This document discusses potential approaches to prevent CPU side-channel attacks like Meltdown. It proposes monitoring processes for multiple SIGSEGV children and stopping rather than killing any processes that meet this criteria. It also discusses limiting the cache flush instruction to prevent Flush+Reload and Flush+Flush attacks, and monitoring CPU performance counters and kernel events related to cache flushing.
2. ❖❖ Who am I?Who am I?
- Chief System Architect of SiteGround.com- Chief System Architect of SiteGround.com
- Sysadmin since 1996- Sysadmin since 1996
- Organizer of OpenFest, BG Perl- Organizer of OpenFest, BG Perl
Workshops, LUG-BG and othersWorkshops, LUG-BG and others
- Teaching Network Security and- Teaching Network Security and
Linux System AdministrationLinux System Administration
courses in Sofia Universitycourses in Sofia University
and SoftUniand SoftUni
3. ❖❖ DisclaimerDisclaimer
What I'm proposing is NOT aWhat I'm proposing is NOT a
general purpose solution!general purpose solution!
4. ❖❖ DisclaimerDisclaimer
We are a shared hostingWe are a shared hosting
provider... we consider allprovider... we consider all
code, hostilecode, hostile
11. L1 and L2 caches are shared between
hyper-threads in a single core
L2 cache is shared between different
execution engines inside the core
(ALU, FMA, ADD, etc.)
L3 cache is shared between all cores
Sharing the cacheSharing the cache
12. Shared L3 Cache (LLC)
Synchronization
L1
Instruction
cache
Branch Predict.Isnt. Fetch
Pipeline(s)
Instruction decoder
Dispatch Integer
Cluster
2FPU
W.C. Cache
L1
Instruction
cache
L1
data
cache
Integer
Cluster
1
L1
data
cache
L2 Data Cache
shared
Core
Iface
Single Core
L1
Instruction
cache
Branch Predict.Isnt. Fetch
Pipeline(s)
Instruction decoder
Dispatch Integer
Cluster
2FPU
W.C. Cache
L1
Instruction
cache
L1
data
cache
Integer
Cluster
1
L1
data
cache
L2 Data Cache
shared
Core
Iface
Single Core
L1
Instruction
cache
Isnt.
Instruct
Di
W.C
L1
Instruction
cache
Integer
Cluster
1
L1
data
cache
LCore
Iface
Some CPU architecture intro :)
AMD Bulldozer block diagram
14. Flush + ReloadFlush + Reload
L1
Instruction
cache
Branch Predict.Isnt. Fetch
Pipeline(s)
Instruction decoder
Dispatch Integer
Cluster
2FPU
W.C. Cache
L1
Instruction
cache
L1
data
cache
Integer
Cluster
1
L1
data
cache
L2 Data Cache
shared
Core
Iface
Single Core
Shared L3 Cache (LLC)
Synchronization
1. Find a shared library location in memory
2. Clear the cache
3. Check if the victim has accessed it or not by
comparing the time it takes to execute the code
15. Flush + FlushFlush + Flush
L1
Instruction
cache
Branch Predict.Isnt. Fetch
Pipeline(s)
Instruction decoder
Dispatch Integer
Cluster
2FPU
W.C. Cache
L1
Instruction
cache
L1
data
cache
Integer
Cluster
1
L1
data
cache
L2 Data Cache
shared
Core
Iface
Single Core
Shared L3 Cache (LLC)
Synchronization
1. Find a shared library location in memory
2. Clear the cache
3. Clear the cache again and observe the timing
if the victim has accessed the code, clflush will
take longer to finish
16. More architecture...
Floating Point
L1 D-Cache D-TLB
Schedulers
Integer
μop queues
Decoder
Trace Cache
Rename/Alloc
μop ROMBTB
BTB and I-TLB
BusL2CacheandControl
Thread 1: floating point
17. More architecture...
Floating Point
L1 D-Cache D-TLB
Schedulers
Integer
μop queues
Decoder
Trace Cache
Rename/Alloc
μop ROMBTB
BTB and I-TLB
BusL2CacheandControl
Thread 1: integer Thread 2: floating point
24. Fight the requirements
not the attacks
➢ Successful meltdown exploitation prefers that
both the SIGSEGV children and the victim are on
the same CPU
➢ so we simply LIE to sched_setaffinity
➢ effectively we do nothing
➢ we save the requested affinity in the
task_struct as cpumask_t cpus_allowed;cpumask_t cpus_allowed;
➢ we have patched sched_getaffinitysched_getaffinity to
report only the cpu mask already stored for
the current process
26. Fight the requirements
not the attacks
➢ On our infrastructure, there is no customer's
software that has a valid case to have
➢ SIGSEGV children or threads
➢ our CPUs do not support TSX instructions :)
42. you can find the list of Processor Monitor Unit
(PMU) events by running:
# perf list
Perf can be build from the linux kernel source
tree in tools/perf:
# make
# mv perf /usr/bin
TSX eventsTSX eventsTSX eventsTSX eventsTSX eventsTSX events