2021 July-19-2012 2 ID for Load (Review) CSE-2021 July-19-2012 3 EX for Load (Review) CSE-2021 July-19-2012 4

530 views • 38 slides
Health Hazards in Construction Health Hazards Potential exposures to health hazards: Worker

Health Hazards in Construction Health Hazards Potential exposures to health hazards: Worker

Health Hazards in Construction Health Hazards Potential exposures to health hazards: Worker on the job Workers family Source: OSHA Objectives 1. Identify common health hazards. 2. Describe types of common health hazards. 3. Apply

320 views • 27 slides
Unit 5: Pipelining Load-use stalling Pipelined multi-cycle operations Control hazards

Unit 5: Pipelining Load-use stalling Pipelined multi-cycle operations Control hazards

This Unit: Pipelining App App App Single-cycle & multi-cycle datapaths System software Latency vs throughput & performance Basic pipelining CIS 501: Computer Architecture Mem CPU I/O Data hazards Bypassing Unit

522 views • 24 slides
Exercises for 8.1.3 1. Give a parse tree with semantic records for the statement Z = 2 + 2. Show

Exercises for 8.1.3 1. Give a parse tree with semantic records for the statement Z = 2 + 2. Show

326 Chapter 8 Computer Languages TABLE 4. Semantic record label Address Code Expression translated T6 3 The variable Y. T7 Load 0,A The assignment statement Load 2,B Y = 3 + 2*X. Mult A,B,4 Load 4,A Load 1,B Add A,B,5 Load 5,A

427 views • 8 slides
Load Balancing Load Balancing Load balancing: distributing data and/or computations across

Load Balancing Load Balancing Load balancing: distributing data and/or computations across

Load Balancing Load Balancing Load balancing: distributing data and/or computations across multiple processes to maximize efficiency for a parallel program. Static load-balancing: the algorithm decides a priori how to divide the workload.

444 views • 27 slides
SAM: Optimizing Multithreaded Cores for Speculative Parallelism MALEEN ABEYDEERA, SUVINAY

SAM: Optimizing Multithreaded Cores for Speculative Parallelism MALEEN ABEYDEERA, SUVINAY

SAM: Optimizing Multithreaded Cores for Speculative Parallelism MALEEN ABEYDEERA, SUVINAY SUBRAMANIAN, MARK JEFFREY, JOEL EMER, DANIEL SANCHEZ PACT 2017 Executive Summary Analyzes the interplay between hardware multithreading and speculative

370 views • 21 slides
Key Points: Control Hazards Control hazards occur when we don t know what the next

Key Points: Control Hazards Control hazards occur when we don t know what the next

Key Points: Control Hazards Control hazards occur when we don t know what the next instruction is Caused by branches and jumps. Strategies for dealing with them Stall Guess! Leads to speculation Flushing the

657 views • 40 slides
Risk 13: Impact of an increase in unplanned and speculative local developments to address the

Risk 13: Impact of an increase in unplanned and speculative local developments to address the

Risk 13: Impact of an increase in unplanned and speculative local developments to address the shortfall in the 5 year housing supply Joanne Eynon Environment and Transport What are the issues? Increased pressure from speculative

218 views • 8 slides
SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities Yuan Xiao, Yinqian Zhang, Radu Teodorescu The Ohio State University SPEculative Execution side Channel Hardware (SPEECH) Vulnerabilities Leverage

512 views • 24 slides
EE 457 Unit 6c Control Hazards 2 Control Hazards Control (branch) hazards are named such

EE 457 Unit 6c Control Hazards 2 Control Hazards Control (branch) hazards are named such

1 EE 457 Unit 6c Control Hazards 2 Control Hazards Control (branch) hazards are named such because they deal with 40: BEQ $1,$3,28 issues related to program control 44: AND $12,$2,$5 instructions (branch, jump, 48: OR $13,$6,$2

704 views • 21 slides
FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU

FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU

FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU SUBRAMANIAN , MARK C. JEFFREY, MALEEN ABEYDEERA, HYUN RYONG LEE, VICTOR A. YING, JOEL EMER, DANIEL SANCHEZ IS ISCA 2017 Current speculative systems

984 views • 47 slides
Occupational Health Hazards PPT-SM-OCPHLTHHAZ 1 V.A.0.0 Occupational Health Hazards Three

Occupational Health Hazards PPT-SM-OCPHLTHHAZ 1 V.A.0.0 Occupational Health Hazards Three

Occupational Health Hazards PPT-SM-OCPHLTHHAZ 1 V.A.0.0 Occupational Health Hazards Three classes of occupational health hazards include 1. Chemical hazards 2. Biological hazards 3. Physical hazards PPT-SM-OCPHLTHHAZ 2 V.A.0.0 Chemical

499 views • 22 slides
Quantifying the Speculative Component in the Real Price of Oil: A Review of Recent Results Lutz

Quantifying the Speculative Component in the Real Price of Oil: A Review of Recent Results Lutz

Quantifying the Speculative Component in the Real Price of Oil: A Review of Recent Results Lutz Kilian University of Michigan CEPR Expectations and Speculative Oil Demand A natural economic definition of a speculator in the physical

581 views • 21 slides
Key Points: Control Hazards Control hazards occur when we dont know what the next

Key Points: Control Hazards Control hazards occur when we dont know what the next

Key Points: Control Hazards Control hazards occur when we dont know what the next instruction is Caused by branches and jumps. Strategies for dealing with them Stall Guess! Leads to speculation Flushing the

570 views • 32 slides
Shaping Signals Preparing for the Future through Speculative Design Phil Balagtas Design

Shaping Signals Preparing for the Future through Speculative Design Phil Balagtas Design

Shaping Signals Preparing for the Future through Speculative Design Phil Balagtas Design Director, GE Aviation Digital Solutions Founder, Speculative Futures San Francisco @neshacom1 contact.phil@gmail.com 99% Invisible - 10,000 years

765 views • 72 slides
Data-Centric Execution of Speculative Parallel Programs MA MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MA MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MA MARK JEFFREY, SUVINAY SUBRAMANIAN, MALEEN ABEYDEERA, JOEL EMER, DANIEL SANCHEZ MI MICRO 2016 Executive summary Many-cores must exploit cache locality to scale Current speculative

635 views • 49 slides
Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN, MALEEN ABEYDEERA, JOEL EMER, DANIEL SANCHEZ MICRO 2016 Executive summary Many-cores must exploit cache locality to scale Current speculative systems,

495 views • 27 slides
Natural Hazards Earthquakes Volcanoes Tsunamis Minimizing Damage Works Cited

Natural Hazards Earthquakes Volcanoes Tsunamis Minimizing Damage Works Cited

Slide 1 / 142 Slide 2 / 142 4th Grade Natural Hazards 2015-11-18 www.njctl.org Slide 3 / 142 Slide 4 / 142 Table of Contents Click on the topic to go to that section Natural Hazards Natural Hazards Earthquakes Volcanoes

657 views • 30 slides
Beat the Heat: Controlling Heat Hazards in the Workplace Safety Meeting Topic What is Heat

Beat the Heat: Controlling Heat Hazards in the Workplace Safety Meeting Topic What is Heat

Beat the Heat: Controlling Heat Hazards in the Workplace Safety Meeting Topic What is Heat Stress? Total heat load on the body, including: Heat generated by the body Air temperature and humidity Radiant heat (sun, machines,

295 views • 10 slides

More recommend