POSITION PAPER: A CASE FOR EXPOSING EXTRA-ARCHITECTURAL STATE IN THE ISA
Jason Lowe-Power, Venkatesh Akella, Matthew K. Farrens, Samuel T. King, Christopher J. Nitta
@JasonLowePower
Specify speculation in the ISA?
“Invisible” behavior hides security vulnerabilities
Need to include all state
Not only “architectural” state
We want to reason about security of processors
Architectural state: registers, memory data, interrupts
Extra-architectural state: cached addresses, branch predictor, phys. register mapping?
ISA 2.0?
Deep dive into Spectre
Details on how speculation works
Applying traditional speculation recovery to extra-arch. state
Rethinking the whole system
void victim_function(size_t x) {
  if (x < array1_size) {
    temp &= array2[array1[x] * 512];
  }
}
https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6
000000000040105e <victim_function>:
  40105e: push %rbp
  40105f: mov %rsp,%rbp
  401062: mov %rdi,-0x8(%rbp)
  401066: mov 0x2bf014(%rip),%eax
  40106c: mov %eax,%eax
  40106e: cmp -0x8(%rbp),%rax
  401072: jbe 40109f <victim_function+0x41>
  401074: mov -0x8(%rbp),%rax
  401078: add $0x6c00a0,%rax
  40107e: movzbl (%rax),%eax
  401081: movzbl %al,%eax
  401084: shl $0x9,%eax
  401087: cltq
  401089: movzbl 0x6c1d80(%rax),%edx
  401090: movzbl 0x2e0ce9(%rip),%eax
  401097: and %edx,%eax
  401099: mov %al,0x2e0ce1(%rip)
  40109f: pop %rbp
  4010a0: retq
401072: jbe 40109f <victim_function+0x41>    if (x < array1_size)
401066: mov 0x2bf014(%rip),%eax              load array1_size
40107e: movzbl (%rax),%eax                   load array1[x]
401089: movzbl 0x6c1d80(%rax),%edx           load array2[array1[x] * 512]
Modifies addresses present in L1 cache
Branch correctly predicted
[Timeline figure (axis: Time): if (x < array1_size); load array1_size; load array1[x]; load array2[array1[x] * 512]]
http://bit.ly/gem5-spectre
Branch incorrectly predicted
[Timeline figure (axis: Time): if (x < array1_size); load array1_size; load array1[x]; load array2[array1[x] * 512]]
Back to basics
How to keep architectural state consistent
Prevent speculative state changes
Undo speculative state changes
Specify speculative state changes
Prevent speculative state changes
  Ex: Store buffer
  “Undo” a store?
  Wait until commit to send to memory
Undo speculative state changes
  Ex: Register writes
  Checkpoint the RF
  Physical register file & rename tables
Specify speculative state changes
  Ex: Relaxed consistency
  Description of allowed ld/st interleavings
  Formal specifications
Spectre
Architectural state is unaffected
but... the cache state changes
Not part of the architectural state
Part of the extra-architectural state
Extra-architectural state
Any state that is not specified in the ISA but perceivable
Cached addresses
Branch predictor state
Values in unmapped physical registers???
Physical to logical register mappings???
. . .
Need to apply same three techniques: Prevent, Undo, Specify
Spectre: Prevent EA-state change
Obvious strawman
  Prevent all speculation
  2.4x-24x slowdown
Slightly better
  Only prevent speculative loads
  Closes the cache and memory side channel
  1.7x-9.8x slowdown
Prevent cache changes
Only on cache misses will the state change
Buffer all missed loads until commit
Only up to 1.9x slowdown
[Diagram: load/store queue, speculative load buffer, data cache. Labels: Speculative loads; Data; Speculative miss to memory; Insert on response; Non-speculative send on commit; Commit!]
Spectre: Undo EA-state change
“Undo” the cache change
Checkpoint the cache?
Squash the insert: Insert-side SLB
Limited performance impact
Doesn’t mitigate SpectrePrime
[Diagram: load/store queue, speculative load buffer, data cache. Labels: Speculative loads; Data; Speculative miss to memory; Response from memory; Data; Insert on commit]
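The speculative load buffer (SLB) of the "Prevent cache changes" and "Undo EA-state change" slides, as a toy cache model added here (not the authors' gem5 code). The policy names, cache geometry, SLB size and sample index are assumptions; the array1 and array2 addresses come from the disassembly above, and the request-side variant is modeled as holding each miss until commit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SETS 64   /* assumed: direct-mapped L1, 64-byte lines */
#define SLB_N 8   /* assumed SLB capacity */
enum policy { BASELINE, SLB_REQUEST_SIDE, SLB_INSERT_SIDE };  /* hypothetical names */
struct core {
    enum policy p;
    uint64_t tag[SETS]; bool valid[SETS];
    uint64_t slb[SLB_N]; unsigned slb_used;  /* missed lines waiting for commit */
    unsigned spec_requests;                  /* misses sent to memory before commit */
};

bool cached(const struct core *c, uint64_t addr) {
    uint64_t line = addr >> 6;
    return c->valid[line % SETS] && c->tag[line % SETS] == line;
}
static void fill(struct core *c, uint64_t line) { c->tag[line % SETS] = line; c->valid[line % SETS] = true; }
/* A load issued under an unresolved branch. Hits change no state in this model. */
void spec_load(struct core *c, uint64_t addr) {
    if (cached(c, addr)) return;
    if (c->p != SLB_REQUEST_SIDE) c->spec_requests++;  /* request leaves the core early */
    if (c->p == BASELINE) fill(c, addr >> 6);          /* cache changes before commit */
    else if (c->slb_used < SLB_N) c->slb[c->slb_used++] = addr >> 6;  /* real HW would stall when full */
}
void commit(struct core *c) {  /* branch predicted correctly: apply buffered fills */
    for (unsigned i = 0; i < c->slb_used; i++) fill(c, c->slb[i]);
    c->slb_used = 0;
}
void squash(struct core *c) { c->slb_used = 0; }  /* mispredicted: drop buffered fills */

/* Mispredicted pass through victim_function; true if the array2 line stays cached. */
bool footprint_after_squash(enum policy p, unsigned *spec_requests) {
    struct core c; memset(&c, 0, sizeof c); c.p = p;
    const uint64_t array1 = 0x6c00a0, array2 = 0x6c1d80;  /* from the disassembly */
    const uint64_t x = 0x1000, byte = 42;                 /* constructed sample values */
    spec_load(&c, array1 + x);
    spec_load(&c, array2 + byte * 512);
    squash(&c);
    *spec_requests = c.spec_requests;
    return cached(&c, array2 + byte * 512);
}
int main(void) {
    for (int p = BASELINE; p <= SLB_INSERT_SIDE; p++) {
        unsigned r; int f = footprint_after_squash((enum policy)p, &r);
        printf("policy %d: footprint=%d speculative_requests=%u\n", p, f, r);
    }
    return 0;
}
```

In this model both SLB variants leave the cache unchanged after a squash; they differ only in whether the miss is sent to memory before commit.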
Spectre: Specify EA-State change
https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AMD-Processors.pdf
Spectre: Specify EA-State change
https://riscv.org/specifications/
ISA: Contract between hardware and software
Our job is to create this contract
Allow designers flexibility. If it’s imperceivable, no need to specify.
Rethink the interface for security
the μarch, the operating system, the compiler, etc.
Give security researchers formal specifications
Conclusions
“Invisible” performance optimizations are great
Need to rigorously document potential side-effects (extra-architectural state changes)
Find the right balance between truly invisible and documented effects
ISA 2.0?
Need a new formalism for speculation
More details on Spectre+gem5
http://bit.ly/gem5-spectre
Spectre-v4
Load/store disambiguation
(I think) Current gem5 doesn’t suffer from this
When there’s a possible alias, gem5’s OOO CPU stalls
SLB still works
When speculation recovers, no changes to cache state
Potential formalism for caches
From CCI-Check: Value in cache lifetime (ViCL)
ViCL create: Time when something is inserted
ViCL expire: Time when evicted or data changes
Need to add a new notion of “speculation order” that includes non-program order instructions
Loads can be issued in speculation order unless preceded by a speculation fence
Spectre: Prevent EA-state change
Average 4.4x-14x slowdown for SPECfloat
Average 2.8x-7.7x slowdown for SPECint
Spectre: Prevent EA-state change
Average 1.3x slowdown for SPECfloat
Average 1.1x slowdown for SPECint
[Timeline figure (axis: Time): if (x < array1_size); load array1_size; load array1[x]; load array2[array1[x] * 512]]