Daniel Gruss PDF

Recent Developments in Microarchitectural
Attacks: Meltdown, Spectre, and Rowhammer
Daniel Gruss
September 19, 2018
Graz University of Technology
1 Daniel Gruss — Graz University of Technology

CPU Cache www.tugraz.at
printf("%d", i);
printf("%d", i);

h e miss
Cac
printf("%d", i);
printf("%d", i);

h e miss Req
uest
Cac
printf("%d", i);
printf("%d", i);

h e miss Req
uest
Cac
printf("%d", i);
onse
printf("%d", i); Resp

h e miss Req
uest
Cac
printf("%d", i);
i onse

h e miss Req
uest
Cac
printf("%d", i);
i onse
e hit
Cach

ess,
DRAM acc
slow
h e miss Req
uest
Cac
printf("%d", i);
i onse
e hit
Cach

ess,
DRAM acc
slow
h e miss Req
uest
Cac
printf("%d", i);
i onse
e hit
Cach
o D R A M access,
N
er
much fast
Flush+Reload www.tugraz.at
Shared Memory
ATTACKER VICTIM
flush access
access

Shared Memory
ATTACKER VICTIM
ca
flush ch e d access
e d ch
ca
Shared Memory
access

Shared Memory
ATTACKER VICTIM
flush Shared Memory access

access

Shared Memory
ATTACKER VICTIM
flush access
access

Shared Memory
ATTACKER VICTIM
flush access
access

Shared Memory
ATTACKER VICTIM

access

Shared Memory
ATTACKER VICTIM

access

Shared Memory
ATTACKER VICTIM

access
fast if victim accessed data,

slow otherwise
Memory Access Latency www.tugraz.at
Cache Hits
107
Number of accesses
104
101
50 100 150 200 250 300 350 400

Access time [CPU cycles]

Memory Access Latency www.tugraz.at
Cache Hits Cache Misses
107
Number of accesses
104
101
50 100 150 200 250 300 350 400

Access time [CPU cycles]

Out-of-order Execution www.tugraz.at
int width = 10 , height = 5;
float diagonal = sqrt ( width * width

+ height * height ) ;
int area = width * height ;
printf ( " Area % d x % d = % d \ n " , width , height , area ) ;

Out-of-order Execution www.tugraz.at
Parallelize
ency
int width = 10 , height = 5;

Depend
float diagonal = sqrt ( width * width

+ height * height ) ;
int area = width * height ;
printf ( " Area % d x % d = % d \ n " , width , height , area ) ;

Out-of-Order Execution www.tugraz.at
ITLB
L1 Instruction Cache
Branch Instruction Fetch & PreDecode

Frontend
Predictor
Instruction Queue
µOP Cache 4-Way Decode

µOPs µOP µOP µOP µOP
MUX
Allocation Queue
µOP µOP µOP µOP
Instructions are
CDB Reorder buffer
µOP µOP µOP µOP µOP µOP µOP µOP
• fetched and decoded in the front-end
Execution Engine
Scheduler
ALU, FMA, . . .
ALU, AES, . . .
ALU, Vect, . . .
Store data
Load data
Load data
ALU, Branch
AGU
Execution Units
Load Buffer Store Buffer

Subsystem
Memory
DTLB STLB
L1 Data Cache
L2 Cache

ITLB

Frontend
Predictor
Instruction Queue

MUX
Allocation Queue
µOP µOP µOP µOP
Instructions are
CDB Reorder buffer
Execution Engine
Scheduler
• dispatched to the backend

ALU, FMA, . . .
ALU, AES, . . .
ALU, Vect, . . .
Store data
Load data
Load data
ALU, Branch
AGU
Execution Units

Subsystem
Memory
DTLB STLB
L1 Data Cache
L2 Cache

ITLB

Frontend
Predictor
Instruction Queue

MUX
Allocation Queue
µOP µOP µOP µOP
Instructions are
CDB Reorder buffer
Execution Engine
Scheduler
• dispatched to the backend

ALU, FMA, . . .
ALU, AES, . . .
ALU, Vect, . . .
Store data
Load data
Load data
ALU, Branch
AGU
• processed by individual execution units

Execution Units

Subsystem
Memory
DTLB STLB
L1 Data Cache
L2 Cache

Building Meltdown www.tugraz.at
char data = *( char *) 0 xffffffff81a000e0 ;

printf ( " % c \ n " , data ) ;


printf ( " % c \ n " , data ) ;
segfault at ffffffff81a000e0 ip
0000000000400535
sp 00007 ffce4a80610 error 5 in reader

Adapted code
*( volatile char *) 0;
array [84 * 4096] = 0; // unreachable

Flush+Reload over all pages of the array
Access time
500
[cycles]
400
300
0 50 100 150 200 250

Page

Flush+Reload over all pages of the array
Access time
500
[cycles]
400
300
0 50 100 150 200 250

Page
This also works on AMD and ARM!

• Out-of-order instructions leave microarchitectural traces


• We can see them for example through the cache


• Give such instructions a name: transient instructions


• Give such instructions a name: transient instructions
• We can indirectly observe the execution of transient instructions

• Combine the two things

array [ data * 4096] = 0;

Flush+Reload again...
Access time
500
[cycles]
400
300
0 50 100 150 200 250

Page
... Meltdown actually works.

• Flush+Reload over all pages of the array
Access time
500
[cycles]
400
300
0 50 100 150 200 250

Page
• Index of cache hit reveals data

• Flush+Reload over all pages of the array
Access time
500
[cycles]
400
300
0 50 100 150 200 250

Page
• Index of cache hit reveals data

• Permission check is in some cases not fast enough

Kernel Address Isolation to have Side channels Efficiently Removed
KAISER /ˈkʌɪzə/
1. [german] Emperor,
ruler of an empire
2. largest penguin,
emperor penguin
Kernel Address Isolation to have Side channels Efficiently Removed

KAISER Illustration www.tugraz.at
Without KAISER:
Shared address space
User memory Kernel memory
0 −1
context switch

KAISER Illustration www.tugraz.at
Without KAISER:
Shared address space
User memory Kernel memory
0 −1
context switch
With KAISER:
User address space
User memory Not mapped
0 −1
addr. space
switch
context switch Interrupt
dispatcher
SMAP + SMEP Kernel memory

0 −1
Kernel address space

Foreshadow / Foreshadow-NG1 [Van+18; Wei+18] www.tugraz.at
1
Jo Van Bulck et al. Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient
Out-of-Order Execution. In: USENIX Security Symposium. 2018.
L1TF/Foreshadow Demo
Mitigating L1TF/Foreshadow www.tugraz.at
Either:

Either:
• hyperthreading: only schedule mutually trusting threads on
same physical core

Either:
same physical core
• context switch: flush L1 when switching to guest

Either:
same physical core
Or:

Either:
same physical core
Or:
• disable EPTs

Spectre (variant 1) www.tugraz.at
index = 0;
char* data = "textKEY";
if (index < 4)
els
en e
th
Prediction
LUT[data[index] * 4096] 0
index = 0;
if (index < 4)
els
en e
th
Prediction
index = 0;
if (index < 4)
Speculate
els
en e
th
Prediction
index = 0;
if (index < 4)
Execute
els
en e
th
Prediction
index = 1;
if (index < 4)
els
en e
th
Prediction
index = 1;
if (index < 4)
els
en e
th
Prediction
index = 1;
if (index < 4)
Speculate
els
en e
th
Prediction
index = 1;
if (index < 4)
els
en e
th
Prediction
index = 2;
if (index < 4)
els
en e
th
Prediction
index = 2;
if (index < 4)
els
en e
th
Prediction
index = 2;
if (index < 4)
Speculate
els
en e
th
Prediction
index = 2;
if (index < 4)
els
en e
th
Prediction
index = 3;
if (index < 4)
els
en e
th
Prediction
index = 3;
if (index < 4)
els
en e
th
Prediction
index = 3;
if (index < 4)
Speculate
els
en e
th
Prediction
index = 3;
if (index < 4)
els
en e
th
Prediction
index = 4;
if (index < 4)
els
en e
th
Prediction
index = 4;
if (index < 4)
els
en e
th
Prediction
index = 4;
if (index < 4)
Speculate
els
en e
th
Prediction
index = 4;
if (index < 4)
Execute
els
en e
th
Prediction
index = 5;
if (index < 4)
els
en e
th
Prediction
index = 5;
if (index < 4)
els
en e
th
Prediction
index = 5;
if (index < 4)
Speculate
els
en e
th
Prediction
index = 5;
if (index < 4)
Execute
els
en e
th
Prediction
index = 6;
if (index < 4)
els
en e
th
Prediction
index = 6;
if (index < 4)
els
en e
th
Prediction
index = 6;
if (index < 4)
Speculate
els
en e
th
Prediction
index = 6;
if (index < 4)
Execute
els
en e
th
Prediction
index = 0;
index = index & 0x3; // sanitization

er ig
no
sid re
con
Prediction
LUT[data[index] * 4096] LUT[data[index] * 4096]

index = 0;

er ig
no
sid re
con
Prediction

index = 0;

Speculate
er ig
id no
s re
con
Prediction

index = 0;

er ig
no
sid re
con
Prediction

index = 1;

er ig
no
sid re
con
Prediction

index = 1;

er ig
no
sid re
con
Prediction

index = 1;

Speculate
er ig
id no
s re
con
Prediction

index = 1;

er ig
no
sid re
con
Prediction

index = 2;

er ig
no
sid re
con
Prediction

index = 2;

er ig
no
sid re
con
Prediction

index = 2;

Speculate
er ig
id no
s re
con
Prediction

index = 2;

er ig
no
sid re
con
Prediction

index = 3;

er ig
no
sid re
con
Prediction

index = 3;

er ig
no
sid re
con
Prediction

index = 3;

Speculate
er ig
id no
s re
con
Prediction

index = 3;

er ig
no
sid re
con
Prediction

index = 4;

er ig
no
sid re
con
Prediction

index = 4;

er ig
no
sid re
con
Prediction

index = 4;

Speculate
er ig
id no
s re
con
Prediction

index = 4;

Execute 0 ig
= no
x re
nde
i Prediction

index = 5;

er ig
no
sid re
con
Prediction

index = 5;

er ig
no
sid re
con
Prediction

index = 5;

Speculate
er ig
id no
s re
con
Prediction

index = 5;

Execute 1 ig
= no
x re
nde
i Prediction

index = 6;

er ig
no
sid re
con
Prediction

index = 6;

er ig
no
sid re
con
Prediction

index = 6;

Speculate
er ig
id no
s re
con
Prediction

index = 6;

Execute 2 ig
= no
x re
nde
i Prediction

Spectre (variant 1.1) www.tugraz.at
“Speculative Buffer Overflows”
• Speculatively write to memory locations

→ Many more gadgets than previously anticipated
• Very interesting for sandboxes
• Causes some protection mechanisms to fail

Spectre (variant 1.2) www.tugraz.at
“Speculative Buffer Overflows”
• Speculatively write to memory locations which are not writable

• Actually a variant of Meltdown
• A permission bit is ignored during out-of-order execution
• But no scenario where it makes sense without speculative execution?

Animal* a = bird;
a->move()
sw
) im
fl y( swim()
()
Prediction
Animal* a = bird;
a->move()
Speculate
sw
() swim() im
fly ()
Prediction
Animal* a = bird;
a->move()
sw
) im
fl y( swim()
()
Prediction
Animal* a = bird;
a->move()
Execute sw
) im
fl y( swim()
()
Prediction
Animal* a = bird;
a->move()
sw
) im
fl y( fly()
()
Prediction
Animal* a = bird;
a->move()
Speculate
sw
) im
fl y( fly()
()
Prediction
Animal* a = bird;
a->move()
sw
) im
fl y( fly()
()
Prediction
Animal* a = fish;
a->move()
sw
) im
fl y( fly()
()
Prediction
Animal* a = fish;
a->move()
Speculate
sw
) im
fl y( fly()
()
Prediction
Animal* a = fish;
a->move()
sw
) im
fl y( fly()
()
Prediction
Animal* a = fish;
a->move()
sw Execute
() fly() i m
fly ()
Prediction
Animal* a = fish;
a->move()
sw
) im
fl y( swim()
()
Prediction
• “SpectreRSB”
• Similar to Spectre variant 2:
• Redirect an indirect branch (a return in this case)
• Fill buffer with “wrong” values

Mitigating Spectre www.tugraz.at
• Trivial approach: disable speculative execution


• No wrong speculation if there is no speculation


• Problem: massive performance hit!


• Also: How to disable it?


• Also: How to disable it?
• Speculative execution is deeply integrated into CPU

Spectre Variant 1 Mitigations www.tugraz.at

• Workaround: insert instructions stopping

speculation


speculation
→ insert after every bounds check


speculation
• x86: LFENCE, ARM: CSDB


speculation
• x86: LFENCE, ARM: CSDB
• Available on all Intel CPUs, retrofitted to existing
ARMv7 and ARMv8


• Speculation barrier requires compiler supported


• Already implemented in GCC, LLVM, and MSVC


• Can be automated (MSVC) → not really reliable


• Can be automated (MSVC) → not really reliable
• Explicit use by programmer: builtin load no speculate

Spectre Variant 2 Mitigations (Microcode/MSRs) www.tugraz.at
Intel released microcode updates

• Indirect Branch Restricted Speculation (IBRS):


• Do not speculate based on anything before entering IBRS mode


→ lesser privileged code cannot influence predictions


• Indirect Branch Predictor Barrier (IBPB):


• Flush branch-target buffer


• Single Thread Indirect Branch Predictors (STIBP):


• Single Thread Indirect Branch Predictors (STIBP):
• Isolates branch prediction state between two hyperthreads

Spectre Variant 2 Mitigations (Software) www.tugraz.at
Retpoline (compiler extension)


push < call_target >
call 1 f
2: lfence ; speculation barrier
jmp 2 b ; endless loop
1: lea 8(% rsp ) , % rsp ; restore stack pointer
ret ; the actual call to <
call_target >
→ always predict to enter an endless loop


call 1 f
call_target >

• instead of the correct (or wrong) target function


call 1 f
call_target >

• instead of the correct (or wrong) target function →
performance?


call 1 f
call_target >

performance?
• ret may fall-back to the BTB for prediction


call 1 f
call_target >

performance?
• ret may fall-back to the BTB for prediction
→ microcode patches to prevent that



• Disable store-to-load-forward speculation
• Performance impact of 2–8%

• Already implicitly patched on some architectures

• RSB stuffing (part of retpoline)

What does not work www.tugraz.at
• Prevent access to high-resolution timer


→ Own timer using timing thread


• Flush instruction only privileged


→ Cache eviction through memory accesses


• Just move secrets into secure world


• Just move secrets into secure world
→ Spectre works on secure enclaves

Meltdown vs. Spectre www.tugraz.at
Meltdown attacks Spectre attacks


• Meltdown, LazyFP (v3.1), • v1, v1.1, v2, v4, SpectreRSB (v5)
Foreshadow, Foreshadow-NG, ...


Foreshadow, Foreshadow-NG, ... • Speculative Execution ⊂
• Out-of-Order Execution Out-of-Order Execution


• no prediction required • fundamentally rely on prediction


→ melt down isolation by ignoring access • difficult to mitigate because it does
permissions (e.g., page table bits) not violate access permissions


→ melt down isolation by ignoring access • difficult to mitigate because it does
permissions (e.g., page table bits) not violate access permissions
• practical mitigation in software (e.g.,
KAISER)

What if we want to modify data?
DRAM organization www.tugraz.at

channel 0
channel 1

back of DIMM: rank 1
channel 0
front of DIMM:
rank 0
channel 1

back of DIMM: rank 1
channel 0
front of DIMM:
rank 0
chip
channel 1

bank 0
chip
row 0
row 1
row 2
...
row 32767
row buffer

bank 0
chip
row 0
row 1
row 2
...
row 32767 64k cells
1 capacitor,
row buffer
1 transitor each

Rowhammer www.tugraz.at
DRAM bank
• Cells leak → repetitive refresh
11111111111111
necessary
11111111111111
11111111111111
• Maximum interval between
11111111111111 refreshes to guarantee data
... integrity
11111111111111
• Cells leak faster upon
proximate accesses →
row buffer
Rowhammer

DRAM bank
11111111111111
necessary
activate
11111111111111
11111111111111
... copy integrity
11111111111111
row buffer
Rowhammer

DRAM bank
11111111111111
necessary
11111111111111
11111111111111
activate
... integrity
11111111111111 copy
row buffer
Rowhammer

DRAM bank
11111111111111
necessary
activate
11111111111111
11111111111111
... copy integrity
11111111111111
row buffer
Rowhammer

DRAM bank
11111111111111
necessary
11111111111111
11111111111111
activate
... integrity
11111111111111 copy
row buffer
Rowhammer

DRAM bank
11111111111111 bit flips in row 2! necessary
11111111111111
10111110101111
... integrity
11111111111111
row buffer
Rowhammer

Hammering techniques www.tugraz.at
• There are two different hammering techniques


• #1: Hammer one row next to victim row and other random rows


• #2: Hammer two rows neighboring victim row

• There are three different hammering techniques

• #2: Hammer two rows neighboring victim row
• #3: Hammer only one row next to victim row

#1 - Single-sided hammering www.tugraz.at
DRAM bank
11111111111111
11111111111111
11111111111111
activate
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
activate
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
11111111111111
11111111111111
11111111111111
activate
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
activate
11111111111111

DRAM bank
11111111111111
11111111111111
11111111111111
activate
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
11111111111111 bit flips

11111111111111
10111110101111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

#2 - Double-sided hammering www.tugraz.at
DRAM bank
11111111111111
11111111111111
11111111111111
activate
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
11111111111111
activate
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
11111111111111
11111111111111
11111111111111
activate
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
11111111111111
activate
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
11111111111111
11111111111111
11111111111111
activate
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
11111111111111 bit flips

activate
11111111111111
10111110101111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

#3 - One-location hammering www.tugraz.at
DRAM bank
11111111111111
11111111111111
11111111111111
activate
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
11111111111111
11111111111111
11111111111111
activate
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
11111111111111
11111111111111
11111111111111
activate
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

DRAM bank
11111111111111 bit flips

11111111111111
10111110101111
11111111111111
11111111111111
11111111111111
11111111111111
11111111111111

How to exploit random bit flips? www.tugraz.at



• They are not random → highly reproducible flip pattern!


1. Choose a data structure that you can place at arbitrary memory
locations


locations
2. Scan for “good” flips


locations
3. Place data structure there


locations
3. Place data structure there
4. Trigger bit flip again

What if we cannot target kernel pages? www.tugraz.at



• Many applications perform actions as root



• They can be used by unprivileged users as well




• sudo

Opcode Flipping - Conditional Jump www.tugraz.at
JE HLT
0 1 1 1 0 1 0 0 1 1 1 1 0 1 0 0

JE XORB
0 1 1 1 0 1 0 0 0 0 1 1 0 1 0 0

JE PUSHQ
0 1 1 1 0 1 0 0 0 1 0 1 0 1 0 0

JE <prefix>
0 1 1 1 0 1 0 0 0 1 1 0 0 1 0 0

JE JL
0 1 1 1 0 1 0 0 0 1 1 1 1 1 0 0

JE JO
0 1 1 1 0 1 0 0 0 1 1 1 0 0 0 0

JE JBE
0 1 1 1 0 1 0 0 0 1 1 1 0 1 1 0

JE JNE
0 1 1 1 0 1 0 0 0 1 1 1 0 1 0 1

Page Cache www.tugraz.at
• If a binary is loaded the first time, it is loaded to the memory


• It stays in memory (in the page cache) even after execution


• Only evicted if page cache is full


• Only evicted if page cache is full
• Page cache is huge - usually all unused memory

Memory Waylaying www.tugraz.at
(1) Start
B
X

(2) Evict Page Cache

(3) Access Binary

(4) Evict + Access

B

(5) Evict + Access

(6) Stop if target reached
X
B

How well does it work? www.tugraz.at
• New pages cover most of the physical memory

How well does it work? www.tugraz.at
• Great advantage over memory massaging: only negligible memory footprint

Rowhammer + SGX = Cheap Denial of Service
Intel SGX www.tugraz.at
• Instruction-set extension
• Integrity and confidentiality of code and data in untrusted
environments
• Run with user privileges and restricted, e.g., no system calls
• Run programs in enclaves using protected areas of memory

SGX Encrypted Memory www.tugraz.at
EPC (128 MB)

Physical Memory
0 GB 16 GB

SGX Encrypted Memory www.tugraz.at
EPC (128 MB)

Physical Memory
0 GB 16 GB

Bit Flips in the EPC www.tugraz.at
• What happens if a bit flips in the EPC?


• Integrity check will fail!


→ Locks up the memory controller


→ Not a single further memory access!


→ System halts immediately


→ System halts immediately

• If a malicious enclave induces a bit flip, . . .


• . . . the entire machine halts


• . . . including co-located tenants


• . . . including co-located tenants
• Denial-of-Service Attacks in the Cloud [Gru+18; Jan+17]

SGX + One-location Hammering + Opcode Flipping =
Undetectable Exploit
(Ab)using SGX Protection www.tugraz.at
• SGX protects software from malicious environments


• Thwarts static and dynamic (= performance counters) analysis


• Thwarts static and dynamic (= performance counters) analysis
• Hammering from SGX defeats countermeasures relying on this

Bypassing the Defenses www.tugraz.at
n er
s
nter
Patt
t
imit
Cou
prin
cess
sis
Prox
foot
ance
naly
y Ac
ic A
ory
orm
sica
or
Mem
Mem
Stat
Perf
Phy
Defense Class
Bypass
Intel SGX
One-location hammering
Opcode flipping
Memory waylaying
Defense class defeated

Just comparing some performance numbers... www.tugraz.at


• ≥ 43 000 hammering attempts (within 64 ms) for a bit flip [GMM16]


= 671 875 accesses per second


• Network packets access memory location up to 6 times
(depending on kernel)


→ 111 979 packets per second


• Network packets are a least 64 B


= 7 166 656 B/s = 7 MB/s = 57 Mb/s


= 7 166 656 B/s = 7 MB/s = 57 Mb/s
→ That sounds doable on “modern” networks


= 7 166 656 B/s = 7 MB/s = 57 Mb/s
→ That sounds doable on “modern” networks

Nethammer www.tugraz.at


Inducing bit flips:

Inducing bit flips:

• Network stacks on ARM often use uncached memory
(perfect for hammering)

Inducing bit flips:

• Intel recommends Intel CAT for QoS (perfect for hammering)

Inducing bit flips:

• Intel recommends Intel CAT for QoS (perfect for hammering)
• Network reachable code might use clflush or non-temporal
stores
(both great for hammering)

How did we get here? www.tugraz.at
We have ignored microarchitectural attacks for many years:


• attacks on crypto


• attacks on crypto → “software should be fixed”


• attacks on ASLR


• attacks on ASLR → “ASLR is broken anyway”


• attacks on SGX and TrustZone


• attacks on SGX and TrustZone → “not part of the threat model”


• Rowhammer


• Rowhammer → “only affects cheap sub-standard modules”


• Rowhammer → “only affects cheap sub-standard modules”
→ for years we solely optimized for performance

... and we’re still optimizing for performance www.tugraz.at
• lower refresh rate = lower energy but more bit flips


• ECC memory → fewer bit flips


→ it’s an optimization problem


• what if “too aggressive” changes over time?


• what if “too aggressive” changes over time?
→ difficult to optimize with an intelligent adversary

Conclusions www.tugraz.at
A unique chance to
• rethink processor design

A unique chance to
• many problems to solve around microarchitectural attacks

A unique chance to
• many problems to solve around microarchitectural attacks
• dedicate more time into identifying problems and not solely in
mitigating known problems

Recent Developments in Microarchitectural
Attacks: Meltdown, Spectre, and Rowhammer
Daniel Gruss
September 19, 2018
Graz University of Technology

Daniel Gruss PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Daniel Gruss PDF

Hochgeladen von

Copyright:

Verfügbare Formate

Recent Developments in Microarchitectural

Attacks: Meltdown, Spectre, and Rowhammer

1 Daniel Gruss — Graz University of Technology

2 Daniel Gruss — Graz University of Technology

2 Daniel Gruss — Graz University of Technology

2 Daniel Gruss — Graz University of Technology

2 Daniel Gruss — Graz University of Technology

2 Daniel Gruss — Graz University of Technology

2 Daniel Gruss — Graz University of Technology

2 Daniel Gruss — Graz University of Technology

3 Daniel Gruss — Graz University of Technology

3 Daniel Gruss — Graz University of Technology

flush Shared Memory access

3 Daniel Gruss — Graz University of Technology

3 Daniel Gruss — Graz University of Technology

3 Daniel Gruss — Graz University of Technology

flush Shared Memory access

3 Daniel Gruss — Graz University of Technology

flush Shared Memory access

3 Daniel Gruss — Graz University of Technology

flush Shared Memory access

fast if victim accessed data,

50 100 150 200 250 300 350 400

4 Daniel Gruss — Graz University of Technology

Cache Hits Cache Misses

50 100 150 200 250 300 350 400

4 Daniel Gruss — Graz University of Technology

int width = 10 , height = 5;

float diagonal = sqrt ( width * width

printf ( " Area % d x % d = % d \ n " , width , height , area ) ;

5 Daniel Gruss — Graz University of Technology

int width = 10 , height = 5;

float diagonal = sqrt ( width * width

printf ( " Area % d x % d = % d \ n " , width , height , area ) ;

5 Daniel Gruss — Graz University of Technology

Branch Instruction Fetch & PreDecode

µOP Cache 4-Way Decode

Load Buffer Store Buffer

6 Daniel Gruss — Graz University of Technology

Branch Instruction Fetch & PreDecode

µOP Cache 4-Way Decode

• dispatched to the backend

Load Buffer Store Buffer

6 Daniel Gruss — Graz University of Technology

Branch Instruction Fetch & PreDecode

µOP Cache 4-Way Decode

• dispatched to the backend

• processed by individual execution units

Load Buffer Store Buffer

6 Daniel Gruss — Graz University of Technology

char data = *( char *) 0 xffffffff81a000e0 ;

7 Daniel Gruss — Graz University of Technology

char data = *( char *) 0 xffffffff81a000e0 ;

7 Daniel Gruss — Graz University of Technology

8 Daniel Gruss — Graz University of Technology

Flush+Reload over all pages of the array

0 50 100 150 200 250

9 Daniel Gruss — Graz University of Technology

Flush+Reload over all pages of the array

0 50 100 150 200 250

This also works on AMD and ARM!

9 Daniel Gruss — Graz University of Technology

• Out-of-order instructions leave microarchitectural traces

char data = ( char ) 0 xffffffff81a000e0 ;

char data = ( char ) 0 xffffffff81a000e0 ;

char data = ( char ) 0 xffffffff81a000e0 ;