## Virtual Memory II

CSE 351 Summer 2020

#### **Instructor:**

**Porter Jones** 

#### **Teaching Assistants:**

Amy Xu
Callum Walker
Sam Wolfson
Tim Mandzyuk



WHY EVERYTHING I HAVE IS BROKEN

https://xkcd.com/1495/

#### **Administrivia**

Questions doc: <a href="https://tinyurl.com/CSE351-8-10">https://tinyurl.com/CSE351-8-10</a>

- hw19 is optional
  - Can complete it at any point before the quarter ends
  - Practice with virtual memory concepts
- hw20 due Friday (8/14) 10:30am
- - All about caches!

## Virtual Memory (VM)

- Overview and motivation
- VM as a tool for caching
- Address translation
- VM as a tool for memory management
- VM as a tool for memory protection

#### **Address Translation**

How do we perform the virtual → physical address translation?



# Address Translation: Page Tables P= 2° P= 10921

CPU-generated address can be split into:



- Note that Physical Offset = Virtual Offset (page-aligned)
- Use lookup table that we call the page table (PT)
  - Replace Virtual Page Number (VPN) for Physical Page Number (PPN) to generate Physical Address
  - Index PT using VPN: page table entry (PTE) stores the PPN plus management bits (e.g. Valid, Dirty, access rights)
  - Has an entry for every virtual page



## Page Table Address Translation



## Polling Question [VM II]

- \* How many bits wide are the following fields?
  - 16 KiB pages
  - 48-bit virtual addresses
  - 16 GiB physical memory
  - Vote at: <a href="http://pollev.com/pbjones">http://pollev.com/pbjones</a>

| VPN       | PPN            |
|-----------|----------------|
| <b>34</b> | 24             |
| <b>32</b> | 18             |
| <b>30</b> | 20             |
| 34        | 20             |
|           | 34<br>32<br>30 |

| VA widow = 48 518 5                                    |
|--------------------------------------------------------|
| VA widow = 48 518 ><br>PA widow = log_2(234) = 34 5:+5 |
| -Cffet - 1000 (2) = 17 61                              |
| UPN width = VAwidth - offset = 34 bits                 |
| VPN with = VANION WIGHT - 20 10/49                     |
| PPN width = PAWidth - Sister = 20 6/49                 |
|                                                        |

CSE351, Summer 2020

## Page Hit

Page hit: VM reference is in physical memory



## Page Fault

\* Page fault: VM reference is NOT in physical memory



### Reminder: Page Fault Exception

- User writes to memory location
- That portion (page) of user's memory is currently on disk

```
int a[1000];
int main () {
    a[500] = 13;
}
```

```
80483b7: c7 05 10 9d 04 08 0d movl $0xd,0x8049d10
```



- Page fault handler must load page into physical memory
- ❖ Returns to faulting instruction: mov is executed again!
  - Successful on second try

Page miss causes page fault (an exception)



- Page miss causes page fault (an exception)
- Page fault handler selects a victim to be evicted (here VP 4)



- Page miss causes page fault (an exception)
- Page fault handler selects a victim to be evicted (here VP 4)



- Page miss causes page fault (an exception)
- OS croose Sictim.
- Page fault handler selects a victim to be evicted (here VP 4)
- Offending instruction is restarted: page hit!



## Virtual Memory (VM)

- Overview and motivation
- VM as a tool for caching
- Address translation
- VM as a tool for memory management
- VM as a tool for memory protection

## VM for Managing Multiple Processes

- Key abstraction: each process has its own virtual address space
  - It can view memory as a simple linear array
- With virtual memory, this simple linear virtual address space need not be contiguous in physical memory
  - Process needs to store data in another VP? Just map it to any PP!



## **Simplifying Linking and Loading**

#### Linking

- Each program has similar virtual address space
- Code, Data, and Heap always start at the same addresses

#### Loading

- execve allocates virtual pages
   for .text and .data sections
   & creates PTEs marked as invalid
- The .text and .data sections are copied, page by page, on demand by the virtual memory system
  0x400000

Memory invisible to Kernel virtual memory user code User stack (created at runtime) %rsp (stack pointer) Memory-mapped region for shared libraries brk Run-time heap (created by malloc) Read/write segment Loaded (.data, .bss) from the executable Read-only segment file (.init, .text, .rodata) Unused

## **VM for Protection and Sharing**

- The mapping of VPs to PPs provides a simple mechanism to protect memory and to share memory between processes
  - Sharing: map virtual pages in separate address spaces to the same physical page (here: PP 6)
  - Protection: process can't access physical pages to which none of its virtual pages are mapped (here: Process 2 can't access PP 2)



## **Memory Protection Within Process**

- VM implements read/write/execute permissions
  - Extend page table entries with permission bits
  - MMU checks these permission bits on every memory access

 If violated, raises exception and OS sends SIGSEGV signal to process (segmentation fault)



## **Review Question**

What should the permission bits be for pages from the following sections of virtual memory?

| Section       | Read | Write         | Execute          |
|---------------|------|---------------|------------------|
| Stack         | 1    |               | C                |
| Heap          | 1    |               | 6                |
| 9 Static Data |      | )             | S                |
| Literals      | \    | () (Constant) | 0                |
| Instructions  |      | O (don't cox) | langer<br>instru |

Granil/

## Address Translation: Page Hit ( Page 15 in memory)



- 1) Processor sends virtual address to MMU (memory management unit)
- 2-3) MMU fetches PTE from page table in cache/memory (Uses PTBR to find beginning of page table for current process)
- 4) MMU sends physical address to cache/memory requesting data
- 5) Cache/memory sends data to processor

VA = Virtual Address PTEA = Page Table Entry Address PTE= Page Table Entry
PA = Physical Address Data = Contents of memory stored at VA originally requested by CPU

## Address Translation: Page Fault ( rose is not in physical physical



- 1) Processor sends virtual address to MMU
- **2-3)** MMU fetches PTE from page table in cache/memory
- 4) Valid bit is zero, so MMU triggers page fault exception
- 5) Handler identifies victim (and, if dirty, pages it out to disk)
- 6) Handler pages in new page and updates PTE in memory
- 7) Handler returns to original process, restarting faulting instruction

#### **Hmm...** Translation Sounds Slow

- The MMU accesses memory twice: once to get the PTE for translation, and then again for the actual memory request
  - The PTEs may be cached in L1 like any other memory word
    - But they may be evicted by other data references
    - And a hit in the L1 cache still requires 1-3 cycles

- What can we do to make this faster?
  - Solution: add another cache!

## Speeding up Translation with a TLB

#### Translation Lookaside Buffer (TLB):

- Small hardware cache in MMU
  - Split VPN into TLB Tag and TLB Index based on # of sets in TLB
- Maps virtual page numbers to physical page numbers
- Stores page table entries for a small number of pages
  - Modern Intel processors have 128 or 256 entries in TLB
- Much faster than a page table lookup in cache/memory





A TLB hit eliminates a memory access!



- A TLB miss incurs an additional memory access (the PTE)
  - Fortunately, TLB misses are rare

## **Fetching Data on a Memory Read**

- 1) Check TLB translate VA > PA
  - Input: VPN, Output: PPN
  - TLB Hit: Fetch translation, return PPN
  - TLB Miss: Check page table (in memory)
    - Page Table Hit: Load page table entry into TLB
    - Page Fault: Fetch page from disk to memory, update corresponding page table entry, then load entry into TLB
- 2) Check cache use PA to get soon
  - Input: physical address, Output: data
  - Cache Hit: Return data value to processor
  - Cache Miss: Fetch data value from memory, store it in cache, return it to processor

#### **Address Translation**



## **Address Manipulation**



## **Context Switching Revisited**

- What needs to happen when the CPU switches processes?
  - Registers:
    - Save state of old process, load state of new process
    - Including the Page Table Base Register (PTBR)
  - Memory:
    - Nothing to do! Pages for processes already exist in memory/disk and protected from each other
  - TLB:
    - Invalidate all entries in TLB mapping is for old process' VAs
  - Cache:
    - Can leave alone because storing based on PAs good for shared data

## Memory Overview (data flow)



## **Summary of Address Translation Symbols**

- Basic Parameters
  - $N = 2^n$  Number of addresses in virtual address space
  - $M = 2^m$  Number of addresses in physical address space
  - $P = 2^p$  Page size (bytes)
- Components of the virtual address (VA)
  - VPO Virtual page offset
  - VPN Virtual page number
  - **TLBI** TLB index
  - **TLBT** TLB tag
- Components of the physical address (PA)
  - PPO Physical page offset (same as VPO)
  - PPN Physical page number

## **Virtual Memory Summary**

- Programmer's view of virtual memory
  - Each process has its own private linear address space
  - Cannot be corrupted by other processes

- System view of virtual memory
  - Uses memory efficiently by caching virtual memory pages
    - Efficient only because of locality
  - Simplifies memory management and sharing
  - Simplifies protection by providing permissions checking

## **Memory System Summary**

- Memory Caches (L1/L2/L3)
  - Purely a speed-up technique
  - Behavior invisible to application programmer and (mostly) OS
  - Implemented totally in hardware
- Virtual Memory
  - Supports many OS-related functions
    - Process creation, task switching, protection
  - Operating System (software)
    - Allocates/shares physical memory among processes
    - Maintains high-level tables tracking memory type, source, sharing
    - Handles exceptions, fills in hardware-defined mapping tables
  - Hardware
    - Translates virtual addresses via mapping tables, enforcing permissions
    - Accelerates mapping via translation cache (TLB)

## Simple Memory System Example (small)

- Addressing
- 14-Dit virtual addresses n=14 ←> N=16 K; B VA Space

  12-bit physical address m=12 ←> M=4 K; BPA space

  □ 12-bit physical address

  - P=64 ES p=66HS Page size = 64 bytes



**Note:** showing 2 hex digits for PPN even though only 6 bits

Note: other management bits not shown, but part of PTE

|            |     | 1 1 2 |
|------------|-----|-------|
| <b>VPN</b> | PPN | Valid |
| 0          | 28  | 1     |
| 1          | 1   | 0     |
| 2          | 33  | 1     |
| 3          | 02  | 1     |
| 4          | 1   | 0     |
| 5          | 16  | 1     |
| 6          | 1   | 0     |
| 7          | _   | 0     |
|            |     |       |

| PPN | Valid                          |
|-----|--------------------------------|
| 13  | 1                              |
| 17  | 1                              |
| 09  | 1                              |
| ı   | 0                              |
| ı   | 0                              |
| 2D  | 1                              |
| _   | 0                              |
| 0D  | 1                              |
|     | 13<br>17<br>09<br>-<br>-<br>2D |

## **Simple Memory System: TLB**



## Simple Memory System: Cache

Note: It is just coincidence that the PPN is the same width as the cache Tag

- Direct-mapped with K = 4 B, C/K = 16
- Physically addressed



| Index | Tag | Valid | В0 | B1 | B2 | В3 |
|-------|-----|-------|----|----|----|----|
| 0     | 19  | 1     | 99 | 11 | 23 | 11 |
| 1     | 15  | 0     | -  | _  | _  | _  |
| 2     | 1B  | 1     | 00 | 02 | 04 | 08 |
| 3     | 36  | 0     | _  | _  | _  | _  |
| 4     | 32  | 1     | 43 | 6D | 8F | 09 |
| 5     | 0D  | 1     | 36 | 72 | F0 | 1D |
| 6     | 31  | 0     | _  | _  | _  | _  |
| 7     | 16  | 1     | 11 | C2 | DF | 03 |

| Index | Tag | Valid | В0 | B1 | B2 | В3 |
|-------|-----|-------|----|----|----|----|
| 8     | 24  | 1     | 3A | 00 | 51 | 89 |
| 9     | 2D  | 0     | _  | -  | -  | _  |
| Α     | 2D  | 1     | 93 | 15 | DA | 3B |
| В     | OB  | 0     | _  | -  | -  | _  |
| С     | 12  | 0     | -  | -  | -  | _  |
| D     | 16  | 1     | 04 | 96 | 34 | 15 |
| Ε     | 13  | 1     | 83 | 77 | 1B | D3 |
| F     | 14  | 0     | _  | _  | _  | _  |

Index

## Current State of Memory System

#### TLB:

| Set | Tag | PPN | V | Tag | PPN | V   | Tag | PPN | V   | Tag | PPN | V |
|-----|-----|-----|---|-----|-----|-----|-----|-----|-----|-----|-----|---|
| 0   | 03  | _   | 0 | 09  | 0D  | 1   | 00  | _   | 0,% | 07  | 02  | 1 |
| 1   | 03  | /2D | 1 | 02  | _   | 0   | 04  | _   | 0   | 0A  | _   | 0 |
|     |     |     |   |     |     |     |     |     |     |     | _   |   |
| 3   | 07  | _   | 0 | 03√ | OD  | 1 🗸 | 0A  | 34  | 1   | 02  | _   | 0 |

#### Page table (partial):

| VPN | PPN  | V   | VPN  | PPN | V  |
|-----|------|-----|------|-----|----|
| 30  | 28 ( | 1 🗸 | 8    | 13  | 1  |
| 1   | ]    | 0   | 9    | 17  | 1  |
| 2   | 33   | 1   | Α    | 09  | 1  |
| 3   | 02   | 1   | В    | -   | 0  |
| 4   | -    | 0   | C    | -   | 0  |
| 5   | 16   | 1   | D    | 2D  | 1  |
| 6   | _    | 0   | (2)E | _   | 0× |
| 7   | _    | 0   | F    | 0D  | 1  |

#### Cache:

| Index | Tag         | V   | В0 | B1 | <i>B2</i> | <i>B3</i> |
|-------|-------------|-----|----|----|-----------|-----------|
| 0     | 19          | 1   | 99 | 11 | 23        | 11        |
| 1     | 15          | 0   | _  | ı  | _         | _         |
| 2     | 1B          | 1   | 00 | 02 | 04        | 08        |
| 3     | 36          | 0   | _  | -  | _         | _         |
| 4     | 32          | 1   | 43 | 6D | 8F        | 09        |
| ) 5   | 0D <b>√</b> | 1 🗸 | 36 | 72 | F0        | 1D        |
| 6     | 31          | 0   | _  | _  | _         | _         |
| 7     | 16          | 1   | 11 | C2 | DF        | 03        |

| Tag         | V   | В0 | B1 | <b>B2</b> | В3 |
|-------------|-----|----|----|-----------|----|
| 24 <b>×</b> | 1 🗸 | 3A | 00 | 51        | 89 |
| 2D          | 0   | _  | _  | _         | _  |
| 2D√         | 1 🗸 | 93 | 15 | DA        | 3B |
| OB          | 0   | _  | _  | _         | _  |
| 12          | 0   | _  | _  | _         | -  |
| 16          | 1   | 04 | 96 | 34        | 15 |
| 13          | 1   | 83 | 77 | 1B        | D3 |
| 14          | n   | _  | _  | _         | _  |

## **Polling Question [VM III]**

**Memory Request Example #1** 

❖ Virtual Address: 0x03D4

Note: It is just coincidence that the PPN is the same width as the cache Tag





## **Memory Request Example #2**

Note: It is just coincidence that the PPN is the same width as the cache Tag

❖ Virtual Address: 0x038F





## **Memory Request Example #3**

Note: It is just coincidence that the PPN is the same width as the cache Tag

❖ Virtual Address: 0x0020





## **Memory Request Example #4**

Note: It is just coincidence that the PPN is the same width as the cache Tag

❖ Virtual Address: 0x036B





## **Practice VM Question**

- Our system has the following properties
  - 1 MiB of physical address space
  - 4 Giß of virtual address space
  - ■25 7 25 25 25 32 KiB page size

- n=20 bits n=32 bits P=156;ts
- 4-entry fully associative TLB with LRU replacement

1 set

a) Fill in the following blanks:

Minimum bit-width of ptbr Physical address

Max # of valid entries in a page table

## **Practice VM Question**

startadoress is page of set

One process uses a page-aligned square matrix mat [] of 32-bit integers in the code shown below:

```
#define MAT_SIZE = 2048
for(int i = 0; i < MAT_SIZE; i++)
  mat[i*(MAT_SIZE+1)] = i;</pre>
```

b) What is the largest stride (in bytes) between successive memory accesses (in the VA space)?



## **Practice VM Question**

One process uses a page-aligned square matrix mat[] of 32-bit integers in the code shown below:

c) Assuming all of mat[] starts on disk, what are the following hit rates for the execution of the for-loop?

3/4=75% TLB Hit Rate

alless pottern: single writh to index

never revisit indices

never revisit indices

each row of matrix

page holds 2 15/213=4 rows

of matrix

each page = MHHH

each page = MHHH

each page = MHHH

## Page Table Reality

This is extra (non-testable) material

- Just one issue... the numbers don't work out for the story so far!
- The problem is the page table for each process:
   n=64 bits, p=13 bits, m=33 bits
   Suppose 64-bit VAs, 8 KiB pages, 8 GiB physical memory

  - How many page table entries is that? 1 PTE for every virtual page ■ About how long is each PTE?
    PPN width + management bits = 20+5= 25 Lits \$3 bytes (V,D,R,W,X)m-p
  - Moral: Cannot use this naïve implementation of the virtual → physical page mapping – it's way too big

## A Solution: Multi-level Page Tables

This is extra (non-testable) material



## **Multi-level Page Tables**

This is extra (non-testable) material

- \* A tree of depth k where each node at depth i has up to  $2^{j}$  children if part i of the VPN has j bits
- Hardware for multi-level page tables inherently more complicated
  - But it's a necessary complexity 1-level does not fit
- Why it works: Most subtrees are not used at all, so they are never created and definitely aren't in physical memory
  - Parts created can be evicted from cache/memory when not being used
  - Each node can have a size of ~1-100KB
- \* But now for a k-level page table, a TLB miss requires k+1 cache/memory accesses
  - Fine so long as TLB misses are rare motivates larger TLBs

# BONUS SLIDES

#### For Fun: DRAMMER Security Attack

- Why are we talking about this?
  - Recent: Announced in October 2016; Google released Android patch on November 8, 2016
  - Relevant: Uses your system's memory setup to gain elevated privileges
    - Ties together some of what we've learned about virtual memory and processes
  - Interesting: It's a software attack that uses only hardware vulnerabilities and requires no user permissions

## **Underlying Vulnerability: Row Hammer**

- Dynamic RAM (DRAM) has gotten denser over time
  - DRAM cells physically closer and use smaller charges
  - More susceptible to "disturbance errors" (interference)
- DRAM capacitors need to be "refreshed" periodically (~64 ms)
  - Lose data when loss of power
  - Capacitors accessed in rows
- Rapid accesses to one row can flip bits in an adjacent row!
  - ~ 100K to 1M times



By Dsimic (modified), CC BY-SA 4.0, <a href="https://commons.wikimedia.org/w">https://commons.wikimedia.org/w</a> /index.php?curid=38868341

## **Row Hammer Exploit**

- Force constant memory access
  - Read then flush the cache
  - clflush flush cache line
    - Invalidates cache line containing the specified address
    - Not available in all machines or environments

```
hammertime:
  mov (X), %eax
  mov (Y), %ebx
  clflush (X)
  clflush (Y)
  jmp hammertime
```

- Want addresses X and Y to fall in activation target row(s)
  - Good to understand how banks of DRAM cells are laid out
- The row hammer effect was discovered in 2014
  - Only works on certain types of DRAM (2010 onwards)
  - These techniques target x86 machines

## **Consequences of Row Hammer**

- Row hammering process can affect another process via memory
  - Circumvents virtual memory protection scheme
  - Memory needs to be in an adjacent row of DRAM
- Worse: privilege escalation
  - Page tables live in memory!
  - Hope to change PPN to access other parts of memory, or change permission bits
  - Goal: gain read/write access to a page containing a page table, hence granting process read/write access to all of physical memory

## **Effectiveness?**

- Doesn't seem so bad random bit flip in a row of physical memory
  - Vulnerability affected by system setup and physical condition of memory cells

#### Improvements:

- Double-sided row hammering increases speed & chance
- Do system identification first (e.g. Lab 4)
  - Use timing to infer memory row layout & find "bad" rows
  - Allocate a huge chunk of memory and try many addresses, looking for a reliable/repeatable bit flip
- Fill up memory with page tables first
  - fork extra processes; hope to elevate privileges in any page table

## What's DRAMMER?

- No one previously made a huge fuss
  - Prevention: error-correcting codes, target row refresh, higher DRAM refresh rates
  - Often relied on special memory management features
  - Often crashed system instead of gaining control
- Research group found a deterministic way to induce row hammer exploit in a non-x86 system (ARM)
  - Relies on predictable reuse patterns of standard physical memory allocators
  - Universiteit Amsterdam, Graz University of Technology, and University of California, Santa Barbara

### **DRAMMER Demo Video**

- It's a shell, so not that glamorous, but still interesting
  - Apologies that the text is so small on the video



## How did we get here?

- Computing industry demands more and faster storage with lower power consumption
- Ability of user to circumvent the caching system
  - clflush is an unprivileged instruction in x86
  - Other commands exist that skip the cache
- Availability of virtual to physical address mapping
  - Example: /proc/self/pagemap on Linux
    (not human-readable)

- Google patch for Android (Nov. 8, 2016)
  - Patched the ION memory allocator

## More reading for those interested

- DRAMMER paper: https://vvdveen.com/publications/drammer.pdf
- Google Project Zero: <a href="https://googleprojectzero.blogspot.com/2015/03/exp">https://googleprojectzero.blogspot.com/2015/03/exp</a> loiting-dram-rowhammer-bug-to-gain.html
- First row hammer paper:
   https://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf
- \* Wikipedia: https://en.wikipedia.org/wiki/Row hammer

## **Quick Review**

- ♦ What do Page Tables map?
  VPN → PPN or disk address
- Where are Page Tables located?
- \* ЫœwpmanysPage Tables are there?
- \* True / False: Virtual Addressés that are contiguous will always be contiguous in physical memory

  pages can be mapped to any slot in physical mem

\* TLB stands for and stores translation lookaside buffer

page table entries

## **Quick Review Answers**

- What do Page Tables map?
  - VPN → PPN or disk address
- Where are Page Tables located?
  - In physical memory
- How many Page Tables are there?
  - One per process
- Can your program tell if a page fault has occurred?
  - Nope, but it has to wait a long time
- What is thrashing?
  - Constantly paging out and paging in
- True / False: Virtual Addresses that are contiguous will always be contiguous in physical memory
  - Could fall across a page boundary
- TLB stands for <u>Translation Lookaside Buffer</u> and stores <u>page table entries</u>

## **Handouts Diagrams**



## **Handouts Diagrams**



## **Address Translation**

- VM is complicated, but also elegant and effective
  - Level of indirection to provide isolated memory & caching

