GlobalLogic Ukraine, profile picture
Uploaded byGlobalLogic Ukraine
PDF, PPTX1,520 views

ARM Architecture and Meltdown/Spectre

The document discusses ARM architecture, highlighting the evolution from ARMv7 to ARMv8 and detailing core principles such as registers, execution states, and memory management unit (MMU) functionalities. It addresses vulnerabilities like Meltdown and Spectre, emphasizing their implications, method of exploits, and ARM's response. Additionally, it provides resources for further reading and concludes with a section for questions.

Embed presentation

Download as PDF, PPTX
1 Embedded Career Day#2: ARM Architecture and Meltdown/Spectre Andrew Lukin 2018-02-10
2 In general
3 RISC -- Reduced Instructions Set Computer ● Small set of simple and general instructions ● Fixed length instructions ● Simpler processor’s core logic ● Harvard architecture -- architecture with physically separate storage and signal pathways for instructions and data ● Load/Store architecture -- separate instructions for memory access ● A lot of general purpose registers or even register files
4 Evolution of the ARM architecture
5 Registers ARMv7
6 Registers AArch64 (ARMv8)
7 PSTATE at AArch32
8 OS-specific
9 ARMv7 exceptions
10 AArch64 exceptions model
11 Exceptions table
12 Exceptions ● A synchronous exception if it is generated as a result of execution or attempted execution of the instruction stream, and where the return address provides details of the instruction that caused it. ● An asynchronous exception is not generated by executing instructions, while the return address might not always provide details of what caused the exception. ● In the ARMv7-A architecture, the prefetch abort, Data Abort and undef exceptions are separate items. ● In AArch64, all of these events generate a Synchronous abort. The exception handler may then read the syndrome and FAR registers to obtain the necessary information to distinguish between them.
13 Interrupts
14 Execution states
15 Execution states - Registers mapping
16 MMU
17 MMU ARMv7
18 AArch64 MMU Support
19 MMU - Caches ● Point of Coherency (PoC) -- is the point at which all observers, for example, cores, DSPs, or DMA engines, that can access memory, are guaranteed to see the same copy of a memory location. Typically, this is the main external system memory. ● Point of Unification (PoU) -- is the point at which the instruction and data caches and translation table walks of the core are guaranteed to see the same copy of a memory location
20 MMU + ASID
21 MMU - Normal memory ● Normal memory -- The processor can re-order, repeat, and merge accesses to it. Furthermore, address locations that are marked as Normal can be accessed speculatively by the processor, so that data or instructions can be read from memory without being explicitly referenced in the program, or in advance of the actual execution of an explicit reference. Such speculative accesses can occur as a result of branch prediction, speculative cache linefills, out-of-order data loads, or other hardware optimizations.
22 MMU - Device memory ● Device memory -- ○ Device-nGnRnE most restrictive (equivalent to Strongly Ordered memory in the ARMv7 architecture). ○ Device-nGnRE ○ Device-nGRE ○ Device-GRE least restrictive ● Gathering of non Gathering (G or nG) -- whether multiple accesses can be merged into a single bus transaction for this memory region. ● Re-ordering (R or nR) -- whether accesses to the same device can be re-ordered with respect to each other. ● Early Write Acknowledgement (E or nE) -- whether an intermediate write buffer between the processor and the slave device being accessed is allowed to send an acknowledgement of a write completion
23 Instructions
24 Instruction changes
25 Instruction changes
26 Instruction changes
27 Multiplication instructions in assembly language
28 ABI
29 ABI for AArch64
30 PCS
31 Meltdown and Spectre
32 Conspiracy theory Intel: Vulnerability is there for 10 to 20 YEARS But “Flush+Reload” are known from 2014 at least ARM: Vulnerability is introduced in latest most powerful designs
33 Vulnerable processors
34 Microarchitecture Cortex-A75
35 Microarchitecture Cortex-A75
36 Side-channel attacks: Timing attack
37 Variant 1: bypassing software checking of untrusted values 1 struct array { 2 unsigned long length; 3 unsigned char data[]; 4 }; 5 struct array *arr1 = ...; /* small array */ 6 struct array *arr2 = ...; /*array of size 0x400 */ 7 unsigned long untrusted_offset_from_user = ...; 8 if (untrusted_offset_from_user < arr1->length) { 9 unsigned char value; 10 value = arr1->data[untrusted_offset_from_user]; 11 unsigned long index2 = ((value&1)*0x100)+0x200; 12 if (index2 < arr2->length) { 13 unsigned char value2 = arr2->data[index2]; 14 } 15 }
38 Variant 2: branch target injection
39 Variant 3: using speculative reads of inaccessible data The perturbation of the cache by the LDR X5, [X6,X3] (line 7) can be subsequently measured by the EL0 code for different values of the shift amount imm (line 5). This gives a mechanism to establish the value of the EL1 data at the address pointed to by X4,so leaking data that should not be accessible to EL0 code. 1 LDR X1, [X2] ; arranged to miss in the cache 2 CBZ X1, over ; This will be taken but 3 ; is predicted not taken 4 LDR X3, [X4] ; X4 points to some EL1 memory 5 LSL X3, X3, #imm 6 AND X3, X3, #0xFC0 7 LDR X5, [X6,X3] ; X6 is an EL0 base address 8 over
40 Variant 3a: using speculative reads of system registers In much the same way as with the main Variant 3, in a small number of Arm implementations, a processor that speculatively performs a read of a system register that is not accessible at the current exception level, will actually access the associated system register (provided that it is a register that can be read without side-effects). 1 LDR X1, [X2] ; arranged to miss in the cache 2 CBZ X1, over ; This will be taken 3 MRS X3, TTBR0_EL1; 4 LSL X3, X3, #imm 5 AND X3, X3, #0xFC0 6 LDR X5, [X6,X3] ; X6 is an EL0 base address 7 over Can be used to read crypto keys from system registers if ARM Pointer authentication feature used (ARMv8.3)
41 Links 1. Programmer’s Guide for ARMv8-A (DEN0024A) 2. ARM® Architecture Reference Manual ARMv8, for ARMv8-A architecture profile DDI0487B_a_armv8.pdf 3. ARM® Architecture Reference Manual ARMv7-A and ARMv7-R edition DDI0406C_C_arm_architecture_reference_manual.pdf 4. http://meltdownattack.com 5. http://spectreattack.com 6. https://developer.arm.com/support/security-update
42 Questions?
43 Thank you Andrew Lukin Sr Embedded Developer andrii.lukin@globallogic.com +380-95-303-43-76

More Related Content

PDF
HKG15-311: OP-TEE for Beginners and Porting Review
byLinaro
 
PPTX
U-boot and Android Verified Boot 2.0
byGlobalLogic Ukraine
 
PDF
Linux Kernel Platform Development: Challenges and Insights
byGlobalLogic Ukraine
 
PPT
Linux Kernel Debugging
byGlobalLogic Ukraine
 
PDF
LCU14 302- How to port OP-TEE to another platform
byLinaro
 
PDF
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
byLinaro
 
PDF
Lcu14 306 - OP-TEE Future Enhancements
byLinaro
 
PDF
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
byLinaro
 
HKG15-311: OP-TEE for Beginners and Porting Review
byLinaro
 
U-boot and Android Verified Boot 2.0
byGlobalLogic Ukraine
 
Linux Kernel Platform Development: Challenges and Insights
byGlobalLogic Ukraine
 
Linux Kernel Debugging
byGlobalLogic Ukraine
 
LCU14 302- How to port OP-TEE to another platform
byLinaro
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
byLinaro
 
Lcu14 306 - OP-TEE Future Enhancements
byLinaro
 
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
byLinaro
 

What's hot

PDF
The Linux Block Layer - Built for Fast Storage
byKernel TLV
 
PDF
LAS16-403: GDB Linux Kernel Awareness
byLinaro
 
PDF
Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203
byLinaro
 
PDF
Trusted firmware deep_dive_v1.0_
byLinaro
 
PPTX
QEMU and Raspberry Pi. Instant Embedded Development
byGlobalLogic Ukraine
 
PDF
Kernel Recipes 2015 - The Dronecode Project – A step in open source drones
byAnne Nicolas
 
PDF
TEE - kernel support is now upstream. What this means for open source security
byLinaro
 
PDF
SFO15-200: Linux kernel generic TEE driver
byLinaro
 
PDF
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
byLinaro
 
PDF
Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRO...
bySecurity Session
 
PDF
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
byLinaro
 
PDF
BKK16-312 Integrating and controlling embedded devices in LAVA
byLinaro
 
PDF
Uboot startup sequence
byHoucheng Lin
 
PDF
Lcu14 107- op-tee on ar mv8
byLinaro
 
PDF
LCU14 500 ARM Trusted Firmware
byLinaro
 
PDF
Linux : PSCI
byMr. Vengineer
 
PPTX
Linux Timer device driver
by艾思程式教育
 
PPT
Concurrency bug identification through kernel panic log (english)
bySneeker Yeh
 
PPT
U boot porting guide for SoC
byMacpaul Lin
 
PDF
F9 Microkernel code reading - part 1
byBenux Wei
 
The Linux Block Layer - Built for Fast Storage
byKernel TLV
 
LAS16-403: GDB Linux Kernel Awareness
byLinaro
 
Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203
byLinaro
 
Trusted firmware deep_dive_v1.0_
byLinaro
 
QEMU and Raspberry Pi. Instant Embedded Development
byGlobalLogic Ukraine
 
Kernel Recipes 2015 - The Dronecode Project – A step in open source drones
byAnne Nicolas
 
TEE - kernel support is now upstream. What this means for open source security
byLinaro
 
SFO15-200: Linux kernel generic TEE driver
byLinaro
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
byLinaro
 
Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRO...
bySecurity Session
 
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
byLinaro
 
BKK16-312 Integrating and controlling embedded devices in LAVA
byLinaro
 
Uboot startup sequence
byHoucheng Lin
 
Lcu14 107- op-tee on ar mv8
byLinaro
 
LCU14 500 ARM Trusted Firmware
byLinaro
 
Linux : PSCI
byMr. Vengineer
 
Linux Timer device driver
by艾思程式教育
 
Concurrency bug identification through kernel panic log (english)
bySneeker Yeh
 
U boot porting guide for SoC
byMacpaul Lin
 
F9 Microkernel code reading - part 1
byBenux Wei
 

Similar to ARM Architecture and Meltdown/Spectre

PPTX
ARM Architecture for Kernel Development
byGlobalLogic Ukraine
 
PPTX
ARM Architecture in Details
byGlobalLogic Ukraine
 
PPTX
ARM-7 ADDRESSING MODES INSTRUCTION SET
bySasiBhushan22
 
PPT
ARM_2.ppt
byMostafaParvin1
 
PDF
Arm architecture overview
bySathish Arumugasamy
 
PPT
ARM - Advance RISC Machine
byEdutechLearners
 
PDF
arm
byPratik Gohel
 
PPTX
Introduction to armv8 aarch64
byYi-Hsiu Hsu
 
PPTX
WINSEM2022-23_BECE204L_TH_VL2022230500861_2023-02-10_Reference-Material-I.pptx
bySoniBhavya
 
PDF
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
byinside-BigData.com
 
PDF
Practical real-time operating system security for the masses
byMilosch Meriac
 
PDF
Arm11
byZogenk II
 
PPT
AdvancedRiscMachineryss-INTRODUCTION.ppt
bymailshivaiah
 
PPTX
UNIT 2.pptx
bylalithamani sampath
 
PPT
LPC 2148 Instructions Set.ppt
byProfBadariNathK
 
PPT
Arm architecture
byPantech ProLabs India Pvt Ltd
 
PPTX
Introduction to arm processor
byRAMPRAKASHT1
 
PPT
ARM7TDMI-S_CPU.ppt
byMostafaParvin1
 
PPTX
MICROCONTROLLERS mod1.pptx designs and functions operators
bynanditha7766
 
PPTX
Topic 2 ARM Architecture and Programmer's Model.pptx
bypushprajsinhmakwana1
 
ARM Architecture for Kernel Development
byGlobalLogic Ukraine
 
ARM Architecture in Details
byGlobalLogic Ukraine
 
ARM-7 ADDRESSING MODES INSTRUCTION SET
bySasiBhushan22
 
ARM_2.ppt
byMostafaParvin1
 
Arm architecture overview
bySathish Arumugasamy
 
ARM - Advance RISC Machine
byEdutechLearners
 
arm
byPratik Gohel
 
Introduction to armv8 aarch64
byYi-Hsiu Hsu
 
WINSEM2022-23_BECE204L_TH_VL2022230500861_2023-02-10_Reference-Material-I.pptx
bySoniBhavya
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
byinside-BigData.com
 
Practical real-time operating system security for the masses
byMilosch Meriac
 
Arm11
byZogenk II
 
AdvancedRiscMachineryss-INTRODUCTION.ppt
bymailshivaiah
 
UNIT 2.pptx
bylalithamani sampath
 
LPC 2148 Instructions Set.ppt
byProfBadariNathK
 
Arm architecture
byPantech ProLabs India Pvt Ltd
 
Introduction to arm processor
byRAMPRAKASHT1
 
ARM7TDMI-S_CPU.ppt
byMostafaParvin1
 
MICROCONTROLLERS mod1.pptx designs and functions operators
bynanditha7766
 
Topic 2 ARM Architecture and Programmer's Model.pptx
bypushprajsinhmakwana1
 

More from GlobalLogic Ukraine

PDF
GlobalLogic JavaScript Community Webinar #21 “Інтерв’ю без заспокійливих”
byGlobalLogic Ukraine
 
PPTX
Deadlocks in SQL - Turning Fear Into Understanding (by Sergii Stets)
byGlobalLogic Ukraine
 
PDF
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
byGlobalLogic Ukraine
 
PDF
GlobalLogic Embedded Community x ROS Ukraine Webinar "Surgical Robots"
byGlobalLogic Ukraine
 
PDF
GlobalLogic Java Community Webinar #17 “SpringJDBC vs JDBC. Is Spring a Hero?”
byGlobalLogic Ukraine
 
PDF
GlobalLogic JavaScript Community Webinar #18 “Long Story Short: OSI Model”
byGlobalLogic Ukraine
 
PPTX
Штучний інтелект як допомога в навчанні, а не замінник.pptx
byGlobalLogic Ukraine
 
PPTX
Задачі AI-розробника як застосовується штучний інтелект.pptx
byGlobalLogic Ukraine
 
PPTX
Що треба вивчати, щоб стати розробником штучного інтелекту та нейромереж.pptx
byGlobalLogic Ukraine
 
PDF
GlobalLogic Java Community Webinar #16 “Zaloni’s Architecture for Data-Driven...
byGlobalLogic Ukraine
 
PDF
JavaScript Community Webinar #14 "Why Is Git Rebase?"
byGlobalLogic Ukraine
 
PDF
GlobalLogic .NET Community Webinar #3 "Exploring Serverless with Azure Functi...
byGlobalLogic Ukraine
 
PPTX
Страх і сила помилок - IT Inside від GlobalLogic Education
byGlobalLogic Ukraine
 
PDF
GlobalLogic .NET Webinar #2 “Azure RBAC and Managed Identity”
byGlobalLogic Ukraine
 
PDF
GlobalLogic QA Webinar “What does it take to become a Test Engineer”
byGlobalLogic Ukraine
 
PDF
“How to Secure Your Applications With a Keycloak?
byGlobalLogic Ukraine
 
PDF
GlobalLogic Machine Learning Webinar “Advanced Statistical Methods for Linear...
byGlobalLogic Ukraine
 
PPTX
GlobalLogic Machine Learning Webinar “Statistical learning of linear regressi...
byGlobalLogic Ukraine
 
PDF
GlobalLogic C++ Webinar “The Minimum Knowledge to Become a C++ Developer”
byGlobalLogic Ukraine
 
PDF
Embedded Webinar #17 "Low-level Network Testing in Embedded Devices Development"
byGlobalLogic Ukraine
 
GlobalLogic JavaScript Community Webinar #21 “Інтерв’ю без заспокійливих”
byGlobalLogic Ukraine
 
Deadlocks in SQL - Turning Fear Into Understanding (by Sergii Stets)
byGlobalLogic Ukraine
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
byGlobalLogic Ukraine
 
GlobalLogic Embedded Community x ROS Ukraine Webinar "Surgical Robots"
byGlobalLogic Ukraine
 
GlobalLogic Java Community Webinar #17 “SpringJDBC vs JDBC. Is Spring a Hero?”
byGlobalLogic Ukraine
 
GlobalLogic JavaScript Community Webinar #18 “Long Story Short: OSI Model”
byGlobalLogic Ukraine
 
Штучний інтелект як допомога в навчанні, а не замінник.pptx
byGlobalLogic Ukraine
 
Задачі AI-розробника як застосовується штучний інтелект.pptx
byGlobalLogic Ukraine
 
Що треба вивчати, щоб стати розробником штучного інтелекту та нейромереж.pptx
byGlobalLogic Ukraine
 
GlobalLogic Java Community Webinar #16 “Zaloni’s Architecture for Data-Driven...
byGlobalLogic Ukraine
 
JavaScript Community Webinar #14 "Why Is Git Rebase?"
byGlobalLogic Ukraine
 
GlobalLogic .NET Community Webinar #3 "Exploring Serverless with Azure Functi...
byGlobalLogic Ukraine
 
Страх і сила помилок - IT Inside від GlobalLogic Education
byGlobalLogic Ukraine
 
GlobalLogic .NET Webinar #2 “Azure RBAC and Managed Identity”
byGlobalLogic Ukraine
 
GlobalLogic QA Webinar “What does it take to become a Test Engineer”
byGlobalLogic Ukraine
 
“How to Secure Your Applications With a Keycloak?
byGlobalLogic Ukraine
 
GlobalLogic Machine Learning Webinar “Advanced Statistical Methods for Linear...
byGlobalLogic Ukraine
 
GlobalLogic Machine Learning Webinar “Statistical learning of linear regressi...
byGlobalLogic Ukraine
 
GlobalLogic C++ Webinar “The Minimum Knowledge to Become a C++ Developer”
byGlobalLogic Ukraine
 
Embedded Webinar #17 "Low-level Network Testing in Embedded Devices Development"
byGlobalLogic Ukraine
 

Recently uploaded

PDF
Module 4 python programming-1BPLCK105B-2025 by Dr.SV.pdf
bySURESHA V
 
PPTX
Why TPM Succeeds in Some Plants and Struggles in Others | MaintWiz
byMaintWiz Technologies Private Limited
 
PDF
Shear Strength of Soil/Mohr Coulomb Failure Criteria-1.pdf
byMahmoodKhalid11
 
PPT
Ceramic Matrix Composites Slide from Composite Materials
byUsman635773
 
PPTX
PPT Unit I. real time operating system pptx
byAyushiJaiswal249363
 
PDF
Soil Compressibility (Elastic Settlement).pdf
byMahmoodKhalid11
 
PDF
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 3.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
PPTX
Energy_Conservation_in_Cement_Factories.pptx
bysibirajmurugan8
 
PDF
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
PPTX
Origin of Soil and Grain Size with Introduction and explanation
byMahmoodKhalid11
 
PPTX
Optimized access control techniques in Cloud Computing with Security and Scal...
bymareswariesteru
 
PPTX
ISO 13485.2016 Awareness's Training material
byPrakashSivan
 
PPTX
operating_systems.pptx m,nm,nm,n,nm,n,nm,nikl
bykirthigaaiml
 
PDF
NS unit wise unit wise 1 -5 so prepare,.
bykumaransudhan1512
 
PPTX
Week 1.pptx dynamics particle kinetics introduction
byfmsalih06
 
PDF
WTE Infra Projects Pvt. Ltd. Company Profile 2026 – Water & Wastewater Treatm...
byWTE Infra Projects Pvt. Ltd
 
PDF
Lifting Operations Safety and Risk Control
bymanju774
 
PDF
AWS Re:Invent 2025 Recap by FivexL - Guilherme, Vladimir, Andrey
byAndrey Devyatkin
 
PDF
Decision-Support-Systems-and-Decision-Making-Processes.pdf
byPatankarNikhil
 
PDF
Chad Ayach - An Accomplished Mechanical Engineer
byChad Ayach
 
Module 4 python programming-1BPLCK105B-2025 by Dr.SV.pdf
bySURESHA V
 
Why TPM Succeeds in Some Plants and Struggles in Others | MaintWiz
byMaintWiz Technologies Private Limited
 
Shear Strength of Soil/Mohr Coulomb Failure Criteria-1.pdf
byMahmoodKhalid11
 
Ceramic Matrix Composites Slide from Composite Materials
byUsman635773
 
PPT Unit I. real time operating system pptx
byAyushiJaiswal249363
 
Soil Compressibility (Elastic Settlement).pdf
byMahmoodKhalid11
 
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 3.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
Energy_Conservation_in_Cement_Factories.pptx
bysibirajmurugan8
 
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
Origin of Soil and Grain Size with Introduction and explanation
byMahmoodKhalid11
 
Optimized access control techniques in Cloud Computing with Security and Scal...
bymareswariesteru
 
ISO 13485.2016 Awareness's Training material
byPrakashSivan
 
operating_systems.pptx m,nm,nm,n,nm,n,nm,nikl
bykirthigaaiml
 
NS unit wise unit wise 1 -5 so prepare,.
bykumaransudhan1512
 
Week 1.pptx dynamics particle kinetics introduction
byfmsalih06
 
WTE Infra Projects Pvt. Ltd. Company Profile 2026 – Water & Wastewater Treatm...
byWTE Infra Projects Pvt. Ltd
 
Lifting Operations Safety and Risk Control
bymanju774
 
AWS Re:Invent 2025 Recap by FivexL - Guilherme, Vladimir, Andrey
byAndrey Devyatkin
 
Decision-Support-Systems-and-Decision-Making-Processes.pdf
byPatankarNikhil
 
Chad Ayach - An Accomplished Mechanical Engineer
byChad Ayach
 

ARM Architecture and Meltdown/Spectre

  • 1.
    1 Embedded Career Day#2: ARMArchitecture and Meltdown/Spectre Andrew Lukin 2018-02-10
  • 2.
  • 3.
    3 RISC -- ReducedInstructions Set Computer ● Small set of simple and general instructions ● Fixed length instructions ● Simpler processor’s core logic ● Harvard architecture -- architecture with physically separate storage and signal pathways for instructions and data ● Load/Store architecture -- separate instructions for memory access ● A lot of general purpose registers or even register files
  • 4.
    4 Evolution of theARM architecture
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
    12 Exceptions ● A synchronousexception if it is generated as a result of execution or attempted execution of the instruction stream, and where the return address provides details of the instruction that caused it. ● An asynchronous exception is not generated by executing instructions, while the return address might not always provide details of what caused the exception. ● In the ARMv7-A architecture, the prefetch abort, Data Abort and undef exceptions are separate items. ● In AArch64, all of these events generate a Synchronous abort. The exception handler may then read the syndrome and FAR registers to obtain the necessary information to distinguish between them.
  • 13.
  • 14.
  • 15.
    15 Execution states -Registers mapping
  • 16.
  • 17.
  • 18.
  • 19.
    19 MMU - Caches ●Point of Coherency (PoC) -- is the point at which all observers, for example, cores, DSPs, or DMA engines, that can access memory, are guaranteed to see the same copy of a memory location. Typically, this is the main external system memory. ● Point of Unification (PoU) -- is the point at which the instruction and data caches and translation table walks of the core are guaranteed to see the same copy of a memory location
  • 20.
  • 21.
    21 MMU - Normalmemory ● Normal memory -- The processor can re-order, repeat, and merge accesses to it. Furthermore, address locations that are marked as Normal can be accessed speculatively by the processor, so that data or instructions can be read from memory without being explicitly referenced in the program, or in advance of the actual execution of an explicit reference. Such speculative accesses can occur as a result of branch prediction, speculative cache linefills, out-of-order data loads, or other hardware optimizations.
  • 22.
    22 MMU - Devicememory ● Device memory -- ○ Device-nGnRnE most restrictive (equivalent to Strongly Ordered memory in the ARMv7 architecture). ○ Device-nGnRE ○ Device-nGRE ○ Device-GRE least restrictive ● Gathering of non Gathering (G or nG) -- whether multiple accesses can be merged into a single bus transaction for this memory region. ● Re-ordering (R or nR) -- whether accesses to the same device can be re-ordered with respect to each other. ● Early Write Acknowledgement (E or nE) -- whether an intermediate write buffer between the processor and the slave device being accessed is allowed to send an acknowledgement of a write completion
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
    32 Conspiracy theory Intel: Vulnerability isthere for 10 to 20 YEARS But “Flush+Reload” are known from 2014 at least ARM: Vulnerability is introduced in latest most powerful designs
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
    37 Variant 1: bypassingsoftware checking of untrusted values 1 struct array { 2 unsigned long length; 3 unsigned char data[]; 4 }; 5 struct array *arr1 = ...; /* small array */ 6 struct array *arr2 = ...; /*array of size 0x400 */ 7 unsigned long untrusted_offset_from_user = ...; 8 if (untrusted_offset_from_user < arr1->length) { 9 unsigned char value; 10 value = arr1->data[untrusted_offset_from_user]; 11 unsigned long index2 = ((value&1)*0x100)+0x200; 12 if (index2 < arr2->length) { 13 unsigned char value2 = arr2->data[index2]; 14 } 15 }
  • 38.
    38 Variant 2: branchtarget injection
  • 39.
    39 Variant 3: usingspeculative reads of inaccessible data The perturbation of the cache by the LDR X5, [X6,X3] (line 7) can be subsequently measured by the EL0 code for different values of the shift amount imm (line 5). This gives a mechanism to establish the value of the EL1 data at the address pointed to by X4,so leaking data that should not be accessible to EL0 code. 1 LDR X1, [X2] ; arranged to miss in the cache 2 CBZ X1, over ; This will be taken but 3 ; is predicted not taken 4 LDR X3, [X4] ; X4 points to some EL1 memory 5 LSL X3, X3, #imm 6 AND X3, X3, #0xFC0 7 LDR X5, [X6,X3] ; X6 is an EL0 base address 8 over
  • 40.
    40 Variant 3a: usingspeculative reads of system registers In much the same way as with the main Variant 3, in a small number of Arm implementations, a processor that speculatively performs a read of a system register that is not accessible at the current exception level, will actually access the associated system register (provided that it is a register that can be read without side-effects). 1 LDR X1, [X2] ; arranged to miss in the cache 2 CBZ X1, over ; This will be taken 3 MRS X3, TTBR0_EL1; 4 LSL X3, X3, #imm 5 AND X3, X3, #0xFC0 6 LDR X5, [X6,X3] ; X6 is an EL0 base address 7 over Can be used to read crypto keys from system registers if ARM Pointer authentication feature used (ARMv8.3)
  • 41.
    41 Links 1. Programmer’s Guidefor ARMv8-A (DEN0024A) 2. ARM® Architecture Reference Manual ARMv8, for ARMv8-A architecture profile DDI0487B_a_armv8.pdf 3. ARM® Architecture Reference Manual ARMv7-A and ARMv7-R edition DDI0406C_C_arm_architecture_reference_manual.pdf 4. http://meltdownattack.com 5. http://spectreattack.com 6. https://developer.arm.com/support/security-update
  • 42.
  • 43.
    43 Thank you Andrew Lukin SrEmbedded Developer andrii.lukin@globallogic.com +380-95-303-43-76