theory and practice of finding eviction sets
play

Theory and Practice of Finding Eviction Sets Pepe Vila Boris Kpf - PowerPoint PPT Presentation

Dec 31, 2022 •311 likes •1.07k views

Theory and Practice of Finding Eviction Sets Pepe Vila Boris Kpf Jos F. Morales IMDEA Software Institute Microsoft Research IMDEA Software Institute vwzq.net @cgvwzq github.com/cgvwzq Eviction Sets CACHE Find addresses that collide

  1. Theory and Practice of Finding Eviction Sets Pepe Vila Boris Köpf José F. Morales IMDEA Software Institute Microsoft Research IMDEA Software Institute vwzq.net @cgvwzq github.com/cgvwzq

  2. Eviction Sets CACHE Find addresses that collide in cache: i.e. SLICE 0 addresses mapped into the same cache set associativity sets SLICE 1 associativity sets

  3. Eviction Sets CACHE Find addresses that collide in cache: i.e. SLICE 0 addresses mapped into the same cache set associativity sets SLICE 1 associativity sets

  4. Eviction Sets CACHE Find addresses that collide in cache: i.e. SLICE 0 addresses mapped into the same cache set associativity sets SLICE 1 associativity sets

  5. Eviction Sets CACHE Find addresses that collide in cache: i.e. SLICE 0 addresses mapped into the same cache set associativity sets Find associativity many colliding addresses: i.e. an eviction set SLICE 1 associativity sets

  6. Attacks Efficient attacks require small eviction sets

  7. Attacks Efficient attacks require small eviction sets Prime+Probe

  8. Attacks Efficient attacks require small eviction sets Prime+Probe Rowhammer

  9. Attacks Spectre Efficient attacks require small eviction sets Prime+Probe Rowhammer

  10. Problem PHYSICAL MEMORY CACHE SLICE 0 associativity Potentially unknown mapping from sets physical address to SLICE 1 cache set associativity sets

  11. Problem Unknown translation from virtual to physical addresses PHYSICAL MEMORY CACHE USER PROCESS SLICE 0 associativity sets MMU SLICE 1 associativity sets text heap stack low high

  12. Problem In some scenarios, even unknown virtual address PHYSICAL MEMORY CACHE USER PROCESS SLICE 0 <script> associativity var foo = new Uint32Array(N) ; foo[12]; ... </script> sets MMU SLICE 1 associativity sets text heap stack low high

  13. Problem PHYSICAL MEMORY CACHE USER PROCESS SLICE 0 <script> associativity var foo = new Uint32Array(N) ; foo[12]; ... </script> sets Find associativity many elements (e.g. JS MMU array indices) that collide in cache. SLICE 1 associativity sets text heap stack low high

  14. Contributions Systematic study of the problem of finding eviction sets

  15. Contributions Systematic study of the problem of finding eviction sets Find eviction sets in O(n) compared to previous O(n 2 )

  16. Contributions Systematic study of the problem of finding eviction sets Find eviction sets in O(n) compared to previous O(n 2 ) Reliability and performance evaluation of algorithms in real hardware

  17. Finding minimal eviction sets 1 Find a large eviction set for an address V: - Pick “enough” addresses at random - Timing test:

  18. Finding minimal eviction sets 1 Find a large eviction set for an address V: - Pick “enough” addresses at random - Timing test: 2 Reduce initial large eviction set into its minimal core

  19. Finding minimal eviction sets 1 Find a large eviction set for an address V: - Pick “enough” addresses at random - Timing test: 2 Reduce initial large eviction set into its minimal core

  20. Baseline algorithm Start with large enough eviction set S of size N N S :

  21. Baseline algorithm Pick candidate element C, and Test if remaining set TEST(S\{C}) is still an eviction set N’ S :

  22. Baseline algorithm If TEST(S\{C}) = True, discard C N’ S :

  23. Baseline algorithm and continue with N’=N-1 N’ S :

  24. Baseline algorithm We repeat this process several times N’ S :

  25. Baseline algorithm We repeat this process several times N’ S :

  26. Baseline algorithm We repeat this process several times N’ S :

  27. Baseline algorithm We repeat this process several times N’ S :

  28. Baseline algorithm Until we find an element C such that when removed the remaining set stops being an eviction set: TEST(S\{C}) = False N’ S :

  29. Baseline algorithm We learn that C is part of the minimal core N’ S :

  30. Baseline algorithm We keep track of it, and insert it again in S N’ S :

  31. Baseline algorithm We repeat this process several times N’ S :

  32. Baseline algorithm We repeat this process several times N’ S :

  33. Baseline algorithm We repeat this process several times N’ S :

  34. Baseline algorithm We repeat this process several times N’ S :

  35. Baseline algorithm We repeat this process several times N’ S :

  36. Baseline algorithm We repeat this process several times N’ S :

  37. Baseline algorithm We repeat this process several times N’ S :

  38. Baseline algorithm We repeat this process several times N’ S :

  39. Baseline algorithm We repeat this process several times N’ S :

  40. Baseline algorithm We repeat this process several times N’ S :

  41. Baseline algorithm Until we have identified ASSOCIATIVITY many elements representing the eviction set’s core! N’ S : ASSOCIATIVITY

  42. Baseline algorithm O(N 2 ) memory accesses N’ S : ASSOCIATIVITY

  43. Threshold Group Testing (10 individual tests) Group testing problem by Robert Dorfman (1943) Blood samples

  44. Threshold Group Testing (4 group tests + 3 individual tests ) Group testing problem by Robert Dorfman (1943) Blood samples

  45. Threshold Group Testing (4 group tests + 3 individual tests ) Group testing problem by Robert Dorfman (1943) Blood samples Generalization by Peter Damaschke (2006): - Positive test only if at least “u” defectives - Negative test only if at most “l” defectives - Random otherwise

  46. Threshold Group Testing (4 group tests + 3 individual tests ) Group testing problem by Robert Dorfman (1943) Observation: Our test is a threshold Blood samples Generalization by Peter Damaschke (2006): group test! - Positive test if at least “u” defectives - Negative test if at most “l” defectives - Random answer otherwise

  47. Group-testing algorithm Start with large enough eviction set S of size N N S :

  48. Group-testing algorithm Split S in ASSOCIATIVITY+1 subsets N S :

  49. Group-testing algorithm In the worst case, there exists a union of ASSOCIATIVITY subsets being an eviction set N S :

  50. Group-testing algorithm We can discard N/(ASSOCIATIVITY+1) elements per iteration N S :

  51. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  52. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  53. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  54. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  55. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  56. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  57. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  58. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  59. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  60. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  61. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  62. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  63. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  64. Group-testing algorithm We repeat this process until we have ASSOCIATIVITY many elements N’ S :

  65. Group-testing algorithm We find our minimal eviction set! ASSOCIATIVITY S :

  66. Group-testing algorithm O(N) mem accesses ASSOCIATIVITY S :

  67. Experiments on Skylake i5-6500 with 6MB cache (8192 sets x 12 assoc) Performance Evaluation Tool (C/x86): https://github.com/cgvwzq/evsets O(n) vs. O(n 2 ) advantage shows up in practice! Finding minimal eviction sets is practical without knowledge on any bits timeout of the set index! Y-right (lines): Average running time for eviction set reduction Y-left (columns): Cost of finding an initial eviction set of certain size X: Eviction set size in number of addresses

  68. Experiments on Skylake i5-6500 with 6MB cache (8192 sets x 12 assoc) Robustness Evaluation Modern replacement policies break our test assumption and introduce errors. X: Cache set offset (each points aggregates all slices) Y: Average success rate for Green: reduction rate w/o error correcting mechanisms. Yellow: Test rate reliability

  69. Demo running on Chrome 74.0.3729.75 with V8 7.4 - CPU i7-8550U Live demo (Bonus Material!) Find minimal eviction sets on Chrome with JS and Wasm

  70. Conclusions Finding minimal eviction sets is a threshold group-testing problem: new insight for research on principled countermeasures Novel linear-time algorithm makes attacks faster and enables them in scenarios previously considered impractical

Recommend

Dynamically Finding Minimal Eviction Sets Can Be Quicker Than You Think for Side-Channel Attacks

Dynamically Finding Minimal Eviction Sets Can Be Quicker Than You Think for Side-Channel Attacks

Dynamically Finding Minimal Eviction Sets Can Be Quicker Than You Think for Side-Channel Attacks against the LLC Wei Song State Key Laboratory of Information Security Institute of Information Engineering, CAS, Beijing, China Peng Liu The

274 views • 25 slides
Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit. Theory alone can bring forth and develop the spirit of inventions Louis Pasteur, 1822-1895 Practice : It is a capital mistake to theorize before

548 views • 42 slides
EVICTION EVICTION MORATORIUM MORATORIUM This crisis is not over No New Yorker should lose the

EVICTION EVICTION MORATORIUM MORATORIUM This crisis is not over No New Yorker should lose the

EVICTION EVICTION MORATORIUM MORATORIUM This crisis is not over No New Yorker should lose the roof over their head NEED: State to extend FULL eviction moratorium through August 20 by executive order NEED: State approval to allow tenants who

405 views • 11 slides
LANDLORD TENANT LAW ANTI-EVICTION ACT Who is protected by the Anti-Eviction Act? Entitled to due

LANDLORD TENANT LAW ANTI-EVICTION ACT Who is protected by the Anti-Eviction Act? Entitled to due

LANDLORD TENANT LAW ANTI-EVICTION ACT Who is protected by the Anti-Eviction Act? Entitled to due process Good cause Non-payment of rent Disorderly conduct, e.g. harassing other tenants Damage to or destruction of property, e.g.

377 views • 19 slides
THE COVID-19 EVICTION DEFENSE PROJECT NATI TIONAL ONAL EVICTION CTION RISK SK NUMBER

THE COVID-19 EVICTION DEFENSE PROJECT NATI TIONAL ONAL EVICTION CTION RISK SK NUMBER

THE COVID-19 EVICTION DEFENSE PROJECT NATI TIONAL ONAL EVICTION CTION RISK SK NUMBER UMBERS S 5/29/2020 2020 THE COVID-19 EVICTION DEFENSE PROJECT RESPONDS TO THIS UNPRECEDENTED CRISIS BY: Pairing lawyers with tenants

373 views • 5 slides
practice theory for social change practice theory is not for social change in itself it has no

practice theory for social change practice theory is not for social change in itself it has no

practice theory for social change practice theory is not for social change in itself it has no internal normative content practice theory for understanding social change well demonstrated as enabling distinctive insight into change

536 views • 24 slides
University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs

University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs

(Or Living Between a Rock and a Hard Place) Nigel Smart University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs Theory and Practice A key problem is someones theory is someone elses practice,

1.66k views • 68 slides
Heriditarily Finite Sets in Constructive Type Theory Gert Smolka Saarland University Based on

Heriditarily Finite Sets in Constructive Type Theory Gert Smolka Saarland University Based on

Heriditarily Finite Sets in Constructive Type Theory Gert Smolka Saarland University Based on joint work with Kathrin Stark Paper at ITP 2016 (Springer LNCS 9807) HF Sets in Naive Set Theory An HF set is a finite set of HF sets Inductive

228 views • 21 slides
From practice to theory and back again Tools for algorithms and programs In theory there is no

From practice to theory and back again Tools for algorithms and programs In theory there is no

From practice to theory and back again Tools for algorithms and programs In theory there is no difference between theory and practice, but We can time different methods, but how to compare timings? not in practice Different on different

450 views • 7 slides
Uncountable Cantors Theorem shows how to keep finding Sets bigger infinities. Albert R

Uncountable Cantors Theorem shows how to keep finding Sets bigger infinities. Albert R

Mathematics for Computer Science Infinite Sizes MIT 6.042J/18.062J Are all sets the same size? NO! Uncountable Cantors Theorem shows how to keep finding Sets bigger infinities. Albert R Meyer, March 4, 2015 Albert R Meyer, March

486 views • 7 slides
The Ecology of Language Learning Practice to Theory - Theory to Practice DILIT - International

The Ecology of Language Learning Practice to Theory - Theory to Practice DILIT - International

The Ecology of Language Learning Practice to Theory - Theory to Practice DILIT - International House, Rome April 17-18, 2010 Leo van Lier Monterey Institute of International Studies lvanlier@miis.edu 1 1 The ecology has spoken! 2 2 All

421 views • 29 slides
Californias Statewide Eviction Control Overview New Eviction and Rent Control Law AB-1482

Californias Statewide Eviction Control Overview New Eviction and Rent Control Law AB-1482

Californias Statewide Eviction Control Overview New Eviction and Rent Control Law AB-1482 (Adds new Code Sections: Civil Code 1946.2, 1947.12 and 1947.13) 1946.2 Restricts Certain Owners of Residential Property as to How They Can

369 views • 26 slides
Set Theory CMPS/MATH 2170: Discrete Mathematics Outline Sets and Set Operations (2.1-2.2)

Set Theory CMPS/MATH 2170: Discrete Mathematics Outline Sets and Set Operations (2.1-2.2)

Set Theory CMPS/MATH 2170: Discrete Mathematics Outline Sets and Set Operations (2.1-2.2) Functions (2.3) Sequences and Summations (2.4) Cardinality of Sets (2.5) Introduction to Sets A set is an unordered collection of

657 views • 39 slides
Eviction Defense Collaborative PREVENT HOMELESSNESS PRESERVE AFFORDABLE HOUSING PROTECT SAN

Eviction Defense Collaborative PREVENT HOMELESSNESS PRESERVE AFFORDABLE HOUSING PROTECT SAN

Eviction Defense Collaborative PREVENT HOMELESSNESS PRESERVE AFFORDABLE HOUSING PROTECT SAN FRANCISCOS DIVERSITY Eviction Defense Collaborative The Eviction Defense Collaborative is the principal organization in San Francisco helping

486 views • 12 slides
Seth Cable Introduction to Linguistic Theory Spring 2018 Linguistics 201 Some Optional Practice

Seth Cable Introduction to Linguistic Theory Spring 2018 Linguistics 201 Some Optional Practice

Seth Cable Introduction to Linguistic Theory Spring 2018 Linguistics 201 Some Optional Practice on Allophonic Rules The following are some optional problems in finding allophonic (phonological) rules. They are intended to help you practice for

359 views • 4 slides
XML Retrieval XML Retrieval XML Retrieval XML Retrieval DB/IR in DB/IR in Theory Theory Web

XML Retrieval XML Retrieval XML Retrieval XML Retrieval DB/IR in DB/IR in Theory Theory Web

XML Retrieval XML Retrieval XML Retrieval XML Retrieval DB/IR in DB/IR in Theory Theory Web in Web in Practice Practice Sihem Amer-Yahia Mariano Consens Yahoo! Research University of Toronto In collaboration with: Ricardo Baeza-Yates

1.06k views • 59 slides
Sets and Languages Debdeep Mukhopadhyay IIT Madras Introduction to Set Theory A set is a new

Sets and Languages Debdeep Mukhopadhyay IIT Madras Introduction to Set Theory A set is a new

Sets and Languages Debdeep Mukhopadhyay IIT Madras Introduction to Set Theory A set is a new type of structure, representing an unordered collection (group, plurality) of zero or more distinct (different) objects. Set theory deals with

794 views • 58 slides
New model structures on simplicial sets Matt Feller University of Virginia CT 2019 Edinburgh

New model structures on simplicial sets Matt Feller University of Virginia CT 2019 Edinburgh

New model structures on simplicial sets Matt Feller University of Virginia CT 2019 Edinburgh Outline 1 Background 2 Cisinskis Theory 3 New Stuff Category Theory in Simplicial Sets 0-simplices: Category Theory in Simplicial Sets

1.19k views • 95 slides
Semantics of Rough Sets From theory to applications (through semantics understanding).

Semantics of Rough Sets From theory to applications (through semantics understanding).

Semantics of Rough Sets From theory to applications (through semantics understanding). Motivated by Dubois, D. and Prade, P. The three semantics of fuzzy set, Fuzzy Sets and Systems, 90, 141-150, 1997. Rough sets and concepts Rough

549 views • 15 slides
One-Pass Streaming Algorithms Complaints and Grievances Theory and Practice about theory in

One-Pass Streaming Algorithms Complaints and Grievances Theory and Practice about theory in

One-Pass Streaming Algorithms Complaints and Grievances Theory and Practice about theory in practice Disclaimer Experiences with Gigascope. A practitioners perspective. Will be using my own implementations, rather than

849 views • 46 slides
Subcommittee Interim Presentation September 11, 2019 Charge The Eviction Reduction Subcommittee

Subcommittee Interim Presentation September 11, 2019 Charge The Eviction Reduction Subcommittee

Arlington County Tenant-Landlord Commissions Eviction Reduction Subcommittee Interim Presentation September 11, 2019 Charge The Eviction Reduction Subcommittee will hold meetings and take steps to reduce the number of preventable

294 views • 7 slides
Undecidability in number theory Listable sets DPRM theorem Consequences of DPRM

Undecidability in number theory Listable sets DPRM theorem Consequences of DPRM

Undecidability in number theory Bjorn Poonen H10 Polynomial equations Hilberts 10th problem Diophantine sets Undecidability in number theory Listable sets DPRM theorem Consequences of DPRM Prime-producing Bjorn Poonen polynomials

993 views • 62 slides
The Theory of Sets Cunsheng Ding HKUST, Hong Kong September 25, 2015 Cunsheng Ding (HKUST, Hong

The Theory of Sets Cunsheng Ding HKUST, Hong Kong September 25, 2015 Cunsheng Ding (HKUST, Hong

The Theory of Sets Cunsheng Ding HKUST, Hong Kong September 25, 2015 Cunsheng Ding (HKUST, Hong Kong) The Theory of Sets September 25, 2015 1 / 24 Contents Basic Definitions 1 Subsets 2 Power Sets 3 Operations on Sets 4 5 The

600 views • 24 slides
A polynomial-time algorith for finding minimal conflicting sets St ephane Vialette

A polynomial-time algorith for finding minimal conflicting sets St ephane Vialette

A polynomial-time algorith for finding minimal conflicting sets St ephane Vialette vialette@univ-mlv.fr LIGM Universit e Paris-Est Marne-la-Vall ee November 8-10, 2010 S. Vialette (LIGM) MCSR 11, 8-10, 10 1 / 1 Consecutive 1 s

474 views • 18 slides

More recommend