Timeline of a Vulnerability
|
|
- Reynard Norris
- 5 years ago
- Views:
Transcription
1
2 Introduction
3 Timeline of a Vulnerability Is this all a conspiracy? Vulnerability existed for many years 2 Michael Schwarz (@misc0110)
4 Timeline of a Vulnerability Is this all a conspiracy? Vulnerability existed for many years No one discovered it before 2 Michael Schwarz (@misc0110)
5 Timeline of a Vulnerability Is this all a conspiracy? Vulnerability existed for many years No one discovered it before Suddenly, 4 independent teams discover it within 6 months 2 Michael Schwarz (@misc0110)
6 Timeline of a Vulnerability Is this all a conspiracy? Vulnerability existed for many years No one discovered it before Suddenly, 4 independent teams discover it within 6 months Let s create an evidence board 2 Michael Schwarz (@misc0110)
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23 Timeline of a Vulnerability Not a conspiracy Tools to detect the bug only invented in Michael Schwarz (@misc0110)
24 Timeline of a Vulnerability Not a conspiracy Tools to detect the bug only invented in 2014 No broad interest in microarchitectural attacks before 3 Michael Schwarz (@misc0110)
25 Timeline of a Vulnerability Not a conspiracy Tools to detect the bug only invented in 2014 No broad interest in microarchitectural attacks before Discovering teams quite knowledgeable in this area 3 Michael Schwarz (@misc0110)
26 Timeline of a Vulnerability Not a conspiracy Tools to detect the bug only invented in 2014 No broad interest in microarchitectural attacks before Discovering teams quite knowledgeable in this area The bug was ripe a consequence of research in this area 3 Michael Schwarz (@misc0110)
27 Timeline of a Vulnerability Not a conspiracy Tools to detect the bug only invented in 2014 No broad interest in microarchitectural attacks before Discovering teams quite knowledgeable in this area The bug was ripe a consequence of research in this area bug collision nearly inevitable 3 Michael Schwarz (@misc0110)
28 The Fallout You realize it is something big when... 4 Michael Schwarz (@misc0110)
29 The Fallout You realize it is something big when... it is in the news, all over the world 4 Michael Schwarz (@misc0110)
30 The Fallout You realize it is something big when... it is in the news, all over the world 4 Michael Schwarz (@misc0110)
31 The Fallout You realize it is something big when... it is in the news, all over the world 4 Michael Schwarz (@misc0110)
32 The Fallout You realize it is something big when... it is in the news, all over the world 4 Michael Schwarz (@misc0110)
33 The Fallout You realize it is something big when... it is in the news, all over the world 4 Michael Schwarz (@misc0110)
34 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages 4 Michael Schwarz (@misc0110)
35 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages 4 Michael Schwarz (@misc0110)
36 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages 4 Michael Schwarz (@misc0110)
37 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd 4 Michael Schwarz (@misc0110)
38 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd 4 Michael Schwarz (@misc0110)
39 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd 4 Michael Schwarz (@misc0110)
40 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd you get a lot of Twitter follower after Snowden mentioned you 4 Michael Schwarz (@misc0110)
41 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd you get a lot of Twitter follower after Snowden mentioned you 4 Michael Schwarz (@misc0110)
42
43 The Core of Meltdown Kernel is isolated from user space Userspace Kernelspace Applications Operating System Memory 5 Michael Schwarz (@misc0110)
44 The Core of Meltdown Kernel is isolated from user space This isolation is a combination of hardware and software Userspace Kernelspace Applications Operating System Memory 5 Michael Schwarz (@misc0110)
45 The Core of Meltdown Kernel is isolated from user space This isolation is a combination of hardware and software User applications cannot access anything from the kernel Userspace Kernelspace Applications Operating System Memory 5 Michael Schwarz (@misc0110)
46 The Core of Meltdown Kernel is isolated from user space This isolation is a combination of hardware and software User applications cannot access anything from the kernel There is only a well-defined interface syscalls Userspace Applications Kernelspace Operating System Memory 5 Michael Schwarz (@misc0110)
47 Meltdown Briefing Breaks isolation between applications and kernel 6 Michael Schwarz (@misc0110)
48 Meltdown Briefing Breaks isolation between applications and kernel User applications can access kernel addresses 6 Michael Schwarz (@misc0110)
49 Meltdown Briefing Breaks isolation between applications and kernel User applications can access kernel addresses Entire physical memory is mapped in the kernel 6 Michael Schwarz (@misc0110)
50 Meltdown Briefing Breaks isolation between applications and kernel User applications can access kernel addresses Entire physical memory is mapped in the kernel Meltdown can read whole DRAM 6 Michael Schwarz (@misc0110)
51 Meltdown Requirements Only on Intel CPUs and some ARMs (Cortex A75) 7 Michael Schwarz (@misc0110)
52 Meltdown Requirements Only on Intel CPUs and some ARMs (Cortex A75) AMD and other ARMs seem to be unaffected 7 Michael Schwarz (@misc0110)
53 Meltdown Requirements Only on Intel CPUs and some ARMs (Cortex A75) AMD and other ARMs seem to be unaffected Common cause: permission check done in parallel to load instruction 7 Michael Schwarz (@misc0110)
54 Meltdown Requirements Only on Intel CPUs and some ARMs (Cortex A75) AMD and other ARMs seem to be unaffected Common cause: permission check done in parallel to load instruction Race condition between permission check and dependent operation(s) 7 Michael Schwarz (@misc0110)
55
56
57
58
59 Revolutionary concept! Store your food at home, never go to the grocery store during cooking. Can store ALL kinds of food. ONLY TODAY INSTEAD OF $1,300 ORDER VIA PHONE:
60 CPU Cache printf("%d", i); printf("%d", i); 8 Michael Schwarz (@misc0110)
61 CPU Cache printf("%d", i); printf("%d", i); Cache miss 8 Michael Schwarz (@misc0110)
62 CPU Cache printf("%d", i); printf("%d", i); Cache miss Request 8 Michael Schwarz (@misc0110)
63 CPU Cache printf("%d", i); printf("%d", i); Cache miss Request Response 8 Michael Schwarz (@misc0110)
64 CPU Cache printf("%d", i); printf("%d", i); Cache miss i Request Response 8 Michael Schwarz (@misc0110)
65 CPU Cache printf("%d", i); printf("%d", i); Cache miss Cache hit i Request Response 8 Michael Schwarz (@misc0110)
66 CPU Cache DRAM access, slow printf("%d", i); printf("%d", i); Cache miss Cache hit i Request Response 8 Michael Schwarz (@misc0110)
67 CPU Cache DRAM access, slow printf("%d", i); printf("%d", i); Cache miss Cache hit i No DRAM access, much faster Request Response 8 Michael Schwarz (@misc0110)
68 Flush+Reload ATTACKER Shared Memory VICTIM flush access access 9 Michael Schwarz (@misc0110)
69 Flush+Reload ATTACKER Shared Memory VICTIM flush access cached Shared Memory cached access 9 Michael Schwarz (@misc0110)
70 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access 9 Michael Schwarz (@misc0110)
71 Flush+Reload ATTACKER Shared Memory VICTIM flush access access 9 Michael Schwarz (@misc0110)
72 Flush+Reload ATTACKER Shared Memory VICTIM flush access access 9 Michael Schwarz (@misc0110)
73 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access 9 Michael Schwarz (@misc0110)
74 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access 9 Michael Schwarz (@misc0110)
75 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access fast if victim accessed data, slow otherwise 9 Michael Schwarz (@misc0110)
76 Back to Work
77
78
79 Wait for an hour
80 Wait for an hour LATENCY
81
82 Dependency Parallelize
83 Out-of-order Execution int width = 10, height = 5; float diagonal = sqrt(width * width + height * height); int area = width * height; printf("area %d x %d = %d\n", width, height, area); 10 Michael Schwarz (@misc0110)
84 Out-of-order Execution Dependency int width = 10, height = 5; float diagonal = sqrt(width * width + height * height); int area = width * height; Parallelize printf("area %d x %d = %d\n", width, height, area); 10 Michael Schwarz (@misc0110)
85 Building the Code Find something human readable, e.g., the Linux version # sudo grep linux_banner /proc/kallsyms ffffffff81a000e0 R linux_banner 11 Michael Schwarz (@misc0110)
86 Building the Code char data = *(char*)0xffffffff81a000e0; printf("%c\n", data); 12 Michael Schwarz (@misc0110)
87 Building the Code Compile and run segfault at ffffffff81a000e0 ip sp 00007ffce4a80610 error 5 in reader 13 Michael Schwarz (@misc0110)
88 Building the Code Compile and run segfault at ffffffff81a000e0 ip sp 00007ffce4a80610 error 5 in reader Kernel addresses are of course not accessible 13 Michael Schwarz (@misc0110)
89 Building the Code Compile and run segfault at ffffffff81a000e0 ip sp 00007ffce4a80610 error 5 in reader Kernel addresses are of course not accessible Any invalid access throws an exception segmentation fault 13 Michael Schwarz (@misc0110)
90 Building the Code Just catch the segmentation fault! 14 Michael Schwarz
91 Building the Code Just catch the segmentation fault! We can simply install a signal handler 14 Michael Schwarz (@misc0110)
92 Building the Code Just catch the segmentation fault! We can simply install a signal handler And if an exception occurs, just jump back and continue 14 Michael Schwarz (@misc0110)
93 Building the Code Just catch the segmentation fault! We can simply install a signal handler And if an exception occurs, just jump back and continue Then we can read the value 14 Michael Schwarz (@misc0110)
94 Building the Code Just catch the segmentation fault! We can simply install a signal handler And if an exception occurs, just jump back and continue Then we can read the value Sounds like a good idea 14 Michael Schwarz (@misc0110)
95 Building the Code Still no kernel memory 15 Michael Schwarz
96 Building the Code Still no kernel memory Maybe it is not that straight forward 15 Michael Schwarz
97 Building the Code Still no kernel memory Maybe it is not that straight forward Privilege checks seem to work 15 Michael Schwarz
98 Building the Code Still no kernel memory Maybe it is not that straight forward Privilege checks seem to work Are privilege checks also done when executing instructions out of order? 15 Michael Schwarz
99 Building the Code Still no kernel memory Maybe it is not that straight forward Privilege checks seem to work Are privilege checks also done when executing instructions out of order? Problem: out-of-order instructions are not visible 15 Michael Schwarz
100 Building the Code Adapted code *(volatile char*)0; array[84 * 4096] = 0; 16 Michael Schwarz (@misc0110)
101 Building the Code Adapted code *(volatile char*)0; array[84 * 4096] = 0; volatile because compiler was not happy warning : s t a t e m e n t with no e f f e c t [ Wunused v a l u e ] ( char ) 0 ; 16 Michael Schwarz (@misc0110)
102 Building the Code Adapted code *(volatile char*)0; array[84 * 4096] = 0; volatile because compiler was not happy warning : s t a t e m e n t with no e f f e c t [ Wunused v a l u e ] ( char ) 0 ; Static code analyzer is still not happy warning : D e r e f e r e n c e o f n u l l p o i n t e r ( v o l a t i l e char ) 0 ; 16 Michael Schwarz (@misc0110)
103 Building Meltdown Flush+Reload over all pages of the array Access time [cycles] Page Unreachable code line was actually executed 17 Michael Schwarz (@misc0110)
104 Building Meltdown Flush+Reload over all pages of the array Access time [cycles] Page Unreachable code line was actually executed Exception was only thrown afterwards 17 Michael Schwarz (@misc0110)
105 Building the Code Out-of-order instructions leave microarchitectural traces 18 Michael Schwarz
106 Building the Code Out-of-order instructions leave microarchitectural traces We can see them for example in the cache 18 Michael Schwarz
107 Building the Code Out-of-order instructions leave microarchitectural traces We can see them for example in the cache Give such instructions a name: transient instructions 18 Michael Schwarz (@misc0110)
108 Building the Code Out-of-order instructions leave microarchitectural traces We can see them for example in the cache Give such instructions a name: transient instructions We can indirectly observe the execution of transient instructions 18 Michael Schwarz (@misc0110)
109 Building the Code Maybe there is no permission check in transient instructions Michael Schwarz
110 Building the Code Maybe there is no permission check in transient instructions......or it is only done when commiting them 19 Michael Schwarz
111 Building the Code Maybe there is no permission check in transient instructions......or it is only done when commiting them Add another layer of indirection to test char data = *(char*)0xffffffff81a000e0; array[data * 4096] = 0; 19 Michael Schwarz (@misc0110)
112 Building the Code Maybe there is no permission check in transient instructions......or it is only done when commiting them Add another layer of indirection to test char data = *(char*)0xffffffff81a000e0; array[data * 4096] = 0; Then check whether any part of array is cached 19 Michael Schwarz (@misc0110)
113 Building the Code Flush+Reload over all pages of the array Access time [cycles] Page Index of cache hit reveals data 20 Michael Schwarz (@misc0110)
114 Building the Code Flush+Reload over all pages of the array Access time [cycles] Page Index of cache hit reveals data Permission check is in some cases not fast enough 20 Michael Schwarz (@misc0110)
115
116 And now?...
117 Take the kernel addresses... Kernel addresses in user space are a problem 22 Michael Schwarz (@misc0110)
118 Take the kernel addresses... Kernel addresses in user space are a problem Why don t we take the kernel addresses Michael Schwarz (@misc0110)
119 ...and remove them...and remove them if not needed? 23 Michael Schwarz
120 ...and remove them...and remove them if not needed? User accessible check in hardware is not reliable 23 Michael Schwarz
121 Idea Let s just unmap the kernel in user space 24 Michael Schwarz (@misc0110)
122 Idea Let s just unmap the kernel in user space Kernel addresses are then no longer present 24 Michael Schwarz (@misc0110)
123 Idea Let s just unmap the kernel in user space Kernel addresses are then no longer present Memory which is not mapped cannot be accessed at all 24 Michael Schwarz (@misc0110)
124
125 Kernel Address Isolation to have Side channels Efficiently Removed
126 KAISER /ˈkʌɪzə/ 1. [german] Emperor, ruler of an empire 2. largest penguin, emperor penguin Kernel Address Isolation to have Side channels Efficiently Removed
127 Userspace Kernelspace Applications Operating System Memory
128 Kernel View User View Userspace Kernelspace Userspace Kernelspace Applications Operating System Memory Applications context switch
129 Kernel Address Space Isolation We published KAISER in July Michael Schwarz
130 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) 25 Michael Schwarz
131 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) Microsoft implemented similar concept in Windows Michael Schwarz
132 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) Microsoft implemented similar concept in Windows 10 Apple implemented it in macos and called it Double Map 25 Michael Schwarz
133 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) Microsoft implemented similar concept in Windows 10 Apple implemented it in macos and called it Double Map All share the same idea: switching address spaces on context switch 25 Michael Schwarz
134
135 Performance Depends on how often you need to switch between kernel and user space 26 Michael Schwarz
136 Performance Depends on how often you need to switch between kernel and user space Can be slow, 40% or more on old hardware 26 Michael Schwarz
137 Performance Depends on how often you need to switch between kernel and user space Can be slow, 40% or more on old hardware But modern CPUs have additional features 26 Michael Schwarz
138 Performance Depends on how often you need to switch between kernel and user space Can be slow, 40% or more on old hardware But modern CPUs have additional features Performance overhead on average below 2% 26 Michael Schwarz
139 Meltdown and Spectre 27 Michael Schwarz
140 Meltdown and Spectre 27 Michael Schwarz
141
142 Spectre Briefing Mistrains branch prediction 28 Michael Schwarz
143 Spectre Briefing Mistrains branch prediction CPU speculatively executes code which should not be executed 28 Michael Schwarz
144 Spectre Briefing Mistrains branch prediction CPU speculatively executes code which should not be executed Can also mistrain indirect calls 28 Michael Schwarz
145 Spectre Briefing Mistrains branch prediction CPU speculatively executes code which should not be executed Can also mistrain indirect calls Spectre convinces program to execute code 28 Michael Schwarz
146 Spectre Requirements On Intel and AMD CPUs 29 Michael Schwarz
147 Spectre Requirements On Intel and AMD CPUs Some ARMs (Cortex R and Cortex A) are also affected 29 Michael Schwarz (@misc0110)
148 Spectre Requirements On Intel and AMD CPUs Some ARMs (Cortex R and Cortex A) are also affected Common cause: speculative execution of branches 29 Michael Schwarz (@misc0110)
149 Spectre Requirements On Intel and AMD CPUs Some ARMs (Cortex R and Cortex A) are also affected Common cause: speculative execution of branches Speculative execution leaves microarchitectural traces which leak secret 29 Michael Schwarz (@misc0110)
150
151 Prosciutto
152 Funghi
153 Diavolo
154 Diavolo
155 Diavolo
156 Diavolo
157 »A table for 6 please«
158
159 Speculative Cooking
160 »A table for 6 please«
161
162
163
164
165
166 Spectre (variant 1) index = 0; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
167 Spectre (variant 1) index = 0; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
168 Spectre (variant 1) index = 0; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 30 0 Michael Schwarz (@misc0110)
169 Spectre (variant 1) index = 0; char* data = "textkey"; if (index < 4) Execute th els en e Prediction LUT[data[index] * 4096] 30 0 Michael Schwarz (@misc0110)
170 Spectre (variant 1) index = 1; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
171 Spectre (variant 1) index = 1; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
172 Spectre (variant 1) index = 1; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 30 0 Michael Schwarz (@misc0110)
173 Spectre (variant 1) index = 1; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
174 Spectre (variant 1) index = 2; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
175 Spectre (variant 1) index = 2; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
176 Spectre (variant 1) index = 2; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 30 0 Michael Schwarz (@misc0110)
177 Spectre (variant 1) index = 2; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
178 Spectre (variant 1) index = 3; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
179 Spectre (variant 1) index = 3; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
180 Spectre (variant 1) index = 3; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 30 0 Michael Schwarz (@misc0110)
181 Spectre (variant 1) index = 3; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
182 Spectre (variant 1) index = 4; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
183 Spectre (variant 1) index = 4; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
184 Spectre (variant 1) index = 4; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 30 0 Michael Schwarz (@misc0110)
185 Spectre (variant 1) index = 4; char* data = "textkey"; if (index < 4) Execute th els en e Prediction LUT[data[index] * 4096] 30 0 Michael Schwarz (@misc0110)
186 Spectre (variant 1) index = 5; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
187 Spectre (variant 1) index = 5; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
188 Spectre (variant 1) index = 5; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 30 0 Michael Schwarz (@misc0110)
189 Spectre (variant 1) index = 5; char* data = "textkey"; if (index < 4) Execute th els en e Prediction LUT[data[index] * 4096] 30 0 Michael Schwarz (@misc0110)
190 Spectre (variant 1) index = 6; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
191 Spectre (variant 1) index = 6; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 30 Michael Schwarz (@misc0110)
192 Spectre (variant 1) index = 6; char* data = "textkey"; if (index < 4) Speculate th els en e Prediction LUT[data[index] * 4096] 30 0 Michael Schwarz (@misc0110)
193 Spectre (variant 1) index = 6; char* data = "textkey"; if (index < 4) Execute th els en e Prediction LUT[data[index] * 4096] 30 0 Michael Schwarz (@misc0110)
194 Spectre (variant 2) Animal* a = bird; a->move() fly() swim() swim() Prediction LUT[data[index] * 4096] 0 31 Michael Schwarz (@misc0110)
195 Spectre (variant 2) Animal* a = bird; a->move() () swim() fly sw Speculate im () Prediction LUT[data[index] * 4096] 31 0 Michael Schwarz (@misc0110)
196 Spectre (variant 2) Animal* a = bird; a->move() fly() swim() swim() Prediction LUT[data[index] * 4096] 0 31 Michael Schwarz (@misc0110)
197 Spectre (variant 2) Animal* a = bird; a->move() Execute () fly swim() sw im () Prediction LUT[data[index] * 4096] 31 0 Michael Schwarz (@misc0110)
198 Spectre (variant 2) Animal* a = bird; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 31 Michael Schwarz (@misc0110)
199 Spectre (variant 2) Animal* a = bird; a->move() Speculate () fly fly() sw im () Prediction LUT[data[index] * 4096] 31 0 Michael Schwarz (@misc0110)
200 Spectre (variant 2) Animal* a = bird; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 31 Michael Schwarz (@misc0110)
201 Spectre (variant 2) Animal* a = fish; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 31 Michael Schwarz (@misc0110)
202 Spectre (variant 2) Animal* a = fish; a->move() Speculate ) ( fly fly() sw im () Prediction LUT[data[index] * 4096] 31 0 Michael Schwarz (@misc0110)
203 Spectre (variant 2) Animal* a = fish; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 31 Michael Schwarz (@misc0110)
204 Spectre (variant 2) Animal* a = fish; a->move() () fly() fly Execute sw im () Prediction LUT[data[index] * 4096] 31 0 Michael Schwarz (@misc0110)
205 Spectre (variant 2) Animal* a = fish; a->move() fly() swim() swim() Prediction LUT[data[index] * 4096] 0 31 Michael Schwarz (@misc0110)
206 Spectre Read own memory (e.g., sandbox escape) 32 Michael Schwarz
207 Spectre Read own memory (e.g., sandbox escape) Convince other programs to reveal their secrets 32 Michael Schwarz
208 Spectre Read own memory (e.g., sandbox escape) Convince other programs to reveal their secrets Again, a cache attack (Flush+Reload) is used to read the secret 32 Michael Schwarz (@misc0110)
209 Spectre Read own memory (e.g., sandbox escape) Convince other programs to reveal their secrets Again, a cache attack (Flush+Reload) is used to read the secret Much harder to fix, KAISER does not help 32 Michael Schwarz (@misc0110)
210 Spectre Read own memory (e.g., sandbox escape) Convince other programs to reveal their secrets Again, a cache attack (Flush+Reload) is used to read the secret Much harder to fix, KAISER does not help Ongoing effort to patch via microcode update and compiler extensions 32 Michael Schwarz (@misc0110)
211 Spectre Trivial approach: disable speculative execution 33 Michael Schwarz
212 Spectre Trivial approach: disable speculative execution No wrong speculation if there is no speculation 33 Michael Schwarz
213 Spectre Trivial approach: disable speculative execution No wrong speculation if there is no speculation Problem: massive performance hit! 33 Michael Schwarz
214 Spectre Trivial approach: disable speculative execution No wrong speculation if there is no speculation Problem: massive performance hit! Also: How to disable it? 33 Michael Schwarz
215 Spectre Trivial approach: disable speculative execution No wrong speculation if there is no speculation Problem: massive performance hit! Also: How to disable it? Speculative execution is deeply integrated into CPU 33 Michael Schwarz
216 Spectre Variant 1 Mitigations 34 Michael Schwarz (@misc0110)
217 Spectre Variant 1 Mitigations Workaround: insert instructions stopping speculation 34 Michael Schwarz (@misc0110)
218 Spectre Variant 1 Mitigations Workaround: insert instructions stopping speculation insert after every bounds check 34 Michael Schwarz (@misc0110)
219 Spectre Variant 1 Mitigations Workaround: insert instructions stopping speculation insert after every bounds check x86: LFENCE, ARM: CSDB 34 Michael Schwarz (@misc0110)
220 Spectre Variant 1 Mitigations Workaround: insert instructions stopping speculation insert after every bounds check x86: LFENCE, ARM: CSDB Available on all Intel CPUs, retrofitted to existing ARMv7 and ARMv8 34 Michael Schwarz (@misc0110)
221 Spectre Variant 1 Mitigations 35 Michael Schwarz (@misc0110)
222 Spectre Variant 1 Mitigations Speculation barrier requires compiler supported 35 Michael Schwarz (@misc0110)
223 Spectre Variant 1 Mitigations Speculation barrier requires compiler supported Already implemented in GCC, LLVM, and MSVC 35 Michael Schwarz (@misc0110)
224 Spectre Variant 1 Mitigations Speculation barrier requires compiler supported Already implemented in GCC, LLVM, and MSVC Can be automated (MSVC) not really reliable 35 Michael Schwarz (@misc0110)
225 Spectre Variant 1 Mitigations Speculation barrier requires compiler supported Already implemented in GCC, LLVM, and MSVC Can be automated (MSVC) not really reliable Explicit use by programmer: builtin load no speculate 35 Michael Schwarz (@misc0110)
226 Spectre Variant 1 Mitigations 36 Michael Schwarz (@misc0110)
227 Spectre Variant 1 Mitigations 36 Michael Schwarz (@misc0110)
228 Spectre Variant 1 Mitigations 37 Michael Schwarz (@misc0110)
229 Spectre Variant 1 Mitigations Speculation barrier works if affected code constructs are known 37 Michael Schwarz (@misc0110)
230 Spectre Variant 1 Mitigations Speculation barrier works if affected code constructs are known Programmer has to fully understand vulnerability 37 Michael Schwarz (@misc0110)
231 Spectre Variant 1 Mitigations Speculation barrier works if affected code constructs are known Programmer has to fully understand vulnerability Automatic detection is not reliable 37 Michael Schwarz (@misc0110)
232 Spectre Variant 1 Mitigations Speculation barrier works if affected code constructs are known Programmer has to fully understand vulnerability Automatic detection is not reliable Non-negligible performance overhead of barriers 37 Michael Schwarz (@misc0110)
233 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): 38 Michael Schwarz (@misc0110)
234 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): Do not speculate based on anything before entering IBRS mode 38 Michael Schwarz (@misc0110)
235 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): Do not speculate based on anything before entering IBRS mode lesser privileged code cannot influence predictions 38 Michael Schwarz (@misc0110)
236 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): Do not speculate based on anything before entering IBRS mode lesser privileged code cannot influence predictions Indirect Branch Predictor Barrier (IBPB): 38 Michael Schwarz (@misc0110)
237 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): Do not speculate based on anything before entering IBRS mode lesser privileged code cannot influence predictions Indirect Branch Predictor Barrier (IBPB): Flush branch-target buffer 38 Michael Schwarz (@misc0110)
238 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): Do not speculate based on anything before entering IBRS mode lesser privileged code cannot influence predictions Indirect Branch Predictor Barrier (IBPB): Flush branch-target buffer Single Thread Indirect Branch Predictors (STIBP): 38 Michael Schwarz (@misc0110)
239 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): Do not speculate based on anything before entering IBRS mode lesser privileged code cannot influence predictions Indirect Branch Predictor Barrier (IBPB): Flush branch-target buffer Single Thread Indirect Branch Predictors (STIBP): Isolates branch prediction state between two hyperthreads 38 Michael Schwarz (@misc0110)
240 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) 39 Michael Schwarz (@misc0110)
241 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) push <call_target> call 1f 2: ; speculation will continue here lfence ; speculation barrier jmp 2b ; endless loop 1: lea 8(%rsp), %rsp ; restore stack pointer ret ; the actual call to <call_target> always predict to enter an endless loop 39 Michael Schwarz (@misc0110)
242 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) push <call_target> call 1f 2: ; speculation will continue here lfence ; speculation barrier jmp 2b ; endless loop 1: lea 8(%rsp), %rsp ; restore stack pointer ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function 39 Michael Schwarz (@misc0110)
243 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) push <call_target> call 1f 2: ; speculation will continue here lfence ; speculation barrier jmp 2b ; endless loop 1: lea 8(%rsp), %rsp ; restore stack pointer ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function performance? 39 Michael Schwarz (@misc0110)
244 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) push <call_target> call 1f 2: ; speculation will continue here lfence ; speculation barrier jmp 2b ; endless loop 1: lea 8(%rsp), %rsp ; restore stack pointer ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function performance? On Broadwell or newer: 39 Michael Schwarz (@misc0110)
245 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) push <call_target> call 1f 2: ; speculation will continue here lfence ; speculation barrier jmp 2b ; endless loop 1: lea 8(%rsp), %rsp ; restore stack pointer ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function performance? On Broadwell or newer: ret may fall-back to the BTB for prediction 39 Michael Schwarz (@misc0110)
246 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) push <call_target> call 1f 2: ; speculation will continue here lfence ; speculation barrier jmp 2b ; endless loop 1: lea 8(%rsp), %rsp ; restore stack pointer ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function performance? On Broadwell or newer: ret may fall-back to the BTB for prediction microcode patches to prevent that 39 Michael Schwarz (@misc0110)
247 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel 40 Michael Schwarz (@misc0110)
248 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel Clears branch-predictor state on context switch 40 Michael Schwarz (@misc0110)
249 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel Clears branch-predictor state on context switch Either via instruction (BPIALL) Michael Schwarz (@misc0110)
250 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel Clears branch-predictor state on context switch Either via instruction (BPIALL)......or workaround (disable/enable MMU) 40 Michael Schwarz (@misc0110)
251 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel Clears branch-predictor state on context switch Either via instruction (BPIALL)......or workaround (disable/enable MMU) Non-negligible performance overhead ( ns) 40 Michael Schwarz (@misc0110)
252 What does not work Prevent access to high-resolution timer 41 Michael Schwarz
253 What does not work Prevent access to high-resolution timer Own timer using timing thread 41 Michael Schwarz
254 What does not work Prevent access to high-resolution timer Own timer using timing thread Flush instruction only privileged 41 Michael Schwarz
255 What does not work Prevent access to high-resolution timer Own timer using timing thread Flush instruction only privileged Cache eviction through memory accesses 41 Michael Schwarz
256 What does not work Prevent access to high-resolution timer Own timer using timing thread Flush instruction only privileged Cache eviction through memory accesses Just move secrets into secure world 41 Michael Schwarz
257 What does not work Prevent access to high-resolution timer Own timer using timing thread Flush instruction only privileged Cache eviction through memory accesses Just move secrets into secure world Spectre works on secure enclaves 41 Michael Schwarz
258 What do we learn from it? We have ignored software side-channels for many many years: 42 Michael Schwarz
259 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto 42 Michael Schwarz
260 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto software should be fixed 42 Michael Schwarz
261 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR 42 Michael Schwarz
262 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway 42 Michael Schwarz
263 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway attacks on SGX and TrustZone 42 Michael Schwarz
264 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway attacks on SGX and TrustZone not part of the threat model 42 Michael Schwarz
265 What do we learn from it? We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway attacks on SGX and TrustZone not part of the threat model for years we solely optimized for performance 42 Michael Schwarz
266 When you read the Intel manuals... After learning about a side channel you realize: 43 Michael Schwarz (@misc0110)
267 When you read the Intel manuals... After learning about a side channel you realize: the side channels were documented in the Intel manual 43 Michael Schwarz (@misc0110)
268 When you read the Intel manuals... After learning about a side channel you realize: the side channels were documented in the Intel manual only now we understand the implications 43 Michael Schwarz (@misc0110)
269 What do we learn from it? Motor Vehicle Deaths in U.S. by Year 44 Michael Schwarz
270 A unique chance A unique chance to rethink processor design grow up, like other fields (car industry, construction industry) find good trade-offs between security and performance 45 Michael Schwarz (@misc0110)
271 Conclusion Underestimated microarchitectural attacks for a long time Basic techniques were there for years Industry and customers must embrace security mechanisms Run through the same development (for security) as the automobile industry (for safety) It should not be performance first, but security first 46 Michael Schwarz (@misc0110)
272 Fact or Fiction?
273 Fact or Fiction? FAc tt
274 Any Questions?
275
Timeline of a Vulnerability
Timeline of a Vulnerability Is this all a conspiracy? Vulnerability existed for many years 1 Daniel Gruss, Moritz Lipp, Michael Schwarz www.iaik.tugraz.at Timeline of a Vulnerability Is this all a conspiracy?
More informationAdministrivia. Course Objectives. Overview. Lecture Notes Week markem/cs333/ 2. Staff. 3. Prerequisites. 4. Grading. 1. Theory and application
Administrivia 1. markem/cs333/ 2. Staff 3. Prerequisites 4. Grading Course Objectives 1. Theory and application 2. Benefits 3. Labs TAs Overview 1. What is a computer system? CPU PC ALU System bus Memory
More informationEffective Entropy for Memory Randomization Defenses
Effective Entropy for Memory Randomization Defenses William Herlands, Thomas Hobson, Paula Donovan 7 th Workshop on Cyber Security Experimentation and Test 18 August 2014 This work is sponsored by Assistant
More informationComputer Architecture
Computer Architecture QtSpim, a Mips simulator S. Coudert and R. Pacalet January 4, 2018..................... Memory Mapping 0xFFFF000C 0xFFFF0008 0xFFFF0004 0xffff0000 0x90000000 0x80000000 0x7ffff4d4
More informationECEN 651: Microprogrammed Control of Digital Systems Department of Electrical and Computer Engineering Texas A&M University
ECEN 651: Microprogrammed Control of Digital Systems Department of Electrical and Computer Engineering Texas A&M University Prof. Mi Lu TA: Ehsan Rohani Laboratory Exercise #4 MIPS Assembly and Simulation
More informationICS 233 Computer Architecture & Assembly Language
ICS 233 Computer Architecture & Assembly Language Assignment 6 Solution 1. Identify all of the RAW data dependencies in the following code. Which dependencies are data hazards that will be resolved by
More informationGo Tutorial. Ian Lance Taylor. Introduction. Why? Language. Go Tutorial. Ian Lance Taylor. GCC Summit, October 27, 2010
GCC Summit, October 27, 2010 Go Go is a new experimental general purpose programming language. Main developers are: Russ Cox Robert Griesemer Rob Pike Ken Thompson It was released as free software in November
More informationIssue = Select + Wakeup. Out-of-order Pipeline. Issue. Issue = Select + Wakeup. OOO execution (2-wide) OOO execution (2-wide)
Out-of-order Pipeline Buffer of instructions Issue = Select + Wakeup Select N oldest, read instructions N=, xor N=, xor and sub Note: ma have execution resource constraints: i.e., load/store/fp Fetch Decode
More informationEfficient Application of Countermeasures for Elliptic Curve Cryptography
Efficient Application of Countermeasures for Elliptic Curve Cryptography Vladimir Soukharev, Ph.D. Basil Hess, Ph.D. InfoSec Global Inc. May 19, 2017 Outline Introduction Brief Summary of ECC Arithmetic
More informationImpact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers
Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Goutam Paul and Shashwat Raizada Jadavpur University, Kolkata and Indian Statistical Institute,
More informationINF2270 Spring Philipp Häfliger. Lecture 8: Superscalar CPUs, Course Summary/Repetition (1/2)
INF2270 Spring 2010 Philipp Häfliger Summary/Repetition (1/2) content From Scalar to Superscalar Lecture Summary and Brief Repetition Binary numbers Boolean Algebra Combinational Logic Circuits Encoder/Decoder
More informationComp 11 Lectures. Mike Shah. July 26, Tufts University. Mike Shah (Tufts University) Comp 11 Lectures July 26, / 40
Comp 11 Lectures Mike Shah Tufts University July 26, 2017 Mike Shah (Tufts University) Comp 11 Lectures July 26, 2017 1 / 40 Please do not distribute or host these slides without prior permission. Mike
More informationCS 700: Quantitative Methods & Experimental Design in Computer Science
CS 700: Quantitative Methods & Experimental Design in Computer Science Sanjeev Setia Dept of Computer Science George Mason University Logistics Grade: 35% project, 25% Homework assignments 20% midterm,
More informationWorst-Case Execution Time Analysis. LS 12, TU Dortmund
Worst-Case Execution Time Analysis Prof. Dr. Jian-Jia Chen LS 12, TU Dortmund 09/10, Jan., 2018 Prof. Dr. Jian-Jia Chen (LS 12, TU Dortmund) 1 / 43 Most Essential Assumptions for Real-Time Systems Upper
More informationWorst-Case Execution Time Analysis. LS 12, TU Dortmund
Worst-Case Execution Time Analysis Prof. Dr. Jian-Jia Chen LS 12, TU Dortmund 02, 03 May 2016 Prof. Dr. Jian-Jia Chen (LS 12, TU Dortmund) 1 / 53 Most Essential Assumptions for Real-Time Systems Upper
More informationNCU EE -- DSP VLSI Design. Tsung-Han Tsai 1
NCU EE -- DSP VLSI Design. Tsung-Han Tsai 1 Multi-processor vs. Multi-computer architecture µp vs. DSP RISC vs. DSP RISC Reduced-instruction-set Register-to-register operation Higher throughput by using
More informationCSE. 1. In following code. addi. r1, skip1 xor in r2. r3, skip2. counter r4, top. taken): PC1: PC2: PC3: TTTTTT TTTTTT
CSE 560 Practice Problem Set 4 Solution 1. In this question, you will examine several different schemes for branch prediction, using the following code sequence for a simple load store ISA with no branch
More informationBranch Prediction based attacks using Hardware performance Counters IIT Kharagpur
Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur March 19, 2018 Modular Exponentiation Public key Cryptography March 19, 2018 Branch Prediction Attacks 2 / 54 Modular Exponentiation
More informationSimple Instruction-Pipelining (cont.) Pipelining Jumps
6.823, L9--1 Simple ruction-pipelining (cont.) + Interrupts Updated March 6, 2000 Laboratory for Computer Science M.I.T. http://www.csg.lcs.mit.edu/6.823 Src1 ( j / ~j ) Src2 ( / Ind) Pipelining Jumps
More informationCSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis. Ruth Anderson Winter 2019
CSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis Ruth Anderson Winter 2019 Today Algorithm Analysis What do we care about? How to compare two algorithms Analyzing Code Asymptotic Analysis
More informationMeasurement & Performance
Measurement & Performance Timers Performance measures Time-based metrics Rate-based metrics Benchmarking Amdahl s law Topics 2 Page The Nature of Time real (i.e. wall clock) time = User Time: time spent
More informationOperating Systems. VII. Synchronization
Operating Systems VII. Synchronization Ludovic Apvrille ludovic.apvrille@telecom-paristech.fr Eurecom, office 470 http://soc.eurecom.fr/os/ @OS Eurecom Outline Synchronization issues 2/22 Fall 2017 Institut
More informationMeasurement & Performance
Measurement & Performance Topics Timers Performance measures Time-based metrics Rate-based metrics Benchmarking Amdahl s law 2 The Nature of Time real (i.e. wall clock) time = User Time: time spent executing
More informationLecture 16 More Profiling: gperftools, systemwide tools: oprofile, perf, DTrace, etc.
Lecture 16 More Profiling: gperftools, systemwide tools: oprofile, perf, DTrace, etc. ECE 459: Programming for Performance March 6, 2014 Part I gperftools 2 / 49 Introduction to gperftools Google Performance
More informationUnit 6: Branch Prediction
CIS 501: Computer Architecture Unit 6: Branch Prediction Slides developed by Joe Devie/, Milo Mar4n & Amir Roth at Upenn with sources that included University of Wisconsin slides by Mark Hill, Guri Sohi,
More informationSt art. rp m. Km /h 1: : : : : : : : : : : : :5 2.5.
modified 22/05/14 t 3:5 2.5 3:5 5.0 3:5 7.5 4:0 0.0 4:0 2.5 4:0 5.0 4:0 7.5 4:1 0.0 4:1 2.5 4:1 5.0 4:1 7.5 4:2 0.0 Km /h 0 25 50 75 100 125 150 175 200 225 rp m 0 250 0 500 0 750 0 100 00 125 00 1 2 3
More informationPerformance Metrics for Computer Systems. CASS 2018 Lavanya Ramapantulu
Performance Metrics for Computer Systems CASS 2018 Lavanya Ramapantulu Eight Great Ideas in Computer Architecture Design for Moore s Law Use abstraction to simplify design Make the common case fast Performance
More informationAccelerating Decoupled Look-ahead to Exploit Implicit Parallelism
Accelerating Decoupled Look-ahead to Exploit Implicit Parallelism Raj Parihar Advisor: Prof. Michael C. Huang March 22, 2013 Raj Parihar Accelerating Decoupled Look-ahead to Exploit Implicit Parallelism
More informationCyrus: Unintrusive Application-Level Record-Replay for Replay Parallelism
Cyrus: Unintrusive Application-Level Record-Replay for Replay Parallelism Nima Honarmand, Nathan Dautenhahn, Josep Torrellas and Samuel T. King (UIUC) Gilles Pokam and Cristiano Pereira (Intel) iacoma.cs.uiuc.edu
More informationE23: Hotel Management System Wen Yunlu Hu Xing Chen Ke Tang Haoyuan Module: EEE 101
E23: Hotel Management System Author: 1302509 Zhao Ruimin 1301478 Wen Yunlu 1302575 Hu Xing 1301911 Chen Ke 1302599 Tang Haoyuan Module: EEE 101 Lecturer: Date: Dr.Lin December/22/2014 Contents Contents
More informationCSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis. Ruth Anderson Winter 2018
CSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis Ruth Anderson Winter 2018 Today Algorithm Analysis What do we care about? How to compare two algorithms Analyzing Code Asymptotic Analysis
More informationSliding right into disaster - Left-to-right sliding windows leak
Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and
More informationRandom Number Generation Is Getting Harder It s Time to Pay Attention
SESSION ID: PDAC-F03 Random Number Generation Is Getting Harder It s Time to Pay Attention Richard Moulds General Manager Whitewood Richard Hughes Laboratory Fellow (Retired) Los Alamos National Laboratory
More informationvsyscall and vdso Adrien «schischi» Schildknecht vsyscall and vdso March 17, 2014
March 17, 2014 Section 1 Introduction Goal In computing, a system call is how a program requests a service from an operating system s kernel. This may include hardware related services (e.g. accessing
More informationCSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis. Ruth Anderson Winter 2018
CSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis Ruth Anderson Winter 2018 Today Algorithm Analysis What do we care about? How to compare two algorithms Analyzing Code Asymptotic Analysis
More informationPossible Prelab Questions.
Possible Prelab Questions. Read Lab 2. Study the Analysis section to make sure you have a firm grasp of what is required for this lab. 1) A car is travelling with constant acceleration along a straight
More informationComputer Algorithms CISC4080 CIS, Fordham Univ. Outline. Last class. Instructor: X. Zhang Lecture 2
Computer Algorithms CISC4080 CIS, Fordham Univ. Instructor: X. Zhang Lecture 2 Outline Introduction to algorithm analysis: fibonacci seq calculation counting number of computer steps recursive formula
More informationComputer Algorithms CISC4080 CIS, Fordham Univ. Instructor: X. Zhang Lecture 2
Computer Algorithms CISC4080 CIS, Fordham Univ. Instructor: X. Zhang Lecture 2 Outline Introduction to algorithm analysis: fibonacci seq calculation counting number of computer steps recursive formula
More informationFormal Verification of Mathematical Algorithms
Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing
More informationPortland State University ECE 587/687. Branch Prediction
Portland State University ECE 587/687 Branch Prediction Copyright by Alaa Alameldeen and Haitham Akkary 2015 Branch Penalty Example: Comparing perfect branch prediction to 90%, 95%, 99% prediction accuracy,
More informationNICTA Advanced Course. Theorem Proving Principles, Techniques, Applications. Gerwin Klein Formal Methods
NICTA Advanced Course Theorem Proving Principles, Techniques, Applications Gerwin Klein Formal Methods 1 ORGANISATORIALS When Mon 14:00 15:30 Wed 10:30 12:00 7 weeks ends Mon, 20.9.2004 Exceptions Mon
More informationNEC PerforCache. Influence on M-Series Disk Array Behavior and Performance. Version 1.0
NEC PerforCache Influence on M-Series Disk Array Behavior and Performance. Version 1.0 Preface This document describes L2 (Level 2) Cache Technology which is a feature of NEC M-Series Disk Array implemented
More informationSystem Data Bus (8-bit) Data Buffer. Internal Data Bus (8-bit) 8-bit register (R) 3-bit address 16-bit register pair (P) 2-bit address
Intel 8080 CPU block diagram 8 System Data Bus (8-bit) Data Buffer Registry Array B 8 C Internal Data Bus (8-bit) F D E H L ALU SP A PC Address Buffer 16 System Address Bus (16-bit) Internal register addressing:
More informationECE 571 Advanced Microprocessor-Based Design Lecture 9
ECE 571 Advanced Microprocessor-Based Design Lecture 9 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 20 February 2018 Announcements HW#4 was posted. About branch predictors Don
More informationDETERMINING THE VARIABLE QUANTUM TIME (VQT) IN ROUND ROBIN AND IT S IMPORTANCE OVER AVERAGE QUANTUM TIME METHOD
D DETERMINING THE VARIABLE QUANTUM TIME (VQT) IN ROUND ROBIN AND IT S IMPORTANCE OVER AVERAGE QUANTUM TIME METHOD Yashasvini Sharma 1 Abstract The process scheduling, is one of the most important tasks
More informationChe-Wei Chang Department of Computer Science and Information Engineering, Chang Gung University
Che-Wei Chang chewei@mail.cgu.edu.tw Department of Computer Science and Information Engineering, Chang Gung University } 2017/11/15 Midterm } 2017/11/22 Final Project Announcement 2 1. Introduction 2.
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationSearching, mainly via Hash tables
Data structures and algorithms Part 11 Searching, mainly via Hash tables Petr Felkel 26.1.2007 Topics Searching Hashing Hash function Resolving collisions Hashing with chaining Open addressing Linear Probing
More informationCache-Oblivious Algorithms
Cache-Oblivious Algorithms 1 Cache-Oblivious Model 2 The Unknown Machine Algorithm C program gcc Object code linux Execution Can be executed on machines with a specific class of CPUs Algorithm Java program
More informationStatic Program Analysis
Static Program Analysis Xiangyu Zhang The slides are compiled from Alex Aiken s Michael D. Ernst s Sorin Lerner s A Scary Outline Type-based analysis Data-flow analysis Abstract interpretation Theorem
More informationCache-Oblivious Algorithms
Cache-Oblivious Algorithms 1 Cache-Oblivious Model 2 The Unknown Machine Algorithm C program gcc Object code linux Execution Can be executed on machines with a specific class of CPUs Algorithm Java program
More informationMICROPROCESSOR REPORT. THE INSIDER S GUIDE TO MICROPROCESSOR HARDWARE
MICROPROCESSOR www.mpronline.com REPORT THE INSIDER S GUIDE TO MICROPROCESSOR HARDWARE ENERGY COROLLARIES TO AMDAHL S LAW Analyzing the Interactions Between Parallel Execution and Energy Consumption By
More informationSafety and Liveness. Thread Synchronization: Too Much Milk. Critical Sections. A Really Cool Theorem
Safety and Liveness Properties defined over an execution of a program Thread Synchronization: Too Much Milk Safety: nothing bad happens holds in every finite execution prefix Windows never crashes No patient
More informationThis ensures that we walk downhill. For fixed λ not even this may be the case.
Gradient Descent Objective Function Some differentiable function f : R n R. Gradient Descent Start with some x 0, i = 0 and learning rate λ repeat x i+1 = x i λ f(x i ) until f(x i+1 ) ɛ Line Search Variant
More informationThe conceptual view. by Gerrit Muller University of Southeast Norway-NISE
by Gerrit Muller University of Southeast Norway-NISE e-mail: gaudisite@gmail.com www.gaudisite.nl Abstract The purpose of the conceptual view is described. A number of methods or models is given to use
More informationMcBits: Fast code-based cryptography
McBits: Fast code-based cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands Joint work with Daniel Bernstein, Tung Chou December 17, 2013 IMA International Conference on Cryptography
More informationPwning ARM Debug Components for Sec-Related Stuff (HardBlare project)
Pwning ARM Debug Components for Sec-Related Stuff (HardBlare project) HITB COMMSEC Muhammad Abdul WAHAB, Pascal COTRET April 14, 2017 CentraleSupélec Who am I? 2 nd year PhD Student at CentraleSuplec E-mail:
More informationPhysics 100. Today. Finish Chapter 5: Newton s 3 rd Law. Chapter 6: Momentum
Physics 100 Today Finish Chapter 5: Newton s 3 rd Law Chapter 6: Momentum Momentum = inertia in motion Specifically, momentum = mass x velocity = m v Eg. Just as a truck and a roller skate have different
More informationHigh Performance Computing
Master Degree Program in Computer Science and Networking, 2014-15 High Performance Computing 2 nd appello February 11, 2015 Write your name, surname, student identification number (numero di matricola),
More informationBOFH meets SystemTap: rootkits made trivial
BOFH meets SystemTap: rootkits made trivial Adrien Kunysz adrien@kunysz.be FOSDEM, Brussels, Belgium 5 February 2011 Who is Adrien Kunysz? Krunch on Freenode I like to look at core files, to read code,
More informationSpeculative Parallelism in Cilk++
Speculative Parallelism in Cilk++ Ruben Perez & Gregory Malecha MIT May 11, 2010 Ruben Perez & Gregory Malecha (MIT) Speculative Parallelism in Cilk++ May 11, 2010 1 / 33 Parallelizing Embarrassingly Parallel
More informationCMP N 301 Computer Architecture. Appendix C
CMP N 301 Computer Architecture Appendix C Outline Introduction Pipelining Hazards Pipelining Implementation Exception Handling Advanced Issues (Dynamic Scheduling, Out of order Issue, Superscalar, etc)
More informationB629 project - StreamIt MPI Backend. Nilesh Mahajan
B629 project - StreamIt MPI Backend Nilesh Mahajan March 26, 2013 Abstract StreamIt is a language based on the dataflow model of computation. StreamIt consists of computation units called filters connected
More informationTDDI04, K. Arvidsson, IDA, Linköpings universitet CPU Scheduling. Overview: CPU Scheduling. [SGG7] Chapter 5. Basic Concepts.
TDDI4 Concurrent Programming, Operating Systems, and Real-time Operating Systems CPU Scheduling Overview: CPU Scheduling CPU bursts and I/O bursts Scheduling Criteria Scheduling Algorithms Multiprocessor
More informationCosmic Ray Detector Software
Cosmic Ray Detector Software Studying cosmic rays has never been easier Matthew Jones Purdue University 2012 QuarkNet Summer Workshop 1 Brief History First cosmic ray detector built at Purdue in about
More informationCIS 371 Computer Organization and Design
CIS 371 Computer Organization and Design Unit 13: Power & Energy Slides developed by Milo Mar0n & Amir Roth at the University of Pennsylvania with sources that included University of Wisconsin slides by
More informationWRF performance tuning for the Intel Woodcrest Processor
WRF performance tuning for the Intel Woodcrest Processor A. Semenov, T. Kashevarova, P. Mankevich, D. Shkurko, K. Arturov, N. Panov Intel Corp., pr. ak. Lavrentieva 6/1, Novosibirsk, Russia, 630090 {alexander.l.semenov,tamara.p.kashevarova,pavel.v.mankevich,
More informationMAHAPATRA218FALL12 ( MPMAHAPATRA218FALL12 )
Logged in as Rupak Mahapatra, Instructor Help Log Out MAHAPATRA218FALL12 ( MPMAHAPATRA218FALL12 ) My Courses Course Settings Course Home Assignments Roster Gradebook Item Library University Physics with
More informationLecture 3, Performance
Repeating some definitions: Lecture 3, Performance CPI MHz MIPS MOPS Clocks Per Instruction megahertz, millions of cycles per second Millions of Instructions Per Second = MHz / CPI Millions of Operations
More informationCompiling Techniques
Lecture 11: Introduction to 13 November 2015 Table of contents 1 Introduction Overview The Backend The Big Picture 2 Code Shape Overview Introduction Overview The Backend The Big Picture Source code FrontEnd
More informationFall 2008 CSE Qualifying Exam. September 13, 2008
Fall 2008 CSE Qualifying Exam September 13, 2008 1 Architecture 1. (Quan, Fall 2008) Your company has just bought a new dual Pentium processor, and you have been tasked with optimizing your software for
More informationCSE370: Introduction to Digital Design
CSE370: Introduction to Digital Design Course staff Gaetano Borriello, Brian DeRenzi, Firat Kiyak Course web www.cs.washington.edu/370/ Make sure to subscribe to class mailing list (cse370@cs) Course text
More informationCS187 - Science Gateway Seminar for CS and Math
CS187 - Science Gateway Seminar for CS and Math Fall 2013 Class 3 Sep. 10, 2013 What is (not) Computer Science? Network and system administration? Playing video games? Learning to use software packages?
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationAP Physics 1 Summer Assignment
Name: Email address (write legibly): AP Physics 1 Summer Assignment Packet 3 The assignments included here are to be brought to the first day of class to be submitted. They are: Problems from Conceptual
More informationCHAPTER 5 - PROCESS SCHEDULING
CHAPTER 5 - PROCESS SCHEDULING OBJECTIVES To introduce CPU scheduling, which is the basis for multiprogrammed operating systems To describe various CPU-scheduling algorithms To discuss evaluation criteria
More informationLecture 3, Performance
Lecture 3, Performance Repeating some definitions: CPI Clocks Per Instruction MHz megahertz, millions of cycles per second MIPS Millions of Instructions Per Second = MHz / CPI MOPS Millions of Operations
More informationRecap. CS514: Intermediate Course in Operating Systems. What time is it? This week. Reminder: Lamport s approach. But what does time mean?
CS514: Intermediate Course in Operating Systems Professor Ken Birman Vivek Vishnumurthy: TA Recap We ve started a process of isolating questions that arise in big systems Tease out an abstract issue Treat
More informationCSE 331 Winter 2018 Reasoning About Code I
CSE 331 Winter 2018 Reasoning About Code I Notes by Krysta Yousoufian Original lectures by Hal Perkins Additional contributions from Michael Ernst, David Notkin, and Dan Grossman These notes cover most
More informationR E A D : E S S E N T I A L S C R U M : A P R A C T I C A L G U I D E T O T H E M O S T P O P U L A R A G I L E P R O C E S S. C H.
R E A D : E S S E N T I A L S C R U M : A P R A C T I C A L G U I D E T O T H E M O S T P O P U L A R A G I L E P R O C E S S. C H. 5 S O F T W A R E E N G I N E E R I N G B Y S O M M E R V I L L E S E
More informationITI Introduction to Computing II
(with contributions from R. Holte) School of Electrical Engineering and Computer Science University of Ottawa Version of January 11, 2015 Please don t print these lecture notes unless you really need to!
More informationExperimenting with Forces
A mother hears a loud crash in the living room. She walks into the room to see her seven-year-old son looking at a broken vase on the floor. How did that happen? she asks. I don t know. The vase just fell
More informationECEN 449: Microprocessor System Design Department of Electrical and Computer Engineering Texas A&M University
ECEN 449: Microprocessor System Design Department of Electrical and Computer Engineering Texas A&M University Prof. Sunil P Khatri (Lab exercise created and tested by Ramu Endluri, He Zhou and Sunil P
More informationDeadlock. CSE 2431: Introduction to Operating Systems Reading: Chap. 7, [OSC]
Deadlock CSE 2431: Introduction to Operating Systems Reading: Chap. 7, [OSC] 1 Outline Resources Deadlock Deadlock Prevention Deadlock Avoidance Deadlock Detection Deadlock Recovery 2 Review: Synchronization
More informationPerformance, Power & Energy. ELEC8106/ELEC6102 Spring 2010 Hayden Kwok-Hay So
Performance, Power & Energy ELEC8106/ELEC6102 Spring 2010 Hayden Kwok-Hay So Recall: Goal of this class Performance Reconfiguration Power/ Energy H. So, Sp10 Lecture 3 - ELEC8106/6102 2 PERFORMANCE EVALUATION
More informationUnit 8: Sequ. ential Circuits
CPSC 121: Models of Computation Unit 8: Sequ ential Circuits Based on slides by Patrice Be lleville and Steve Wolfman Pre-Class Learning Goals By the start of class, you s hould be able to Trace the operation
More informationThe Euler Method for the Initial Value Problem
The Euler Method for the Initial Value Problem http://people.sc.fsu.edu/ jburkardt/isc/week10 lecture 18.pdf... ISC3313: Introduction to Scientific Computing with C++ Summer Semester 2011... John Burkardt
More informationVäxjö University. Software Security Testing. A Flexible Architecture for Security Testing. School of Mathematics and System Engineering
School of Mathematics and System Engineering Reports from MSI - Rapporter från MSI Växjö University Software Security Testing A Flexible Architecture for Security Testing Martin Andersson Aug 2008 MSI
More informationIsaac Newton was a British scientist whose accomplishments
E8 Newton s Laws of Motion R EA D I N G Isaac Newton was a British scientist whose accomplishments included important discoveries about light, motion, and gravity. You may have heard the legend about how
More informationHigh-Performance Scientific Computing
High-Performance Scientific Computing Instructor: Randy LeVeque TA: Grady Lemoine Applied Mathematics 483/583, Spring 2011 http://www.amath.washington.edu/~rjl/am583 World s fastest computers http://top500.org
More informationChapter 4: Forces and Newton's Laws of Motion Tuesday, September 17, :00 PM
Ch4 Page 1 Chapter 4: Forces and Newton's Laws of Motion Tuesday, September 17, 2013 10:00 PM In the first three chapters of this course the emphasis is on kinematics, the mathematical description of motion.
More informationLecture Notes Week 4. Once the CPU is up and running, the routine scheduler() is never called again except in the routine sched().
1 XV6 Scheduler The xv6 scheduler user pure Round Robin It definitely as starvation and is definitely non-optimal The xv6 scheduler is in procc Two routines comprise the scheduler: scheduler() and sched()
More informationThe Geo Web: Enabling GIS on the Internet IT4GIS Keith T. Weber, GISP GIS Director ISU GIS Training and Research Center.
The Geo Web: Enabling GIS on the Internet IT4GIS Keith T. Weber, GISP GIS Director ISU GIS Training and Research Center In the Beginning GIS was independent The GIS analyst or manager was typically a oneperson
More informationVirtualization. Introduction. G. Lettieri A/A 2014/15. Dipartimento di Ingegneria dell Informazione Università di Pisa. G. Lettieri Virtualization
Introduction G. Lettieri Dipartimento di Ingegneria dell Informazione Università di Pisa A/A 2014/15 G. Lettieri Folk definition What do people mean when they talk about virtualization w.r.t. computers?
More informationReal-Time Scheduling and Resource Management
ARTIST2 Summer School 2008 in Europe Autrans (near Grenoble), France September 8-12, 2008 Real-Time Scheduling and Resource Management Lecturer: Giorgio Buttazzo Full Professor Scuola Superiore Sant Anna
More informationOBEUS. (Object-Based Environment for Urban Simulation) Shareware Version. Itzhak Benenson 1,2, Slava Birfur 1, Vlad Kharbash 1
OBEUS (Object-Based Environment for Urban Simulation) Shareware Version Yaffo model is based on partition of the area into Voronoi polygons, which correspond to real-world houses; neighborhood relationship
More informationIntroduction The Nature of High-Performance Computation
1 Introduction The Nature of High-Performance Computation The need for speed. Since the beginning of the era of the modern digital computer in the early 1940s, computing power has increased at an exponential
More informationPorting RSL to C++ Ryusuke Villemin, Christophe Hery. Pixar Technical Memo 12-08
Porting RSL to C++ Ryusuke Villemin, Christophe Hery Pixar Technical Memo 12-08 1 Introduction In a modern renderer, relying on recursive ray-tracing, the number of shader calls increases by one or two
More informationECE/CS 250 Computer Architecture
ECE/CS 250 Computer Architecture Basics of Logic Design: Boolean Algebra, Logic Gates (Combinational Logic) Tyler Bletsch Duke University Slides are derived from work by Daniel J. Sorin (Duke), Alvy Lebeck
More information