the never died automata theory for reversing modern cpus
play

The never died: Automata theory for reversing modern CPUs - PowerPoint PPT Presentation

Nov 18, 2023 •106 likes •730 views

The never died: Automata theory for reversing modern CPUs RootedCON - March 2020 vwzq.net cgvwzq github.com/cgvwzq About me Im Pepe Vila (a.k.a. cgvwzq) PhD student at the IMDEA Software Institute Worked as security consultant

  1. The never died: Automata theory for reversing modern CPUs RootedCON - March 2020 vwzq.net cgvwzq github.com/cgvwzq

  2. About me I’m Pepe Vila (a.k.a. cgvwzq) PhD student at the IMDEA Software Institute Worked as security consultant and pentester Intern at Facebook and Microsoft Research I used to mess with browsers and JavaScript... ...but fell into the side channel’s rabbit hole 2

  4. Motivation Remember last year’s “Cache and syphilis”? dafuq is this pattern :S 4

  5. Motivation Knowing the cache replacement policy useful for finding eviction sets, Similarly, it dedicates to BIP all the sets for which the complement of the offset equals the constituency identifying bits. Thus for the baseline cache with 1024 sets, if 32 sets are to be dedicated to both LRU and BIP, then complement-select dedicates set 0 and every 33rd set to LRU, and Set 31 and every 31st set to BIP. The sets dedicated to LRU can be identified using a five bit comparator for the bits [4:0] to bits [9:5] of the set index. Similarly, the sets dedicated to BIP can be identified using another five bit comparator that compares the complement of bits [4:0] of the set index to bits [9:5] of the set index but also for optimal eviction strategies in rowhammer, or high bandwidth covert channels 5

  6. A primer on Hardware Caches 4-cycles 32KB 8 ways private per physical core 12-cycles 256KB 4 ways Capacity Latency shared 41-cycles 8MB 16 ways 150-cycles 16GB (data from Kaby Lake i7-8550U CPU) 6

  7. A primer on Hardware Caches Memory block 0 CPU 1 256KBs Cache memory address 2 Tag Data 3 Associativity ... Set 0 Tag Set Offset 10 6 = Set 1 Memory partitioned in memory blocks (64 bytes = 2 6 ) ● Cache partitioned in equally sized cache sets (1024 = 2 10 = 256KB / (64 * 4) ● ● Cache sets have capacity for N cache lines (also known as ways or associativity ) 7

  8. A primer on Hardware Caches Memory block 0 CPU 1 256KBs Cache memory address 2 Tag Data 3 Associativity ... Set 0 Tag Set Offset 10 6 = Set 1 Memory partitioned in memory blocks (64 bytes = 2 6 ) ● Cache partitioned in equally sized cache sets (1024 = 2 10 = 256KB / (64 * 4) ● ● Cache sets have capacity for N cache lines (also known as ways or associativity ) 8

  9. A primer on Hardware Caches Memory block 0 CPU 1 256KBs Cache memory address 2 Tag Data 3 Associativity ... Set 0 Tag Set Offset 10 6 = Set 1 Memory partitioned in memory blocks (64 bytes = 2 6 ) ● Cache partitioned in equally sized cache sets (1024 = 2 10 = 256KB / (64 * 4) ● ● Cache sets have capacity for N cache lines (also known as ways or associativity ) 9

  10. A primer on Hardware Caches Memory block 0 CPU 1 256KBs Cache memory address 2 Tag Data 3 Associativity ... Set 0 Tag Set Offset 10 6 = Set 1 HIT Memory partitioned in memory blocks (64 bytes = 2 6 ) ● Cache partitioned in equally sized cache sets (1024 = 2 10 = 256KB / (64 * 4) ● ● Cache sets have capacity for N cache lines (also known as ways or associativity ) 10

  11. A primer on Hardware Caches Memory block 0 CPU 1 256KBs Cache memory address 2 Tag Data 3 Associativity ... Set 0 Tag Set Offset 64 bytes of data 10 6 = Set 1 HIT fast access time Memory partitioned in memory blocks (64 bytes = 2 6 ) ● Cache partitioned in equally sized cache sets (1024 = 2 10 = 256KB / (64 * associativity) ● ● Cache sets have capacity for N cache lines (also known as ways or associativity ) 11

  12. A primer on Hardware Caches Memory block 0 CPU 1 256KBs Cache memory address 2 Tag Data 3 Associativity ... Set 0 Tag Set Offset 10 6 = Set 1 Memory partitioned in memory blocks (64 bytes = 2 6 ) ● Cache partitioned in equally sized cache sets (1024 = 2 10 = 256KB / (64 * associativity) ● ● Cache sets have capacity for N cache lines (also known as ways or associativity ) 12

  13. A primer on Hardware Caches Memory block 0 CPU 1 256KBs Cache memory address 2 Tag Data 3 Associativity ... Set 0 Tag Set Offset 10 6 = Set 1 MISS Memory partitioned in memory blocks (64 bytes = 2 6 ) ● Cache partitioned in equally sized cache sets (1024 = 2 10 = 256KB / (64 * associativity) ● ● Cache sets have capacity for N cache lines (also known as ways or associativity ) 13

  14. A primer on Hardware Caches Memory block 0 CPU 1 256KBs Cache memory address 2 Tag Data 3 Associativity ... Set 0 Tag Set Offset 10 6 = Set 1 MISS replacement policy evicts one block Memory partitioned in memory blocks (64 bytes = 2 6 ) ● Cache partitioned in equally sized cache sets (1024 = 2 10 = 256KB / (64 * associativity) ● ● Cache sets have capacity for N cache lines (also known as ways or associativity ) 14

  15. A primer on Hardware Caches Memory block 0 CPU 1 256KBs Cache memory address 2 Tag Data slow access time 3 64 bytes of data Associativity ... Set 0 Tag Set Offset 10 6 = Set 1 MISS insert new block Memory partitioned in memory blocks (64 bytes = 2 6 ) ● Cache partitioned in equally sized cache sets (1024 = 2 10 = 256KB / (64 * associativity) ● ● Cache sets have capacity for N cache lines (also known as ways or associativity ) 15

  16. A primer on Hardware Caches ● Cache set partition exploits programs’ spatial locality ● Replacement policy decides which blocks to evict exploiting programs’ temporal locality ● What does a replacement policy look like? ○ First Input First Output (FIFO), Least Recently Used (LRU), Pseudo-LRU, etc. ○ These examples keep track of the order or ages of blocks, and evict oldest one ● More complex policies nowadays, but same idea: maintain some metadata or control state 16

  17. Caches as Mealy machines Natural abstraction for an individual cache set ● Input alphabet = set of memory blocks, e.g. {a,b,c} ● mapping to the same cache set ● Output alphabet = { H, M} (hit or miss) for the observable result of accessing a given block Every state represents the content of the cache set ● plus its control state (or metadata) Example: 2-way FIFO cache with 3 blocks {a,b,c} 17

  18. Previous work 18

  19. Previous work Others Abel & Reineke Rueda’s MS Automatic NO YES YES Supported class Individual Permutation-based Deterministic of policies On real hardware YES YES NO Scalability NO YES NO Human readable NO NO NO Correctness NO YES NO 19

  20. 20

  21. Our approach Template 4 3 2 1 Hardware interface Program synthesis Automata learning Policy abstraction A B C A f30 f40 f50 f30 h(0) h(1) m() A B C B f30 f40 f50 f40 H H M M 4c 4c 12c 12c _ _ 0 H H M H 4c 4c 12c 4c int missIdx (int[4] state) for(int i = 0; i < 4; i = i + 1) if(state[i] == 3) return i; Explanation 21

  22. Our approach Template 4 3 2 1 Hardware interface Program synthesis Automata learning Policy abstraction A B C A f30 f40 f50 f30 h(0) h(1) m() A B C B f30 f40 f50 f40 H H M M 4c 4c 12c 12c _ _ 0 H H M H 4c 4c 12c 4c int missIdx (int[4] state) for(int i = 0; i < 4; i = i + 1) if(state[i] == 3) return i; Explanation 22

  23. Previous work vs. our approach Others Abel & Reineke Rueda’s MS Our Automatic NO YES YES YES Supported class Individual Permutation-based Deterministic Deterministic of policies On real hardware YES YES NO YES Scalability NO YES NO YES Human readable NO NO NO YES Correctness NO YES NO YES 23

  24. CacheQuery: a hardware interface Template Program synthesis Automata learning Policy abstraction A B C A CacheQuery f30 f40 f50 f30 h(0) h(1) m() A B C B f30 f40 f50 f40 H H M M 4c 4c 12c 12c _ _ 0 H H M H 4c 4c 12c 4c int missIdx (int[4] state) for(int i = 0; i < 4; i = i + 1) if(state[i] == 3) return i; Explanation 24

  25. CacheQuery: a hardware interface ● Frees the user from low-level details like set mapping, timing, cache filtering, code generation, and system’s interferences. ● Accepts sequences of blocks decorated with an optional tag : ? indicates access should be profiled, ! indicates that block should be invalidated, no tag means access. ● Support for macros : ○ @ expansion, _ wildcard, power operator, etc. ○ E.g. For assoc=4: @ x _? expands to ■ (a b c d) x [a b c d]? , which expands to ■ { a b c d x a? , a b c d x b? , a b c d x c? , a b c d x d? } ■ and returns { M , H , H , H } 25

  26. CacheQuery: demo ● Disable system’s noise ● REPL interactive session ● Target specific level and set ● Ask arbitrary queries 26

  27. Polca: a cache automaton abstraction Template Program synthesis Automata learning A B C A f30 f40 f50 f30 CacheQuery h(0) h(1) m() A B C B f30 f40 f50 f40 Polca H H M M 4c 4c 12c 12c _ _ 0 H H M H 4c 4c 12c 4c int missIdx (int[4] state) for(int i = 0; i < 4; i = i + 1) if(state[i] == 3) return i; Explanation 27

  28. Polca: a cache automaton abstraction ● Why not learn directly from the cache? ○ Redundancy → Replacement policy is agnostic of the specific content ○ Policy’s logic should depend only on the control state (metadata) ○ Cache’s content management increases automata complexity and learning cost ● We abstract the replacement policy from the cache content management! 28

Recommend

Automata Theory Why Study Automata? What the Course is About 1 Why Study Automata? A survey of

Automata Theory Why Study Automata? What the Course is About 1 Why Study Automata? A survey of

Automata Theory Why Study Automata? What the Course is About 1 Why Study Automata? A survey of Stanford grads 5 years out asked which of their courses did they use in their job. Basics like intro-programming took the top spots, of course.

584 views • 32 slides
Pushdown Automata 7-0 Pushdown Automata The automata we saw so far were

Pushdown Automata 7-0 Pushdown Automata The automata we saw so far were

Griffith University 3130CIT Theory of Computation (Based on slides by Harald Sndergaard of The University of Melbourne) Pushdown Automata 7-0 Pushdown Automata The automata we saw so far were limited by their

368 views • 15 slides
B uchi Automata and their Application to Software Verification Finite Automata Theory and

B uchi Automata and their Application to Software Verification Finite Automata Theory and

B uchi Automata and their Application to Software Verification Finite Automata Theory and Formal Languages Wolfgang Ahrendt 22nd April 2013 B uchi Automata: TMV027/DIT321 / GU 130423 1 / 25 Motivating Temporal Logic? But How to

832 views • 64 slides
Duality and Automata Theory Mai Gehrke Universit e Paris VII and CNRS Joint work with Serge

Duality and Automata Theory Mai Gehrke Universit e Paris VII and CNRS Joint work with Serge

Duality and Automata Theory Duality and Automata Theory Mai Gehrke Universit e Paris VII and CNRS Joint work with Serge Grigorieff and Jean- Eric Pin Duality and Automata Theory Elements of automata theory a A finite automaton 1 2 b

764 views • 55 slides
Perturbation attack on modern CPUs, from the fault model to the exploitation Thomas TROUCHKINE 1 ,

Perturbation attack on modern CPUs, from the fault model to the exploitation Thomas TROUCHKINE 1 ,

Perturbation attack on modern CPUs, from the fault model to the exploitation Thomas TROUCHKINE 1 , Guillaume BOUFFARD 1,2 , Jessy CLDIRE 3 1 National Cybersecurity Agency of France (ANSSI) 2 Information Security Group, cole Normale

292 views • 28 slides
Integrating Automata Theory and Process Theory (status and open problems) Bas Luttik (based on

Integrating Automata Theory and Process Theory (status and open problems) Bas Luttik (based on

Integrating Automata Theory and Process Theory (status and open problems) Bas Luttik (based on joint work with Jos Baeten, Paul van Tilburg and Fei Yang) Open Problems in Concurrency Theory Bertinoro, 19 June 2014 Automata Theory (classical

232 views • 20 slides
Brzozowskis algorithm (co)algebraically Jan Rutten CWI &amp; Radboud University 1. Example

Brzozowskis algorithm (co)algebraically Jan Rutten CWI &amp; Radboud University 1. Example

1. Example 2. (Co)algebra 3. Automata 4. Duality 5. Reversing 6. Conclusions Brzozowskis algorithm (co)algebraically Jan Rutten CWI &amp; Radboud University 1. Example 2. (Co)algebra 3. Automata 4. Duality 5. Reversing 6.

1.65k views • 125 slides
Search on Modern CPUs and GPUs N. Satish, C. Kim, J. Chhugani, A. Nguyen, V. Lee, D. Kim, P. Dubey

Search on Modern CPUs and GPUs N. Satish, C. Kim, J. Chhugani, A. Nguyen, V. Lee, D. Kim, P. Dubey

FAST: Fast Architecture Sensitive Tree Search on Modern CPUs and GPUs N. Satish, C. Kim, J. Chhugani, A. Nguyen, V. Lee, D. Kim, P. Dubey SIGMOD 2010 Presented by: Andy Hwang 2 Motivation Index trees are not optimized for architecture

697 views • 26 slides
Modeling Architectural Vulnerability Primary type of transient fault in modern CPUs is a

Modeling Architectural Vulnerability Primary type of transient fault in modern CPUs is a

Modeling Architectural Vulnerability Primary type of transient fault in modern CPUs is a single-bit flip due to cosmic rays Radioactive materials in chip packages are no longer a problemcan be shielded against, screened out Cosmic

238 views • 10 slides
DD2371 Automata Theory Dilian Gurov Lecture Outline 1. The lecturer 2. Introduction to automata

DD2371 Automata Theory Dilian Gurov Lecture Outline 1. The lecturer 2. Introduction to automata

KTH CSC VT 2008 DD2371 Automata Theory Dilian Gurov Lecture Outline 1. The lecturer 2. Introduction to automata theory 3. Course syllabus 4. Course objectives 5. Course organization 6. First definitions 1. Lecturer Name: DilianGurov

707 views • 58 slides
Applied Automata Theory Roland Meyer TU Kaiserslautern Roland Meyer (TU KL) Applied Automata

Applied Automata Theory Roland Meyer TU Kaiserslautern Roland Meyer (TU KL) Applied Automata

Applied Automata Theory Roland Meyer TU Kaiserslautern Roland Meyer (TU KL) Applied Automata Theory (WiSe 2012) 1 / 145 Table of Contents I Regular Languages and Finite Automata 1 Regular Languages Finite Automata Equivalence

1.67k views • 148 slides
Applied Automata Theory Roland Meyer TU Kaiserslautern Roland Meyer (TU KL) Applied Automata

Applied Automata Theory Roland Meyer TU Kaiserslautern Roland Meyer (TU KL) Applied Automata

Applied Automata Theory Roland Meyer TU Kaiserslautern Roland Meyer (TU KL) Applied Automata Theory (WiSe 2013) 1 / 161 Table of Contents I Regular Languages and Finite Automata 1 Regular Languages Finite Automata Equivalence

1.93k views • 164 slides
Nondeterministic Finite Automata CSCI 3130 Formal Languages and Automata Theory Siu On CHAN

Nondeterministic Finite Automata CSCI 3130 Formal Languages and Automata Theory Siu On CHAN

1/23 Nondeterministic Finite Automata CSCI 3130 Formal Languages and Automata Theory Siu On CHAN Chinese University of Hong Kong Fall 2017 2/23 Example from last lecture with a simpler solution 1 0 0 1 1 0 or 0 1 0 1 1 0 1 0 0

804 views • 24 slides
Algorithmic aspects of finite semigroup and automata theory using the computer algebra system

Algorithmic aspects of finite semigroup and automata theory using the computer algebra system

Algorithmic aspects of finite semigroup and automata theory using the computer algebra system GAP Manuel Delgado Soria, 20-24/07/2009 GAP Semigroups Automata Automata (II) Semigroups (II) NS References Outline I A short introduction

901 views • 74 slides
Nondeterministic Finite Automata CSCI 3130 Formal Languages and Automata Theory Siu On CHAN Fall

Nondeterministic Finite Automata CSCI 3130 Formal Languages and Automata Theory Siu On CHAN Fall

Nondeterministic Finite Automata CSCI 3130 Formal Languages and Automata Theory Siu On CHAN Fall 2018 Chinese University of Hong Kong 1/22 Example from last lecture with a simpler solution q 2 0 1 0 or q 0 q 1 0 1 1 1 0 0 1 Three

404 views • 24 slides
Seminar: Automata Theory Timed Automata Jennifer Nist 11 th February 2016 Chair of Software

Seminar: Automata Theory Timed Automata Jennifer Nist 11 th February 2016 Chair of Software

Seminar: Automata Theory Timed Automata Jennifer Nist 11 th February 2016 Chair of Software Engineering Albert-Ludwigs Universit at Freiburg 11 th February 2016 Jennifer Nist Timed Automata 1 / 28 Outline 1 Timed Automata 2 Timed Language

676 views • 30 slides
THEORY OF COMPUTATION Chapter 7 Regular Languages (Automata as Algebras) A. Daneshgar (Slides

THEORY OF COMPUTATION Chapter 7 Regular Languages (Automata as Algebras) A. Daneshgar (Slides

THEORY OF COMPUTATION (Automata as Algebras) THEORY OF COMPUTATION Chapter 7 Regular Languages (Automata as Algebras) A. Daneshgar (Slides prepared by Z. Ghafouri) Department of Mathematical Sciences Sharif University of Technology 2020,

602 views • 35 slides
CS 5220: Optimization basics David Bindel 2017-08-31 1 Reminder: Modern processors Modern

CS 5220: Optimization basics David Bindel 2017-08-31 1 Reminder: Modern processors Modern

CS 5220: Optimization basics David Bindel 2017-08-31 1 Reminder: Modern processors Modern CPUs are Wide: start / retire multiple instructions per cycle Pipelined: overlap instruction executions Out-of-order: dynamically

819 views • 60 slides
MYTHBUSTING MODERN HARDWARE TO GAIN MECHANICAL SYMPATHY Martin Thompson @MJPT777 Myth - 1

MYTHBUSTING MODERN HARDWARE TO GAIN MECHANICAL SYMPATHY Martin Thompson @MJPT777 Myth - 1

MYTHBUSTING MODERN HARDWARE TO GAIN MECHANICAL SYMPATHY Martin Thompson @MJPT777 Myth - 1 CPUs are not getting faster Myth 1 CPUs Are Not Getting Faster The Free Lunch Is Over Herb Sutter &gt; The issue is

794 views • 29 slides
CSC 473 Automata, Grammars &amp; Languages 9/29/10 Automata, Grammars and Languages Discourse 03

CSC 473 Automata, Grammars &amp; Languages 9/29/10 Automata, Grammars and Languages Discourse 03

CSC 473 Automata, Grammars &amp; Languages 9/29/10 Automata, Grammars and Languages Discourse 03 Finite Automata C SC 473 Automata, Grammars &amp; Languages Finite Automata / Switching Theory (CS) / (CE) Boolean operators / Gates

519 views • 32 slides
1. Mid-Ocean Ridges 1. Mid-Ocean Ridges How Do We Know? We know about Mid-Ocean Ridges

1. Mid-Ocean Ridges 1. Mid-Ocean Ridges How Do We Know? We know about Mid-Ocean Ridges

Modern Theory The Modern Theory of Plate Tectonics is built on Alfred Wegeners theory of Continental Drift . Modern Theory of Two new discoveries (discoveries over the last 60 years) helped scientists Plate Tectonics develop the

461 views • 9 slides
Applications of Tree Automata Theory Lecture I: Tree Automata Andreas Maletti Institute of

Applications of Tree Automata Theory Lecture I: Tree Automata Andreas Maletti Institute of

Applications of Tree Automata Theory Lecture I: Tree Automata Andreas Maletti Institute of Computer Science Universitt Leipzig, Germany on leave from: Institute for Natural Language Processing Universitt Stuttgart, Germany

1.78k views • 130 slides
BU CS 332 Theory of Computation Lecture 2: Reading: Deterministic Finite Automata

BU CS 332 Theory of Computation Lecture 2: Reading: Deterministic Finite Automata

BU CS 332 Theory of Computation Lecture 2: Reading: Deterministic Finite Automata Sipser Ch 1.1-1.2 Regular Operations Non-deterministic FAs Mark Bun January 27, 2020 Deterministic Finite Automata 1/26/2020 CS332 - Theory

561 views • 40 slides
C4.1 Minimal Automata Regular NFAs Languages Automata &amp; Regular Formal Languages

C4.1 Minimal Automata Regular NFAs Languages Automata &amp; Regular Formal Languages

Theory of Computer Science March 27, 2019 C4. Regular Languages: Minimal Automata, Closure Properties and Decidability Theory of Computer Science C4. Regular Languages: Minimal Automata, Closure Properties C4.1 Minimal Automata and

546 views • 8 slides

More recommend