
Transient Side Channels. Mengjia Yan, Fall 2020. Based on slides from Christopher W. Fletcher.



  1. Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher

  2. Reminder
     • 1st paper review due midnight on 09/27 (before the next lecture)
     • You will receive an invitation from HotCRP
     • https://mit-6888-fa20.hotcrp.com/
     6.888 L6-Transient Side Channels 2

  4. Micro-architecture Side Channels
     [Figure: Victim (secret-dependent execution), A Channel (a micro-architecture structure), Attacker]
     {Cache, DRAM, TLB, NoC, etc.} × {Transient, Non-transient}
     Kiriansky et al. DAWG: a defense against cache timing attacks in speculative execution processors. MICRO’18

  5. Recap: 5-stage Pipeline
     [Figure: 5-stage pipeline datapath (PC, Inst. Memory, IR, GPRs, Imm Ext, ALU, Data Memory) with stages I-Fetch (IF), Decode, Reg. Fetch (ID), Execute (EX), Memory (MA), Write-Back (WB)]

  8. 5-stage Pipeline
     [Figure: 5-stage pipeline datapath with stages I-Fetch (IF), Decode, Reg. Fetch (ID), Execute (EX), Memory (MA), Write-Back (WB)]
     • In-order execution:
       • Execute instructions according to the program order

     time          t0   t1   t2   t3   t4   t5   t6   t7   ...
     instruction1  IF1  ID1  EX1  MA1  WB1
     instruction2       IF2  ID2  EX2  MA2  WB2
     instruction3            IF3  ID3  EX3  MA3  WB3
     instruction4                 IF4  ID4  EX4  MA4  WB4
     instruction5                      IF5  ID5  EX5  MA5  WB5

  9. Data Hazard and Control Hazard
     [Pipeline timing diagram, time t0 to t7 ...]
     Loop: ……
       LD(R1, 0, R2)     IF1 ID1 EX1 MA1 WB1
       ADD(R2, 10, R3)   IF2 ID2 EX2 MA2 WB2
       BNE(R3, Loop)     IF3 ID3 EX3 MA3 WB3
       ……

  10. Resolving Hazards
     • Stall or Bypass
     [Pipeline timing diagram, time t0 to t7 ...]
     Loop: ……
       LD(R1, 1, R2)     IF1 ID1 EX1 MA1 WB1
       ADD(R2, 10, R3)   IF2 ID2 EX2 MA2 WB2
       BNE(R3, Loop)     IF3 ID3 EX3 MA3 WB3
       ……
     • Speculation (e.g., branch predictor)
       • Guess a value and continue executing anyway
       • When actual value is available, two cases
         • Guessed correctly → do nothing
         • Guessed incorrectly → restart with correct value (roll back)

  13. Branch Predictor
     • Predict Taken/Not taken
       • Not taken: PC+4
       • Taken: need to know target address
     • Predict target address
       • Branch target buffer (BTB)
       • Map <current PC, target PC>
     • Use history information to set up the predictor

  15. Complex In-order Pipeline
     [Figure: pipeline with IF, ID, Issue, functional units ALU, Mem, Fadd, Fmul, Fdiv, and WB; register files GPRs and FPRs]
     • Need complex bypass/stall/kill paths
     • In real systems, EX/MA can take multiple cycles

  19. Out-of-order Execution
     • When the pipeline is stalled, find something else to do
     • When we do out-of-order execution, we are speculating that previous instructions do not cause an exception
     • If instruction n is a speculative instruction, instruction n+i is also speculative
     [Figure: pipeline with IF, ID, Issue, functional units ALU, Mem, Fadd, Fmul, Fdiv, and WB; register files GPRs and FPRs]
     [Pipeline timing diagram, time t0 to t7]
       LD(R1, 1, R2)     IF1 ID1 EX1 MA1 MA1 MA1 MA1 WB1
       ADD(R3, 10, R4)   IF2 ID2 EX2 MA2 WB2
       SUB(R4, 10, R5)   IF3 ID3 EX3 MA3 WB3
       ……

  25. Speculative & Out-of-Order Execution
     [Figure: speculative out-of-order pipeline. Labels: Branch Prediction, PC, Fetch, Decode & Rename (In-Order); Reorder Buffer (ROB), Physical Reg. File, Execute units ALU, MEM, FALU, …… (Out-of-Order); Commit (head of ROB) (In-Order); Branch Resolution; Update predictors; kill signals]
     • Dispatch logic: Detect data dependency, issue instructions to execute

  28. Terminology
     • A speculative instruction may squash. When executed, can change uArch state
     • A Transient instruction will squash, i.e., will not commit.
     • A Non-Transient instruction will not squash, i.e., will eventually retire.
     • That is, transient instructions are unreachable on a non-speculative microarchitecture.

  30. General Attack Schema
     [Figure: Victim: Access secret, transmit(secret); Channel; Attacker: recv()]
     • The difference between transient and non-transient side channels
       • Whether the secret access or transmitter execution is transient

  31. Meltdown & Spectre

  32. Kernel/User Pages
     [Figure: virtual memory, 0x00000000 to 0xffffffff, with kernel pages and user pages]
     • In x86, a process’s virtual address space includes kernel pages, but kernel pages are only accessible in kernel mode
       • For performance purpose
       • Avoids switching page tables on context switches
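
The Branch Predictor and Terminology slides above can be tied together in a toy model. The Python below is an added example, not part of the lecture: the `Core` class, the instruction names and the addresses are constructed, and it models no real CPU. It trains a 2-bit counter from branch history, then shows a mispredicted branch whose transient load is rolled back in the registers but leaves its line in the modeled cache.

```python
# Toy model of speculation and squash (added example; models no real CPU).
class Core:
    def __init__(self):
        self.counter = 0        # 2-bit saturating counter: 0-1 not taken, 2-3 taken
        self.regs = {"R1": 0}   # architectural state, restored on squash
        self.cache = set()      # microarchitectural state, NOT restored on squash
        self.log = []           # (instruction name, "transient" | "non-transient")

    def execute(self, path):
        for _name, dst, addr in path:   # each op models a load: dst <- mem[addr]
            self.cache.add(addr)        # the cache fill happens at execute time
            self.regs[dst] = addr       # stand-in for the loaded value

    def run_branch(self, actual_taken, taken_path, fall_path):
        """Speculate down the predicted path, then resolve the branch."""
        predicted = self.counter >= 2
        checkpoint = dict(self.regs)
        spec = taken_path if predicted else fall_path
        self.execute(spec)                      # speculative: may squash
        correct = predicted == actual_taken
        if correct:
            self.log += [(op[0], "non-transient") for op in spec]
        else:
            self.regs = checkpoint              # squash: roll back registers only
            self.log += [(op[0], "transient") for op in spec]
            right = taken_path if actual_taken else fall_path
            self.execute(right)                 # restart on the correct path
            self.log += [(op[0], "non-transient") for op in right]
        step = 1 if actual_taken else -1        # branch history trains the predictor
        self.counter = max(0, min(3, self.counter + step))
        return correct

def demo():
    core = Core()
    exit_path = [("LD_exit", "R1", 0x200)]      # constructed sample instructions
    for i in range(3):                          # loop branch taken three times
        core.run_branch(True, [("LD_body", "R1", 0x100 + 0x40 * i)], exit_path)
    core.cache.clear(); core.log.clear()        # observe only the final iteration
    # i = 3: the loop really exits, but the trained predictor still says "taken"
    correct = core.run_branch(False, [("LD_body", "R1", 0x1C0)], exit_path)
    return correct, core.regs["R1"], sorted(core.cache), core.log

if __name__ == "__main__":
    print(demo())
```

After the final iteration R1 holds only the exit path's value, yet address 0x1C0 is still in the modeled cache: the footprint of an instruction that never committed.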
