Re: Reverse engineering of Intel branch predictors

Liste des GroupesRevenir à c arch 
Sujet : Re: Reverse engineering of Intel branch predictors
De : monnier (at) *nospam* iro.umontreal.ca (Stefan Monnier)
Groupes : comp.arch
Date : 11. Nov 2024, 21:55:01
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <jwv7c99sdzw.fsf-monnier+comp.arch@gnu.org>
References : 1 2 3 4
User-Agent : Gnus/5.13 (Gnus v5.13)
If "leave no trace" includes not slowing down other concurrent memory
accesses (e.g. from other CPUs), it might require some kind of
priority scheme.
First, one needs to ensure that the CPU performing speculative
fetch will not slown down due to say resource contention.

AFAIK there have been attempts at using resource contention as a side
channel, indeed, but the effectiveness depends on the scale of the impact
of resource contention compared to the "ambient noise".

IOW, there we get into the realm of quantifying the leaks.

But AFAIK if you limit yourself to L1 accesses I believe it's not too
hard to avoid all resource contentions (i.e. make sure that
no speculative access can slow down a less speculative access).

If you want several ("arbitrarily many") speculative fetches without
slowing down normal execution, that would mean highly
overprovisioned machine.

Once you're into the higher levels of cache, I don't have a clear
picture of how hard/easy it would be to maintain the "no
trace" guarantee.  And the higher in the hierarchy you go, the more
visible any slowdown will be, I expect.

If you're worried about, say, a Spectre-like attack measuring the
temperature or the power consumption of the CPU to try and guess what
operations were performed (or what addresses were accessed, ...)
speculatively, then you'd have to be yet more careful.
I am mostly concerned with remote attacks.  To block them it should
be enough to ensure that machine never goes into thermal throttling
(I consider adversary who is not able to directly monitor power
or temperature, so only thing remaining is thermal throttling and
its effect on execution time).

Thermal and power information is usually made available to non-root
processes, so I think we should assume remote attackers have access
to it.  Maybe the granularity is coarse enough to make the leak
impractical (but we're again in the realm of quantifying leaks, here).


        Stefan

Date Sujet#  Auteur
23 Oct 24 * Reverse engineering of Intel branch predictors34Thomas Koenig
23 Oct 24 +* Re: Reverse engineering of Intel branch predictors24MitchAlsup1
28 Oct 24 i`* Re: Reverse engineering of Intel branch predictors23Stefan Monnier
5 Nov 24 i `* Re: Reverse engineering of Intel branch predictors22MitchAlsup1
11 Nov 24 i  +* Re: Reverse engineering of Intel branch predictors2Thomas Koenig
11 Nov 24 i  i`- Re: Reverse engineering of Intel branch predictors1MitchAlsup1
11 Nov 24 i  `* Re: Reverse engineering of Intel branch predictors19Stefan Monnier
11 Nov 24 i   `* Re: Reverse engineering of Intel branch predictors18MitchAlsup1
12 Nov 24 i    `* Re: Reverse engineering of Intel branch predictors17Stefan Monnier
12 Nov 24 i     `* Re: Reverse engineering of Intel branch predictors16MitchAlsup1
12 Nov 24 i      +* Re: Reverse engineering of Intel branch predictors13Stefan Monnier
12 Nov 24 i      i`* Re: Reverse engineering of Intel branch predictors12MitchAlsup1
13 Nov 24 i      i +* Re: Reverse engineering of Intel branch predictors7Stefan Monnier
13 Nov 24 i      i i`* Re: Reverse engineering of Intel branch predictors6Terje Mathisen
13 Nov 24 i      i i `* Re: Reverse engineering of Intel branch predictors5Stefan Monnier
13 Nov 24 i      i i  `* Re: Reverse engineering of Intel branch predictors4Thomas Koenig
13 Nov 24 i      i i   +* Re: Reverse engineering of Intel branch predictors2Stefan Monnier
14 Nov 24 i      i i   i`- Re: Reverse engineering of Intel branch predictors1Thomas Koenig
14 Nov 24 i      i i   `- Interpreters and indirect-branch prediction (was: Reverse ...)1Anton Ertl
13 Nov 24 i      i `* Interpreters and indirect-branch prediction4Anton Ertl
13 Nov 24 i      i  `* Re: Interpreters and indirect-branch prediction3MitchAlsup1
13 Nov 24 i      i   `* Re: Interpreters and indirect-branch prediction2BGB
14 Nov 24 i      i    `- Re: Interpreters and indirect-branch prediction1BGB
13 Nov 24 i      `* Re: Reverse engineering of Intel branch predictors2Brett
13 Nov 24 i       `- Re: Reverse engineering of Intel branch predictors1MitchAlsup1
1 Nov 24 `* Re: Reverse engineering of Intel branch predictors9Waldek Hebisch
1 Nov 24  +- Re: Reverse engineering of Intel branch predictors1MitchAlsup1
5 Nov 24  `* Re: Reverse engineering of Intel branch predictors7Stefan Monnier
5 Nov 24   +- Re: Reverse engineering of Intel branch predictors1MitchAlsup1
8 Nov 24   `* Re: Reverse engineering of Intel branch predictors5Waldek Hebisch
8 Nov 24    +* Re: Reverse engineering of Intel branch predictors3MitchAlsup1
10 Nov 24    i`* Re: Reverse engineering of Intel branch predictors2Waldek Hebisch
10 Nov 24    i `- Re: Reverse engineering of Intel branch predictors1MitchAlsup1
11 Nov 24    `- Re: Reverse engineering of Intel branch predictors1Stefan Monnier

Haut de la page

Les messages affichés proviennent d'usenet.

NewsPortal