[GTALUG] more on Spectre v2

David Collier-Brown davec-b at rogers.com
Mon Feb 5 16:45:42 EST 2018


On 05/02/18 11:50 AM, D. Hugh Redelmeier via talk wrote:
> | From: David Collier-Brown via talk <talk at gtalug.org>
>
> | There's also a race condition: the 6130 and DPS8m processors checked the
> | permissions of the fetch before they fetched to the (then small) cache.
>
> [These are Honeywell mainframe computers.]
>
> Spectre V2 is about subverting branch target prediction.  Something
> quite different.
>
> BUT this subversion only matters because speculation of memory fetches
> leaves a trace.  So what you mention is relevant, indirectly.
>
> Checking permissions can be quite expensive: going through multi-level
> page tables can involve several memory fetches (which you'd like to
> speculate past).
>
> Obvious cure: keep permissions in each cache line.  The trouble is
> that permissions can be bulky, forcing a reduction in the effective
> size of the cache.  AMD may have done more of this than Intel
> <https://www.amd.com/en/corporate/speculative-execution>

That was the reason I earlier mentioned the (vague!) Oracle/Fujitsu 
SPARC scheme for marking cache lines in different colors. It was 
suspiciously correlated with the covert channel that the Spectre attacks 
were using.

> 	GPZ Variant 3 (Rogue Data Cache Load or Meltdown) is not
> 	applicable to AMD processors.
>
> 	    We believe AMD processors are not susceptible due to our
> 	use of privilege level protections within paging architecture
> 	and no mitigation is required.
>
> Intel seems to have added PCID to each cache line.  It is too small to
> encode a process number but you could assign a PCID number to each
> active process/thread and when you run out, do hard work.  It would be
> kind of analogous to the way we allocate page frames (real memory) to
> pages of processes (virtual memory).
>
> Linux did not use PCID but it seems that Spectre and Meltdown are
> stimulating interest in it.
>
> | Simulating the same thing in the Multics emulator took some extra work but
> | it was implemented well before the spectre attacks showed up.
>
> I assume that we're not talking about a cycle-accurate emulator nor an
> emulator done in hardware.
>
> How would it be extra work in an emulator?  An emulator doesn't
> normally do speculative execution.  For normal path execution, of
> course you must emulate the permissions model of the hardware.

Yes. The emulator authors noted that emulating the permissions on a
fetch was surprisingly complex, in part because the hardware they were
emulating was designed in the middle of the period when covert channels 
were a major concern and had the mandatory-access-control people 
scratching their heads over ways to avoid them.

--dave


-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb at spamcop.net           |                      -- Mark Twain
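Hugh's PCID-recycling analogy above (a small pool of identifiers handed to active processes, reclaimed with "hard work" when they run out, much like page frames), as an added C sketch that is not from the thread or from any real kernel: the four-slot pool, the LRU reclaim policy and the per-PCID invalidation cost are constructed assumptions, and the only hardware fact relied on is that a real x86 PCID is a 12-bit field.

```c
#include <stdio.h>

/* Constructed toy: a real x86 PCID is a 12-bit field (4096 values); four
 * slots make exhaustion visible after a handful of context switches. */
#define NR_PCIDS 4

struct pcid_table {
    int owner[NR_PCIDS];             /* process id holding each PCID, -1 = free */
    unsigned long last_used[NR_PCIDS];
    unsigned long tick;              /* logical clock for LRU victim selection */
    unsigned invalidations;          /* per-PCID TLB invalidations: the "hard work" */
};

void pcid_init(struct pcid_table *t)
{
    for (int i = 0; i < NR_PCIDS; i++) { t->owner[i] = -1; t->last_used[i] = 0; }
    t->tick = 0;
    t->invalidations = 0;
}

/* Context switch to pid: reuse its PCID if it still holds one (its cached
 * translations stay valid, nothing to flush), else take a never-used slot,
 * else evict the least recently used owner, which costs an invalidation of
 * that PCID's stale entries before the identifier is handed over. */
int pcid_switch_to(struct pcid_table *t, int pid)
{
    int victim = 0;
    for (int i = 0; i < NR_PCIDS; i++)
        if (t->owner[i] == pid) { t->last_used[i] = ++t->tick; return i; }
    for (int i = 0; i < NR_PCIDS; i++) {
        if (t->owner[i] == -1) { victim = i; break; }        /* free slot wins */
        if (t->last_used[i] < t->last_used[victim]) victim = i;
    }
    if (t->owner[victim] != -1)
        t->invalidations++;          /* reclaiming: drop that PCID's TLB entries */
    t->owner[victim] = pid;
    t->last_used[victim] = ++t->tick;
    return victim;
}

/* Single shared table so the sequence below can be replayed step by step. */
struct pcid_table demo;
int demo_reset(void) { pcid_init(&demo); return 0; }
int demo_switch(int pid) { return pcid_switch_to(&demo, pid); }
unsigned demo_invalidations(void) { return demo.invalidations; }

int main(void)
{
    const int pids[] = { 100, 200, 300, 400, 100, 500, 200, 100 }; /* constructed */
    demo_reset();
    for (unsigned i = 0; i < sizeof pids / sizeof pids[0]; i++) {
        int p = demo_switch(pids[i]);
        printf("pid %d -> PCID %d (invalidations so far: %u)\n",
               pids[i], p, demo_invalidations());
    }
    return 0;
}
```

With four slots the fifth distinct process forces the first reclaim; a process that switches back in while its PCID is still resident pays no invalidation at all, which is the saving PCID exists to provide.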