Lecture: Meltdown

preparation

• do Exercise: Meltdown

administrivia

• demos: talk to us after lecture or email staff today
• course eval

attack overview

• timeline, some internal discussions, and Intel’s response

• out-of-order execution
  • see figure 1
  • cpu (and compiler too) can rewrite & reorder your code - why?
  • roll back any externally visible effects if speculative execution fails
  • but the cache can have be written and is not discarded
  • how to deal with registers & cache
• address space isolation
  • review virtual memory in xv6 & JOS
  • user takes the lower half & kernel takes the upper half
  • what does the kernel’s half contain - (remapping of) the entire physical memory
  • why is the kernel’s half mapped?
  • what prevents user from accessing the kernel’s upper half - cpu mode & U bit in PTE
• high-level plan: see listing 2
  • read the secret byte from a kernel address
  • use the secret byte to index into a 256-page probe array
  • time the difference of accessing each page to find out the secret byte
• practical details
  • make probe array sparse
  • suppress exceptions - what approaches are proposed?
  • noise & performance

defense discussion

• a range of similar attacks
• OS workaround example: Linux kernel page-table isolation
  • idea: minimizing mappings in user space (if PTE_U is insufficient)
  • old syscall entry code
  • new syscall entry code
• who’s at fault?
• new CPU design/instructions?