CleanupSpec: An “Undo” Approach to Safe Speculation


1 CleanupSpec: An “Undo” Approach to Safe Speculation
MICRO-2019
Gururaj Saileshwar and Moinuddin Qureshi, Georgia Institute of Technology
2-minutes => Intro (Performance Optimizations, Security Threat, Our Undo Approach)
3-minutes => Motivation & Goal (Threat Model, Problem, Redo vs Undo)
6-minutes => Design (Scope, L1, L2, Directory, Putting it together)
5-minutes => Evaluation (Security Analysis, Spectre-V1, Performance & Related Work, Conclusion)
Total – 15 minutes. (2 minutes for buffer)

2 Processor Optimizations → Performance Gains
[Diagram labels: Speculation; Caching; Goal; Fast; -$; Slow Mem; Computer Architects]

3 Processor Optimizations → Security Threat!
[Diagram labels: Speculation; Caching; Speculation-Based Attacks; Fast; -$; Slow Mem]
Attacks breach SW confidentiality
Defenses have high slowdown
Mis-speculation allows Access to Secret
Timing Side-channel Leaks Secret

4 Our Work CleanupSpec: An Undo-Based Mitigation
[Diagram labels: Speculation; Caching; Cleanup on Mis-Speculation; Fast; -$; Slow Mem]
CleanupSpec: Cleanup Speculative Cache Changes
Pipeline State Flushed
Enables a low-cost mitigation: ~5% slowdown & <1KB storage

5 Agenda
Introduction
Background & Motivation
Design
Evaluation

6 Threat Model
Any speculative load can leak information via side-channels
Channels of Information Leakage: Data Cache Hierarchy (L1-Dcache, L2 Cache, LLC, Directory)
Side-Channels Out Of Scope: Port & Functional Unit Contention; Branch Predictor, TLB, I-Cache; Main-Memory

7 Problem: Cache Exploit by Speculation Attacks
[Diagram labels: Processor; Core; Cache]
Speculative Execution: Secret Encoded as Cache Address; Install Array[Secret] in Cache
Mis-speculation Detected: Cache State Retained
Non-Speculative: Cache Hit on Array[Secret]; Leak Secret
Need to Prevent Speculative Cache Changes Leaking Information

8 Prior Work vs Our Approach - To Do or Not to Do?
Prior Work: InvisiSpec – Redo based [Yan+, MICRO-2018]
Speculative: No Cache Change
Mis-Speculation: No Leakage of Information
Correct Speculation (Common): 2nd Load to Update Cache
Slowdown due to Double Loads
Our Approach: Undo Based
Speculative: Install + Evict
Correct Speculation (Common)
Mis-Speculation (Uncommon): Cleanup Changes; No Leakage of Information
Low-overhead => only on Mis-speculation
Goal: Enable an Undo-Based Mitigation without Buffering, OS-Support, SW-Rewrite

9 Agenda
Introduction
Background & Motivation
Design of CleanupSpec
Evaluation

10 Cache Changes that Need to be Undone
[Diagram labels: Core; C0; C1; Dirty; L1-Cache; L2-Cache]
L1 Cache: Install (Miss), Evict; Repl-state Update (Hit)
L2 Cache: Install, Evict
Directory: Exclusive => Shared [Yao+, HPCA-18]
Need to Undo Changes to L1 cache, L2/LLC and Coherence State

11 L1-Cache Cleanup → Invalidate Install, Restore Eviction
[Diagram labels: Core; L1-Cache; L2-Cache]
L1 Cache Changes (Speculative): Install (Miss), Evict; Repl-state Update (Hit)
Cleanup On Mis-speculation: (1) Invalidate; (2) Restore; Random Repl-Policy (stateless)
Random-Replacement incurs <1% Slowdown; Cleanup needed only on Mis-Speculation + L1-Cache Miss

12 L2/LLC – Invalidate Install & Randomize Evictions
L2/LLC Evictions Complex & Leak Info
L2/LLC Evictions Complex → Randomize
[Diagram labels: Core; L1-Cache; L2-Cache; Dirty; Line Address; Randomizing Function; Set Index; N-lower bits] [CEASER, MICRO-18] and others
L2 Cache Changes: Install, Evict
Cleanup: Invalidate
Evictions are Benign; Cleanup Only Requires Invalidation of L2/LLC lines

13 Restoring Coherence State Changes
Coherence State Changes on Get-S, with Fraction of Total Loads (PARSEC/SPLASH-2 on SniperSim, 4-Core system):
Local Cache: M/E/S → S, Remote Cache: S → S: 97% (Restore)
Remote Cache: M/E → S: 2% (Delay)
DRAM Access: I → S: 1% (Restore)
CleanupSpec uses “GetS-Safe” to delay Remote-Downgrades until Non-Speculative

14 Putting it together: CleanupSpec Mitigations
[Diagram labels: Core; C0; C1; L1-Cache; L2-Cache]
L1 Cache: Invalidate + Restore
L2 Cache: Invalidate + Randomize
Coherence Downgrades (Exclusive => Shared): Delay till Non-Speculative
Metadata in Cache MSHR & Load-Queue entries track Cache Changes; Storage Overhead <1KB/Core
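
A toy software model of the L1 cleanup from slide 11 (invalidate the speculative install, restore the evicted line), with per-load tracking of cache changes as slide 14 describes. This is an added illustration, not code from the paper or the authors' Gem5 implementation; the cache geometry, the addresses, and the names `L1Cache`, `run_transient` and `PROBE` are assumptions made for the example.

```python
import random

PROBE = list(range(16, 24))  # constructed probe-array line addresses, one per secret value

class L1Cache:
    """Toy L1: `sets` sets of `ways` lines, random (stateless) replacement."""
    def __init__(self, sets=4, ways=2, seed=1):
        self.ways = ways
        self.lines = [[] for _ in range(sets)]  # resident line addresses per set
        self.rng = random.Random(seed)
        self.log = []  # side effects of in-flight speculative loads that filled a line

    def _set(self, addr):
        return self.lines[addr % len(self.lines)]

    def hit(self, addr):
        return addr in self._set(addr)

    def load(self, addr, speculative=False):
        s = self._set(addr)
        if addr in s:
            return True   # hit: random replacement has no per-line state to update
        evicted = s.pop(self.rng.randrange(self.ways)) if len(s) == self.ways else None
        s.append(addr)
        if speculative:   # remember what this load changed so it can be undone
            self.log.append({"addr": addr, "evicted_addr": evicted})
        return False

    def cleanup(self):
        """On mis-speculation, undo side effects youngest load first. Assumes no
        other access touched the cache since (pipeline stalled during cleanup)."""
        while self.log:
            e = self.log.pop()
            s = self._set(e["addr"])
            s.remove(e["addr"])                  # 1. invalidate the speculative install
            if e["evicted_addr"] is not None:
                s.append(e["evicted_addr"])      # 2. restore the evicted line

def snapshot(cache):
    return [sorted(s) for s in cache.lines]

def run_transient(secret, do_cleanup):
    """Warm the cache, wrong-path load PROBE[secret], squash, then probe."""
    c = L1Cache()
    for a in range(8):   # constructed warm-up lines that fill every set
        c.load(a)
    before = snapshot(c)
    c.load(PROBE[secret], speculative=True)
    if do_cleanup:
        c.cleanup()
    return [c.hit(a) for a in PROBE], snapshot(c) == before
```

`run_transient(5, False)` leaves exactly one probe line resident, which is the hit/miss difference a timing probe would measure; `run_transient(5, True)` returns all misses with the pre-speculation contents restored.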

15 Agenda
Introduction
Background & Motivation
Design
Evaluation

16 Security Analysis
Timeline: t = t0 Speculative Install; t = t1 Mis-speculation Detected; t = t2 Cleanup Completed; t = t∞
Concern: Adversary infers cache hit/miss on Correct-Path
Concern: Adversary gets Cache-Hit
Concern: Correct-Path Loads get Cache Hit
Redressal: Detected by metadata in Cache MSHRs & serviced as Cache-Miss (Transient Window < 650 cycles for 99% loads)
Redressal: Pipeline stalled till Cleanup completes
Redressal: Lines invalidated, restored or randomized
Key Security Property: After Mis-speculation, Cache State Restored or Randomized

17 Evaluating Proof of Concept Defense
[Plot: Avg. access time for Secret-Inference in Spectre-V1 vs. Array Index (in multiples of 512)]
CleanupSpec has no latency difference for (secret) entry installed on wrong-path

18 Performance Overheads
[Plot: Normalized Execution Time for CleanupSpec vs Non-Secure; axis: Slowdown; workloads in Decreasing Order of Branch Mis-prediction Rate]
(Evaluations on Gem5-SE: 1-Core OOO, L1-Cache 64KB, L2-Cache – 2MB)
Plot annotations: Branch Mis-prediction Rate: > 5%; L1-D Cache Miss-Rate: 3%-6%
Avg. Slowdown 5.1%
In comparison, InvisiSpec-2019 has 15% slowdown – 3x more than CleanupSpec (5%)

19 Conclusion
Problem: Mitigate speculation-attacks leveraging cache as a channel
Existing Solutions: Have high overheads (15% or more)
Key insights: Undoing speculative changes or Randomizing them
CleanupSpec is practical → <1KB / core storage & 5% slowdown
Thanks! Questions?

20 Backup

21 Prefetching + CleanupSpec
Train Prefetcher on Non-Speculative Access Stream
Approach 1 – Simple Prefetchers: E.g. Next Line Prefetchers; Issue Prefetch on Speculative Load; Track & Cleanup Cache
Approach 2 – Complex Prefetchers: E.g. Irregular / Pattern-based Prefetchers; Issue Prefetch on Non-Speculative Load; Increase Degree to ensure timeliness

22 Metadata for Tracking Load Side-Effects on Cache
5 – 7 bytes metadata per LQ & MSHR entry:
Cleanup Epoch
Load completion order
Whether Line Filled
Evicted Line Address
Total Storage Overhead < 1KB / core (for 32 LQ Entries & 64 L1/L2 MSHR entries)

23 How SEFE Enables Cleanup Operations

24 Performance Evaluation Methodology
Simulator: Gem5 in native execution
Benchmarks: SPEC-CPU2006 (500 Million instruction slices)
System Configuration: 1-Core Out-of-Order; LQ – 32 Entry; L1-DCache – 64KB; L2-Cache (our LLC) – 2MB/core

25 Time for Actual Cleanup Operations
[Plots: CDF; PDF]

26 Characterizing Cleanup on Mis-Speculations
[Plot: Frequency of Pipeline Squash (Avg. 20 squashes per 1000 Inst)]
[Plot: Stall-Time Per Pipeline Squash (Avg. 25 cycles/squash, Avg. 5 cycles for cleanup)]

27 Statistics for Loads Requiring Cleanup
[Tables: Workload Characteristics; Statistics for Squashed Loads]

