SlideShare a Scribd company logo

Meltdown & spectre

S
Sergio Shevchenko

Meltdown and Spectre: two most important hardware level vulnerabilities that changed the world.

Software
1 of 39
Download to read offline
Meltdown & Spectre Mitigate the unmitigable Based on ● Meltdown: Reading Kernel Memory from User Space ● Spectre Attacks: Exploiting Speculative Execution
HELLO! We are 2 Sergiy Shevchenko Marco Cipriano
● What are them? ○ Vulnerabilities in most modern CPU, due to poorly understood interactions between speculative execution and side effects ● When? ○ Discovered in june/july of 2017 but leaked on 4th of january 2018 by Google’s Project Zero ● Effects? ○ Need to modify: ■ CPU Memory ■ OS Virtual memory handling ■ Compilers ■ Hypervisors ■ Browsers ○ Real solution: change CPU DESIGN 3 Are considered the greatest hardware vulnerabilities in computer history
Today’s Agenda 1. Speculative Execution 2. Meltdown attack 3. Spectre attack 4
1. Speculative Execution Let’s start from the beginning Presented by Sergiy Shevchenko
Basic memory model of modern CPU ❑ Each CPU has 3 caches*: ❏ L1 with access latency ~ 5 cycles (1.2 ns) ❏ L2 with access latency ~ 10 cycles (4.2 ns) ❏ L3 with access latency ~ 40 cycles (20 ns) ❏ DRAM (100 ns) *Modern Core i7 Xeon Server Edition 6
Fetch-decode-execute parallelism ❑ On a non-pipelined CPU, when a instruction is being processed at a particular stage, the other stages are at an idle state ❑ On a pipelined CPU, all the stages work in parallel: ❏ When the 1st instruction is being decoded by the Decoder Unit, the 2nd instruction is being fetched by the Fetch Unit. It only takes 5 clock cycles to execute 2 instructions on a pipelined CPU. Image source: https://stackpointer.io/hardware/how-pipelining-improves-cpu-performance/113/ 7
Intel SkyLake CPU Microarchitecture ❑ Simplified illustration of a single core of the Intel’s Skylake microarchitecture ❑ Instructions are decoded into µOPs and executed out-of-order in the execution engine by individual execution units Figure from MeltDown by Lipp https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-lipp.pdf 8
Out-of-order processing 1 op per cycle 9 ❑ t = a + b ❑ u = c + d ❑ v = e + f ❑ w = v + g ❑ x = h + i ❑ y = j + k 6 clock cycles ❑ t = a + b, u = c + d ❑ v = e + f, w = v + g ❑ x = h + i, y = j + k 3 clock cycles 2 op per cycle
Out-of-order processing 1 op per cycle 10 ❑ t = a + b ❑ u = c + d ❑ v = e + f ❑ w = v + g ❑ x = h + i ❑ y = j + k 6 clock cycles ❑ t = a + b, u = c + d ❑ v = e + f, w = v + g ❑ x = h + i, y = j + k 3 clock cycles 2 op per cycle
Out-of-order processing 11 ❑ t = a + b, u = c + d ❑ v = e + f ❑ w = v + g, x = h + i ❑ y = j + k ❑ t = a + b, u = c + d ❑ v = e + f, y = j + k ❑ w = v + g, x = h + i 3 clock cycles, 2 op per cycle and out-of-order execution
Fast in a straight line not so good on corners
Branch prediction 13 ❑ Pipelining, superscalar and out-of-order execution only helps if you know what instructions are coming next ❑ Conditionals are a problem - we don’t know what to load into a pipeline until conditional IF is clear Branch prediction will help: let's guess ❑ If the guess is right, great ❑ If the guess is wrong, clear pipeline Branch Prediction Is Not A Solved Problem: Measurements, Opportunities, and Future Directions https://arxiv.org/pdf/1906.08170.pdf B1 B2 ?
Branch prediction + Speculative execution 14 ❑ Cache misses cause long delay in data extraction ❑ Speculative execution: ❏ Execute instructions on predicted branch ❏ If prediction was right - great! ❏ If prediction was wrong - undo all effects of running in speculative mode and flush pipeline Branch Prediction Is Not A Solved Problem: Measurements, Opportunities, and Future Directions https://arxiv.org/pdf/1906.08170.pdf
Example of branch prediction with speculation 15 1. C = A + B; 2. E = C + D; 3. G = E + F; 4. if (G == 0){ 5. J = H + I; 6. L = J + K; 7. N = L + M; 8. } Without speculation can’t reorder anything
Example of branch prediction with speculation 16 1. C = A + B; 2. E = C + D; 3. G = E + F; 4. if (G == 0){ 5. J = H + I; 6. L = J + K; 7. N = L + M; 8. } With speculation 1. C = A + B; _J = H + I; 2. E = C + D; _L = _J + K; 3. G = E + F; _N = _L + M; 4. if (G == 0){ 5. J =_J; L =_L; N=_N; 6. } Only make results available if G equals 0 ALU 1 ALU 2 ALU 1
Virtual memory ❑ Virtual memory is divided into Kernel and User space ❑ Page table handles mappings ❑ Kernel space pages have an extra bit ❑ If user code tries accessing kernel space a trap will occur 17 Kernel space User space Physical memory Page table
2. Meltdown attack Explained Presented by Sergiy Shevchenko
Meltdown Abstract 19 Meltdown exploits side effects of out-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. ...read memory of process or virtual machines in the cloud without any permissions or privileges. CVE-2017-5754
Meltdown attack: side channel 20 1. C = A + B; 2. E = C + D; 3. G = E + F; 4. Z = G + Y 5. if (Z == 0){ 6. J = kernel_mem[addr]; 7. L = J & 0x01; 8. N = L * 4096; 9. M = user_mem[N]; 10. } 1. C = A + B; _J = kernel_mem[addr]; 2. E = C + D; _L = _J & 0x01; 3. G = E + F; _N = _L * 4096; 4. Z = G + Y; _M = user_mem[_N]; 5. if (Z == 0){ 6. J =_J; L =_L; N =_N; M =_M; 7. } 8. t1 = get_time(); 9. V = user_mem[0]; 10. t2 = get_time(); 11. delta = t2 - t1; ALU 1 ALU 2 Predictor thinks this is true Normally, this should receive segmentation fault, but not in speculative case As this will never being executed, _J, _L and _N will be never revealed If the difference is < 10 cycles the 1st bit of kernel_mem[addr] = 0 Side channel magic here
Meltdown attack performance 21 ❑ Core i7-8700K: ❏ 582 KB/s error 0.003% ❑ Core i7-6700K: ❏ 569 KB/s error 0.002% ❑ Intel Xeon E5-1630: ❏ 491 KB/s error 10.7% * Meltdown Main Paper https://meltdownattack.com/meltdown.pdf
Meltdown mitigation 22 ❑ Why do operating systems map kernel memory into global address space? ❏ ...making in this way Meltdown possible.. ❑ .. because of memory page caching named TLB (translation lookaside buffer) ❏ Page table is stored in memory itself, so accessing it costs a lot * Meltdown Main Paper https://meltdownattack.com/meltdown.pdf
TLB 23 ❑ A translation lookaside buffer (TLB) is a memory cache that is used to reduce the time taken to access a user memory location, it is a part of MMU ❑ If you try accessing page which is not in TLB need to traverse all page table to find where the physical page is ❏ Cost is near 300-600 cycles! * Meltdown Main Paper https://meltdownattack.com/meltdown.pdf Kernel space User space Physical memory MMU TLB
KPTI - Kernel Page Table Isolation 24 ❑ Only have user space memory mapping in the page table ❏ So meltdown can “physically” read kernel memory ❑ Some additional line of code in kernel to handle userspace and kernel space page table switching
KPTI - Kernel Page Table Isolation 25 ❑ Complete mitigation of meltdown ❑ Changing page tables requires flushing TLB ❑ Big impact on performance (this will happen on each OS Call!) ❑ In some cases > 50% slowdown ❑ Newer Intel CPU has association Process Context ID with TLB ❏ This allows flushing only part of TLB
3. Spectre attack A really hard part Presented by Marco Cipriano
Spectre Abstract 27 ❏ Spectre Variant 1: Bound Check Bypass ❏ Exploiting Conditional Branches ❏ CVE-2017-5753 ❏ Spectre Variant 2: Branch Target Injection ❏ Exploiting Indirect Branches ❏ CVE-2017-5715 Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and wich leak victim’s confidential information via a side channel to the adversary
Differences 28
Concepts 29
Spectre attack: Overview 30 ❑ Setup Phase: Minstrain the CPU ❑ Speculative Execution of Instructions that leak sensitive information to side channel ❑ Recovering sensitive instruction from side channel using: ❏ Flush + Reload ❏ Evict + Reload Yarom, Y., and Fakner, K. - FLUSH+RELOAD: A HIGH RESOLUTION, LOW NOISE, L3 CACHE SIDE-CHANNEL ATTACK, - in Usenix Security Symposium (2014). transitories
Variant 1 : Bound Check Bypass 31 1. array a = …; // size 400 2. array b = …; // size 512 3. offset = …; // user input 4. if (offset < size(a)){ 5. v = a[offset]; 6. i = (v & 0x01) * 4096; 7. x = b[i]; 8. }
Variant 2 : Poisoning Indirect Branches ❏ Indirect branch instructions have ability to jump to more than two possible target addresses. ❏ X86 example ❏ jmp eax: Address in register ❏ jmp [eax]: Address in memory location ❏ jmp dword ptr [0x12345678] ❏ Address from the stack (“ret”) ❏ MIPS example ❏ jr $ra 32
How can we use this? ❏ Find unsafe user code [unlikely] ❏ Use JIT Compiler of user code [highly likely] ❏ Google PoC uses BPF (packet filter in JIT) in Linux kernel ❏ Microsoft PoC uses Javascript ❏ Potentially any visited website can access all your RAM memory 33
Attack Variations 34
Attack Variation 1 : Evict + Time 35 Selecting bit to analyze Measuring access time If data is on CPU cache saving it
Mitigation Options 36
Preventing Speculative Execution Inserting speculative execution blocking instructions ❏ Degrades performance if used too extensively ❏ Use static analysis to find out optimum placement of blocking instructions ❏ Requires code recompilation 37 ❏ Intel Processors: ❏ add lfence before IF in bound checks (prevent speculation) ❏ ARM Processors: ❏ add build_in_no_speculate() to your compilation process
Conclusion ❏ Software Isolation techniques are widely deployed ❏ A fundamental security assumption underpinning all of these is that the CPU will faithfully execute software, including its safety checks ❏ Speculative execution violates this assumption that allow adversaries to determine the contents of memory and register ❏ Trade-offs between security and performance 38
THANKS! Any questions? Sergiy Shevchenko s.shevchenko @studenti.unisa.it Marco Cipriano m.cipriano12 @studenti.unisa.it

Recommended

Linux Kernel Exploitation
Linux Kernel ExploitationLinux Kernel Exploitation
Linux Kernel Exploitation
Scio Security
 
Meltdown and Spectre
Meltdown and SpectreMeltdown and Spectre
Meltdown and Spectre
yeokm1
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
Victor Pereira
 
The Spectre of Meltdowns
The Spectre of MeltdownsThe Spectre of Meltdowns
The Spectre of Meltdowns
Andriy Berestovskyy
 
Le chiffrement
Le chiffrementLe chiffrement
Le chiffrement
Hanen Gazel
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on Lab
Michelle Holley
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Présentation Cryptographie
Présentation CryptographiePrésentation Cryptographie
Présentation Cryptographie
Cynapsys It Hotspot
 

Recommended

Linux Kernel Exploitation
Linux Kernel ExploitationLinux Kernel Exploitation
Linux Kernel Exploitation
Scio Security
 
Meltdown and Spectre
Meltdown and SpectreMeltdown and Spectre
Meltdown and Spectre
yeokm1
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
Victor Pereira
 
The Spectre of Meltdowns
The Spectre of MeltdownsThe Spectre of Meltdowns
The Spectre of Meltdowns
Andriy Berestovskyy
 
Le chiffrement
Le chiffrementLe chiffrement
Le chiffrement
Hanen Gazel
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on Lab
Michelle Holley
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Présentation Cryptographie
Présentation CryptographiePrésentation Cryptographie
Présentation Cryptographie
Cynapsys It Hotspot
 
Practical Byzantine Fault Tolernace
Practical Byzantine Fault TolernacePractical Byzantine Fault Tolernace
Practical Byzantine Fault Tolernace
YongraeJo
 
Sécurité des Systèmes Répartis- Partie 1
Sécurité des Systèmes Répartis- Partie 1 Sécurité des Systèmes Répartis- Partie 1
Sécurité des Systèmes Répartis- Partie 1
Lilia Sfaxi
 
CDAC CCAT examination important question
CDAC CCAT examination important questionCDAC CCAT examination important question
CDAC CCAT examination important question
prabhatjon
 
spinlock.pdf
spinlock.pdfspinlock.pdf
spinlock.pdf
Adrian Huang
 
Deadlocks in operating system
Deadlocks in operating systemDeadlocks in operating system
Deadlocks in operating system
Midhun Sankar
 
Performance Comparison of Mutex, RWLock and Atomic types in Rust
Performance Comparison of Mutex, RWLock and Atomic types in RustPerformance Comparison of Mutex, RWLock and Atomic types in Rust
Performance Comparison of Mutex, RWLock and Atomic types in Rust
Mitsunori Komatsu
 
Introduction to Homomorphic Encryption
Introduction to Homomorphic EncryptionIntroduction to Homomorphic Encryption
Introduction to Homomorphic Encryption
Christoph Matthies
 
Mutual exclusion and sync
Mutual exclusion and syncMutual exclusion and sync
Mutual exclusion and sync
Dr. C.V. Suresh Babu
 
How2heap
How2heap How2heap
How2heap
Seonghwan Cho
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and Analysis
Paul V. Novarese
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeology
enigma0x3
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
Shashank Shetty
 
Memory management in Linux kernel
Memory management in Linux kernelMemory management in Linux kernel
Memory management in Linux kernel
Vadim Nikitin
 
Odoo development
Odoo developmentOdoo development
Odoo development
Ramzi Hajjaji
 
Public Key Cryptography
Public Key CryptographyPublic Key Cryptography
Public Key Cryptography
Gopal Sakarkar
 
A whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizerA whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizer
Nikita Popov
 
Kvm performance optimization for ubuntu
Kvm performance optimization for ubuntuKvm performance optimization for ubuntu
Kvm performance optimization for ubuntu
Sim Janghoon
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
Project ACRN
 
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory Sanitizer
Platonov Sergey
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
linuxlab_conf
 

More Related Content

What's hot

CDAC CCAT examination important question
CDAC CCAT examination important questionCDAC CCAT examination important question
CDAC CCAT examination important question
prabhatjon
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
Kvm performance optimization for ubuntu
Kvm performance optimization for ubuntuKvm performance optimization for ubuntu
Kvm performance optimization for ubuntu
Sim Janghoon
 

What's hot (20)

Practical Byzantine Fault Tolernace
Practical Byzantine Fault TolernacePractical Byzantine Fault Tolernace
Practical Byzantine Fault Tolernace
 
Sécurité des Systèmes Répartis- Partie 1
Sécurité des Systèmes Répartis- Partie 1 Sécurité des Systèmes Répartis- Partie 1
Sécurité des Systèmes Répartis- Partie 1
 
CDAC CCAT examination important question
CDAC CCAT examination important questionCDAC CCAT examination important question
CDAC CCAT examination important question
 
spinlock.pdf
spinlock.pdfspinlock.pdf
spinlock.pdf
 
Deadlocks in operating system
Deadlocks in operating systemDeadlocks in operating system
Deadlocks in operating system
 
Performance Comparison of Mutex, RWLock and Atomic types in Rust
Performance Comparison of Mutex, RWLock and Atomic types in RustPerformance Comparison of Mutex, RWLock and Atomic types in Rust
Performance Comparison of Mutex, RWLock and Atomic types in Rust
 
Introduction to Homomorphic Encryption
Introduction to Homomorphic EncryptionIntroduction to Homomorphic Encryption
Introduction to Homomorphic Encryption
 
Mutual exclusion and sync
Mutual exclusion and syncMutual exclusion and sync
Mutual exclusion and sync
 
How2heap
How2heap How2heap
How2heap
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and Analysis
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeology
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Memory management in Linux kernel
Memory management in Linux kernelMemory management in Linux kernel
Memory management in Linux kernel
 
Odoo development
Odoo developmentOdoo development
Odoo development
 
Public Key Cryptography
Public Key CryptographyPublic Key Cryptography
Public Key Cryptography
 
A whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizerA whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizer
 
Kvm performance optimization for ubuntu
Kvm performance optimization for ubuntuKvm performance optimization for ubuntu
Kvm performance optimization for ubuntu
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
 

Similar to Meltdown & spectre

Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
linuxlab_conf
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
PROIDEA
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems Performance
Brendan Gregg
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
CanSecWest
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
Andrea Righi
 
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
corehard_by
 
Craftsmanship in Computational Work
Craftsmanship in Computational WorkCraftsmanship in Computational Work
Craftsmanship in Computational Work
Yung-Yu Chen
 
Alto Desempenho com Java
Alto Desempenho com JavaAlto Desempenho com Java
Alto Desempenho com Java
codebits
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
DefconRussia
 
TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...
TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...
TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...
Kinson Chan
 

Similar to Meltdown & spectre (20)

Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory Sanitizer
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
 
Data race
Data raceData race
Data race
 
Java Memory Model
Java Memory ModelJava Memory Model
Java Memory Model
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
 
Gpu and The Brick Wall
Gpu and The Brick WallGpu and The Brick Wall
Gpu and The Brick Wall
 
Java gpu computing
Java gpu computingJava gpu computing
Java gpu computing
 
Memory model
Memory modelMemory model
Memory model
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems Performance
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
 
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
 
Troubleshooting .net core on linux
Troubleshooting .net core on linuxTroubleshooting .net core on linux
Troubleshooting .net core on linux
 
OS scheduling and The anatomy of a context switch
OS scheduling and The anatomy of a context switchOS scheduling and The anatomy of a context switch
OS scheduling and The anatomy of a context switch
 
Craftsmanship in Computational Work
Craftsmanship in Computational WorkCraftsmanship in Computational Work
Craftsmanship in Computational Work
 
Alto Desempenho com Java
Alto Desempenho com JavaAlto Desempenho com Java
Alto Desempenho com Java
 
Programar para GPUs
Programar para GPUsProgramar para GPUs
Programar para GPUs
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
 
TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...
TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...
TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...
 

More from Sergio Shevchenko

Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...
Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...
Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...
Sergio Shevchenko
 

More from Sergio Shevchenko (12)

Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...
Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...
Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...
 
Kubernetes - from sketch to production
Kubernetes - from sketch to productionKubernetes - from sketch to production
Kubernetes - from sketch to production
 
The Google file system
The Google file systemThe Google file system
The Google file system
 
μ-Kernel Evolution
μ-Kernel Evolutionμ-Kernel Evolution
μ-Kernel Evolution
 
Burrows-Wheeler transform for terabases
Burrows-Wheeler transform for terabasesBurrows-Wheeler transform for terabases
Burrows-Wheeler transform for terabases
 
Presentazione CERT-CHECK
Presentazione CERT-CHECKPresentazione CERT-CHECK
Presentazione CERT-CHECK
 
Design patterns: Creational patterns
Design patterns: Creational patternsDesign patterns: Creational patterns
Design patterns: Creational patterns
 
Bitcoin and blockchain
Bitcoin and blockchainBitcoin and blockchain
Bitcoin and blockchain
 
Qt Multiplatform development
Qt Multiplatform developmentQt Multiplatform development
Qt Multiplatform development
 
Qt for beginners
Qt for beginnersQt for beginners
Qt for beginners
 
Continuous Integration
Continuous IntegrationContinuous Integration
Continuous Integration
 
Mobile Factor App
Mobile Factor AppMobile Factor App
Mobile Factor App
 

Recently uploaded

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 
How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...
software pro Development
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 

Recently uploaded (20)

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 

Meltdown & spectre

  • 1. Meltdown & Spectre Mitigate the unmitigable Based on ● Meltdown: Reading Kernel Memory from User Space ● Spectre Attacks: Exploiting Speculative Execution
  • 3. ● What are them? ○ Vulnerabilities in most modern CPU, due to poorly understood interactions between speculative execution and side effects ● When? ○ Discovered in june/july of 2017 but leaked on 4th of january 2018 by Google’s Project Zero ● Effects? ○ Need to modify: ■ CPU Memory ■ OS Virtual memory handling ■ Compilers ■ Hypervisors ■ Browsers ○ Real solution: change CPU DESIGN 3 Are considered the greatest hardware vulnerabilities in computer history
  • 4. Today’s Agenda 1. Speculative Execution 2. Meltdown attack 3. Spectre attack 4
  • 5. 1. Speculative Execution Let’s start from the beginning Presented by Sergiy Shevchenko
  • 6. Basic memory model of modern CPU ❑ Each CPU has 3 caches*: ❏ L1 with access latency ~ 5 cycles (1.2 ns) ❏ L2 with access latency ~ 10 cycles (4.2 ns) ❏ L3 with access latency ~ 40 cycles (20 ns) ❏ DRAM (100 ns) *Modern Core i7 Xeon Server Edition 6
  • 7. Fetch-decode-execute parallelism ❑ On a non-pipelined CPU, when a instruction is being processed at a particular stage, the other stages are at an idle state ❑ On a pipelined CPU, all the stages work in parallel: ❏ When the 1st instruction is being decoded by the Decoder Unit, the 2nd instruction is being fetched by the Fetch Unit. It only takes 5 clock cycles to execute 2 instructions on a pipelined CPU. Image source: https://stackpointer.io/hardware/how-pipelining-improves-cpu-performance/113/ 7
  • 8. Intel SkyLake CPU Microarchitecture ❑ Simplified illustration of a single core of the Intel’s Skylake microarchitecture ❑ Instructions are decoded into µOPs and executed out-of-order in the execution engine by individual execution units Figure from MeltDown by Lipp https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-lipp.pdf 8
  • 9. Out-of-order processing 1 op per cycle 9 ❑ t = a + b ❑ u = c + d ❑ v = e + f ❑ w = v + g ❑ x = h + i ❑ y = j + k 6 clock cycles ❑ t = a + b, u = c + d ❑ v = e + f, w = v + g ❑ x = h + i, y = j + k 3 clock cycles 2 op per cycle
  • 10. Out-of-order processing 1 op per cycle 10 ❑ t = a + b ❑ u = c + d ❑ v = e + f ❑ w = v + g ❑ x = h + i ❑ y = j + k 6 clock cycles ❑ t = a + b, u = c + d ❑ v = e + f, w = v + g ❑ x = h + i, y = j + k 3 clock cycles 2 op per cycle
  • 11. Out-of-order processing 11 ❑ t = a + b, u = c + d ❑ v = e + f ❑ w = v + g, x = h + i ❑ y = j + k ❑ t = a + b, u = c + d ❑ v = e + f, y = j + k ❑ w = v + g, x = h + i 3 clock cycles, 2 op per cycle and out-of-order execution
  • 12. Fast in a straight line not so good on corners
  • 13. Branch prediction 13 ❑ Pipelining, superscalar and out-of-order execution only helps if you know what instructions are coming next ❑ Conditionals are a problem - we don’t know what to load into a pipeline until conditional IF is clear Branch prediction will help: let's guess ❑ If the guess is right, great ❑ If the guess is wrong, clear pipeline Branch Prediction Is Not A Solved Problem: Measurements, Opportunities, and Future Directions https://arxiv.org/pdf/1906.08170.pdf B1 B2 ?
  • 14. Branch prediction + Speculative execution 14 ❑ Cache misses cause long delay in data extraction ❑ Speculative execution: ❏ Execute instructions on predicted branch ❏ If prediction was right - great! ❏ If prediction was wrong - undo all effects of running in speculative mode and flush pipeline Branch Prediction Is Not A Solved Problem: Measurements, Opportunities, and Future Directions https://arxiv.org/pdf/1906.08170.pdf
  • 15. Example of branch prediction with speculation 15 1. C = A + B; 2. E = C + D; 3. G = E + F; 4. if (G == 0){ 5. J = H + I; 6. L = J + K; 7. N = L + M; 8. } Without speculation can’t reorder anything
  • 16. Example of branch prediction with speculation 16 1. C = A + B; 2. E = C + D; 3. G = E + F; 4. if (G == 0){ 5. J = H + I; 6. L = J + K; 7. N = L + M; 8. } With speculation 1. C = A + B; _J = H + I; 2. E = C + D; _L = _J + K; 3. G = E + F; _N = _L + M; 4. if (G == 0){ 5. J =_J; L =_L; N=_N; 6. } Only make results available if G equals 0 ALU 1 ALU 2 ALU 1
  • 17. Virtual memory ❑ Virtual memory is divided into Kernel and User space ❑ Page table handles mappings ❑ Kernel space pages have an extra bit ❑ If user code tries accessing kernel space a trap will occur 17 Kernel space User space Physical memory Page table
  • 19. Meltdown Abstract 19 Meltdown exploits side effects of out-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. ...read memory of process or virtual machines in the cloud without any permissions or privileges. CVE-2017-5754
  • 20. Meltdown attack: side channel 20 1. C = A + B; 2. E = C + D; 3. G = E + F; 4. Z = G + Y 5. if (Z == 0){ 6. J = kernel_mem[addr]; 7. L = J & 0x01; 8. N = L * 4096; 9. M = user_mem[N]; 10. } 1. C = A + B; _J = kernel_mem[addr]; 2. E = C + D; _L = _J & 0x01; 3. G = E + F; _N = _L * 4096; 4. Z = G + Y; _M = user_mem[_N]; 5. if (Z == 0){ 6. J =_J; L =_L; N =_N; M =_M; 7. } 8. t1 = get_time(); 9. V = user_mem[0]; 10. t2 = get_time(); 11. delta = t2 - t1; ALU 1 ALU 2 Predictor thinks this is true Normally, this should receive segmentation fault, but not in speculative case As this will never being executed, _J, _L and _N will be never revealed If the difference is < 10 cycles the 1st bit of kernel_mem[addr] = 0 Side channel magic here
  • 21. Meltdown attack performance 21 ❑ Core i7-8700K: ❏ 582 KB/s error 0.003% ❑ Core i7-6700K: ❏ 569 KB/s error 0.002% ❑ Intel Xeon E5-1630: ❏ 491 KB/s error 10.7% * Meltdown Main Paper https://meltdownattack.com/meltdown.pdf
  • 22. Meltdown mitigation 22 ❑ Why do operating systems map kernel memory into global address space? ❏ ...making in this way Meltdown possible.. ❑ .. because of memory page caching named TLB (translation lookaside buffer) ❏ Page table is stored in memory itself, so accessing it costs a lot * Meltdown Main Paper https://meltdownattack.com/meltdown.pdf
  • 23. TLB 23 ❑ A translation lookaside buffer (TLB) is a memory cache that is used to reduce the time taken to access a user memory location, it is a part of MMU ❑ If you try accessing page which is not in TLB need to traverse all page table to find where the physical page is ❏ Cost is near 300-600 cycles! * Meltdown Main Paper https://meltdownattack.com/meltdown.pdf Kernel space User space Physical memory MMU TLB
  • 24. KPTI - Kernel Page Table Isolation 24 ❑ Only have user space memory mapping in the page table ❏ So meltdown can “physically” read kernel memory ❑ Some additional line of code in kernel to handle userspace and kernel space page table switching
  • 25. KPTI - Kernel Page Table Isolation 25 ❑ Complete mitigation of meltdown ❑ Changing page tables requires flushing TLB ❑ Big impact on performance (this will happen on each OS Call!) ❑ In some cases > 50% slowdown ❑ Newer Intel CPU has association Process Context ID with TLB ❏ This allows flushing only part of TLB
  • 26. 3. Spectre attack A really hard part Presented by Marco Cipriano
  • 27. Spectre Abstract 27 ❏ Spectre Variant 1: Bound Check Bypass ❏ Exploiting Conditional Branches ❏ CVE-2017-5753 ❏ Spectre Variant 2: Branch Target Injection ❏ Exploiting Indirect Branches ❏ CVE-2017-5715 Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and wich leak victim’s confidential information via a side channel to the adversary
  • 30. Spectre attack: Overview 30 ❑ Setup Phase: Minstrain the CPU ❑ Speculative Execution of Instructions that leak sensitive information to side channel ❑ Recovering sensitive instruction from side channel using: ❏ Flush + Reload ❏ Evict + Reload Yarom, Y., and Fakner, K. - FLUSH+RELOAD: A HIGH RESOLUTION, LOW NOISE, L3 CACHE SIDE-CHANNEL ATTACK, - in Usenix Security Symposium (2014). transitories
  • 31. Variant 1 : Bound Check Bypass 31 1. array a = …; // size 400 2. array b = …; // size 512 3. offset = …; // user input 4. if (offset < size(a)){ 5. v = a[offset]; 6. i = (v & 0x01) * 4096; 7. x = b[i]; 8. }
  • 32. Variant 2 : Poisoning Indirect Branches ❏ Indirect branch instructions have ability to jump to more than two possible target addresses. ❏ X86 example ❏ jmp eax: Address in register ❏ jmp [eax]: Address in memory location ❏ jmp dword ptr [0x12345678] ❏ Address from the stack (“ret”) ❏ MIPS example ❏ jr $ra 32
  • 33. How can we use this? ❏ Find unsafe user code [unlikely] ❏ Use JIT Compiler of user code [highly likely] ❏ Google PoC uses BPF (packet filter in JIT) in Linux kernel ❏ Microsoft PoC uses Javascript ❏ Potentially any visited website can access all your RAM memory 33
  • 35. Attack Variation 1 : Evict + Time 35 Selecting bit to analyze Measuring access time If data is on CPU cache saving it
  • 37. Preventing Speculative Execution Inserting speculative execution blocking instructions ❏ Degrades performance if used too extensively ❏ Use static analysis to find out optimum placement of blocking instructions ❏ Requires code recompilation 37 ❏ Intel Processors: ❏ add lfence before IF in bound checks (prevent speculation) ❏ ARM Processors: ❏ add build_in_no_speculate() to your compilation process
  • 38. Conclusion ❏ Software Isolation techniques are widely deployed ❏ A fundamental security assumption underpinning all of these is that the CPU will faithfully execute software, including its safety checks ❏ Speculative execution violates this assumption that allow adversaries to determine the contents of memory and register ❏ Trade-offs between security and performance 38