Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz...
Transcript of Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz...
![Page 1: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/1.jpg)
![Page 2: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/2.jpg)
Who am I?
Moritz LippPhD student @ Graz University of Technology
@mlqxyz
1 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 3: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/3.jpg)
Who am I?
Michael SchwarzPhD student @ Graz University of Technology
@misc0110
2 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 4: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/4.jpg)
Who am I?
Daniel GrussPostDoc @ Graz University of Technology
@lavados
3 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 5: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/5.jpg)
Team
• Anders Fogh
• Daniel Genkin
• Werner Haas
• Mike Hamburg
• Jann Horn
• Paul Kocher
• Stefan Mangard
• Thomas Prescher
• Yuval Yarom
4 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 6: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/6.jpg)
Let’s Read Kernel Memory from User Space!
![Page 7: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/7.jpg)
Virtual Memory
Kernel Addresses
Non-canonical Addresses
User Addresses
Virtual Address Space
5 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 8: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/8.jpg)
Building the Code
• Find something human readable, e.g., the Linux version
# sudo grep linux_banner /proc/kallsymsffffffff81a000e0 R linux_banner
6 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 9: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/9.jpg)
Building the Code
char data = *(char*) 0xffffffff81a000e0;printf("%c\n", data);
7 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 10: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/10.jpg)
Building the Code
• Compile and run
segfault at ffffffff81a000e0 ip 0000000000400535sp 00007ffce4a80610 error 5 in reader
• Kernel addresses are of course not accessible
• Any invalid access throws an exception → segmentation
fault
8 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 11: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/11.jpg)
Building the Code
• Compile and run
segfault at ffffffff81a000e0 ip 0000000000400535sp 00007ffce4a80610 error 5 in reader
• Kernel addresses are of course not accessible
• Any invalid access throws an exception → segmentation
fault
8 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 12: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/12.jpg)
Building the Code
• Compile and run
segfault at ffffffff81a000e0 ip 0000000000400535sp 00007ffce4a80610 error 5 in reader
• Kernel addresses are of course not accessible
• Any invalid access throws an exception → segmentation
fault
8 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 13: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/13.jpg)
Building the Code
• Compile and run
segfault at ffffffff81a000e0 ip 0000000000400535sp 00007ffce4a80610 error 5 in reader
• Kernel addresses are of course not accessible
• Any invalid access throws an exception → segmentation
fault
8 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 14: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/14.jpg)
Building the Code
• Just catch the segmentation fault!
• We can simply install a signal handler
• And if an exception occurs, just jump back and continue
• Then we can read the value
9 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 15: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/15.jpg)
Building the Code
• Just catch the segmentation fault!
• We can simply install a signal handler
• And if an exception occurs, just jump back and continue
• Then we can read the value
9 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 16: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/16.jpg)
Building the Code
• Just catch the segmentation fault!
• We can simply install a signal handler
• And if an exception occurs, just jump back and continue
• Then we can read the value
9 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 17: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/17.jpg)
Building the Code
• Just catch the segmentation fault!
• We can simply install a signal handler
• And if an exception occurs, just jump back and continue
• Then we can read the value
9 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 18: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/18.jpg)
![Page 19: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/19.jpg)
Building the Code
• Still no kernel memory
• Privilege checks seem to work
• Maybe it is not that straight forward
• Back to the drawing board
10 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 20: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/20.jpg)
Building the Code
• Still no kernel memory
• Privilege checks seem to work
• Maybe it is not that straight forward
• Back to the drawing board
10 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 21: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/21.jpg)
Building the Code
• Still no kernel memory
• Privilege checks seem to work
• Maybe it is not that straight forward
• Back to the drawing board
10 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 22: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/22.jpg)
Building the Code
• Still no kernel memory
• Privilege checks seem to work
• Maybe it is not that straight forward
• Back to the drawing board
10 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 23: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/23.jpg)
Operating Systems 101
![Page 24: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/24.jpg)
Memory Isolation
Userspace Kernelspace
ApplicationsOperatingSystem Memory
• Kernel is isolated from user space
• This isolation is a combination of
hardware and software
• User applications cannot access
anything from the kernel
11 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 25: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/25.jpg)
Memory Isolation
Userspace Kernelspace
ApplicationsOperatingSystem Memory
• Kernel is isolated from user space
• This isolation is a combination of
hardware and software
• User applications cannot access
anything from the kernel
11 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 26: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/26.jpg)
Memory Isolation
Userspace Kernelspace
ApplicationsOperatingSystem Memory
• Kernel is isolated from user space
• This isolation is a combination of
hardware and software
• User applications cannot access
anything from the kernel
11 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 27: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/27.jpg)
Paging
• CPU support virtual address spaces to isolate
processes
• Physical memory is organized in page frames
• Virtual memory pages are mapped to page frames
using page tables
12 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 28: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/28.jpg)
Paging
• CPU support virtual address spaces to isolate
processes
• Physical memory is organized in page frames
• Virtual memory pages are mapped to page frames
using page tables
12 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 29: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/29.jpg)
Paging
• CPU support virtual address spaces to isolate
processes
• Physical memory is organized in page frames
• Virtual memory pages are mapped to page frames
using page tables
12 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 30: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/30.jpg)
Address Translation on x86-64
PML4I (9 b) PDPTI (9 b) PDI (9 b) PTI (9 b) Offset (12 b)
48-bit virtual address
CR3PML4
PML4E 0
PML4E 1···#PML4I···
PML4E 511
PDPT
PDPTE 0
PDPTE 1···#PDPTI···
PDPTE 511
Page Directory
PDE 0
PDE 1···
PDE #PDI···
PDE 511
Page Table
PTE 0
PTE 1···
PTE #PTI···
PTE 511
4 KiB Page
Byte 0
Byte 1···
Offset···
Byte 4095
13 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 31: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/31.jpg)
Address Translation on x86-64
PML4I (9 b) PDPTI (9 b) PDI (9 b) PTI (9 b) Offset (12 b)
48-bit virtual address
CR3PML4
PML4E 0
PML4E 1···#PML4I···
PML4E 511
PDPT
PDPTE 0
PDPTE 1···#PDPTI···
PDPTE 511
Page Directory
PDE 0
PDE 1···
PDE #PDI···
PDE 511
Page Table
PTE 0
PTE 1···
PTE #PTI···
PTE 511
4 KiB Page
Byte 0
Byte 1···
Offset···
Byte 4095
13 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 32: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/32.jpg)
Page Table Entry
P RW US WT UC R D S G Ignored
Physical Page Number
Ignored X
• User/Supervisor bit defines in which privilege level the page can be
accessed
14 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 33: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/33.jpg)
Direct-physical map
Physical memory
0 max
User
0 247
Kernel
−247 −1
• Kernel is typically mapped into every address space
• Entire physical memory is mapped in the kernel
15 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 34: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/34.jpg)
Direct-physical map
Physical memory
0 max
User
0 247
Kernel
−247 −1
• Kernel is typically mapped into every address space
• Entire physical memory is mapped in the kernel
15 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 35: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/35.jpg)
Loading an address
16 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 36: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/36.jpg)
Loading an address
16 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 37: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/37.jpg)
Loading an address
16 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 38: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/38.jpg)
Loading an address
16 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 39: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/39.jpg)
Loading an address
16 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 40: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/40.jpg)
Loading an address
16 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 41: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/41.jpg)
Side-channel Attacks
![Page 42: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/42.jpg)
Side-channel Attacks
• Safe software infrastructure does not mean safe execution
• Information leaks because of the underlying hardware
• Exploit unintentional information leakage by side-effects
Power
consumption
Execution
timeCPU caches
17 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 43: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/43.jpg)
Side-channel Attacks
• Safe software infrastructure does not mean safe execution
• Information leaks because of the underlying hardware
• Exploit unintentional information leakage by side-effects
Power
consumption
Execution
timeCPU caches
17 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 44: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/44.jpg)
Side-channel Attacks
• Safe software infrastructure does not mean safe execution
• Information leaks because of the underlying hardware
• Exploit unintentional information leakage by side-effects
Power
consumption
Execution
timeCPU caches
17 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 45: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/45.jpg)
Side-channel Attacks
• Safe software infrastructure does not mean safe execution
• Information leaks because of the underlying hardware
• Exploit unintentional information leakage by side-effects
Power
consumption
Execution
timeCPU caches
17 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 46: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/46.jpg)
Caches and Cache Attacks
![Page 47: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/47.jpg)
CPU Cache
18 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 48: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/48.jpg)
CPU Cache
18 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 49: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/49.jpg)
CPU Cache
18 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 50: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/50.jpg)
CPU Cache
18 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 51: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/51.jpg)
CPU Cache
18 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 52: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/52.jpg)
CPU Cache
18 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 53: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/53.jpg)
CPU Cache
18 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 54: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/54.jpg)
CPU Cache
18 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 55: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/55.jpg)
Memory Access Latency
0 100 200 300 400 500 600 700 800 900 1,000 1,100 1,200
1
2
3
·104
Measured access time (CPU cycles)
Numberofaccesses Cache hit
Cache miss
19 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 56: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/56.jpg)
Flush+Reload
20 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 57: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/57.jpg)
Flush+Reload
20 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 58: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/58.jpg)
Flush+Reload
20 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 59: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/59.jpg)
Flush+Reload
20 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 60: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/60.jpg)
Flush+Reload
20 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 61: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/61.jpg)
Flush+Reload
20 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 62: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/62.jpg)
Flush+Reload
20 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 63: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/63.jpg)
Flush+Reload
20 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 64: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/64.jpg)
Microarchitecture
![Page 65: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/65.jpg)
Architecture and Microarchitecture
• Instruction Set Architecture (ISA) is an abstract model of a
computer (x86, ARMv8, SPARC, …)
• Serves as the interface between hardware and software
• Microarchitecture is an actual implementation of the ISA
21 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 66: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/66.jpg)
Architecture and Microarchitecture
• Instruction Set Architecture (ISA) is an abstract model of a
computer (x86, ARMv8, SPARC, …)
• Serves as the interface between hardware and software
• Microarchitecture is an actual implementation of the ISA
21 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 67: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/67.jpg)
Architecture and Microarchitecture
• Instruction Set Architecture (ISA) is an abstract model of a
computer (x86, ARMv8, SPARC, …)
• Serves as the interface between hardware and software
• Microarchitecture is an actual implementation of the ISA
21 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 68: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/68.jpg)
Architecture and Microarchitecture
• Instruction Set Architecture (ISA) is an abstract model of a
computer (x86, ARMv8, SPARC, …)
• Serves as the interface between hardware and software
• Microarchitecture is an actual implementation of the ISA
21 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 69: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/69.jpg)
In-Order Execution
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
• Instructions are...
• fetched (IF) from the L1 Instruction Cache
• decoded (ID)• executed (EX) by execution units
• Memory access is performed (MEM)• Architectural register file is updated (WB)
22 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 70: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/70.jpg)
In-Order Execution
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
• Instructions are...
• fetched (IF) from the L1 Instruction Cache
• decoded (ID)
• executed (EX) by execution units
• Memory access is performed (MEM)• Architectural register file is updated (WB)
22 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 71: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/71.jpg)
In-Order Execution
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
• Instructions are...
• fetched (IF) from the L1 Instruction Cache
• decoded (ID)• executed (EX) by execution units
• Memory access is performed (MEM)• Architectural register file is updated (WB)
22 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 72: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/72.jpg)
In-Order Execution
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
• Instructions are...
• fetched (IF) from the L1 Instruction Cache
• decoded (ID)• executed (EX) by execution units
• Memory access is performed (MEM)
• Architectural register file is updated (WB)
22 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 73: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/73.jpg)
In-Order Execution
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
IF ID EX MEM WB
• Instructions are...
• fetched (IF) from the L1 Instruction Cache
• decoded (ID)• executed (EX) by execution units
• Memory access is performed (MEM)• Architectural register file is updated (WB)
22 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 74: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/74.jpg)
In-Order Execution
• Instructions are executed in-order
• Pipeline stalls when stages are not ready
• If data is not cached, we need to wait
23 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 75: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/75.jpg)
In-Order Execution
• Instructions are executed in-order
• Pipeline stalls when stages are not ready
• If data is not cached, we need to wait
23 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 76: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/76.jpg)
In-Order Execution
• Instructions are executed in-order
• Pipeline stalls when stages are not ready
• If data is not cached, we need to wait
23 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 77: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/77.jpg)
Out-of-order Execution
int width = 10, height = 5;
float diagonal = sqrt(width * width+ height * height);
int area = width * height;
printf("Area %d x %d = %d\n", width, height, area);
24 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 78: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/78.jpg)
Out-of-order Execution
int width = 10, height = 5;
float diagonal = sqrt(width * width+ height * height);
int area = width * height;
printf("Area %d x %d = %d\n", width, height, area);
24 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 79: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/79.jpg)
Out-of-Order ExecutionE
xecu
tion
Eng
ine
Reorder buffer
µOP µOP µOP µOP µOP µOP µOP µOP
Scheduler
Execution Units
AL
U,A
ES,
...
AL
U,F
MA
,...
AL
U,V
ect,
...
AL
U,B
ranc
h
Loa
dda
ta
Loa
dda
ta
Stor
eda
ta
AG
U
µOP µOP µOP µOP µOP µOP µOP µOP
CDB
Mem
ory
Subs
yste
m Load Buffer Store Buffer
L1 Data CacheDTLB STLB
L2 Cache
Fron
tend
Allocation Queue
µOP µOP µOP µOP
MUX
4-Way Decode
µOP µOP µOP µOP
Instruction Queue
Instruction Fetch & PreDecode
µOP Cache
µOPs
BranchPredictor
L1 Instruction CacheITLB
Instructions are
• fetched and decoded in the front-end
• dispatched to the backend
• processed by individual execution units
25 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 80: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/80.jpg)
Out-of-Order ExecutionE
xecu
tion
Eng
ine
Reorder buffer
µOP µOP µOP µOP µOP µOP µOP µOP
Scheduler
Execution Units
AL
U,A
ES,
...
AL
U,F
MA
,...
AL
U,V
ect,
...
AL
U,B
ranc
h
Loa
dda
ta
Loa
dda
ta
Stor
eda
ta
AG
U
µOP µOP µOP µOP µOP µOP µOP µOP
CDB
Mem
ory
Subs
yste
m Load Buffer Store Buffer
L1 Data CacheDTLB STLB
L2 Cache
Fron
tend
Allocation Queue
µOP µOP µOP µOP
MUX
4-Way Decode
µOP µOP µOP µOP
Instruction Queue
Instruction Fetch & PreDecode
µOP Cache
µOPs
BranchPredictor
L1 Instruction CacheITLB
Instructions are
• fetched and decoded in the front-end
• dispatched to the backend
• processed by individual execution units
25 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 81: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/81.jpg)
Out-of-Order ExecutionE
xecu
tion
Eng
ine
Reorder buffer
µOP µOP µOP µOP µOP µOP µOP µOP
Scheduler
Execution Units
AL
U,A
ES,
...
AL
U,F
MA
,...
AL
U,V
ect,
...
AL
U,B
ranc
h
Loa
dda
ta
Loa
dda
ta
Stor
eda
ta
AG
U
µOP µOP µOP µOP µOP µOP µOP µOP
CDB
Mem
ory
Subs
yste
m Load Buffer Store Buffer
L1 Data CacheDTLB STLB
L2 Cache
Fron
tend
Allocation Queue
µOP µOP µOP µOP
MUX
4-Way Decode
µOP µOP µOP µOP
Instruction Queue
Instruction Fetch & PreDecode
µOP Cache
µOPs
BranchPredictor
L1 Instruction CacheITLB
Instructions are
• fetched and decoded in the front-end
• dispatched to the backend
• processed by individual execution units
25 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 82: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/82.jpg)
Out-of-Order ExecutionE
xecu
tion
Eng
ine
Reorder buffer
µOP µOP µOP µOP µOP µOP µOP µOP
Scheduler
Execution Units
AL
U,A
ES,
...
AL
U,F
MA
,...
AL
U,V
ect,
...
AL
U,B
ranc
h
Loa
dda
ta
Loa
dda
ta
Stor
eda
ta
AG
U
µOP µOP µOP µOP µOP µOP µOP µOP
CDB
Mem
ory
Subs
yste
m Load Buffer Store Buffer
L1 Data CacheDTLB STLB
L2 Cache
Fron
tend
Allocation Queue
µOP µOP µOP µOP
MUX
4-Way Decode
µOP µOP µOP µOP
Instruction Queue
Instruction Fetch & PreDecode
µOP Cache
µOPs
BranchPredictor
L1 Instruction CacheITLB
Instructions
• are executed out-of-order
• wait until their dependencies are ready
• Later instructions might execute prior earlier
instructions
• retire in-order
• State becomes architecturally visible
• Exceptions are checked during retirement
• Flush pipeline and recover state
26 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 83: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/83.jpg)
Out-of-Order ExecutionE
xecu
tion
Eng
ine
Reorder buffer
µOP µOP µOP µOP µOP µOP µOP µOP
Scheduler
Execution Units
AL
U,A
ES,
...
AL
U,F
MA
,...
AL
U,V
ect,
...
AL
U,B
ranc
h
Loa
dda
ta
Loa
dda
ta
Stor
eda
ta
AG
U
µOP µOP µOP µOP µOP µOP µOP µOP
CDB
Mem
ory
Subs
yste
m Load Buffer Store Buffer
L1 Data CacheDTLB STLB
L2 Cache
Fron
tend
Allocation Queue
µOP µOP µOP µOP
MUX
4-Way Decode
µOP µOP µOP µOP
Instruction Queue
Instruction Fetch & PreDecode
µOP Cache
µOPs
BranchPredictor
L1 Instruction CacheITLB
Instructions
• are executed out-of-order
• wait until their dependencies are ready
• Later instructions might execute prior earlier
instructions
• retire in-order
• State becomes architecturally visible
• Exceptions are checked during retirement
• Flush pipeline and recover state
26 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 84: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/84.jpg)
Out-of-Order ExecutionE
xecu
tion
Eng
ine
Reorder buffer
µOP µOP µOP µOP µOP µOP µOP µOP
Scheduler
Execution Units
AL
U,A
ES,
...
AL
U,F
MA
,...
AL
U,V
ect,
...
AL
U,B
ranc
h
Loa
dda
ta
Loa
dda
ta
Stor
eda
ta
AG
U
µOP µOP µOP µOP µOP µOP µOP µOP
CDB
Mem
ory
Subs
yste
m Load Buffer Store Buffer
L1 Data CacheDTLB STLB
L2 Cache
Fron
tend
Allocation Queue
µOP µOP µOP µOP
MUX
4-Way Decode
µOP µOP µOP µOP
Instruction Queue
Instruction Fetch & PreDecode
µOP Cache
µOPs
BranchPredictor
L1 Instruction CacheITLB
Instructions
• are executed out-of-order
• wait until their dependencies are ready
• Later instructions might execute prior earlier
instructions
• retire in-order
• State becomes architecturally visible
• Exceptions are checked during retirement
• Flush pipeline and recover state
26 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 85: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/85.jpg)
Out-of-Order ExecutionE
xecu
tion
Eng
ine
Reorder buffer
µOP µOP µOP µOP µOP µOP µOP µOP
Scheduler
Execution Units
AL
U,A
ES,
...
AL
U,F
MA
,...
AL
U,V
ect,
...
AL
U,B
ranc
h
Loa
dda
ta
Loa
dda
ta
Stor
eda
ta
AG
U
µOP µOP µOP µOP µOP µOP µOP µOP
CDB
Mem
ory
Subs
yste
m Load Buffer Store Buffer
L1 Data CacheDTLB STLB
L2 Cache
Fron
tend
Allocation Queue
µOP µOP µOP µOP
MUX
4-Way Decode
µOP µOP µOP µOP
Instruction Queue
Instruction Fetch & PreDecode
µOP Cache
µOPs
BranchPredictor
L1 Instruction CacheITLB
Instructions
• are executed out-of-order
• wait until their dependencies are ready
• Later instructions might execute prior earlier
instructions
• retire in-order
• State becomes architecturally visible
• Exceptions are checked during retirement
• Flush pipeline and recover state
26 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 86: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/86.jpg)
Out-of-Order ExecutionE
xecu
tion
Eng
ine
Reorder buffer
µOP µOP µOP µOP µOP µOP µOP µOP
Scheduler
Execution Units
AL
U,A
ES,
...
AL
U,F
MA
,...
AL
U,V
ect,
...
AL
U,B
ranc
h
Loa
dda
ta
Loa
dda
ta
Stor
eda
ta
AG
U
µOP µOP µOP µOP µOP µOP µOP µOP
CDB
Mem
ory
Subs
yste
m Load Buffer Store Buffer
L1 Data CacheDTLB STLB
L2 Cache
Fron
tend
Allocation Queue
µOP µOP µOP µOP
MUX
4-Way Decode
µOP µOP µOP µOP
Instruction Queue
Instruction Fetch & PreDecode
µOP Cache
µOPs
BranchPredictor
L1 Instruction CacheITLB
Instructions
• are executed out-of-order
• wait until their dependencies are ready
• Later instructions might execute prior earlier
instructions
• retire in-order
• State becomes architecturally visible
• Exceptions are checked during retirement
• Flush pipeline and recover state
26 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 87: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/87.jpg)
Out-of-Order ExecutionE
xecu
tion
Eng
ine
Reorder buffer
µOP µOP µOP µOP µOP µOP µOP µOP
Scheduler
Execution Units
AL
U,A
ES,
...
AL
U,F
MA
,...
AL
U,V
ect,
...
AL
U,B
ranc
h
Loa
dda
ta
Loa
dda
ta
Stor
eda
ta
AG
U
µOP µOP µOP µOP µOP µOP µOP µOP
CDB
Mem
ory
Subs
yste
m Load Buffer Store Buffer
L1 Data CacheDTLB STLB
L2 Cache
Fron
tend
Allocation Queue
µOP µOP µOP µOP
MUX
4-Way Decode
µOP µOP µOP µOP
Instruction Queue
Instruction Fetch & PreDecode
µOP Cache
µOPs
BranchPredictor
L1 Instruction CacheITLB
Instructions
• are executed out-of-order
• wait until their dependencies are ready
• Later instructions might execute prior earlier
instructions
• retire in-order
• State becomes architecturally visible
• Exceptions are checked during retirement
• Flush pipeline and recover state
26 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 88: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/88.jpg)
Out-of-Order ExecutionE
xecu
tion
Eng
ine
Reorder buffer
µOP µOP µOP µOP µOP µOP µOP µOP
Scheduler
Execution Units
AL
U,A
ES,
...
AL
U,F
MA
,...
AL
U,V
ect,
...
AL
U,B
ranc
h
Loa
dda
ta
Loa
dda
ta
Stor
eda
ta
AG
U
µOP µOP µOP µOP µOP µOP µOP µOP
CDB
Mem
ory
Subs
yste
m Load Buffer Store Buffer
L1 Data CacheDTLB STLB
L2 Cache
Fron
tend
Allocation Queue
µOP µOP µOP µOP
MUX
4-Way Decode
µOP µOP µOP µOP
Instruction Queue
Instruction Fetch & PreDecode
µOP Cache
µOPs
BranchPredictor
L1 Instruction CacheITLB
Instructions
• are executed out-of-order
• wait until their dependencies are ready
• Later instructions might execute prior earlier
instructions
• retire in-order
• State becomes architecturally visible
• Exceptions are checked during retirement
• Flush pipeline and recover state
26 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 89: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/89.jpg)
The state does not become architecturally visible but …
![Page 90: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/90.jpg)
The state does not become architecturally visible but …
![Page 91: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/91.jpg)
Building the Code
• New code
*(volatile char*) 0;array[84 * 4096] = 0;
• volatile because compiler was not happy
warning : statement with no e f f e c t [−Wunused−value ]
* ( char * ) 0 ;
• Static code analyzer is still not happy
warning : Dereference of nu l l pointer
* ( vo l a t i l e char * ) 0 ;
27 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 92: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/92.jpg)
Building the Code
• New code
*(volatile char*) 0;array[84 * 4096] = 0;
• volatile because compiler was not happy
warning : statement with no e f f e c t [−Wunused−value ]
* ( char * ) 0 ;
• Static code analyzer is still not happy
warning : Dereference of nu l l pointer
* ( vo l a t i l e char * ) 0 ;
27 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 93: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/93.jpg)
Building the Code
• New code
*(volatile char*) 0;array[84 * 4096] = 0;
• volatile because compiler was not happy
warning : statement with no e f f e c t [−Wunused−value ]
* ( char * ) 0 ;
• Static code analyzer is still not happy
warning : Dereference of nu l l pointer
* ( vo l a t i l e char * ) 0 ;
27 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 94: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/94.jpg)
Building the Code
• Flush+Reload over all pages of the array
0 50 100 150 200 250
300
400
500
PageAccess
time
[cycles]
• “Unreachable” code line was actually executed
• Exception was only thrown afterwards
28 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 95: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/95.jpg)
Building the Code
• Flush+Reload over all pages of the array
0 50 100 150 200 250
300
400
500
PageAccess
time
[cycles]
• “Unreachable” code line was actually executed
• Exception was only thrown afterwards
28 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 96: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/96.jpg)
Building the Code
• Flush+Reload over all pages of the array
0 50 100 150 200 250
300
400
500
PageAccess
time
[cycles]
• “Unreachable” code line was actually executed
• Exception was only thrown afterwards
28 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 97: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/97.jpg)
Building the Code
• Out-of-order instructions leave microarchitectural traces
• We can see them for example in the cache
• Give such instructions a name: transient instructions
• We can indirectly observe the execution of transient
instructions
29 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 98: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/98.jpg)
Building the Code
• Out-of-order instructions leave microarchitectural traces
• We can see them for example in the cache
• Give such instructions a name: transient instructions
• We can indirectly observe the execution of transient
instructions
29 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 99: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/99.jpg)
Building the Code
• Out-of-order instructions leave microarchitectural traces
• We can see them for example in the cache
• Give such instructions a name: transient instructions
• We can indirectly observe the execution of transient
instructions
29 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 100: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/100.jpg)
Building the Code
• Out-of-order instructions leave microarchitectural traces
• We can see them for example in the cache
• Give such instructions a name: transient instructions
• We can indirectly observe the execution of transient
instructions
29 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 101: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/101.jpg)
Building the Code
30 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 102: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/102.jpg)
Building the Code
30 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 103: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/103.jpg)
Building the Code
• Add another layer of indirection to test
char data = *(char*) 0xffffffff81a000e0;array[data * 4096] = 0;
• Then check whether any part of array is cached
31 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 104: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/104.jpg)
Building the Code
• Add another layer of indirection to test
char data = *(char*) 0xffffffff81a000e0;array[data * 4096] = 0;
• Then check whether any part of array is cached
31 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 105: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/105.jpg)
Building the Code
• Flush+Reload over all pages of the array
0 50 100 150 200 250
300
400
500
PageAccess
time
[cycles]
• Index of cache hit reveals data
• Permission check is in some cases not fast enough
32 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 106: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/106.jpg)
Building the Code
• Flush+Reload over all pages of the array
0 50 100 150 200 250
300
400
500
PageAccess
time
[cycles]
• Index of cache hit reveals data
• Permission check is in some cases not fast enough
32 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 107: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/107.jpg)
![Page 108: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/108.jpg)
Meltdown
• Using out-of-order execution, we can read data at any address
• Index of cache hit reveals data
• Permission check is in some cases not fast enough
• Entire physical memory is typically accessible through kernel
space
33 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 109: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/109.jpg)
Meltdown
• Using out-of-order execution, we can read data at any address
• Index of cache hit reveals data
• Permission check is in some cases not fast enough
• Entire physical memory is typically accessible through kernel
space
33 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 110: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/110.jpg)
Meltdown
• Using out-of-order execution, we can read data at any address
• Index of cache hit reveals data
• Permission check is in some cases not fast enough
• Entire physical memory is typically accessible through kernel
space
33 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 111: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/111.jpg)
Meltdown
• Using out-of-order execution, we can read data at any address
• Index of cache hit reveals data
• Permission check is in some cases not fast enough
• Entire physical memory is typically accessible through kernel
space
33 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 112: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/112.jpg)
![Page 113: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/113.jpg)
Demo
![Page 114: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/114.jpg)
Details: Exception Handling
• Basic Meltdown code leads to a crash (segfault)
• How to prevent the crash?
Fault
Handling
Fault
Suppression
Fault
Prevention
34 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 115: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/115.jpg)
Details: Exception Handling
• Basic Meltdown code leads to a crash (segfault)
• How to prevent the crash?
Fault
Handling
Fault
Suppression
Fault
Prevention
34 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 116: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/116.jpg)
Details: Exception Handling
• Basic Meltdown code leads to a crash (segfault)
• How to prevent the crash?
Fault
Handling
Fault
Suppression
Fault
Prevention
34 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 117: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/117.jpg)
Meltdown with Fault Suppression
• Intel TSX to suppress exceptions instead of signal handler
if(xbegin() == XBEGIN_STARTED) {char secret = *(char*) 0xffffffff81a000e0;array[secret * 4096] = 0;xend();
}
for (size_t i = 0; i < 256; i++) {if (flush_and_reload(array + i * 4096) == CACHE_HIT) {printf("%c\n", i);
}}
35 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 118: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/118.jpg)
Meltdown with Fault Prevention
• Speculative execution to prevent exceptions
int speculate = rand() % 2;size_t address = (0xffffffff81a000e0 * speculate) +
((size_t)&zero * (1 - speculate));if(!speculate) {char secret = *(char*) address;array[secret * 4096] = 0;
}
for (size_t i = 0; i < 256; i++) {if (flush_and_reload(array + i * 4096) == CACHE_HIT) {printf("%c\n", i);
}}
36 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 119: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/119.jpg)
Make it faster
• Improve the performance with a NULL pointer dereference
if(xbegin() == XBEGIN_STARTED) {*(volatile char*) 0;char secret = *(char*) 0xffffffff81a000e0;array[secret * 4096] = 0;xend();
}
37 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 120: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/120.jpg)
Make it faster
• Improve the performance with a NULL pointer dereference
if(xbegin() == XBEGIN_STARTED) {*(volatile char*) 0;char secret = *(char*) 0xffffffff81a000e0;array[secret * 4096] = 0;xend();
}
37 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 121: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/121.jpg)
![Page 122: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/122.jpg)
![Page 123: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/123.jpg)
Uncached memory
• Assumed that one can only read data stored in the L1 with
Meltdown
• Experiment where a thread flushes the value constantly
and a thread on a different core reloads the value
• Target data is not in the L1 cache of the attacking core
• We can still leak the data at a lower reading rate
• Meltdown might implicitly cache the data
38 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 124: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/124.jpg)
Uncached memory
• Assumed that one can only read data stored in the L1 with
Meltdown
• Experiment where a thread flushes the value constantly
and a thread on a different core reloads the value
• Target data is not in the L1 cache of the attacking core
• We can still leak the data at a lower reading rate
• Meltdown might implicitly cache the data
38 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 125: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/125.jpg)
Uncached memory
• Assumed that one can only read data stored in the L1 with
Meltdown
• Experiment where a thread flushes the value constantly
and a thread on a different core reloads the value
• Target data is not in the L1 cache of the attacking core
• We can still leak the data at a lower reading rate
• Meltdown might implicitly cache the data
38 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 126: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/126.jpg)
Uncached memory
• Assumed that one can only read data stored in the L1 with
Meltdown
• Experiment where a thread flushes the value constantly
and a thread on a different core reloads the value
• Target data is not in the L1 cache of the attacking core
• We can still leak the data at a lower reading rate
• Meltdown might implicitly cache the data
38 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 127: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/127.jpg)
Uncached memory
• Assumed that one can only read data stored in the L1 with
Meltdown
• Experiment where a thread flushes the value constantly
and a thread on a different core reloads the value
• Target data is not in the L1 cache of the attacking core
• We can still leak the data at a lower reading rate
• Meltdown might implicitly cache the data
38 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 128: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/128.jpg)
Uncachable memory
• Mark pages in page tables as UC (uncachable)
• Every read or write operation will go to main memory
• If the attacker can trigger a legitimate load (system call, …)
on the same CPU core, the data still can be leaked
• Meltdown might read the data from one of the fill buffers
• as they are shared between threads running on the same
core
39 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 129: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/129.jpg)
Uncachable memory
• Mark pages in page tables as UC (uncachable)
• Every read or write operation will go to main memory
• If the attacker can trigger a legitimate load (system call, …)
on the same CPU core, the data still can be leaked
• Meltdown might read the data from one of the fill buffers
• as they are shared between threads running on the same
core
39 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 130: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/130.jpg)
Uncachable memory
• Mark pages in page tables as UC (uncachable)
• Every read or write operation will go to main memory
• If the attacker can trigger a legitimate load (system call, …)
on the same CPU core, the data still can be leaked
• Meltdown might read the data from one of the fill buffers
• as they are shared between threads running on the same
core
39 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 131: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/131.jpg)
Uncachable memory
• Mark pages in page tables as UC (uncachable)
• Every read or write operation will go to main memory
• If the attacker can trigger a legitimate load (system call, …)
on the same CPU core, the data still can be leaked
• Meltdown might read the data from one of the fill buffers
• as they are shared between threads running on the same
core
39 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 132: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/132.jpg)
Uncachable memory
• Mark pages in page tables as UC (uncachable)
• Every read or write operation will go to main memory
• If the attacker can trigger a legitimate load (system call, …)
on the same CPU core, the data still can be leaked
• Meltdown might read the data from one of the fill buffers
• as they are shared between threads running on the same
core
39 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 133: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/133.jpg)
So you can dump the entire memory.
But it takes ages?
![Page 134: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/134.jpg)
So you can dump the entire memory. But it takes ages?
![Page 135: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/135.jpg)
Practical attacks
• Dumping the entire physical memory takes some time
• Not very practical in most scenarios
• Can we mount more targeted attacks?
40 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 136: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/136.jpg)
Practical attacks
• Dumping the entire physical memory takes some time
• Not very practical in most scenarios
• Can we mount more targeted attacks?
40 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 137: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/137.jpg)
Practical attacks
• Dumping the entire physical memory takes some time
• Not very practical in most scenarios
• Can we mount more targeted attacks?
40 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 138: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/138.jpg)
VeraCrypt
• Open-source utility for disk encryption
• Fork of TrueCrypt
• Cryptographic keys are stored in RAM
• With Meltdown, we can extract the keys from DRAM
41 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 139: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/139.jpg)
VeraCrypt
• Open-source utility for disk encryption
• Fork of TrueCrypt
• Cryptographic keys are stored in RAM
• With Meltdown, we can extract the keys from DRAM
41 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 140: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/140.jpg)
VeraCrypt
• Open-source utility for disk encryption
• Fork of TrueCrypt
• Cryptographic keys are stored in RAM
• With Meltdown, we can extract the keys from DRAM
41 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 141: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/141.jpg)
VeraCrypt
• Open-source utility for disk encryption
• Fork of TrueCrypt
• Cryptographic keys are stored in RAM
• With Meltdown, we can extract the keys from DRAM
41 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 142: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/142.jpg)
Demo
![Page 143: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/143.jpg)
Breaking KASLR
• De-randomize KASLR to access internal kernel structures
• Locate a known value inside the kernel, e.g., Linux banner
• Start at the default address according to the symbol table
of the running kernel
• Linux KASLR has an entropy of 6 bits ⇒ only 64 possible
randomization offsets
• Difference between the found address and the
non-randomized base address is the randomization offset
42 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 144: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/144.jpg)
Breaking KASLR
• De-randomize KASLR to access internal kernel structures
• Locate a known value inside the kernel, e.g., Linux banner
• Start at the default address according to the symbol table
of the running kernel
• Linux KASLR has an entropy of 6 bits ⇒ only 64 possible
randomization offsets
• Difference between the found address and the
non-randomized base address is the randomization offset
42 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 145: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/145.jpg)
Breaking KASLR
• De-randomize KASLR to access internal kernel structures
• Locate a known value inside the kernel, e.g., Linux banner
• Start at the default address according to the symbol table
of the running kernel
• Linux KASLR has an entropy of 6 bits ⇒ only 64 possible
randomization offsets
• Difference between the found address and the
non-randomized base address is the randomization offset
42 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 146: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/146.jpg)
Breaking KASLR
• De-randomize KASLR to access internal kernel structures
• Locate a known value inside the kernel, e.g., Linux banner
• Start at the default address according to the symbol table
of the running kernel
• Linux KASLR has an entropy of 6 bits ⇒ only 64 possible
randomization offsets
• Difference between the found address and the
non-randomized base address is the randomization offset
42 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 147: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/147.jpg)
Breaking KASLR
• De-randomize KASLR to access internal kernel structures
• Locate a known value inside the kernel, e.g., Linux banner
• Start at the default address according to the symbol table
of the running kernel
• Linux KASLR has an entropy of 6 bits ⇒ only 64 possible
randomization offsets
• Difference between the found address and the
non-randomized base address is the randomization offset
42 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 148: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/148.jpg)
Locating the victim process
• Linux manages all processes in a linked list
• Head of the list is stored at init_task structure
• At a fixed offset that varies only among kernel builds
• Each task list structure contains a pointer to the next task
and
• PID of the task
• name of the task
• Root of the multi-level page table
43 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 149: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/149.jpg)
Locating the victim process
• Linux manages all processes in a linked list
• Head of the list is stored at init_task structure
• At a fixed offset that varies only among kernel builds
• Each task list structure contains a pointer to the next task
and
• PID of the task
• name of the task
• Root of the multi-level page table
43 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 150: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/150.jpg)
Locating the victim process
• Linux manages all processes in a linked list
• Head of the list is stored at init_task structure
• At a fixed offset that varies only among kernel builds
• Each task list structure contains a pointer to the next task
and
• PID of the task
• name of the task
• Root of the multi-level page table
43 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 151: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/151.jpg)
Locating the victim process
• Linux manages all processes in a linked list
• Head of the list is stored at init_task structure
• At a fixed offset that varies only among kernel builds
• Each task list structure contains a pointer to the next task
and
• PID of the task
• name of the task
• Root of the multi-level page table
43 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 152: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/152.jpg)
Dumping memory content
• Resolve physical address using paging structures
• Read the content using the direct-physical map
• Enumerate all mapped pages and dump entire process
memory
• Location of the key known, we can just dump the key
directly
44 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 153: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/153.jpg)
Dumping memory content
• Resolve physical address using paging structures
• Read the content using the direct-physical map
• Enumerate all mapped pages and dump entire process
memory
• Location of the key known, we can just dump the key
directly
44 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 154: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/154.jpg)
Dumping memory content
• Resolve physical address using paging structures
• Read the content using the direct-physical map
• Enumerate all mapped pages and dump entire process
memory
• Location of the key known, we can just dump the key
directly
44 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 155: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/155.jpg)
Dumping memory content
• Resolve physical address using paging structures
• Read the content using the direct-physical map
• Enumerate all mapped pages and dump entire process
memory
• Location of the key known, we can just dump the key
directly
44 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 156: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/156.jpg)
Final steps
• aeskeyfind to extract AES keys from the memory dump
• pytruecrypt to decrypt disk image using the extracted
key
• Affects every application that stores its secret in DRAM
45 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 157: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/157.jpg)
Final steps
• aeskeyfind to extract AES keys from the memory dump
• pytruecrypt to decrypt disk image using the extracted
key
• Affects every application that stores its secret in DRAM
45 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 158: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/158.jpg)
Final steps
• aeskeyfind to extract AES keys from the memory dump
• pytruecrypt to decrypt disk image using the extracted
key
• Affects every application that stores its secret in DRAM
45 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 159: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/159.jpg)
Who is affected?
![Page 160: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/160.jpg)
Affected by Meltdown
• Intel: Almost every CPU
• AMD: Seems not to be affected
• ARM: Only the Cortex-A75
• IBM: System Z, Power Architecture, POWER8 and POWER9
• Apple: All Mac and iOS devices
46 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 161: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/161.jpg)
Affected by Meltdown
• Intel: Almost every CPU
• AMD: Seems not to be affected
• ARM: Only the Cortex-A75
• IBM: System Z, Power Architecture, POWER8 and POWER9
• Apple: All Mac and iOS devices
46 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 162: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/162.jpg)
Affected by Meltdown
• Intel: Almost every CPU
• AMD: Seems not to be affected
• ARM: Only the Cortex-A75
• IBM: System Z, Power Architecture, POWER8 and POWER9
• Apple: All Mac and iOS devices
46 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 163: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/163.jpg)
Affected by Meltdown
• Intel: Almost every CPU
• AMD: Seems not to be affected
• ARM: Only the Cortex-A75
• IBM: System Z, Power Architecture, POWER8 and POWER9
• Apple: All Mac and iOS devices
46 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 164: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/164.jpg)
Affected by Meltdown
• Intel: Almost every CPU
• AMD: Seems not to be affected
• ARM: Only the Cortex-A75
• IBM: System Z, Power Architecture, POWER8 and POWER9
• Apple: All Mac and iOS devices
46 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 165: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/165.jpg)
Affected by Meltdown
• But there are other CPU manufacturers as well …
47 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 166: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/166.jpg)
Samsung Galaxy S7
Samsung Galaxy S7
• Exynos Mongoose M1 CPU Architecture
• Custom CPU core in the Exynos 8 Octa (8890)
• Perceptron Branch Prediction
• Full Out-of-Order Instruction Execution
• Full Out-of-Order loads and stores
48 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 167: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/167.jpg)
Samsung Galaxy S7
Samsung Galaxy S7
• Exynos Mongoose M1 CPU Architecture
• Custom CPU core in the Exynos 8 Octa (8890)
• Perceptron Branch Prediction
• Full Out-of-Order Instruction Execution
• Full Out-of-Order loads and stores
48 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 168: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/168.jpg)
Samsung Galaxy S7
Samsung Galaxy S7
• Exynos Mongoose M1 CPU Architecture
• Custom CPU core in the Exynos 8 Octa (8890)
• Perceptron Branch Prediction
• Full Out-of-Order Instruction Execution
• Full Out-of-Order loads and stores
48 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 169: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/169.jpg)
Samsung Galaxy S7
Samsung Galaxy S7
• Exynos Mongoose M1 CPU Architecture
• Custom CPU core in the Exynos 8 Octa (8890)
• Perceptron Branch Prediction
• Full Out-of-Order Instruction Execution
• Full Out-of-Order loads and stores
48 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 170: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/170.jpg)
Samsung Galaxy S7
Samsung Galaxy S7
• Exynos Mongoose M1 CPU Architecture
• Custom CPU core in the Exynos 8 Octa (8890)
• Perceptron Branch Prediction
• Full Out-of-Order Instruction Execution
• Full Out-of-Order loads and stores
48 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 171: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/171.jpg)
Demo
![Page 172: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/172.jpg)
Samsung Galaxy S7
Samsung Galaxy S7
• Luckily they already fixed it
• With their latest update on July 10, 2018
49 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 173: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/173.jpg)
Samsung Galaxy S7
Samsung Galaxy S7
• Luckily they already fixed it
• With their latest update
on July 10, 2018
49 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 174: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/174.jpg)
Samsung Galaxy S7
Samsung Galaxy S7
• Luckily they already fixed it
• With their latest update on July 10, 2018
49 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 175: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/175.jpg)
Affected by Meltdown
• But there are other CPU manufacturers as well …
• …which are affected
• Need to evaluate the attack on other CPUs as well
• Notify the users …
• …and custom ROM developers, e.g., LineageOS
50 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 176: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/176.jpg)
But wait, what about privileged registers?
![Page 177: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/177.jpg)
Variant 3a
• ARM found a closely related Meltdown variant
• Read of system registers that are not accessible from
current exception level
• ARM Cortex-A15, Cortex-A57 and Cortex-A72 are vulnerable
• Impact: breaking KASLR and pointer authentication
51 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 178: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/178.jpg)
Variant 3a
• ARM found a closely related Meltdown variant
• Read of system registers that are not accessible from
current exception level
• ARM Cortex-A15, Cortex-A57 and Cortex-A72 are vulnerable
• Impact: breaking KASLR and pointer authentication
51 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 179: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/179.jpg)
Variant 3a
• ARM found a closely related Meltdown variant
• Read of system registers that are not accessible from
current exception level
• ARM Cortex-A15, Cortex-A57 and Cortex-A72 are vulnerable
• Impact: breaking KASLR and pointer authentication
51 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 180: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/180.jpg)
Variant 3a
• ARM found a closely related Meltdown variant
• Read of system registers that are not accessible from
current exception level
• ARM Cortex-A15, Cortex-A57 and Cortex-A72 are vulnerable
• Impact: breaking KASLR and pointer authentication
51 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 181: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/181.jpg)
Demo
![Page 182: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/182.jpg)
Variant 3a
• Intel is affected too (May 21, 2018)
• Almost every CPU (Core i3/i5/i7, 2nd-8th Intel Core, Xeon,
Atom, Pentium, …)
• Rogue System Register Read (RSRE) (CVE-2018-3640)
52 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 183: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/183.jpg)
Variant 3a
• Intel is affected too (May 21, 2018)
• Almost every CPU (Core i3/i5/i7, 2nd-8th Intel Core, Xeon,
Atom, Pentium, …)
• Rogue System Register Read (RSRE) (CVE-2018-3640)
52 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 184: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/184.jpg)
Variant 3a
• Intel is affected too (May 21, 2018)
• Almost every CPU (Core i3/i5/i7, 2nd-8th Intel Core, Xeon,
Atom, Pentium, …)
• Rogue System Register Read (RSRE) (CVE-2018-3640)
52 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 185: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/185.jpg)
Is Meltdown (or Spectre) a side-channel attack?
No.
• We read the data directly
• We use a side channel internally for transmission
→ does not make the entire thing a side-channel attack
53 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 186: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/186.jpg)
Is Meltdown (or Spectre) a side-channel attack?
No.
• We read the data directly
• We use a side channel internally for transmission
→ does not make the entire thing a side-channel attack
53 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 187: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/187.jpg)
Is Meltdown (or Spectre) a side-channel attack?
No.
• We read the data directly
• We use a side channel internally for transmission
→ does not make the entire thing a side-channel attack
53 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 188: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/188.jpg)
Is Meltdown (or Spectre) a side-channel attack?
No.
• We read the data directly
• We use a side channel internally for transmission
→ does not make the entire thing a side-channel attack
53 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 189: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/189.jpg)
Is Meltdown (or Spectre) a side-channel attack?
No.
• We read the data directly
• We use a side channel internally for transmission
→ does not make the entire thing a side-channel attack
53 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 190: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/190.jpg)
Is Meltdown (or Spectre) a side-channel attack?
No.
• We read the data directly
• We use a side channel internally for transmission
→ does not make the entire thing a side-channel attack
53 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 191: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/191.jpg)
Is Meltdown a variant of Spectre? Is it speculative execution?
No.
• Often heard: “Meltdown is speculating beyond faulting
instructions”
→ That’s not speculative execution
• “Speculating beyond faulting instructions” - not even the
actual problem
• AMD does that - but is not affected!
→ Actual problem: fetching & using real values for
instructions after faulting ones
54 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 192: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/192.jpg)
Is Meltdown a variant of Spectre? Is it speculative execution?
No.
• Often heard: “Meltdown is speculating beyond faulting
instructions”
→ That’s not speculative execution
• “Speculating beyond faulting instructions” - not even the
actual problem
• AMD does that - but is not affected!
→ Actual problem: fetching & using real values for
instructions after faulting ones
54 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 193: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/193.jpg)
Is Meltdown a variant of Spectre? Is it speculative execution?
No.
• Often heard: “Meltdown is speculating beyond faulting
instructions”
→ That’s not speculative execution
• “Speculating beyond faulting instructions” - not even the
actual problem
• AMD does that - but is not affected!
→ Actual problem: fetching & using real values for
instructions after faulting ones
54 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 194: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/194.jpg)
Is Meltdown a variant of Spectre? Is it speculative execution?
No.
• Often heard: “Meltdown is speculating beyond faulting
instructions”
→ That’s not speculative execution
• “Speculating beyond faulting instructions” - not even the
actual problem
• AMD does that - but is not affected!
→ Actual problem: fetching & using real values for
instructions after faulting ones
54 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 195: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/195.jpg)
Is Meltdown a variant of Spectre? Is it speculative execution?
No.
• Often heard: “Meltdown is speculating beyond faulting
instructions”
→ That’s not speculative execution
• “Speculating beyond faulting instructions” - not even the
actual problem
• AMD does that - but is not affected!
→ Actual problem: fetching & using real values for
instructions after faulting ones
54 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 196: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/196.jpg)
Is Meltdown a variant of Spectre? Is it speculative execution?
No.
• Often heard: “Meltdown is speculating beyond faulting
instructions”
→ That’s not speculative execution
• “Speculating beyond faulting instructions” - not even the
actual problem
• AMD does that - but is not affected!
→ Actual problem: fetching & using real values for
instructions after faulting ones
54 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 197: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/197.jpg)
Is Meltdown a variant of Spectre? Is it speculative execution?
No.
• Often heard: “Meltdown is speculating beyond faulting
instructions”
→ That’s not speculative execution
• “Speculating beyond faulting instructions” - not even the
actual problem
• AMD does that - but is not affected!
→ Actual problem: fetching & using real values for
instructions after faulting ones
54 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 198: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/198.jpg)
Is Meltdown a variant of Spectre? Is it speculative execution?
No.
• Often heard: “Meltdown is speculating beyond faulting
instructions”
→ That’s not speculative execution
• “Speculating beyond faulting instructions” - not even the
actual problem
• AMD does that - but is not affected!
→ Actual problem: fetching & using real values for
instructions after faulting ones
54 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 199: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/199.jpg)
How can this all be fixed?
![Page 200: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/200.jpg)
Meltdown Mitigation
• Problem is rooted in hardware
• Race condition between the memory fetch and
corresponding permission check
• Serialize both of them
• Hard split of user space and kernel space
• New bit in control register
• Fix the hardware → long-term solution
• Can we fix it in software?
55 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 201: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/201.jpg)
Meltdown Mitigation
• Problem is rooted in hardware
• Race condition between the memory fetch and
corresponding permission check
• Serialize both of them
• Hard split of user space and kernel space
• New bit in control register
• Fix the hardware → long-term solution
• Can we fix it in software?
55 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 202: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/202.jpg)
Meltdown Mitigation
• Problem is rooted in hardware
• Race condition between the memory fetch and
corresponding permission check
• Serialize both of them
• Hard split of user space and kernel space
• New bit in control register
• Fix the hardware → long-term solution
• Can we fix it in software?
55 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 203: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/203.jpg)
Meltdown Mitigation
• Problem is rooted in hardware
• Race condition between the memory fetch and
corresponding permission check
• Serialize both of them
• Hard split of user space and kernel space
• New bit in control register
• Fix the hardware → long-term solution
• Can we fix it in software?
55 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 204: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/204.jpg)
Meltdown Mitigation
• Problem is rooted in hardware
• Race condition between the memory fetch and
corresponding permission check
• Serialize both of them
• Hard split of user space and kernel space
• New bit in control register
• Fix the hardware → long-term solution
• Can we fix it in software?
55 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 205: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/205.jpg)
Meltdown Mitigation
• Kernel addresses in user space are a
problem
• Why don’t we take the kernel
addresses...
56 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 206: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/206.jpg)
Meltdown Mitigation
• Kernel addresses in user space are a
problem
• Why don’t we take the kernel
addresses...
56 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 207: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/207.jpg)
Meltdown Mitigation
• ...and remove them if not needed?
• User accessible check in hardware is
not reliable
57 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 208: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/208.jpg)
Meltdown Mitigation
• ...and remove them if not needed?
• User accessible check in hardware is
not reliable
57 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 209: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/209.jpg)
Meltdown Mitigation
• Unmap the kernel in user space
• Kernel addresses are then no longer present
• Memory which is not mapped cannot be accessed at all
58 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 210: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/210.jpg)
Meltdown Mitigation
• Unmap the kernel in user space
• Kernel addresses are then no longer present
• Memory which is not mapped cannot be accessed at all
58 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 211: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/211.jpg)
Meltdown Mitigation
• Unmap the kernel in user space
• Kernel addresses are then no longer present
• Memory which is not mapped cannot be accessed at all
58 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 212: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/212.jpg)
KAISER
Userspace Kernelspace
ApplicationsOperatingSystem Memory
59 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 213: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/213.jpg)
KAISER
Userspace Kernelspace
ApplicationsOperatingSystem Memory
Userspace Kernelspace
Applications
Kernel View User View
context switch
60 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 214: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/214.jpg)
KAISER
• We published KAISER in May 2017 …
• …as a countermeasure against other side-channel attacks
• Inadvertently defeats Meltdown as well
• PoC implementation for the Linux kernel
61 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 215: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/215.jpg)
KAISER
• We published KAISER in May 2017 …
• …as a countermeasure against other side-channel attacks
• Inadvertently defeats Meltdown as well
• PoC implementation for the Linux kernel
61 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 216: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/216.jpg)
KAISER
• We published KAISER in May 2017 …
• …as a countermeasure against other side-channel attacks
• Inadvertently defeats Meltdown as well
• PoC implementation for the Linux kernel
61 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 217: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/217.jpg)
KAISER
• We published KAISER in May 2017 …
• …as a countermeasure against other side-channel attacks
• Inadvertently defeats Meltdown as well
• PoC implementation for the Linux kernel
61 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 218: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/218.jpg)
KAISER
• Hardware interrupt while running in user mode
• Kernel needs to deal with interrupt but does not exist
anymore in address space
• Traps, NMI, system calls, …
• Must map some kernel code in user space
62 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 219: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/219.jpg)
KAISER
• Need to update CR3 in order to switch to other address space
• How can we do this efficiently?
• Instead of one PGD, two PGDs are allocated
• 8k in size and 8k aligned
• Trick: Just flip bit 12 in the pointer to swap between both halves
CR3 Pair
CR3 + 0x1000
CR3
User
Kernel
PGD User
PGD Kernel
CR3[12]=1
CR3[12]=0
63 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 220: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/220.jpg)
KAISER
• Need to update CR3 in order to switch to other address space
• How can we do this efficiently?
• Instead of one PGD, two PGDs are allocated
• 8k in size and 8k aligned
• Trick: Just flip bit 12 in the pointer to swap between both halves
CR3 Pair
CR3 + 0x1000
CR3
User
Kernel
PGD User
PGD Kernel
CR3[12]=1
CR3[12]=0
63 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 221: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/221.jpg)
KAISER
• Need to update CR3 in order to switch to other address space
• How can we do this efficiently?
• Instead of one PGD, two PGDs are allocated
• 8k in size and 8k aligned
• Trick: Just flip bit 12 in the pointer to swap between both halves
CR3 Pair
CR3 + 0x1000
CR3
User
Kernel
PGD User
PGD Kernel
CR3[12]=1
CR3[12]=0
63 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 222: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/222.jpg)
KAISER
• Need to update CR3 in order to switch to other address space
• How can we do this efficiently?
• Instead of one PGD, two PGDs are allocated
• 8k in size and 8k aligned
• Trick: Just flip bit 12 in the pointer to swap between both halves
CR3 Pair
CR3 + 0x1000
CR3
User
Kernel
PGD User
PGD Kernel
CR3[12]=1
CR3[12]=0
63 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 223: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/223.jpg)
KAISER
• Need to update CR3 in order to switch to other address space
• How can we do this efficiently?
• Instead of one PGD, two PGDs are allocated
• 8k in size and 8k aligned
• Trick: Just flip bit 12 in the pointer to swap between both halves
CR3 Pair
CR3 + 0x1000
CR3
PGD User
PGD Kernel
User
Kernel
CR3[12]=1
CR3[12]=0
63 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 224: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/224.jpg)
KAISER
• Need to update CR3 in order to switch to other address space
• How can we do this efficiently?
• Instead of one PGD, two PGDs are allocated
• 8k in size and 8k aligned
• Trick: Just flip bit 12 in the pointer to swap between both halves
CR3 Pair
CR3 + 0x1000
CR3
PGD User
PGD Kernel
User
Kernel
CR3[12]=1
CR3[12]=0
63 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 225: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/225.jpg)
Kernel Page-table Isolation
• Intel and others improved KAISER
• Merged it into upstream as KPTI (Kernel Page-table
Isolation)
• Kernel patches are available for arm64 as well
64 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 226: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/226.jpg)
Kernel Page-table Isolation
• Intel and others improved KAISER
• Merged it into upstream as KPTI (Kernel Page-table
Isolation)
• Kernel patches are available for arm64 as well
64 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 227: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/227.jpg)
Kernel Page-table Isolation
• Intel and others improved KAISER
• Merged it into upstream as KPTI (Kernel Page-table
Isolation)
• Kernel patches are available for arm64 as well
64 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 228: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/228.jpg)
Apple
• Apple released updates in iOS 11.2, macOS 10.13.2 and tvOS
11.2 to mitigate Meltdown
• Boot option: -no-shared-cr3• Unmaps the user space while running in kernel mode
• But not vice versa
65 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 229: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/229.jpg)
KVA Shadow
• Kernel Virtual Address (KVA) Shadow
• Meltdown Mitigation for Microsoft Windows
66 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 230: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/230.jpg)
Implementing
• Introducing such a fundamental change to the operating
system is extremely challenging
• Our PoC implementation contained many bugs as well
67 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 231: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/231.jpg)
Total Meltdown
• Discovered by Ulf Frisk (@ulffrisk) in the 2018-02 security
update
• CVE-2018-1038
• Modified the PML4 entry of 0x1ed to allow to access page
from user-mode
• On Windows 7 and Server 2018 R2: Self-Referencing Entry
• Allows to read and modify entire physical memory
68 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 232: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/232.jpg)
What now?
![Page 233: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/233.jpg)
Future
• More attacks exploiting performance optimizations in
hardware
• New variants are disclosed frequently
69 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 234: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/234.jpg)
A unique chance
A unique chance to
• rethink processor design
• grow up, like other fields (car industry, construction
industry)
70 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 235: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/235.jpg)
Proof-of-Concept
You can find our proof-of-concept implementation on:
• https://github.com/IAIK/meltdown
71 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 236: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/236.jpg)
Conclusion
• Underestimated microarchitectural attacks for a long time
• Meltdown exploit performance optimizations
• Allow to leak arbitrary memory
• Countermeasures come with a performance impact
• Find trade-offs between security and performance
72 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 237: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/237.jpg)
![Page 238: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/238.jpg)
References
R. Grisenthwaite. Cache Speculation Side-channels. 2018.
D. Gruss, M. Lipp, M. Schwarz, R. Fellner, C. Maurice, and S. Mangard. KASLR is
Dead: Long Live KASLR. In: ESSoS. 2017.
Intel. Intel Analysis of Speculative Execution Side Channels. Jan. 2018. url:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf.
K. Johnson. KVA Shadow: Mitigating Meltdown on Windows. Mar. 2018. url:
https://blogs.technet.microsoft.com/srd/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/.
73 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology
![Page 239: Meltdown - Basics, Details, Consequences · WhoamI? MichaelSchwarz PhDstudent@GrazUniversityofTechnology @misc0110 michael.schwarz@iaik.tugraz.at 2 MoritzLipp,MichaelSchwarz,DanielGruss|GrazUniversityofTechnology](https://reader034.fdocuments.net/reader034/viewer/2022042223/5ec98de9b7511a59e711a23b/html5/thumbnails/239.jpg)
M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, A. Fogh, J. Horn, S. Mangard,
P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg. Meltdown: Reading Kernel
Memory from User Space. In: USENIX Security Symposium. 2018.
LWN. The current state of kernel page-table isolation. 2017. url:
https://lwn.net/SubscriberLink/741878/eb6c9d3913d7cb2b/.
Y. Yarom and K. Falkner. Flush+Reload: a High Resolution, Low Noise, L3 Cache
Side-Channel Attack. In: USENIX Security Symposium. 2014.
74 Moritz Lipp, Michael Schwarz, Daniel Gruss | Graz University of Technology