Timeline of a Vulnerability
|
|
- Eileen Fletcher
- 6 years ago
- Views:
Transcription
1
2 Timeline of a Vulnerability Is this all a conspiracy? Vulnerability existed for many years 1 Daniel Gruss, Moritz Lipp, Michael Schwarz
3 Timeline of a Vulnerability Is this all a conspiracy? Vulnerability existed for many years No one discovered it before 1 Daniel Gruss, Moritz Lipp, Michael Schwarz
4 Timeline of a Vulnerability Is this all a conspiracy? Vulnerability existed for many years No one discovered it before Suddenly, 4 independent teams discover it within 6 months 1 Daniel Gruss, Moritz Lipp, Michael Schwarz
5 Timeline of a Vulnerability Is this all a conspiracy? Vulnerability existed for many years No one discovered it before Suddenly, 4 independent teams discover it within 6 months Let s create an evidence board 1 Daniel Gruss, Moritz Lipp, Michael Schwarz
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22 Timeline of a Vulnerability Not a conspiracy Tools to detect the bug only invented in Daniel Gruss, Moritz Lipp, Michael Schwarz
23 Timeline of a Vulnerability Not a conspiracy Tools to detect the bug only invented in 2014 No broad interest in microarchitectural attacks before 2 Daniel Gruss, Moritz Lipp, Michael Schwarz
24 Timeline of a Vulnerability Not a conspiracy Tools to detect the bug only invented in 2014 No broad interest in microarchitectural attacks before Discovering teams quite knowledgeable in this area 2 Daniel Gruss, Moritz Lipp, Michael Schwarz
25 Timeline of a Vulnerability Not a conspiracy Tools to detect the bug only invented in 2014 No broad interest in microarchitectural attacks before Discovering teams quite knowledgeable in this area The bug was ripe a consequence of research in this area 2 Daniel Gruss, Moritz Lipp, Michael Schwarz
26 Timeline of a Vulnerability Not a conspiracy Tools to detect the bug only invented in 2014 No broad interest in microarchitectural attacks before Discovering teams quite knowledgeable in this area The bug was ripe a consequence of research in this area bug collision nearly inevitable 2 Daniel Gruss, Moritz Lipp, Michael Schwarz
27 The Fallout You realize it is something big when... 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
28 The Fallout You realize it is something big when... it is in the news, all over the world 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
29 The Fallout You realize it is something big when... it is in the news, all over the world 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
30 The Fallout You realize it is something big when... it is in the news, all over the world 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
31 The Fallout You realize it is something big when... it is in the news, all over the world 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
32 The Fallout You realize it is something big when... it is in the news, all over the world 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
33 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
34 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
35 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
36 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
37 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
38 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
39 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd you get a lot of Twitter follower after Snowden mentioned you 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
40 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd you get a lot of Twitter follower after Snowden mentioned you 3 Daniel Gruss, Moritz Lipp, Michael Schwarz
41 The Wall 4 Daniel Gruss, Moritz Lipp, Michael Schwarz
42 The Core of Meltdown/Spectre Kernel is isolated from user space Userspace Kernelspace Applications Operating System Memory 5 Daniel Gruss, Moritz Lipp, Michael Schwarz
43 The Core of Meltdown/Spectre Kernel is isolated from user space This isolation is a combination of hardware and software Userspace Kernelspace Applications Operating System Memory 5 Daniel Gruss, Moritz Lipp, Michael Schwarz
44 The Core of Meltdown/Spectre Kernel is isolated from user space This isolation is a combination of hardware and software User applications cannot access anything from the kernel Userspace Kernelspace Applications Operating System Memory 5 Daniel Gruss, Moritz Lipp, Michael Schwarz
45 The Core of Meltdown/Spectre Kernel is isolated from user space This isolation is a combination of hardware and software User applications cannot access anything from the kernel There is only a well-defined interface syscalls Userspace Applications Kernelspace Operating System Memory 5 Daniel Gruss, Moritz Lipp, Michael Schwarz
46
47
48
49
50 Revolutionary concept! Store your food at home, never go to the grocery store during cooking. Can store ALL kinds of food. ONLY TODAY INSTEAD OF $1,300 ORDER VIA PHONE:
51 CPU Cache printf("%d", i); printf("%d", i); 6 Daniel Gruss, Moritz Lipp, Michael Schwarz
52 CPU Cache printf("%d", i); printf("%d", i); Cache miss 6 Daniel Gruss, Moritz Lipp, Michael Schwarz
53 CPU Cache printf("%d", i); printf("%d", i); Cache miss Request 6 Daniel Gruss, Moritz Lipp, Michael Schwarz
54 CPU Cache printf("%d", i); printf("%d", i); Cache miss Request Response 6 Daniel Gruss, Moritz Lipp, Michael Schwarz
55 CPU Cache printf("%d", i); printf("%d", i); Cache miss i Request Response 6 Daniel Gruss, Moritz Lipp, Michael Schwarz
56 CPU Cache printf("%d", i); printf("%d", i); Cache miss Cache hit i Request Response 6 Daniel Gruss, Moritz Lipp, Michael Schwarz
57 CPU Cache DRAM access, slow printf("%d", i); printf("%d", i); Cache miss Cache hit i Request Response 6 Daniel Gruss, Moritz Lipp, Michael Schwarz
58 CPU Cache DRAM access, slow printf("%d", i); printf("%d", i); Cache miss Cache hit i No DRAM access, much faster Request Response 6 Daniel Gruss, Moritz Lipp, Michael Schwarz
59 Flush+Reload ATTACKER Shared Memory VICTIM flush access access 7 Daniel Gruss, Moritz Lipp, Michael Schwarz
60 Flush+Reload ATTACKER Shared Memory VICTIM flush access cached Shared Memory cached access 7 Daniel Gruss, Moritz Lipp, Michael Schwarz
61 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access 7 Daniel Gruss, Moritz Lipp, Michael Schwarz
62 Flush+Reload ATTACKER Shared Memory VICTIM flush access access 7 Daniel Gruss, Moritz Lipp, Michael Schwarz
63 Flush+Reload ATTACKER Shared Memory VICTIM flush access access 7 Daniel Gruss, Moritz Lipp, Michael Schwarz
64 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access 7 Daniel Gruss, Moritz Lipp, Michael Schwarz
65 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access 7 Daniel Gruss, Moritz Lipp, Michael Schwarz
66 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access fast if victim accessed data, slow otherwise 7 Daniel Gruss, Moritz Lipp, Michael Schwarz
67 Back to Work
68
69
70 Wait for an hour
71 Wait for an hour LATENCY
72
73 Dependency Parallelize
74 Out-of-order Execution int width = 10, height = 5; float diagonal = sqrt(width * width + height * height); int area = width * height; printf("area %d x %d = %d\n", width, height, area); 8 Daniel Gruss, Moritz Lipp, Michael Schwarz
75 Out-of-order Execution Dependency int width = 10, height = 5; float diagonal = sqrt(width * width + height * height); int area = width * height; Parallelize printf("area %d x %d = %d\n", width, height, area); 8 Daniel Gruss, Moritz Lipp, Michael Schwarz
76 Building the Code Find something human readable, e.g., the Linux version # sudo grep linux_banner /proc/kallsyms ffffffff81a000e0 R linux_banner 9 Daniel Gruss, Moritz Lipp, Michael Schwarz
77 Building the Code char data = *(char*)0xffffffff81a000e0; printf("%c\n", data); 10 Daniel Gruss, Moritz Lipp, Michael Schwarz
78 Building the Code Compile and run segfault at ffffffff81a000e0 ip sp 00007ffce4a80610 error 5 in reader 11 Daniel Gruss, Moritz Lipp, Michael Schwarz
79 Building the Code Compile and run segfault at ffffffff81a000e0 ip sp 00007ffce4a80610 error 5 in reader Kernel addresses are of course not accessible 11 Daniel Gruss, Moritz Lipp, Michael Schwarz
80 Building the Code Compile and run segfault at ffffffff81a000e0 ip sp 00007ffce4a80610 error 5 in reader Kernel addresses are of course not accessible Any invalid access throws an exception segmentation fault 11 Daniel Gruss, Moritz Lipp, Michael Schwarz
81 Building the Code Just catch the segmentation fault! 12 Daniel Gruss, Moritz Lipp, Michael Schwarz
82 Building the Code Just catch the segmentation fault! We can simply install a signal handler 12 Daniel Gruss, Moritz Lipp, Michael Schwarz
83 Building the Code Just catch the segmentation fault! We can simply install a signal handler And if an exception occurs, just jump back and continue 12 Daniel Gruss, Moritz Lipp, Michael Schwarz
84 Building the Code Just catch the segmentation fault! We can simply install a signal handler And if an exception occurs, just jump back and continue Then we can read the value 12 Daniel Gruss, Moritz Lipp, Michael Schwarz
85 Building the Code Just catch the segmentation fault! We can simply install a signal handler And if an exception occurs, just jump back and continue Then we can read the value Sounds like a good idea 12 Daniel Gruss, Moritz Lipp, Michael Schwarz
86 Building the Code Still no kernel memory 13 Daniel Gruss, Moritz Lipp, Michael Schwarz
87 Building the Code Still no kernel memory Maybe it is not that straight forward 13 Daniel Gruss, Moritz Lipp, Michael Schwarz
88 Building the Code Still no kernel memory Maybe it is not that straight forward Privilege checks seem to work 13 Daniel Gruss, Moritz Lipp, Michael Schwarz
89 Building the Code Still no kernel memory Maybe it is not that straight forward Privilege checks seem to work Are privilege checks also done when executing instructions out of order? 13 Daniel Gruss, Moritz Lipp, Michael Schwarz
90 Building the Code Still no kernel memory Maybe it is not that straight forward Privilege checks seem to work Are privilege checks also done when executing instructions out of order? Problem: out-of-order instructions are not visible 13 Daniel Gruss, Moritz Lipp, Michael Schwarz
91 Building the Code Adapted code *(volatile char*)0; array[0] = 0; 14 Daniel Gruss, Moritz Lipp, Michael Schwarz
92 Building the Code Adapted code *(volatile char*)0; array[0] = 0; volatile because compiler was not happy warning : s t a t e m e n t with no e f f e c t [ Wunused v a l u e ] ( char ) 0 ; 14 Daniel Gruss, Moritz Lipp, Michael Schwarz
93 Building the Code Adapted code *(volatile char*)0; array[0] = 0; volatile because compiler was not happy warning : s t a t e m e n t with no e f f e c t [ Wunused v a l u e ] ( char ) 0 ; Static code analyzer is still not happy warning : D e r e f e r e n c e o f n u l l p o i n t e r ( v o l a t i l e char ) 0 ; 14 Daniel Gruss, Moritz Lipp, Michael Schwarz
94 Traces in the Cache 15 Daniel Gruss, Moritz Lipp, Michael Schwarz
95 Traces in the Cache 15 Daniel Gruss, Moritz Lipp, Michael Schwarz
96 Traces in the Cache 15 Daniel Gruss, Moritz Lipp, Michael Schwarz
97 Traces in the Cache 15 Daniel Gruss, Moritz Lipp, Michael Schwarz
98 Traces in the Cache 15 Daniel Gruss, Moritz Lipp, Michael Schwarz
99 Traces in the Cache 15 Daniel Gruss, Moritz Lipp, Michael Schwarz
100 Traces in the Cache 15 Daniel Gruss, Moritz Lipp, Michael Schwarz
101 Traces in the Cache 15 Daniel Gruss, Moritz Lipp, Michael Schwarz
102 Building the Code Out-of-order instructions leave microarchitectural traces 16 Daniel Gruss, Moritz Lipp, Michael Schwarz
103 Building the Code Out-of-order instructions leave microarchitectural traces We can see them for example in the cache 16 Daniel Gruss, Moritz Lipp, Michael Schwarz
104 Building the Code Out-of-order instructions leave microarchitectural traces We can see them for example in the cache Give such instructions a name: transient instructions 16 Daniel Gruss, Moritz Lipp, Michael Schwarz
105 Building the Code Out-of-order instructions leave microarchitectural traces We can see them for example in the cache Give such instructions a name: transient instructions We can indirectly observe the execution of transient instructions 16 Daniel Gruss, Moritz Lipp, Michael Schwarz
106 Building the Code Maybe there is no permission check in transient instructions Daniel Gruss, Moritz Lipp, Michael Schwarz
107 Building the Code Maybe there is no permission check in transient instructions......or it is only done when commiting them 17 Daniel Gruss, Moritz Lipp, Michael Schwarz
108 Building the Code Maybe there is no permission check in transient instructions......or it is only done when commiting them Add another layer of indirection to test char data = *(char*)0xffffffff81a000e0; array[data * 4096] = 0; 17 Daniel Gruss, Moritz Lipp, Michael Schwarz
109 Building the Code Maybe there is no permission check in transient instructions......or it is only done when commiting them Add another layer of indirection to test char data = *(char*)0xffffffff81a000e0; array[data * 4096] = 0; Then check whether any part of array is cached 17 Daniel Gruss, Moritz Lipp, Michael Schwarz
110 Building the Code Flush+Reload over all pages of the array Access time [cycles] Page Index of cache hit reveals data 18 Daniel Gruss, Moritz Lipp, Michael Schwarz
111 Building the Code Flush+Reload over all pages of the array Access time [cycles] Page Index of cache hit reveals data Permission check is in some cases not fast enough 18 Daniel Gruss, Moritz Lipp, Michael Schwarz
112
113
114
115
116 Not so fast...
117 Take the kernel addresses... Kernel addresses in user space are a problem 19 Daniel Gruss, Moritz Lipp, Michael Schwarz
118 Take the kernel addresses... Kernel addresses in user space are a problem Why don t we take the kernel addresses Daniel Gruss, Moritz Lipp, Michael Schwarz
119 ...and remove them...and remove them if not needed? 20 Daniel Gruss, Moritz Lipp, Michael Schwarz
120 ...and remove them...and remove them if not needed? User accessible check in hardware is not reliable 20 Daniel Gruss, Moritz Lipp, Michael Schwarz
121 Idea Let s just unmap the kernel in user space 21 Daniel Gruss, Moritz Lipp, Michael Schwarz
122 Idea Let s just unmap the kernel in user space Kernel addresses are then no longer present 21 Daniel Gruss, Moritz Lipp, Michael Schwarz
123 Idea Let s just unmap the kernel in user space Kernel addresses are then no longer present Memory which is not mapped cannot be accessed at all 21 Daniel Gruss, Moritz Lipp, Michael Schwarz
124
125 Kernel Address Isolation to have Side channels Efficiently Removed
126 KAISER /ˈkʌɪzə/ 1. [german] Emperor, ruler of an empire 2. largest penguin, emperor penguin Kernel Address Isolation to have Side channels Efficiently Removed
127 Userspace Kernelspace Applications Operating System Memory
128 Kernel View User View Userspace Kernelspace Userspace Kernelspace Applications Operating System Memory Applications context switch
129 Kernel Address Space Isolation We published KAISER in July Daniel Gruss, Moritz Lipp, Michael Schwarz
130 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) 22 Daniel Gruss, Moritz Lipp, Michael Schwarz
131 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) Microsoft implemented similar concept in Windows Daniel Gruss, Moritz Lipp, Michael Schwarz
132 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) Microsoft implemented similar concept in Windows 10 Apple implemented it in macos and called it Double Map 22 Daniel Gruss, Moritz Lipp, Michael Schwarz
133 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) Microsoft implemented similar concept in Windows 10 Apple implemented it in macos and called it Double Map All share the same idea: switching address spaces on context switch 22 Daniel Gruss, Moritz Lipp, Michael Schwarz
134
135 Performance Depends on how often you need to switch between kernel and user space 23 Daniel Gruss, Moritz Lipp, Michael Schwarz
136 Performance Depends on how often you need to switch between kernel and user space Can be slow, 40% or more on old hardware 23 Daniel Gruss, Moritz Lipp, Michael Schwarz
137 Performance Depends on how often you need to switch between kernel and user space Can be slow, 40% or more on old hardware But modern CPUs have additional features 23 Daniel Gruss, Moritz Lipp, Michael Schwarz
138 Performance Depends on how often you need to switch between kernel and user space Can be slow, 40% or more on old hardware But modern CPUs have additional features Performance overhead on average below 2% 23 Daniel Gruss, Moritz Lipp, Michael Schwarz
139 Meltdown and Spectre 24 Daniel Gruss, Moritz Lipp, Michael Schwarz
140 Meltdown and Spectre 24 Daniel Gruss, Moritz Lipp, Michael Schwarz
141
142 Prosciutto
143 Funghi
144 Diavolo
145 Diavolo
146 Diavolo
147 Diavolo
148 »A table for 6 please«
149
150 Speculative Cooking
151 »A table for 6 please«
152
153
154
155
156 Spectre (variant 1) index = 0; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
157 Spectre (variant 1) index = 0; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
158 Spectre (variant 1) index = 0; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 25 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
159 Spectre (variant 1) index = 0; char* data = "textkey"; if (index < 4) Execute th els en e Prediction LUT[data[index] * 4096] 25 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
160 Spectre (variant 1) index = 1; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
161 Spectre (variant 1) index = 1; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
162 Spectre (variant 1) index = 1; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 25 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
163 Spectre (variant 1) index = 1; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
164 Spectre (variant 1) index = 2; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
165 Spectre (variant 1) index = 2; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
166 Spectre (variant 1) index = 2; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 25 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
167 Spectre (variant 1) index = 2; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
168 Spectre (variant 1) index = 3; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
169 Spectre (variant 1) index = 3; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
170 Spectre (variant 1) index = 3; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 25 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
171 Spectre (variant 1) index = 3; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
172 Spectre (variant 1) index = 4; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
173 Spectre (variant 1) index = 4; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
174 Spectre (variant 1) index = 4; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 25 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
175 Spectre (variant 1) index = 4; char* data = "textkey"; if (index < 4) Execute th els en e Prediction LUT[data[index] * 4096] 25 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
176 Spectre (variant 1) index = 5; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
177 Spectre (variant 1) index = 5; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
178 Spectre (variant 1) index = 5; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 25 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
179 Spectre (variant 1) index = 5; char* data = "textkey"; if (index < 4) Execute th els en e Prediction LUT[data[index] * 4096] 25 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
180 Spectre (variant 1) index = 6; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
181 Spectre (variant 1) index = 6; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 25 Daniel Gruss, Moritz Lipp, Michael Schwarz
182 Spectre (variant 1) index = 6; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 25 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
183 Spectre (variant 1) index = 6; char* data = "textkey"; if (index < 4) Execute th els en e Prediction LUT[data[index] * 4096] 25 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
184 Spectre (variant 2) Animal* a = bird; a->move() fly() swim() swim() Prediction LUT[data[index] * 4096] 0 26 Daniel Gruss, Moritz Lipp, Michael Schwarz
185 Spectre (variant 2) Animal* a = bird; a->move() () swim() fly sw Speculate im () Prediction LUT[data[index] * 4096] 26 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
186 Spectre (variant 2) Animal* a = bird; a->move() fly() swim() swim() Prediction LUT[data[index] * 4096] 0 26 Daniel Gruss, Moritz Lipp, Michael Schwarz
187 Spectre (variant 2) Animal* a = bird; a->move() Execute () fly swim() sw im () Prediction LUT[data[index] * 4096] 26 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
188 Spectre (variant 2) Animal* a = bird; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 26 Daniel Gruss, Moritz Lipp, Michael Schwarz
189 Spectre (variant 2) Animal* a = bird; a->move() Speculate () fly fly() sw im () Prediction LUT[data[index] * 4096] 26 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
190 Spectre (variant 2) Animal* a = bird; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 26 Daniel Gruss, Moritz Lipp, Michael Schwarz
191 Spectre (variant 2) Animal* a = fish; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 26 Daniel Gruss, Moritz Lipp, Michael Schwarz
192 Spectre (variant 2) Animal* a = fish; a->move() Speculate ) ( fly fly() sw im () Prediction LUT[data[index] * 4096] 26 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
193 Spectre (variant 2) Animal* a = fish; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 26 Daniel Gruss, Moritz Lipp, Michael Schwarz
194 Spectre (variant 2) Animal* a = fish; a->move() () fly() fly Execute sw im () Prediction LUT[data[index] * 4096] 26 0 Daniel Gruss, Moritz Lipp, Michael Schwarz
195 Spectre (variant 2) Animal* a = fish; a->move() fly() swim() swim() Prediction LUT[data[index] * 4096] 0 26 Daniel Gruss, Moritz Lipp, Michael Schwarz
196 Spectre Read own memory (e.g., sandbox escape) 27 Daniel Gruss, Moritz Lipp, Michael Schwarz
197 Spectre Read own memory (e.g., sandbox escape) Convince other programs to reveal their secrets 27 Daniel Gruss, Moritz Lipp, Michael Schwarz
198 Spectre Read own memory (e.g., sandbox escape) Convince other programs to reveal their secrets Again, a cache attack (Flush+Reload) is used to read the secret 27 Daniel Gruss, Moritz Lipp, Michael Schwarz
199 Spectre Read own memory (e.g., sandbox escape) Convince other programs to reveal their secrets Again, a cache attack (Flush+Reload) is used to read the secret Much harder to fix, KAISER does not help 27 Daniel Gruss, Moritz Lipp, Michael Schwarz
200 Spectre Read own memory (e.g., sandbox escape) Convince other programs to reveal their secrets Again, a cache attack (Flush+Reload) is used to read the secret Much harder to fix, KAISER does not help Ongoing effort to patch via microcode update and compiler extensions 27 Daniel Gruss, Moritz Lipp, Michael Schwarz
201 Spectre Variant 1 Mitigations 28 Daniel Gruss, Moritz Lipp, Michael Schwarz
202 Spectre Variant 1 Mitigations LFENCE 28 Daniel Gruss, Moritz Lipp, Michael Schwarz
203 Spectre Variant 1 Mitigations LFENCE speculation barrier to insert after every bounds check 28 Daniel Gruss, Moritz Lipp, Michael Schwarz
204 Spectre Variant 1 Mitigations LFENCE speculation barrier to insert after every bounds check implemented as a compiler extension 28 Daniel Gruss, Moritz Lipp, Michael Schwarz
205 Spectre Variant 2 Mitigations (Microcode/MSRs) Indirect Branch Restricted Speculation (IBRS): 29 Daniel Gruss, Moritz Lipp, Michael Schwarz
206 Spectre Variant 2 Mitigations (Microcode/MSRs) Indirect Branch Restricted Speculation (IBRS): do not speculate based on anything before entering IBRS mode 29 Daniel Gruss, Moritz Lipp, Michael Schwarz
207 Spectre Variant 2 Mitigations (Microcode/MSRs) Indirect Branch Restricted Speculation (IBRS): do not speculate based on anything before entering IBRS mode hyperthreading? 29 Daniel Gruss, Moritz Lipp, Michael Schwarz
208 Spectre Variant 2 Mitigations (Microcode/MSRs) Indirect Branch Restricted Speculation (IBRS): do not speculate based on anything before entering IBRS mode hyperthreading? Indirect Branch Predictor Barrier (IBPB): 29 Daniel Gruss, Moritz Lipp, Michael Schwarz
209 Spectre Variant 2 Mitigations (Microcode/MSRs) Indirect Branch Restricted Speculation (IBRS): do not speculate based on anything before entering IBRS mode hyperthreading? Indirect Branch Predictor Barrier (IBPB): flush branch-target buffer 29 Daniel Gruss, Moritz Lipp, Michael Schwarz
210 Spectre Variant 2 Mitigations (Microcode/MSRs) Indirect Branch Restricted Speculation (IBRS): do not speculate based on anything before entering IBRS mode hyperthreading? Indirect Branch Predictor Barrier (IBPB): flush branch-target buffer hyperthreading? 29 Daniel Gruss, Moritz Lipp, Michael Schwarz
211 Spectre Variant 2 Mitigations (Software) Single Thread Indirect Branch Predictors (STIBP) 30 Daniel Gruss, Moritz Lipp, Michael Schwarz
212 Spectre Variant 2 Mitigations (Software) Single Thread Indirect Branch Predictors (STIBP) = retpoline 30 Daniel Gruss, Moritz Lipp, Michael Schwarz
213 Spectre Variant 2 Mitigations (Software) Single Thread Indirect Branch Predictors (STIBP) = retpoline push <call_target> call 1f 2: ; speculation will continue here lfence ; speculation barrier jmp 2b ; endless loop 1: lea 8(%rsp), %rsp ; restore stack pointer ret ; the actual call to <call_target> always predict to enter an endless loop 30 Daniel Gruss, Moritz Lipp, Michael Schwarz
214 Spectre Variant 2 Mitigations (Software) Single Thread Indirect Branch Predictors (STIBP) = retpoline push <call_target> call 1f 2: ; speculation will continue here lfence ; speculation barrier jmp 2b ; endless loop 1: lea 8(%rsp), %rsp ; restore stack pointer ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function 30 Daniel Gruss, Moritz Lipp, Michael Schwarz
215 Spectre Variant 2 Mitigations (Software) Single Thread Indirect Branch Predictors (STIBP) = retpoline push <call_target> call 1f 2: ; speculation will continue here lfence ; speculation barrier jmp 2b ; endless loop 1: lea 8(%rsp), %rsp ; restore stack pointer ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function performance? 30 Daniel Gruss, Moritz Lipp, Michael Schwarz
216 Spectre Variant 2 Mitigations (Software) Single Thread Indirect Branch Predictors (STIBP) = retpoline push <call_target> call 1f 2: ; speculation will continue here lfence ; speculation barrier jmp 2b ; endless loop 1: lea 8(%rsp), %rsp ; restore stack pointer ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function performance? On Broadwell or newer: 30 Daniel Gruss, Moritz Lipp, Michael Schwarz
217 Spectre Variant 2 Mitigations (Software) Single Thread Indirect Branch Predictors (STIBP) = retpoline push <call_target> call 1f 2: ; speculation will continue here lfence ; speculation barrier jmp 2b ; endless loop 1: lea 8(%rsp), %rsp ; restore stack pointer ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function performance? On Broadwell or newer: ret may fall-back to the BTB for prediction 30 Daniel Gruss, Moritz Lipp, Michael Schwarz
218 Spectre Variant 2 Mitigations (Software) Single Thread Indirect Branch Predictors (STIBP) = retpoline push <call_target> call 1f 2: ; speculation will continue here lfence ; speculation barrier jmp 2b ; endless loop 1: lea 8(%rsp), %rsp ; restore stack pointer ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function performance? On Broadwell or newer: ret may fall-back to the BTB for prediction microcode patches to prevent that 30 Daniel Gruss, Moritz Lipp, Michael Schwarz
219 What do we learn from it? We have ignored software side-channels for many many years: 31 Daniel Gruss, Moritz Lipp, Michael Schwarz
220 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto 31 Daniel Gruss, Moritz Lipp, Michael Schwarz
221 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto software should be fixed 31 Daniel Gruss, Moritz Lipp, Michael Schwarz
222 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR 31 Daniel Gruss, Moritz Lipp, Michael Schwarz
223 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway 31 Daniel Gruss, Moritz Lipp, Michael Schwarz
224 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway attacks on SGX and TrustZone 31 Daniel Gruss, Moritz Lipp, Michael Schwarz
225 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway attacks on SGX and TrustZone not part of the threat model 31 Daniel Gruss, Moritz Lipp, Michael Schwarz
226 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway attacks on SGX and TrustZone not part of the threat model for years we solely optimized for performance 31 Daniel Gruss, Moritz Lipp, Michael Schwarz
227 When you read the Intel manuals... After learning about a side channel you realize: 32 Daniel Gruss, Moritz Lipp, Michael Schwarz
228 When you read the Intel manuals... After learning about a side channel you realize: the side channels were documented in the Intel manual 32 Daniel Gruss, Moritz Lipp, Michael Schwarz
229 When you read the Intel manuals... After learning about a side channel you realize: the side channels were documented in the Intel manual only now we understand the implications 32 Daniel Gruss, Moritz Lipp, Michael Schwarz
230 What do we learn from it? Motor Vehicle Deaths in U.S. by Year 33 Daniel Gruss, Moritz Lipp, Michael Schwarz
231
232 A unique chance A unique chance to rethink processor design grow up, like other fields (car industry, construction industry) find good trade-offs between security and performance 34 Daniel Gruss, Moritz Lipp, Michael Schwarz
233 Conclusion Underestimated microarchitectural attacks for a long time Basic techniques were there for years Industry and customers must embrace security mechanisms Run through the same development (for security) as the automobile industry (for safety) It should not be performance first, but security first 35 Daniel Gruss, Moritz Lipp, Michael Schwarz
234 Fact or Fiction?
235 Fact or Fiction? FAc tt
236 Any Questions?
237
Timeline of a Vulnerability
Introduction Timeline of a Vulnerability Is this all a conspiracy? Vulnerability existed for many years 2 Michael Schwarz (@misc0110) www.iaik.tugraz.at Timeline of a Vulnerability Is this all a conspiracy?
More informationAdministrivia. Course Objectives. Overview. Lecture Notes Week markem/cs333/ 2. Staff. 3. Prerequisites. 4. Grading. 1. Theory and application
Administrivia 1. markem/cs333/ 2. Staff 3. Prerequisites 4. Grading Course Objectives 1. Theory and application 2. Benefits 3. Labs TAs Overview 1. What is a computer system? CPU PC ALU System bus Memory
More informationEffective Entropy for Memory Randomization Defenses
Effective Entropy for Memory Randomization Defenses William Herlands, Thomas Hobson, Paula Donovan 7 th Workshop on Cyber Security Experimentation and Test 18 August 2014 This work is sponsored by Assistant
More informationComputer Architecture
Computer Architecture QtSpim, a Mips simulator S. Coudert and R. Pacalet January 4, 2018..................... Memory Mapping 0xFFFF000C 0xFFFF0008 0xFFFF0004 0xffff0000 0x90000000 0x80000000 0x7ffff4d4
More informationECEN 651: Microprogrammed Control of Digital Systems Department of Electrical and Computer Engineering Texas A&M University
ECEN 651: Microprogrammed Control of Digital Systems Department of Electrical and Computer Engineering Texas A&M University Prof. Mi Lu TA: Ehsan Rohani Laboratory Exercise #4 MIPS Assembly and Simulation
More informationICS 233 Computer Architecture & Assembly Language
ICS 233 Computer Architecture & Assembly Language Assignment 6 Solution 1. Identify all of the RAW data dependencies in the following code. Which dependencies are data hazards that will be resolved by
More informationIssue = Select + Wakeup. Out-of-order Pipeline. Issue. Issue = Select + Wakeup. OOO execution (2-wide) OOO execution (2-wide)
Out-of-order Pipeline Buffer of instructions Issue = Select + Wakeup Select N oldest, read instructions N=, xor N=, xor and sub Note: ma have execution resource constraints: i.e., load/store/fp Fetch Decode
More informationImpact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers
Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Goutam Paul and Shashwat Raizada Jadavpur University, Kolkata and Indian Statistical Institute,
More informationGo Tutorial. Ian Lance Taylor. Introduction. Why? Language. Go Tutorial. Ian Lance Taylor. GCC Summit, October 27, 2010
GCC Summit, October 27, 2010 Go Go is a new experimental general purpose programming language. Main developers are: Russ Cox Robert Griesemer Rob Pike Ken Thompson It was released as free software in November
More informationWorst-Case Execution Time Analysis. LS 12, TU Dortmund
Worst-Case Execution Time Analysis Prof. Dr. Jian-Jia Chen LS 12, TU Dortmund 09/10, Jan., 2018 Prof. Dr. Jian-Jia Chen (LS 12, TU Dortmund) 1 / 43 Most Essential Assumptions for Real-Time Systems Upper
More informationCS 700: Quantitative Methods & Experimental Design in Computer Science
CS 700: Quantitative Methods & Experimental Design in Computer Science Sanjeev Setia Dept of Computer Science George Mason University Logistics Grade: 35% project, 25% Homework assignments 20% midterm,
More informationWorst-Case Execution Time Analysis. LS 12, TU Dortmund
Worst-Case Execution Time Analysis Prof. Dr. Jian-Jia Chen LS 12, TU Dortmund 02, 03 May 2016 Prof. Dr. Jian-Jia Chen (LS 12, TU Dortmund) 1 / 53 Most Essential Assumptions for Real-Time Systems Upper
More informationSliding right into disaster - Left-to-right sliding windows leak
Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and
More informationvsyscall and vdso Adrien «schischi» Schildknecht vsyscall and vdso March 17, 2014
March 17, 2014 Section 1 Introduction Goal In computing, a system call is how a program requests a service from an operating system s kernel. This may include hardware related services (e.g. accessing
More informationUnit 6: Branch Prediction
CIS 501: Computer Architecture Unit 6: Branch Prediction Slides developed by Joe Devie/, Milo Mar4n & Amir Roth at Upenn with sources that included University of Wisconsin slides by Mark Hill, Guri Sohi,
More informationCSE. 1. In following code. addi. r1, skip1 xor in r2. r3, skip2. counter r4, top. taken): PC1: PC2: PC3: TTTTTT TTTTTT
CSE 560 Practice Problem Set 4 Solution 1. In this question, you will examine several different schemes for branch prediction, using the following code sequence for a simple load store ISA with no branch
More informationComputer Algorithms CISC4080 CIS, Fordham Univ. Outline. Last class. Instructor: X. Zhang Lecture 2
Computer Algorithms CISC4080 CIS, Fordham Univ. Instructor: X. Zhang Lecture 2 Outline Introduction to algorithm analysis: fibonacci seq calculation counting number of computer steps recursive formula
More informationComputer Algorithms CISC4080 CIS, Fordham Univ. Instructor: X. Zhang Lecture 2
Computer Algorithms CISC4080 CIS, Fordham Univ. Instructor: X. Zhang Lecture 2 Outline Introduction to algorithm analysis: fibonacci seq calculation counting number of computer steps recursive formula
More informationPortland State University ECE 587/687. Branch Prediction
Portland State University ECE 587/687 Branch Prediction Copyright by Alaa Alameldeen and Haitham Akkary 2015 Branch Penalty Example: Comparing perfect branch prediction to 90%, 95%, 99% prediction accuracy,
More informationEfficient Application of Countermeasures for Elliptic Curve Cryptography
Efficient Application of Countermeasures for Elliptic Curve Cryptography Vladimir Soukharev, Ph.D. Basil Hess, Ph.D. InfoSec Global Inc. May 19, 2017 Outline Introduction Brief Summary of ECC Arithmetic
More informationComp 11 Lectures. Mike Shah. July 26, Tufts University. Mike Shah (Tufts University) Comp 11 Lectures July 26, / 40
Comp 11 Lectures Mike Shah Tufts University July 26, 2017 Mike Shah (Tufts University) Comp 11 Lectures July 26, 2017 1 / 40 Please do not distribute or host these slides without prior permission. Mike
More informationBranch Prediction based attacks using Hardware performance Counters IIT Kharagpur
Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur March 19, 2018 Modular Exponentiation Public key Cryptography March 19, 2018 Branch Prediction Attacks 2 / 54 Modular Exponentiation
More informationPerformance Metrics for Computer Systems. CASS 2018 Lavanya Ramapantulu
Performance Metrics for Computer Systems CASS 2018 Lavanya Ramapantulu Eight Great Ideas in Computer Architecture Design for Moore s Law Use abstraction to simplify design Make the common case fast Performance
More informationFall 2008 CSE Qualifying Exam. September 13, 2008
Fall 2008 CSE Qualifying Exam September 13, 2008 1 Architecture 1. (Quan, Fall 2008) Your company has just bought a new dual Pentium processor, and you have been tasked with optimizing your software for
More informationLecture 16 More Profiling: gperftools, systemwide tools: oprofile, perf, DTrace, etc.
Lecture 16 More Profiling: gperftools, systemwide tools: oprofile, perf, DTrace, etc. ECE 459: Programming for Performance March 6, 2014 Part I gperftools 2 / 49 Introduction to gperftools Google Performance
More informationExperimenting with Forces
A mother hears a loud crash in the living room. She walks into the room to see her seven-year-old son looking at a broken vase on the floor. How did that happen? she asks. I don t know. The vase just fell
More informationCache-Oblivious Algorithms
Cache-Oblivious Algorithms 1 Cache-Oblivious Model 2 The Unknown Machine Algorithm C program gcc Object code linux Execution Can be executed on machines with a specific class of CPUs Algorithm Java program
More informationMICROPROCESSOR REPORT. THE INSIDER S GUIDE TO MICROPROCESSOR HARDWARE
MICROPROCESSOR www.mpronline.com REPORT THE INSIDER S GUIDE TO MICROPROCESSOR HARDWARE ENERGY COROLLARIES TO AMDAHL S LAW Analyzing the Interactions Between Parallel Execution and Energy Consumption By
More informationCSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis. Ruth Anderson Winter 2019
CSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis Ruth Anderson Winter 2019 Today Algorithm Analysis What do we care about? How to compare two algorithms Analyzing Code Asymptotic Analysis
More informationCache-Oblivious Algorithms
Cache-Oblivious Algorithms 1 Cache-Oblivious Model 2 The Unknown Machine Algorithm C program gcc Object code linux Execution Can be executed on machines with a specific class of CPUs Algorithm Java program
More informationE23: Hotel Management System Wen Yunlu Hu Xing Chen Ke Tang Haoyuan Module: EEE 101
E23: Hotel Management System Author: 1302509 Zhao Ruimin 1301478 Wen Yunlu 1302575 Hu Xing 1301911 Chen Ke 1302599 Tang Haoyuan Module: EEE 101 Lecturer: Date: Dr.Lin December/22/2014 Contents Contents
More informationChe-Wei Chang Department of Computer Science and Information Engineering, Chang Gung University
Che-Wei Chang chewei@mail.cgu.edu.tw Department of Computer Science and Information Engineering, Chang Gung University } 2017/11/15 Midterm } 2017/11/22 Final Project Announcement 2 1. Introduction 2.
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationMeasurement & Performance
Measurement & Performance Timers Performance measures Time-based metrics Rate-based metrics Benchmarking Amdahl s law Topics 2 Page The Nature of Time real (i.e. wall clock) time = User Time: time spent
More informationMeasurement & Performance
Measurement & Performance Topics Timers Performance measures Time-based metrics Rate-based metrics Benchmarking Amdahl s law 2 The Nature of Time real (i.e. wall clock) time = User Time: time spent executing
More informationThe conceptual view. by Gerrit Muller University of Southeast Norway-NISE
by Gerrit Muller University of Southeast Norway-NISE e-mail: gaudisite@gmail.com www.gaudisite.nl Abstract The purpose of the conceptual view is described. A number of methods or models is given to use
More informationNCU EE -- DSP VLSI Design. Tsung-Han Tsai 1
NCU EE -- DSP VLSI Design. Tsung-Han Tsai 1 Multi-processor vs. Multi-computer architecture µp vs. DSP RISC vs. DSP RISC Reduced-instruction-set Register-to-register operation Higher throughput by using
More informationSpecial Nodes for Interface
fi fi Special Nodes for Interface SW on processors Chip-level HW Board-level HW fi fi C code VHDL VHDL code retargetable compilation high-level synthesis SW costs HW costs partitioning (solve ILP) cluster
More informationVäxjö University. Software Security Testing. A Flexible Architecture for Security Testing. School of Mathematics and System Engineering
School of Mathematics and System Engineering Reports from MSI - Rapporter från MSI Växjö University Software Security Testing A Flexible Architecture for Security Testing Martin Andersson Aug 2008 MSI
More informationCSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis. Ruth Anderson Winter 2018
CSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis Ruth Anderson Winter 2018 Today Algorithm Analysis What do we care about? How to compare two algorithms Analyzing Code Asymptotic Analysis
More informationHigh Performance Computing
Master Degree Program in Computer Science and Networking, 2014-15 High Performance Computing 2 nd appello February 11, 2015 Write your name, surname, student identification number (numero di matricola),
More informationNICTA Advanced Course. Theorem Proving Principles, Techniques, Applications. Gerwin Klein Formal Methods
NICTA Advanced Course Theorem Proving Principles, Techniques, Applications Gerwin Klein Formal Methods 1 ORGANISATORIALS When Mon 14:00 15:30 Wed 10:30 12:00 7 weeks ends Mon, 20.9.2004 Exceptions Mon
More informationA Control Flow Integrity Based Trust Model. Ge Zhu Akhilesh Tyagi Iowa State University
A Control Flow Integrity Based Trust Model Ge Zhu Akhilesh Tyagi Iowa State University Trust Model Many definitions of trust. Typically transaction level trust propagation/policy. Self-assessment of trust.
More informationCSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis. Ruth Anderson Winter 2018
CSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis Ruth Anderson Winter 2018 Today Algorithm Analysis What do we care about? How to compare two algorithms Analyzing Code Asymptotic Analysis
More informationSafety and Liveness. Thread Synchronization: Too Much Milk. Critical Sections. A Really Cool Theorem
Safety and Liveness Properties defined over an execution of a program Thread Synchronization: Too Much Milk Safety: nothing bad happens holds in every finite execution prefix Windows never crashes No patient
More informationIntroducing Inspector Tippington
Introducing Inspector Tippington Inspector Tippington is a world-famous detective who is retired from Scotland Yard. He is also an expert in world history. He has spent his life traveling around the world
More informationRandom Number Generation Is Getting Harder It s Time to Pay Attention
SESSION ID: PDAC-F03 Random Number Generation Is Getting Harder It s Time to Pay Attention Richard Moulds General Manager Whitewood Richard Hughes Laboratory Fellow (Retired) Los Alamos National Laboratory
More informationECE/CS 250 Computer Architecture
ECE/CS 250 Computer Architecture Basics of Logic Design: Boolean Algebra, Logic Gates (Combinational Logic) Tyler Bletsch Duke University Slides are derived from work by Daniel J. Sorin (Duke), Alvy Lebeck
More informationTDDI04, K. Arvidsson, IDA, Linköpings universitet CPU Scheduling. Overview: CPU Scheduling. [SGG7] Chapter 5. Basic Concepts.
TDDI4 Concurrent Programming, Operating Systems, and Real-time Operating Systems CPU Scheduling Overview: CPU Scheduling CPU bursts and I/O bursts Scheduling Criteria Scheduling Algorithms Multiprocessor
More informationThis Unit: Scheduling (Static + Dynamic) CIS 501 Computer Architecture. Readings. Review Example
This Unit: Scheduling (Static + Dnamic) CIS 50 Computer Architecture Unit 8: Static and Dnamic Scheduling Application OS Compiler Firmware CPU I/O Memor Digital Circuits Gates & Transistors! Previousl:!
More informationThis ensures that we walk downhill. For fixed λ not even this may be the case.
Gradient Descent Objective Function Some differentiable function f : R n R. Gradient Descent Start with some x 0, i = 0 and learning rate λ repeat x i+1 = x i λ f(x i ) until f(x i+1 ) ɛ Line Search Variant
More informationNEC PerforCache. Influence on M-Series Disk Array Behavior and Performance. Version 1.0
NEC PerforCache Influence on M-Series Disk Array Behavior and Performance. Version 1.0 Preface This document describes L2 (Level 2) Cache Technology which is a feature of NEC M-Series Disk Array implemented
More informationSimple Instruction-Pipelining (cont.) Pipelining Jumps
6.823, L9--1 Simple ruction-pipelining (cont.) + Interrupts Updated March 6, 2000 Laboratory for Computer Science M.I.T. http://www.csg.lcs.mit.edu/6.823 Src1 ( j / ~j ) Src2 ( / Ind) Pipelining Jumps
More informationCSE370: Introduction to Digital Design
CSE370: Introduction to Digital Design Course staff Gaetano Borriello, Brian DeRenzi, Firat Kiyak Course web www.cs.washington.edu/370/ Make sure to subscribe to class mailing list (cse370@cs) Course text
More informationINF2270 Spring Philipp Häfliger. Lecture 8: Superscalar CPUs, Course Summary/Repetition (1/2)
INF2270 Spring 2010 Philipp Häfliger Summary/Repetition (1/2) content From Scalar to Superscalar Lecture Summary and Brief Repetition Binary numbers Boolean Algebra Combinational Logic Circuits Encoder/Decoder
More informationcsci 210: Data Structures Program Analysis
csci 210: Data Structures Program Analysis Summary Topics commonly used functions analysis of algorithms experimental asymptotic notation asymptotic analysis big-o big-omega big-theta READING: GT textbook
More informationLecture 3, Performance
Repeating some definitions: Lecture 3, Performance CPI MHz MIPS MOPS Clocks Per Instruction megahertz, millions of cycles per second Millions of Instructions Per Second = MHz / CPI Millions of Operations
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationAccelerating Decoupled Look-ahead to Exploit Implicit Parallelism
Accelerating Decoupled Look-ahead to Exploit Implicit Parallelism Raj Parihar Advisor: Prof. Michael C. Huang March 22, 2013 Raj Parihar Accelerating Decoupled Look-ahead to Exploit Implicit Parallelism
More informationCMP N 301 Computer Architecture. Appendix C
CMP N 301 Computer Architecture Appendix C Outline Introduction Pipelining Hazards Pipelining Implementation Exception Handling Advanced Issues (Dynamic Scheduling, Out of order Issue, Superscalar, etc)
More informationSystem Data Bus (8-bit) Data Buffer. Internal Data Bus (8-bit) 8-bit register (R) 3-bit address 16-bit register pair (P) 2-bit address
Intel 8080 CPU block diagram 8 System Data Bus (8-bit) Data Buffer Registry Array B 8 C Internal Data Bus (8-bit) F D E H L ALU SP A PC Address Buffer 16 System Address Bus (16-bit) Internal register addressing:
More informationPhysics 100. Today. Finish Chapter 5: Newton s 3 rd Law. Chapter 6: Momentum
Physics 100 Today Finish Chapter 5: Newton s 3 rd Law Chapter 6: Momentum Momentum = inertia in motion Specifically, momentum = mass x velocity = m v Eg. Just as a truck and a roller skate have different
More informationReducing NVM Writes with Optimized Shadow Paging
Reducing NVM Writes with Optimized Shadow Paging Yuanjiang Ni, Jishen Zhao, Daniel Bittman, Ethan L. Miller Center for Research in Storage Systems University of California, Santa Cruz Emerging Technology
More informationTO THE TEACHER CONTENTS
TO THE TEACHER The short, high-interest reading passages in this book were written to capture the interest of readers who are not reading at grade level. The engaging mini mystery format encourages the
More informationAlgorithm Analysis, Asymptotic notations CISC4080 CIS, Fordham Univ. Instructor: X. Zhang
Algorithm Analysis, Asymptotic notations CISC4080 CIS, Fordham Univ. Instructor: X. Zhang Last class Introduction to algorithm analysis: fibonacci seq calculation counting number of computer steps recursive
More informationLecture 3, Performance
Lecture 3, Performance Repeating some definitions: CPI Clocks Per Instruction MHz megahertz, millions of cycles per second MIPS Millions of Instructions Per Second = MHz / CPI MOPS Millions of Operations
More informationHigh-Performance Scientific Computing
High-Performance Scientific Computing Instructor: Randy LeVeque TA: Grady Lemoine Applied Mathematics 483/583, Spring 2011 http://www.amath.washington.edu/~rjl/am583 World s fastest computers http://top500.org
More informationOperating Systems. VII. Synchronization
Operating Systems VII. Synchronization Ludovic Apvrille ludovic.apvrille@telecom-paristech.fr Eurecom, office 470 http://soc.eurecom.fr/os/ @OS Eurecom Outline Synchronization issues 2/22 Fall 2017 Institut
More informationB629 project - StreamIt MPI Backend. Nilesh Mahajan
B629 project - StreamIt MPI Backend Nilesh Mahajan March 26, 2013 Abstract StreamIt is a language based on the dataflow model of computation. StreamIt consists of computation units called filters connected
More informationVirtualization. Introduction. G. Lettieri A/A 2014/15. Dipartimento di Ingegneria dell Informazione Università di Pisa. G. Lettieri Virtualization
Introduction G. Lettieri Dipartimento di Ingegneria dell Informazione Università di Pisa A/A 2014/15 G. Lettieri Folk definition What do people mean when they talk about virtualization w.r.t. computers?
More informationComp 11 Lectures. Mike Shah. July 12, Tufts University. Mike Shah (Tufts University) Comp 11 Lectures July 12, / 33
Comp 11 Lectures Mike Shah Tufts University July 12, 2017 Mike Shah (Tufts University) Comp 11 Lectures July 12, 2017 1 / 33 Please do not distribute or host these slides without prior permission. Mike
More informationFormal Verification of Mathematical Algorithms
Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing
More informationcsci 210: Data Structures Program Analysis
csci 210: Data Structures Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis big-o big-omega big-theta asymptotic notation commonly used functions discrete math refresher READING:
More informationDiscrete Event Simulation
Discrete Event Simulation Henry Z. Lo June 9, 2014 1 Motivation Suppose you were a branch manager of a bank. How many tellers should you staff to keep customers happy? With prior knowledge of how often
More informationDeadlock. CSE 2431: Introduction to Operating Systems Reading: Chap. 7, [OSC]
Deadlock CSE 2431: Introduction to Operating Systems Reading: Chap. 7, [OSC] 1 Outline Resources Deadlock Deadlock Prevention Deadlock Avoidance Deadlock Detection Deadlock Recovery 2 Review: Synchronization
More informationECE/CS 250: Computer Architecture. Basics of Logic Design: Boolean Algebra, Logic Gates. Benjamin Lee
ECE/CS 250: Computer Architecture Basics of Logic Design: Boolean Algebra, Logic Gates Benjamin Lee Slides based on those from Alvin Lebeck, Daniel Sorin, Andrew Hilton, Amir Roth, Gershon Kedem Admin
More informationThe Basics COPYRIGHTED MATERIAL. chapter. Algebra is a very logical way to solve
chapter 1 The Basics Algebra is a very logical way to solve problems both theoretically and practically. You need to know a number of things. You already know arithmetic of whole numbers. You will review
More informationTHE UTP SUITE YOUR ALL-IN-ONE SOLUTION FOR BUILDING MODERN TEST SYSTEM SOFTWARE
THE UTP SUITE YOUR ALL-IN-ONE SOLUTION FOR BUILDING MODERN TEST SYSTEM SOFTWARE UTP Suite THE UTP SUITE DEVELOPING A STANDARD Increasing customer requirements, shorter product cycles and higher time to
More informationOBEUS. (Object-Based Environment for Urban Simulation) Shareware Version. Itzhak Benenson 1,2, Slava Birfur 1, Vlad Kharbash 1
OBEUS (Object-Based Environment for Urban Simulation) Shareware Version Yaffo model is based on partition of the area into Voronoi polygons, which correspond to real-world houses; neighborhood relationship
More informationQuantum Computing Approach to V&V of Complex Systems Overview
Quantum Computing Approach to V&V of Complex Systems Overview Summary of Quantum Enabled V&V Technology June, 04 Todd Belote Chris Elliott Flight Controls / VMS Integration Discussion Layout I. Quantum
More informationBio 1M: The evolution of apes. 1 Example. 2 Patterns of evolution. Similarities and differences. History
Bio 1M: The evolution of apes 1 Example Humans are an example of a biological species that has evolved Possibly of interest, since many of your friends are probably humans Humans seem unique: How do they
More informationThe Geo Web: Enabling GIS on the Internet IT4GIS Keith T. Weber, GISP GIS Director ISU GIS Training and Research Center.
The Geo Web: Enabling GIS on the Internet IT4GIS Keith T. Weber, GISP GIS Director ISU GIS Training and Research Center In the Beginning GIS was independent The GIS analyst or manager was typically a oneperson
More informationCSCI-564 Advanced Computer Architecture
CSCI-564 Advanced Computer Architecture Lecture 8: Handling Exceptions and Interrupts / Superscalar Bo Wu Colorado School of Mines Branch Delay Slots (expose control hazard to software) Change the ISA
More informationECEN 449: Microprocessor System Design Department of Electrical and Computer Engineering Texas A&M University
ECEN 449: Microprocessor System Design Department of Electrical and Computer Engineering Texas A&M University Prof. Sunil P Khatri (Lab exercise created and tested by Ramu Endluri, He Zhou and Sunil P
More informationSpeculative Parallelism in Cilk++
Speculative Parallelism in Cilk++ Ruben Perez & Gregory Malecha MIT May 11, 2010 Ruben Perez & Gregory Malecha (MIT) Speculative Parallelism in Cilk++ May 11, 2010 1 / 33 Parallelizing Embarrassingly Parallel
More informationTDDB68 Concurrent programming and operating systems. Lecture: CPU Scheduling II
TDDB68 Concurrent programming and operating systems Lecture: CPU Scheduling II Mikael Asplund, Senior Lecturer Real-time Systems Laboratory Department of Computer and Information Science Copyright Notice:
More informationECE 571 Advanced Microprocessor-Based Design Lecture 9
ECE 571 Advanced Microprocessor-Based Design Lecture 9 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 20 February 2018 Announcements HW#4 was posted. About branch predictors Don
More informationLast class: Today: Threads. CPU Scheduling
1 Last class: Threads Today: CPU Scheduling 2 Resource Allocation In a multiprogramming system, we need to share resources among the running processes What are the types of OS resources? Question: Which
More informationECE 250 / CPS 250 Computer Architecture. Basics of Logic Design Boolean Algebra, Logic Gates
ECE 250 / CPS 250 Computer Architecture Basics of Logic Design Boolean Algebra, Logic Gates Benjamin Lee Slides based on those from Andrew Hilton (Duke), Alvy Lebeck (Duke) Benjamin Lee (Duke), and Amir
More information2.6 Complexity Theory for Map-Reduce. Star Joins 2.6. COMPLEXITY THEORY FOR MAP-REDUCE 51
2.6. COMPLEXITY THEORY FOR MAP-REDUCE 51 Star Joins A common structure for data mining of commercial data is the star join. For example, a chain store like Walmart keeps a fact table whose tuples each
More informationThe Euler Method for the Initial Value Problem
The Euler Method for the Initial Value Problem http://people.sc.fsu.edu/ jburkardt/isc/week10 lecture 18.pdf... ISC3313: Introduction to Scientific Computing with C++ Summer Semester 2011... John Burkardt
More informationR E A D : E S S E N T I A L S C R U M : A P R A C T I C A L G U I D E T O T H E M O S T P O P U L A R A G I L E P R O C E S S. C H.
R E A D : E S S E N T I A L S C R U M : A P R A C T I C A L G U I D E T O T H E M O S T P O P U L A R A G I L E P R O C E S S. C H. 5 S O F T W A R E E N G I N E E R I N G B Y S O M M E R V I L L E S E
More informationModule 9: "Introduction to Shared Memory Multiprocessors" Lecture 17: "Introduction to Cache Coherence Protocols" Invalidation vs.
Invalidation vs. Update Sharing patterns Migratory hand-off States of a cache line Stores MSI protocol MSI example MESI protocol MESI example MOESI protocol Hybrid inval+update file:///e /parallel_com_arch/lecture17/17_1.htm[6/13/2012
More information1 Trees. Listing 1: Node with two child reference. public class ptwochildnode { protected Object data ; protected ptwochildnode l e f t, r i g h t ;
1 Trees The next major set of data structures belongs to what s called Trees. They are called that, because if you try to visualize the structure, it kind of looks like a tree (root, branches, and leafs).
More informationCMU Introduction to Computer Architecture, Spring 2015 HW 2: ISA Tradeoffs, Microprogramming and Pipelining
CMU 18-447 Introduction to Computer Architecture, Spring 2015 HW 2: ISA Tradeoffs, Microprogramming and Pipelining Instructor: Prof Onur Mutlu TAs: Rachata Ausavarungnirun, Kevin Chang, Albert Cho, Jeremie
More informationWRF performance tuning for the Intel Woodcrest Processor
WRF performance tuning for the Intel Woodcrest Processor A. Semenov, T. Kashevarova, P. Mankevich, D. Shkurko, K. Arturov, N. Panov Intel Corp., pr. ak. Lavrentieva 6/1, Novosibirsk, Russia, 630090 {alexander.l.semenov,tamara.p.kashevarova,pavel.v.mankevich,
More informationSt art. rp m. Km /h 1: : : : : : : : : : : : :5 2.5.
modified 22/05/14 t 3:5 2.5 3:5 5.0 3:5 7.5 4:0 0.0 4:0 2.5 4:0 5.0 4:0 7.5 4:1 0.0 4:1 2.5 4:1 5.0 4:1 7.5 4:2 0.0 Km /h 0 25 50 75 100 125 150 175 200 225 rp m 0 250 0 500 0 750 0 100 00 125 00 1 2 3
More informationCIS 371 Computer Organization and Design
CIS 371 Computer Organization and Design Unit 13: Power & Energy Slides developed by Milo Mar0n & Amir Roth at the University of Pennsylvania with sources that included University of Wisconsin slides by
More informationPipelining. Traditional Execution. CS 365 Lecture 12 Prof. Yih Huang. add ld beq CS CS 365 2
Pipelining CS 365 Lecture 12 Prof. Yih Huang CS 365 1 Traditional Execution 1 2 3 4 1 2 3 4 5 1 2 3 add ld beq CS 365 2 1 Pipelined Execution 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5
More information