Where performance goes wrong
Spectre/Meltdown
• Critical hardware/software interaction that allows protected memory to be accessed
• Widespread in nearly all modern processors
• Fixing it can cost performance
• Root cause is performance optimisation
Modern pipelines
• Modern processors have pipelines
• Key implementation technique for making fast CPUs.
• Execution of instructions is broken down into stages.
• Each stage can be executed in one CPU clock cycle
• Once a stage has completed for one instruction, it can be executed for the next instruction on the subsequent clock cycle.
• Allows one instruction to be completed per clock cycle, even though the instruction itself may take many cycles to complete.
Problems of pipelines
Three major problems to overcome:
• Structural hazards
• two instructions both require the same hardware resource at the same time
• Data hazards
• one instruction depends on the result of another instruction further down the pipeline
• Control hazards
• result of instruction changes which instruction to execute next (e.g. branches)
Any of these can result in stopping and restarting the pipeline, and wasting cycles as a result.
Solution to hazards
• Speculative execution used to mitigate costs of control hazards
• Instruction from one of the branches executed whilst waiting for result of branch to be known
• Instruction result cancelled (backed out) if it shouldn’t have been executed
• Requires extra registers and logic but can keep pipelines running and provide good performance
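As an added illustration that is not part of the slides, a small Python model of the pipeline behaviour described above: a control hazard stalls fetch until the branch resolves, while speculative execution keeps the pipeline full when the prediction is right and backs the work out when it is wrong. The five stage names, resolution of branches in EX, and the Instr record are assumptions of this model.

```python
"""Toy cycle-by-cycle model of a 5-stage in-order pipeline (constructed example).
Shows how a control hazard stalls fetch until the branch resolves, and how speculation
keeps the pipeline full when right and backs the work out when wrong."""
from dataclasses import dataclass

STAGES = ("IF", "ID", "EX", "MEM", "WB")   # assumed stage names
RESOLVE = STAGES.index("EX")               # assumed: direction known once the branch is in EX

@dataclass(frozen=True, eq=False)
class Instr:
    name: str
    is_branch: bool = False
    taken: bool = False          # actual outcome, meaningful only for branches

def simulate(program, speculate, predict_taken=False):
    """Return (total_cycles, trace); trace[c] lists each stage's occupant in cycle c:
    an instruction name, "-" for a bubble, "?" for wrong-path work."""
    pipe = [None] * len(STAGES)        # pipe[i] holds what is in stage i this cycle
    pc, pending, trace = 0, None, []
    wait = mispredict = False
    while pc < len(program) or any(s is not None for s in pipe[:-1]):
        # 1. fetch decides what enters the pipeline this cycle
        if wait:
            fetched = None                          # stalled: a bubble enters
        elif mispredict:
            fetched = "?"                           # fetching down the wrong path
        elif pc >= len(program):
            fetched = None                          # program exhausted, just drain
        else:
            fetched = program[pc]
            pc += 1
            if fetched.is_branch:
                pending = fetched
                wait = not speculate                # no speculation: stall until resolved
                mispredict = speculate and predict_taken != fetched.taken
        # 2. every stage advances one step; whatever was in WB retires
        pipe = [fetched] + pipe[:-1]
        trace.append([s.name if isinstance(s, Instr) else (s or "-") for s in pipe])
        # 3. the branch reaching EX resolves: lift the stall, or cancel wrong-path work
        if pending is not None and pipe[RESOLVE] is pending:
            if mispredict:
                pipe[:RESOLVE] = [None] * RESOLVE   # back out the younger instructions
            pending, wait, mispredict = None, False, False
    return len(trace), trace

if __name__ == "__main__":
    prog = [Instr("A"), Instr("B1", is_branch=True, taken=True), Instr("C"), Instr("D")]
    for spec, pred in ((False, False), (True, True), (True, False)):
        cycles, trace = simulate(prog, speculate=spec, predict_taken=pred)
        print(f"speculate={spec} predict_taken={pred}: {cycles} cycles", *trace, sep="\n  ")
```

With the four-instruction program in the demo, the stall and the misprediction both cost two cycles (10 instead of 8), which is the price the slides describe speculation as avoiding when the guess is right.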
Spectre/Meltdown
• Program memory can be inter-mingled with kernel memory
• Virtual memory to physical memory mapping means program memory can be located next to kernel memory
• Kernel memory is protected from reading/writing by programs
• Memory references are checked against allowed access when a kernel page fault is undertaken
• In theory, programs are, therefore, not able to read kernel memory
Spectre/Meltdown
• However, speculative execution can be undertaken to get around this check
• Specially designed code does this:
• Write a loop or something with a control hazard in it
• Write some instructions after that:
• Request some kernel memory
    ; rcx = kernel address
    ; rbx = probe array
    retry:
    mov al, byte [rcx]
    shl rax, 0xc
    mov rbx, qword [rbx +
• Whilst the kernel memory request will trigger an exception and the program will not be allowed to actually read the data, the speculative execution means the data has been loaded into cache
• Special instructions can then be used to fetch the cache line and get the data from it
Spectre/Meltdown
• Meltdown exploits this to get kernel memory
• Spectre exploits this to get browser memory and therefore get other programs’ data
• Both can only retrieve data in memory
• These aren’t privilege-raising exploits
• However, fixing them involves disabling speculative execution
• Therefore reducing performance for some applications/workloads