This document discusses speculative execution hardware bugs and their impact on virtualization. It begins with an overview of speculative execution and how it works in CPUs. It then explains how speculative execution assumptions can be violated, enabling attacks like Spectre. It details specific attacks like Spectre v1 (bounds check bypass) and Spectre v2 (branch target injection). It analyzes the impact of these attacks on virtualization and different attack scenarios. It also discusses mitigations and their performance implications.
JavaScript - Like a Box of Chocolates - jsDayRobert Nyman
This presentation aims to give you information about the JavaScript language itself; pros, cons and pitfalls. It will cover the basics and then go into objects, scope, closure and some performance bits.
4Developers 2015: Under the dome (of failure driven pipeline) - Maciej LasykPROIDEA
Speaker: Maciej Lasyk
Language: English
One day you woke up in a new reality and realized, that you live in a world of constant and unpredicted failure. Any closet you open you find a dead body - residue of unfinished projects, badly designed ideas etc. All this summed up gives you the real continuous disaster.
Fortunately your stamina bar is full and you have some super powers - it's time for the change. This will be a multithreaded story of getting from point A (stiff, old & depressing state) to point B (a bit closer to DevOPS Nirvana); I'll discuss here multiple elements of the journey: trust & collaboration, changing the work - environment culture, guerilla capacity planning, redesigning infrastructure architecture (w/Mikado help), automating leadership tasks, choosing between IaaS and PaaS (embracing virtualization / containers technologies and making those work for you), designing developer's environments, working with Kanban/Lean, automation and ITIL, and finally - joining this all into one big - picture. Archeological elements included. With real - life scenarios :)
4Developers: http://4developers.org.pl/pl/
JavaScript - Like a Box of Chocolates - jsDayRobert Nyman
This presentation aims to give you information about the JavaScript language itself; pros, cons and pitfalls. It will cover the basics and then go into objects, scope, closure and some performance bits.
4Developers 2015: Under the dome (of failure driven pipeline) - Maciej LasykPROIDEA
Speaker: Maciej Lasyk
Language: English
One day you woke up in a new reality and realized, that you live in a world of constant and unpredicted failure. Any closet you open you find a dead body - residue of unfinished projects, badly designed ideas etc. All this summed up gives you the real continuous disaster.
Fortunately your stamina bar is full and you have some super powers - it's time for the change. This will be a multithreaded story of getting from point A (stiff, old & depressing state) to point B (a bit closer to DevOPS Nirvana); I'll discuss here multiple elements of the journey: trust & collaboration, changing the work - environment culture, guerilla capacity planning, redesigning infrastructure architecture (w/Mikado help), automating leadership tasks, choosing between IaaS and PaaS (embracing virtualization / containers technologies and making those work for you), designing developer's environments, working with Kanban/Lean, automation and ITIL, and finally - joining this all into one big - picture. Archeological elements included. With real - life scenarios :)
4Developers: http://4developers.org.pl/pl/
It's no news or secret that containers are good at providing multiple and different testing environments, or at offering a way of deploying apps and services that are completely decoupled from the host OS. E.g., spin up a distro X container, check if code compiles there (and dispose of it).
How about the opposite? I.e., having one (or more!) stateful and persistent environment(s), tightly coupled with the host and sharing as much information and configuration as possible with it. Why? Well for running that one app, which is only available for another distro, with just a click on a desktop launcher icon. Or for doing all kind of experiments, inside our development environment, without risking the stability and the consistency of the system. Well, yes, containers can do these things too. And in openSUSE, we have both toolbox and distrobox, that can make these examples, just reality!
In this talk, we'll explain what they are and how to use them for spawning development and application environments, based either on the same distro you have on the host or on different ones, and inside of which you still have all your file. A working space that, despite being containerized, you can access seamlessly from within GNOME Builder or open new terminals directly inside of it and create launcher icons for apps installed in there.
We'll offer (more) examples and show how this can be very useful, both on immutable (like MicroOS) and on "traditional" (like Tumbleweed) systems.
Containers for Science and High-Performance ComputingDmitry Spodarets
Within this talk, we will explore how Singularity liberates non-privileged users and host resources (such as interconnects, resource managers, file systems, accelerators, etc.) allowing users to take full control to set-up and run in their native environments. This talk explores how Singularity combines software packaging models with minimalistic containers to create very lightweight application bundles which can be simply executed and contained completely within their environment or be used to interact directly with the host file systems at native speeds. A Singularity application bundle can be as simple as containing a single binary application or as complicated as containing an entire workflow and is as flexible as you will need.
Symfony2 è sicuramente uno dei framework migliori in circolazione, ma non sono tutte rose e fiori, soprattutto per chi inizia a sviluppare ed è alle prime armi. In questa presentazione vorrei condividere la mie esperienza di apprendimento ed utilizzo del framework, cercando di mettere in evidenza i miei momenti wtf e alcune linee guida per sviluppare applicazioni manutenibili
Advanced Topics in Continuous DeploymentMike Brittain
Like what you've read? We're frequently hiring for a variety of engineering roles at Etsy. If you're interested, drop me a line or send me your resume: mike@etsy.com.
http://www.etsy.com/careers
Presentation by Haroon Meer, Roelof Tammingh at black hat USA in 2006.
This presentation is about Suru, the inline proxy tool developed by Roelof Tammingh. How it works and some of it's features are discussed.
Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...Baruch Sadogursky
A private Java (Maven or Gradle) repository as a service can be setup in the cloud. A private Docker registry as a service can be easily setup in the cloud. But what if you want to build a holistic CI/CD pipeline, and on the cloud of YOUR choice?
In this talk Baruch will take you through steps of setting up a universal artifact repository, which can serve for both Java and Docker. You’ll learn how to build a CI/CD pipeline with traceable metadata from the Java source files all the way to Docker images. Amazon, Azure, and Google Cloud (do you have setup that works on these?) will be used as an example although the recipes shown would be applicable to other cloud as well.
In today’s age, it is important to have a basic understanding of computer programming. Although not everyone will become a computer programmer as a result, it is helpful these days to understand how computers and various software applications run code behind the scenes; plus, troubleshooting esoteric messages becomes much easier with some computer programming essentials under your belt. Without a doubt, it can be difficult to teach coding skills, but if fun and engaging tools are introduced it won’t be too bad. Thinking like a programmer does involve problem solving, but it can enhance creative confidence and inventive learning. In this webinar:
• Learn the basics of some visual programming languages like Scratch, Hopscotch, App Inventor, Raptor and others.
• Understand basic code syntax to gain important mathematical, computational, and creative thinking concepts through playful learning!
• Discover alternative tools and applications to give people practice programming while having fun!
• Gain other programming ideas, computing devices, and apps to help children & young adults thrive in a world based on technology.
Software Heritage: let's build together the universal archive of our software...Codemotion
Free/Open Source Software is now everywhere, but the risk of losing forever some of it is growing. Shutdowns of once popular forges are early warnings that we should not underestimate. How many million lines of code would we lose if development hubs that are hype today were to disappear 20 years from now? This talk will present Software Heritage, whose aim is to collect, preserve, and share all publicly available source code. Forever. Software Heritage has already archived 3 billion distinct source code files and 650 million commits, spanning more than 25 million development projects.
Debugging Spark: Scala and Python - Super Happy Fun Times @ Data Day Texas 2018Holden Karau
Apache Spark is one of the most popular big data projects, offering greatly improved performance over traditional MapReduce models. Much of Apache Spark’s power comes from lazy evaluation along with intelligent pipelining, which can make debugging more challenging. Holden Karau and Joey Echeverria explore how to debug Apache Spark applications, the different options for logging in Spark’s variety of supported languages, and some common errors and how to detect them.
Spark’s own internal logging can often be quite verbose. Holden and Joey demonstrate how to effectively search logs from Apache Spark to spot common problems and discuss options for logging from within your program itself. Spark’s accumulators have gotten a bad rap because of how they interact in the event of cache misses or partial recomputes, but Holden and Joey look at how to effectively use Spark’s current accumulators for debugging before gazing into the future to see the data property type accumulators that may be coming to Spark in future versions. And in addition to reading logs and instrumenting your program with accumulators, Spark’s UI can be of great help for quickly detecting certain types of problems. Holden and Joey cover how to quickly use the UI to figure out if certain types of issues are occurring in your job.
The talk will wrap up with Holden trying to get everyone to buy several copies of her new book, High Performance Spark.
Apache Spark is one of the most popular big data projects, offering greatly improved performance over traditional MapReduce models. Much of Apache Spark’s power comes from lazy evaluation along with intelligent pipelining, which can make debugging more challenging. Holden Karau and Joey Echeverria explore how to debug Apache Spark applications, the different options for logging in Spark’s variety of supported languages, and some common errors and how to detect them.
Spark’s own internal logging can often be quite verbose. Holden and Joey demonstrate how to effectively search logs from Apache Spark to spot common problems and discuss options for logging from within your program itself. Spark’s accumulators have gotten a bad rap because of how they interact in the event of cache misses or partial recomputes, but Holden and Joey look at how to effectively use Spark’s current accumulators for debugging before gazing into the future to see the data property type accumulators that may be coming to Spark in future versions. And in addition to reading logs and instrumenting your program with accumulators, Spark’s UI can be of great help for quickly detecting certain types of problems. Holden and Joey cover how to quickly use the UI to figure out if certain types of issues are occurring in your job.
The talk will wrap up with Holden trying to get everyone to buy several copies of her new book, High Performance Spark.
The things we don't see – stories of Software, Scala and AkkaKonrad Malawski
Opening keynote for Scalapeno, Tel Aviv 2016.
The talk focuses and explains the things we don't often see explicitly and/or don't notice when doing our daily work, yet make up a large part of the ecosystem and maturity of the ecoststem as a whole. We also dive into some of the more confusing bits around using the same word about different things in software
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Samuel Lampa
A very quick overview of how Vagrant, Ansible and Docker fits nicely together as a very productive and flexible solution for creating automated development environments.
Jonathan Corbet - Keynote: The Kernel Reportlinuxlab_conf
A whirlwind tour of what has been happening in the kernel development community and what can be expected in the near future.
The Linux kernel is at the core of any Linux system; the performance and capabilities of the kernel will, in the end, place an upper bound on what the system as a whole can do. This talk will review recent events in the kernel development community, discuss the current state of the kernel and the challenges it faces, and look forward to how the kernel may address those challenges. Attendees of any technical ability should gain a better understanding of how the kernel got to its current state and what can be expected in the near future.
Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...linuxlab_conf
The Yocto Project is an open source collaboration project that provides models, tools and methods to create custom Linux-based systems for embedded products that are independent from the adopted hardware architecture. The project was created in 2010 as a collaboration among several hardware manufacturers, open-source operating system providers and electronics companies to bring some order into the chaos of Linux Embedded development. Over the years, Yocto Project has established itself as the de-facto standard for the generation of embedded Linux systems, surpassing alternative products thanks to its characteristics.
The free tools that Yocto provides are powerful and easily generated (including emulation environments, debuggers, an application generator toolkit, etc.). The complete abstraction from the hardware of the development environment allows to optimize the investments made during the prototyping phase. The Yocto Project encourages the adoption of this technology by the open source community allowing users to focus on the characteristics and development of their product.
More Related Content
Similar to Dario Faggioli - Virtualization in the age of speculative execution HW bugs
It's no news or secret that containers are good at providing multiple and different testing environments, or at offering a way of deploying apps and services that are completely decoupled from the host OS. E.g., spin up a distro X container, check if code compiles there (and dispose of it).
How about the opposite? I.e., having one (or more!) stateful and persistent environment(s), tightly coupled with the host and sharing as much information and configuration as possible with it. Why? Well for running that one app, which is only available for another distro, with just a click on a desktop launcher icon. Or for doing all kind of experiments, inside our development environment, without risking the stability and the consistency of the system. Well, yes, containers can do these things too. And in openSUSE, we have both toolbox and distrobox, that can make these examples, just reality!
In this talk, we'll explain what they are and how to use them for spawning development and application environments, based either on the same distro you have on the host or on different ones, and inside of which you still have all your file. A working space that, despite being containerized, you can access seamlessly from within GNOME Builder or open new terminals directly inside of it and create launcher icons for apps installed in there.
We'll offer (more) examples and show how this can be very useful, both on immutable (like MicroOS) and on "traditional" (like Tumbleweed) systems.
Containers for Science and High-Performance ComputingDmitry Spodarets
Within this talk, we will explore how Singularity liberates non-privileged users and host resources (such as interconnects, resource managers, file systems, accelerators, etc.) allowing users to take full control to set-up and run in their native environments. This talk explores how Singularity combines software packaging models with minimalistic containers to create very lightweight application bundles which can be simply executed and contained completely within their environment or be used to interact directly with the host file systems at native speeds. A Singularity application bundle can be as simple as containing a single binary application or as complicated as containing an entire workflow and is as flexible as you will need.
Symfony2 è sicuramente uno dei framework migliori in circolazione, ma non sono tutte rose e fiori, soprattutto per chi inizia a sviluppare ed è alle prime armi. In questa presentazione vorrei condividere la mie esperienza di apprendimento ed utilizzo del framework, cercando di mettere in evidenza i miei momenti wtf e alcune linee guida per sviluppare applicazioni manutenibili
Advanced Topics in Continuous DeploymentMike Brittain
Like what you've read? We're frequently hiring for a variety of engineering roles at Etsy. If you're interested, drop me a line or send me your resume: mike@etsy.com.
http://www.etsy.com/careers
Presentation by Haroon Meer, Roelof Tammingh at black hat USA in 2006.
This presentation is about Suru, the inline proxy tool developed by Roelof Tammingh. How it works and some of it's features are discussed.
Building a private CI/CD pipeline with Java and Docker in the Cloud as presen...Baruch Sadogursky
A private Java (Maven or Gradle) repository as a service can be setup in the cloud. A private Docker registry as a service can be easily setup in the cloud. But what if you want to build a holistic CI/CD pipeline, and on the cloud of YOUR choice?
In this talk Baruch will take you through steps of setting up a universal artifact repository, which can serve for both Java and Docker. You’ll learn how to build a CI/CD pipeline with traceable metadata from the Java source files all the way to Docker images. Amazon, Azure, and Google Cloud (do you have setup that works on these?) will be used as an example although the recipes shown would be applicable to other cloud as well.
In today’s age, it is important to have a basic understanding of computer programming. Although not everyone will become a computer programmer as a result, it is helpful these days to understand how computers and various software applications run code behind the scenes; plus, troubleshooting esoteric messages becomes much easier with some computer programming essentials under your belt. Without a doubt, it can be difficult to teach coding skills, but if fun and engaging tools are introduced it won’t be too bad. Thinking like a programmer does involve problem solving, but it can enhance creative confidence and inventive learning. In this webinar:
• Learn the basics of some visual programming languages like Scratch, Hopscotch, App Inventor, Raptor and others.
• Understand basic code syntax to gain important mathematical, computational, and creative thinking concepts through playful learning!
• Discover alternative tools and applications to give people practice programming while having fun!
• Gain other programming ideas, computing devices, and apps to help children & young adults thrive in a world based on technology.
Software Heritage: let's build together the universal archive of our software...Codemotion
Free/Open Source Software is now everywhere, but the risk of losing forever some of it is growing. Shutdowns of once popular forges are early warnings that we should not underestimate. How many million lines of code would we lose if development hubs that are hype today were to disappear 20 years from now? This talk will present Software Heritage, whose aim is to collect, preserve, and share all publicly available source code. Forever. Software Heritage has already archived 3 billion distinct source code files and 650 million commits, spanning more than 25 million development projects.
Debugging Spark: Scala and Python - Super Happy Fun Times @ Data Day Texas 2018Holden Karau
Apache Spark is one of the most popular big data projects, offering greatly improved performance over traditional MapReduce models. Much of Apache Spark’s power comes from lazy evaluation along with intelligent pipelining, which can make debugging more challenging. Holden Karau and Joey Echeverria explore how to debug Apache Spark applications, the different options for logging in Spark’s variety of supported languages, and some common errors and how to detect them.
Spark’s own internal logging can often be quite verbose. Holden and Joey demonstrate how to effectively search logs from Apache Spark to spot common problems and discuss options for logging from within your program itself. Spark’s accumulators have gotten a bad rap because of how they interact in the event of cache misses or partial recomputes, but Holden and Joey look at how to effectively use Spark’s current accumulators for debugging before gazing into the future to see the data property type accumulators that may be coming to Spark in future versions. And in addition to reading logs and instrumenting your program with accumulators, Spark’s UI can be of great help for quickly detecting certain types of problems. Holden and Joey cover how to quickly use the UI to figure out if certain types of issues are occurring in your job.
The talk will wrap up with Holden trying to get everyone to buy several copies of her new book, High Performance Spark.
Apache Spark is one of the most popular big data projects, offering greatly improved performance over traditional MapReduce models. Much of Apache Spark’s power comes from lazy evaluation along with intelligent pipelining, which can make debugging more challenging. Holden Karau and Joey Echeverria explore how to debug Apache Spark applications, the different options for logging in Spark’s variety of supported languages, and some common errors and how to detect them.
Spark’s own internal logging can often be quite verbose. Holden and Joey demonstrate how to effectively search logs from Apache Spark to spot common problems and discuss options for logging from within your program itself. Spark’s accumulators have gotten a bad rap because of how they interact in the event of cache misses or partial recomputes, but Holden and Joey look at how to effectively use Spark’s current accumulators for debugging before gazing into the future to see the data property type accumulators that may be coming to Spark in future versions. And in addition to reading logs and instrumenting your program with accumulators, Spark’s UI can be of great help for quickly detecting certain types of problems. Holden and Joey cover how to quickly use the UI to figure out if certain types of issues are occurring in your job.
The talk will wrap up with Holden trying to get everyone to buy several copies of her new book, High Performance Spark.
The things we don't see – stories of Software, Scala and AkkaKonrad Malawski
Opening keynote for Scalapeno, Tel Aviv 2016.
The talk focuses and explains the things we don't often see explicitly and/or don't notice when doing our daily work, yet make up a large part of the ecosystem and maturity of the ecoststem as a whole. We also dive into some of the more confusing bits around using the same word about different things in software
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Samuel Lampa
A very quick overview of how Vagrant, Ansible and Docker fits nicely together as a very productive and flexible solution for creating automated development environments.
Similar to Dario Faggioli - Virtualization in the age of speculative execution HW bugs (20)
Jonathan Corbet - Keynote: The Kernel Reportlinuxlab_conf
A whirlwind tour of what has been happening in the kernel development community and what can be expected in the near future.
The Linux kernel is at the core of any Linux system; the performance and capabilities of the kernel will, in the end, place an upper bound on what the system as a whole can do. This talk will review recent events in the kernel development community, discuss the current state of the kernel and the challenges it faces, and look forward to how the kernel may address those challenges. Attendees of any technical ability should gain a better understanding of how the kernel got to its current state and what can be expected in the near future.
Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...linuxlab_conf
The Yocto Project is an open source collaboration project that provides models, tools and methods to create custom Linux-based systems for embedded products that are independent from the adopted hardware architecture. The project was created in 2010 as a collaboration among several hardware manufacturers, open-source operating system providers and electronics companies to bring some order into the chaos of Linux Embedded development. Over the years, Yocto Project has established itself as the de-facto standard for the generation of embedded Linux systems, surpassing alternative products thanks to its characteristics.
The free tools that Yocto provides are powerful and easily generated (including emulation environments, debuggers, an application generator toolkit, etc.). The complete abstraction from the hardware of the development environment allows to optimize the investments made during the prototyping phase. The Yocto Project encourages the adoption of this technology by the open source community allowing users to focus on the characteristics and development of their product.
Bruno Verachten - The Android device farm that fits in a (cloudy) pocketlinuxlab_conf
Android developers are facing a common problem: how to test our applications on many devices without sacrificing too much time or money? Could we use remotely all the devices inside the company with the continuous integration system? Maybe thanks to a low cost device farm that fits into a pocket?
Android developers are facing a common problem: how to test our applications on many devices without sacrificing too much time or money?
How to build and test automatically our applications for each commit? How can we find those devices inside the company, whatever its size may be? Could there be a directory somewhere that lists those available devices? Could we use a device remotely and share it with other developers as if it were in the cloud? What if you could answer all these questions with the help of a low cost device farm that fits into a pocket? A pocket full of clouds…
Poddingue, our proposal, aims to tackle this problem thanks to Docker, HypriotOS, Armbian, Gitlab CI and OpenSTF. It’s an internal solution made of OSS readily available, but it has not yet been publicly announced as a whole.
This is a feedback about an idea on its way to production, a long journey full of different feelings : horror, happiness, suspense, boredom…
Why should I come? This presentation won’t be too technical ; it is opened to anybody who has an interest into Android, exotic hardware or continuous integration, as long as you can stand a bad sense of humour. At the end of the talk, you should know how to build your own cloudy pocket farm of Android devices and how to use it to test your applications within your ci pipeline.
And as I am cheap, you will also be surprised at how little money you need to build it.
U-Boot project has evolved in the time span of over 17 years and so as its complexity and its uses. This has made it a daunting task in getting started with its development and uses. This talk will address all these issues start with overview, features, efforts created by community and future plans.
The U-Boot project has evolved in the time span of over 17 years and so as its complexity and its uses. This has made it a daunting task in getting started with its development and uses. This talk will address all these issues and share development efforts created by the U-Boot community.
In this talk Jagan Teki(Maintainer for Allwinner SoC, SPI, SPI FLASH Subsystems) will introduce U-Boot from scratch with a brief overview of U-Boot history, U-Boot Proper, SPL, TPL, Build process and Startup sequence. He will talk about other preliminaries such as Image booting, Falcon Mode, Secure Boot and U-Boot features like device tree, device overlays, driver model and DFU, etc.
Once giving enough introduction, he will also talk about steps to port U-Boot to new hardware with a demo, along with U-Boot testing process. Finally, he will address and review ongoing development work, issues and future development regarding U-Boot.
Claudio Scordino - Handling mixed criticality on embedded multi-core systemslinuxlab_conf
This talk illustrates how to use the Jailhouse hypervisor for running Linux alongside an RTOS on modern ARM multi-core SoCs, aiming at building smarter devices for the automotive market.
Recently, the industry has shown a growing interest for executing activities with different levels of criticality on the same multi-core SoC. These could consist, for example, of non-critical activities (e.g., monitoring, logging, human-machine intefaces) together with safety-critical tasks. The rationale behind this interest is the continuous need for reducing the time-to-market as well as the design and hardware costs. This is particularly suitable for the automotive market, where new infotainment functionalities might be coupled with traditional safety-critical tasks (e.g. engine/brake control). In this talk, we will present our experience (grown through the HERCULES EU project) in using the Jailhouse hypervisor for executing the Linux general-purpose OS alongside an automotive RTOS on modern ARM multi-core platforms. Besides providing useful instructions for using Jailhouse, we will illustrate a library designed for easing the communication between the two OSs as well as some mechanism for limiting the interference on shared hardware resources. Finally, a short video of a simple demo will show the effectiveness of the proposed approach.
Andrea Righi - Spying on the Linux kernel for fun and profitlinuxlab_conf
Do you ever wonder what the kernel is doing while your code is running? This talk will explore some methodologies and techniques (eBPF, ftrace, etc.) to look under the hood of the Linux kernel and understand what it’s actually doing behind the scenes.
This talk explores methodologies that allow to take a look “live” at kernel internal operations, from a network perspective, to I/O paths, CPU usage, memory allocations, etc., using in-kernel technologies, like eBPF and ftrace. Understanding such kernel internals can be really helpful to track down performance bottlenecks, debug system failures and it can be also a very effective way to approach to kernel development.
Jacopo Mondi - Complex cameras are complexlinuxlab_conf
The ‘complex camera’ user-space library is a fairly new and hot topic in the Linux kernel video community. The issue is debated and targets a real technical debt of Linux systems.
The Linux kernel video input subsystem and its APIs changed greatly in the last years to keep up with the increasing complexity and processing power embedded in modern SoCs. Namely, the biggest game-changing feature introduced already 5 years ago is the media controller subsystem and its pad oriented APIs, that allows composing pipelines of processing blocks to model the acquisition and re-processing of video and images.
While most of the media subsystem drivers in mainline Linux have been ported to fully support media-controller, the real missing component is now user space support to automate setting up and controlling the image processing pipelines.
The Video4Linux community is now tackling the issue by implementing support for “complex camera” systems by providing a user space library that aims to support the most recent use cases represented by mobile consumer devices and high end laptops.
This talks provides an overview of the in-kernel APIs of modern media-controller capable video device drivers, their userspace APIs and the challenges the currently in-development library has to face.
It also aims to provide to both driver and application developers an overview of the most modern implementation of the Linux video input stack architecture, that will likely be found in most system in next years.
Alessio Lama - Development and testing of a safety network protocollinuxlab_conf
The progress in the industrial automation, automotive, biomedical and avionic sectors requires the use of safety network protocols that in some cases have to satisfy real time constrains. In this talk we will discuss about facing the major issues of the network, which tools to use to test and analyze the protocol and we will understand the usefulness of integrating PTP and PRP modules in our communication.
Emanuele Faranda - Creating network overlays with IoT devices using N2Nlinuxlab_conf
When building a network of communicating IoT devices, it is compulsory to ensure that all the devices are reachable regardless of their IP address and location. This talk is about an open source software named n2n that enables secure communication over a lightweight and secure p2p network overlay.
When building a network of IoT devices, communication topology can be a problem as some of them might be behind a NAT, and some others might be reachable only from certain network nodes. Furthermore the advent of mobile and automotive computing with non persistent addressing will make all this even more challenging. To address all this, usually people use a centralised cloud-based topology that makes the network weak and not optimal, as all the devices have to communicate though this central point instead, when possible, to talk directly. However the cloud does not address privacy and security, in particular when IoT devices are used and developers and not fully aware of security issues: this can be addressed by a network overlay that tackles this problem at network instead that at application level This talk is about an open source, lightweight network overlay software named n2n ( https://github.com/ntop/n2n ) [available for Linux, BSD, MacOS, Windows] developed by the authors, that enables the creation of a persistent network that promotes secure communications even on environments where security is an option, or some communications are prevented by NATs or firewall devices.
Michele Dionisio & Pietro Lorefice - Developing and testing a device driver w...linuxlab_conf
The development of device drivers usually requires hardware availability. We will try to address this issue by simulating our “missing” device thanks to a QEMU ARM machine. The fake device will be tested and debugged using bare-metal software, again running in QEMU. Finally, we will write a Linux device driver from scratch that will interact with the device and expose it to the userspace.
The training assumes some basic knowledge of the C programming language and using Linux as a development platform. During the training, we will show how to build the Linux kernel and write a simple yet complete device driver, how to use QEMU as a development platform and a few notions of bare-metal and kernel code debugging.
Valerio Di Giampietro - Introduction To IoT Reverse Engineering with an examp...linuxlab_conf
Introduction to firmware reverse engineering process of IoT devices. The process, described with an example on a home router, is based on Information Gathering of hardware and software, Building of an Emulation Environment to run binaries, and Techniques to analyze, hack and modify the firmware.
The introduction to firmware reverse engineering process is described with a real example, done by the author, on a recent home router with the target to load a modified firmware overcoming the router protection that doesn’t allow loading of unsigned firmware (ref: https://github.com/digiampietro/adbtools2 )
The process described is based on:
Information Gathering hw: identify main device components (CPU, Flash, SDRAM, main components) hw: locate UART and JTAG interfaces hw tools: Bus Pirate, OpenOCD, Jtagulator sw: get os image file or firmware file sw tools: strings, file, binwalk, dd, jefferson, uncramfs etc. identification of CPU, Flash, RAM, kernel version, C library, toolchain used etc. identification of Original Manufacturer and Original Firmware Manufacturer Emulation Environment using QEMU select a QEMU machine and CPU reasonably similar to the IoT device (same CPU, similar kernel version, similar modules and libraries) select a tool to build the kernel and the root file system (brief description of Yocto Project, Buildroot and OpenWRT build system). Buildroot will be used in the example and described in more detail Buildroot and kernel configuration, generation of root file system with binaries and libraries with debugging information Overcoming obstacles created by the firmware manufacturer Running interesting binaries in the emulated environment Use tools like strace, ltrace, gdb to reverse engineer the most interesting binaries Analyze how the device works the firmware upgrade process CLI and Web interface analisys main processes analisys finding vulnerabilities hacking into the system hack the firmware upgrade process replace the original firmware Create a Firmware Modification Kit to simplify the firmware modification process.
Mirko Damiani - An Embedded soft real time distributed system in Golinuxlab_conf
An embedded system usually involves low level languages like C and highly customized hardware. In this talk we will see a use case of a soft real time system which was developed taking a very different approach, written in Go. We will see what are the advantages of this choice, along with its limits.
Tommaso Cucinotta - Low-latency and power-efficient audio applications on Linuxlinuxlab_conf
Building Linux-based low-latency audio processing software for nowadays multi-core devices can be cumbersome. I’ll present some of our on-going research on the topic at the Real-Time Systems Lab of Scuola Superiore Sant’Anna, focusing on sound synthesis on Android where power-efficiency is a must.
The talk will provide basic background information on how the audio sub-system of Linux works, in terms of interactions between the Linux kernel and the ALSA sound architecture, including how user-space applications normally cope with low-latency requirements, touching briefly on design concepts behind the existence of the JACK low-latency framework. Then, a few concepts will be provided on the peculiarities of the Android audio processing pipeline, crossing the concepts with the due complications arising from the world of mobile and power-efficient devices. Throughout the talk, I’ll touch upon concepts behind our research efforts on the topic, describing how properly designed real-time CPU scheduling strategies can make a difference in what is achievable in this area.
Angelo Compagnucci - Upgrading buildroot based devices with swupdatelinuxlab_conf
This talk will guide you through the perils of building a resilient software stack for embedded system using buildroot as a base, stuff your software in between and adding swupdate as cherry on top! The talk will be composed by three main areas:
How to use buildroot as a base system for your stack
An introduction to swupdate and it’s fields of use
An example of using buildroot + swupdate to update your stack.
In the first we will talk about using buildroot as base for your software and how to add your software around. Buildroot make really easy to build a complete firmware image when using the standard configurations provided by the software but it could be cumbersome if you want to add your software in simple, easy and automated way. So we will show you how to write a simple makefile to add your software as an external component and how to automate the process of compiling everything to produce your binary artifacts.
The second part will discuss about swupdate and it’s field of use. Swupdate provides several ways of use: it can be used in a simple way, it could be integrated to do A/B updates, it could be used via network or locally using a medium. We will discuss about the possibility of approaches of system updates and how swupdate can satisfy each one of the use cases.
The third phase will show you a real approach adopted to solve a specific use cause with the hope it can be used a reference for auditor specific needs.
Stefano Cordibella - An introduction to Yocto Projectlinuxlab_conf
If you heard something about Yocto, bitbake, openembedded, layers, recipes and you want to know more about that, this talk is for you. In this presentation you will be introduced to the Yocto Project build system starting from the basic concepts of metadata up to the use of the build system “tasks” in order to create your own embedded linux distribution. I will start speaking about the pros and cons of the Yocto Project compared to the other embedded linux build systems. Then we go deep into the framework components: poky, openembedded core and bitbake. The practical use of the recipes, packagegroups, images and machines files will be explained by examples. Finally an example on how to integrate an extra layer will be showed demonstrating the ease of use and the modularity of the build system.
Luca Cipriani - Control your Embedded Linux remotely by using MQTT and a web ...linuxlab_conf
To manage remotely your IoT device without knowing the IP address of the device we used MQTT and a set of custom go libraries. With this architecture Arduino Create Agent allows users to deploy container remotely. A journey on Docker client, APT command line, sockets, systemd and much more on Arm and Intel Linux devices.
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
The exploding popularity of Embedded/IoT computing facilitate this security problems using low or non-existent security policies and exploits countermeasures. So why not explore some security measures that are widely available in the Linux world? We will focus on memory corruption techniques.
The Linux kernel was always focused on security features and giving bad times to the exploiters. This talk will introduce some common exploits and techniques, showing the mitigations employed by the kernel. By focusing on the major threats that affects modern Linux boxes, we will see which are the main features that can give problems to the system administator and how a preliminary penetration test can be done, ensuring that the system is in a sane state. The talk will also focus on problematics of embedded/IoT Unix systems, showing how some recent attacks gained control over a big network of devices and how a simple embedded system can be analyzed, hunting for bugs. Talk outline: Penetration testing, Linux, netfilter/bpf, memory corruption, ASLR, Spectre/Meltdown.
Luca Abeni - Real-Time Virtual Machines with Linux and kvmlinuxlab_conf
This talk describes how to use some available technologies (the SCHED_DEADLINE scheduling policy, the PREEMPT_RT patchset, etc…) to execute real-time applications in kvm-based virtual machines while still providing performance guarantees to the virtualized applications.
In recent years, there has been a growing interest in supporting virtualized services even in embedded and real-time systems. However, executing real-time applications (characterized by temporal constraints) in virtual machines is not straightforward and presents some non-trivial challenges. This talk will describe how to use some technologies already available in the Linux kernel (the SCHED_DEADLINE scheduling policy, the PREEMPT_RT patchset, etc…) to execute real-time applications in kvm-based virtual machines while still providing performance guarantees to the virtualized applications. After presenting the problem (and providing a quick summary about real-time scheduling), it will be shown how to configure the host and guest kernels and the virtual machine, and how to schedule the VM threads in order to achieve predictable response times and to provide real-time guarantees.
Luca Ceresoli - Buildroot vs Yocto: Differences for Your Daily Joblinuxlab_conf
Buildroot and Yocto, the two leading embedded Linux buildsystems, have largely overlapping goals but vastly different implementations.
Perhaps you’re familiar with either, and wonder how your daily job would change if you used the other.
Luca will share insights he gained while managing projects with both tools, spending a lot of time in learning how to achieve the same goals in a different way.
He will give a sort of “translation table” to ease the transition
between the two, covering: bootstrapping a project, what happens under the hood, invoking the build, customizing the rootfs and tweaking recipes.
Zoom is a comprehensive platform designed to connect individuals and teams efficiently. With its user-friendly interface and powerful features, Zoom has become a go-to solution for virtual communication and collaboration. It offers a range of tools, including virtual meetings, team chat, VoIP phone systems, online whiteboards, and AI companions, to streamline workflows and enhance productivity.
Atelier - Innover avec l’IA Générative et les graphes de connaissancesNeo4j
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement.
Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Łukasz Chruściel
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
OpenMetadata Community Meeting - 5th June 2024OpenMetadata
The OpenMetadata Community Meeting was held on June 5th, 2024. In this meeting, we discussed about the data quality capabilities that are integrated with the Incident Manager, providing a complete solution to handle your data observability needs. Watch the end-to-end demo of the data quality features.
* How to run your own data quality framework
* What is the performance impact of running data quality frameworks
* How to run the test cases in your own ETL pipelines
* How the Incident Manager is integrated
* Get notified with alerts when test cases fail
Watch the meeting recording here - https://www.youtube.com/watch?v=UbNOje0kf6E
Transform Your Communication with Cloud-Based IVR SolutionsTheSMSPoint
Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony
Graspan: A Big Data System for Big Code AnalysisAftab Hussain
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS ‘17, Xi’an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17.
- Invited for presentation at SoCal PLS ‘16.
- Invited for poster presentation at PLDI SRC ‘16.
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteGoogle
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
What is Augmented Reality Image Trackingpavan998932
Augmented Reality (AR) Image Tracking is a technology that enables AR applications to recognize and track images in the real world, overlaying digital content onto them. This enhances the user's interaction with their environment by providing additional information and interactive elements directly tied to physical images.
Artificia Intellicence and XPath Extension FunctionsOctavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...kalichargn70th171
A dynamic process unfolds in the intricate realm of software development, dedicated to crafting and sustaining products that effortlessly address user needs. Amidst vital stages like market analysis and requirement assessments, the heart of software development lies in the meticulous creation and upkeep of source code. Code alterations are inherent, challenging code quality, particularly under stringent deadlines.
4. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Spectre, Meltdown & Friends
● Spectre v1 - Bounds Check Bypass
● Spectre v2 - Branch Target Isolation
● Meltdown - Rogue Data Cash Load (a.k.a. Spectre v3)
● Spectre v3a- Rogue System Register Read
● Spectre v4 - Speculative Store Bypass
● LazyFPU - Lazy Floating Point State Restore
● L1TF - L1 Terminal Fault (a.k.a. Foreshadow)
Will cover: Spectre v2, Meltdown, Foreshadow
Stop me and ask (or ask at the end, or ask offline)
Spotted a mistake? Do not hesitate point’n out... Thanks! ;-)
5. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
● speculate = to guess, execution = to do something
speculative execution = do something based on a guess
● IRL:
○ You to a friend: <<hey, do you want a cup coffee?>>
○ While talking/waiting for answer: turn on machine, prep. cups, ...
● In CPUs:
○ Memory is slow. While waiting for data, do something
○ instruction reordering, superscalar pipelines, branch prediction, ...
if <A> is true
do <x>
○ Modern CPUs speculate a lot!
Kernel Recipes ‘18: Paolo Bonzini - "Meltdown and Spectre: seeing through the magician’s tricks"
Very good technical intro to speculative execution
Speculative execution
do <x> | check <A>
Speculative Execution:
do <x> , while waiting to be
able to check <A>
6. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Speculative Execution:
Alternate Universes (*)
● I can create an alternate universe
● everything the same, I have superpowers:
– I can do whatever I want, I always succeeds
(it's my alternate universe! :-D )
● After, say, 30 seconds:
– alternate universe disappears
– in the original universe, I remember nothing :-(
– good things I've done ⇒ "copied" back to original universe
– bad things I've done ⇒ never happened in original universe
(*) Analogy stolen from George’s talk https://youtu.be/36jta61XTw8
7. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Speculative Execution:
Alternate Universes (*)
● I can create an alternate universe
● everything the same, I have superpowers:
– I can do whatever I want, I always succeeds
(it's my alternate universe! :-D )
● After, say, 30 seconds:
– alternate universe disappears
– in the original universe, I remember nothing
– good things I've done ⇒ "copied" back to original universe
– bad things I've done ⇒ never happened in original universe
(*) Analogy stolen from George’s talk https://youtu.be/36jta61XTw8
What if, alteration of the heat of
objects, happening in the
alternate universe, leaks to
original universe?
8. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Speculative Execution:
Alternate Universes (*)
● I can create an alternate universe
● everything the same, I have superpowers:
– I can do whatever I want, I always succeeds
(it's my alternate universe! )
● After, say, 30 seconds:
– alternate universe disappears
– in the original universe, I remember nothing
– good things I've done ⇒ "copied" back to original universe
– bad things I've done ⇒ never happened in original universe
(*) Analogy stolen from George’s talk https://youtu.be/36jta61XTw8
What if, alteration of the heat of
objects, happening in the
alternate universe, leaks to
original universe?
9. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Speculative Execution:
Alternate Universes (*)
● I can create an alternate universe
● everything the same, I have superpowers:
– I can do whatever I want, I always succeeds
(it's my alternate universe! )
● After, say, 30 seconds:
– alternate universe disappears
– in the original universe, I remember nothing
– good things I've done ⇒ "copied" back to original universe
– bad things I've done ⇒ never happened in original universe
(*) Analogy stolen from George’s talk https://youtu.be/36jta61XTw8
What if, alteration of the heat of
objects, happening in the
alternate universe, leaks to
original universe?
Stop looking at
Facebook, BTW!
10. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Speculative Execution Attack
result_bit = 0; //goal: read the 5th bit of what's at an address
bit = 4; //that I normally wouldn't be able to read!
flush_cacheline(L);
if ( fork_alt_univ() ) { //returns 1 in alternate, 0 in original universe
:-)
if ( *target_address & (1 << bit) )
//in the alternate universe now
load_cacheline(L);
}
if ( is_cacheline_loaded(L) )
//”Back” in in original universe
result_bit = 1;
do it in a loop, use a bitmask and shift (<<)
11. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Speculative Execution Attack
result_bit = 0; //goal: read the 5th bit of what's at an address
bit = 4; //that I normally wouldn't be able to read!
flush_cacheline(L);
if ( fork_alt_univ() ) { //returns 1 in alternate, 0 in original universe
:-)
if ( *target_address & (1 << bit) )
//in the alternate universe now
load_cacheline(L);
}
if ( is_cacheline_loaded(L) )
//”Back” in in original universe
result_bit = 1;
do it in a loop, use a bitmask and shift (<<)
The CPU is executing this “in
speculation” ==> no fault!
Cache used as a side-channel:
Extract information from behavior
E.g., our looking-at-Facebook
“heated” spoon, a stethoscope for
hearing locks’ clicks, ...
This is how we “trick” the CPU to
execute code “in speculation”
(e.g., “poison” branch prediction)
12. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Speculative Execution:
Fundamental Assumptions
● Spec. Execution ~= out-of-order execution + branch prediction
● Safe iff:
a. Rollback works: not retired (== executed speculatively, but
rolled back) instructions have no side effects and leave no trace
b. No messing with guesses: it is impossible to reliably tell
whether or not a particular block of code will be executed
speculatively.
13. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Speculative Execution:
Fundamental Assumptions
● Spec. Execution ~= out-of-order execution + branch prediction
● Safe iff:
a. Rollback works? Arch. registers, flags, …, OK.
Caches, TLBs, …, not so much :-(
b. No messing with guesses? Predictions based on history
(branch taken/not taken previous times), tagged by bits of the
branch instruction address (~ a cache/TLB) ⇒ can be “poisoned”
Spectre class vulnerabilities are hardware bugs represents
violations of the fundamental assumptions on top of which
we’ve been building massively parallel CPUs since ~20 years!
14. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com (*) slightly different between Xen and KVM
Virtualization, security, isolation ...
Virtualization Platform
Host: Kernel / Hypervisor (*)
Device Drivers
Host
User
Apps
HWMemory CPUsI/O
Memory
Management
Scheduler
Guest Kernel
Guest
User
Apps
Guest
User
Apps
Guest
User
Apps
VM3
Guest Kernel
Guest
User
Apps
Guest
User
Apps
Guest
User
Apps
VM4
Guest Kernel
Guest
User
Apps
Guest
User
Apps
Guest
User
Apps
VM1
Guest Kernel
Guest
User
Apps
Guest
User
Apps
Guest
User
Apps
VM2
15. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Attack Scenarios:
Virtualization Platform
Virtualization, security, isolation ...
Host: Kernel / Hypervisor
Device Drivers
Host
User
Apps
HWMemory CPUsI/O
Memory
Management
Scheduler
Guest Kernel
Guest
User
Apps
Guest
User
Apps
Guest
User
Apps
VM3
Guest Kernel
Guest
User
Apps
Guest
User
Apps
Guest
User
Apps
VM4
Guest Kernel
Guest
User
Apps
Guest
User
Apps
Guest
User
Apps
VM1
Guest Kernel
Guest
User
Apps
Guest
User
Apps
Guest
User
Apps
VM2
- Host User to
Other Host User(s)
- Guest User to
Other Guest User(s)
- Host User to
Host Kernel
- Guest User to
Guest Kernel
- Guest to
Other Guest(s)
- Guest User to
Hypervisor
- Guest Kernel to
Hypervisor
== successfully attacked!
(e.g., read data/steal secrets)
16. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Virtualization, security, isolation ...
Attack Scenarios:
1. Host User App to Other Host User Apps(s)
2. Guest User App to Other Guest User Apps(s)
– Damage contained within App(s) data inside a VM
– VM user must protect his/her apps
3. Host User to Host Kernel
4. Guest User to Guest Kernel
– implies nr. 2
– Damage contained within VM/customer
– Guest kernel must protect itself ( mitigations ~= Host User to Host Kernel case)
5. Guest to Other Guest(s) (*)
– VM 3 can steal secrets from VM 4
– Hypervisor must isolate VMs
6. Guest to Hypervisor (Bad! Bad! Bad! Bad!) (*)
– Damage: implies nr. 5 “on steroids”!
– Hypervisor must protect itself
(*) don’t really care if Guest User or Kernel: never trust VMs, guest kernel might
be compromised, and become malicious!
17. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Spectre v1
Bounds-Check Bypass (CVE-2017-5753)
● Attacks conditional branch prediction
● Vulnerable code (leaky gadget) must be present in target, or JIT (*)
● Affected CPUs: everyone (Intel, AMD, ARM)
uint8_t arr_size, arr[]; //array_size not in cache
Uint8_t arr_size, arr2[]; //elements 0 and 1 not in cache
//untrusted_index_from_attacker = <out of array[] boundaries>
if ( untrusted_index_from_attacker < arr_size ) {
val = arr[untrusted_index_from_attacker ];
idx2 = (val&1) + 1;
val2 = arr2[idx2]; //arr2[0] in cache ⇒ (arr[untrusted_index ]&1) = 0
} //arr2[1] in cache ⇒ (arr[untrusted_index ]&1) = 1
(*) Just in Time code generators
18. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Spectre v1
Bounds-Check Bypass (CVE-2017-5753)
● Attacks conditional branch prediction
● Vulnerable code (leaky gadget) must be present in target, or JIT (*)
uint8_t arr_size, arr[]; //array_size not in cache
Uint8_t arr_size, arr2[]; //elements 0 and 1 not in cache
//untrusted_index_from_attacker = <out of array[] boundaries>
if ( untrusted_index_from_attacker < arr_size ) {
val = arr[untrusted_index_from_attacker ];
idx2 = (val&1) + 1;
val2 = arr2[idx2]; //arr2[0] in cache ⇒ (arr[untrusted_index ]&1) = 0
} //arr2[1] in cache ⇒ (arr[untrusted_index ]&1) = 1
(*) Just in Time code generators
Target == kernel/hypervisor
(Linux if KVM, Xen if Xen). Not
really common!
Leaky gadget:
● Load a secret
● Leak it, by loading something
else, offseted by that secret
Xen: no JIT,
KVM: eBPF
Trigger speculation:
Make sure the branch is
predicted “taken”
(e.g., poison BHB)
19. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Spectre v1: Impact,
mitigations, performance
● Impact:
– Guest User App to Guest User App(s): yes (JIT, e.g., Javascript
in browsers)
– Guest User to Guest Kernel, Guest to Hypervisor, Containers:
well, theoretically (leaky gadgets or JIT in kernel/hypervisor)
● Extremely hard to exploit
● Mitigation:
– none… wait, what?
– Manual code sanitization
(a.k.a. playing the whack-a-mole game!)
– array_index_mask_nospec(), in Xen &
Linux, to stop speculation
● Performance Implications: none (clever
Tricks to avoid “fencing” …)
20. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Spectre v2
Branch Target Injection(CVE-2017-5715)
● Attacks indirect branch prediction: function pointers / jmp *(%r11)
● Attacker might be able to provide his own leaky gadget
● Affected CPUs: everyone (Intel, AMD, ARM)
Predictors of indirect branch targets:
● Are based on previous history (BTB); can be “poisoned”
● Branches done in userspace influence predictions in kernel space
● Branches done in SMT thread influence predictions on sibling
Attack:
● Same leaky gadget based strategy (PoC for KVM via eBPF)
● Attacker provided leaky gadget if !SMEP on the CPU (on x86)
Marc Zyngier - KVM/arm Meets the Villain: Mitigating Spectre
Very good talk about ARM specifics challenges
21. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Spectre v2
Let’s set up a trap for speculation:
Address Instruction
0x001123 jmp *(%r11) //r11 = 0xddeeff
... ...
... ...
0xaabbcc <my leaky gadget> //either target’s or
... ... //attacker’s code
... ...
0xddeeff <xxx>
<yyy>
Regular Execution:
● We are at (1)
● We jump at (2)
(1)
(2)
Indirect branch:
● Function
pointer
● Which
function is
pointed is
predicted
22. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Spectre v2
Let’s set up a trap for speculation:
Address Instruction
0x001123 jmp *(%r11) //r11 = 0xddeeff
... ...
... ...
0xaabbcc <my leaky gadget> //either target’s or
... ... //attacker’s code
... ...
0xddeeff <xxx>
<yyy>
Regular Execution:
● We are at (1)
● We jump at (2)
(1)
(2)
Speculative Execution (Attack):
● We poison BTB to think that
r11 = aabbcc
● We are at (1)
● We enter speculation at (1s),
where’s the leaky gadget
(1)
(1s)
0xaabbcc
23. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Spectre v2: Impact
● Guest User to Guest Kernel, (Guest User App to Guest User
App(s)): yes (JIT, e.g., Javascript in browsers)
● Guest to Other Guest(s): yes (via Guest to Hypervisor)
● Guest to Hypervisor: yes (existing leaky gadget if SMEP,
or via JIT)
● Containers: affected
● Reasonably hard to exploit, exp. for vitrtualization
SMEP: Supervisor Mode Exec. Protection (Fischer, Stephen (2011-09-21))
– Kernel won’t execute User App code
– We can’t make kernel speculatively jump to a User App provided leaky gadget
24. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Spectre v2: retpoline
Let’s set up a trap for speculation:
jmp *(%r11)
Replacement can happen:
● kernel/hypervisor & userspace: compiler support
(<<yay, let’s recompile everything!>> :-/ )
● kernel/hypervisor: binary patching (e.g., alternatives.)
call set_up_target;
capture_spec:
pause; lfence;
jmp capture_spec;
set_up_target:
mov %r11, (%rsp);
ret;
25. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Let’s set up a trap for speculation:
jmp *(%r11)
• Skylake+: ret target might be predicted with BTB lwn.net/Articles/745111/
• “RSB Stuffing” Retpoline: A Branch Target Injection Mitigation
call set_up_target;
capture_spec:
pause; lfence;
jmp capture_spec;
set_up_target:
mov %r11, (%rsp);
ret;
Key point: call/ret have their own
predictor (RSB) different than indirect
jmp one (BTB)
(1) we jmp to known label/address: no
prediction or speculation (with call)
(2) we what the last call (at (1)) put on
the stack for the next ret with *(%r11)
(3) ret sends us to *(%r11); predicted target,
via RSB, is below last call (i.e.,
capture_spec)
(4) while code executes at *(%r11),
speculation is trapped in infinite loop!
Spectre v2: retpoline
Key point:
call/ret have
their own
predictor (RSB)
different than
indirect jmp one
(BTB)
26. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Spectre v2:
IBPB, STIBP, IBRS
Firmware/Microcode update (e.g., from Intel).
Gross hacks… ahem.. New instructions:
● IBPB: flush all branch info learned so far
● STIBP: ignore info of branches done on sibling hyperthread
● IBRS: ignore info of branches done in a less-privileged mode
(before it was most recently set)
Intended usage:
● IBPB: on context and/or vCPU switch. Prevents App/VM A
influencing (poisoning?) branch predictions of App/VM B
● STIBP: when running with HT. Prevents App/VM running on thread
influencing (poisoning?) branch predictions of App/VM on sibling
● IBRS: when entering kernel/hypervisor. Prevents Apps/VMs
influencing (poisoning?) branch predictions in kernel/hypervisor
27. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Spectre v2: Mitigation(s)
● User Apps:
– retpoline
– Make timer less precise ⇒ harder to measure side effects!
– IBPB & STIBP (Spectre v2 app2app, in these days)
● Xen: tries to pick best combo at boot
– retpoline, when safe. IBRS, when reptoline-unsafe
– IBPB at VM switch
– Clear RSB on VM switch
● KVM:
– reptoline + some IBRS (e.g., when calling into firmware)
– IBPB at VM switch (heuristics for IBPB at context switch)
– Clear RSB on context/VM switch
● Both Xen, KVM: IBRS, IBPB, STIBP available/virtualized for VMs too
28. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Spectre v2:
Performance Impact
It’s complicated!
● retpoline: good performance… is it enough paranoia protection?
● IB* barriers:
– IBPB: moderate imapact
– IBRS: impact varies a lot, depending on hardware
– STIBP: (these days) huge impact ⇒ making it per-app opt-in
E.g. Intel:
• pre-Skylake: super-bad
• post-Skylake: not-too-bad
– ⇒ it’s not only the flushing
• x86 : these are, for now, MSR write (sloooow!)
• ARM: on one CPU, disable/re-enable the MMU! :-O
●
29. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Meltdown (Spectre v3)
Rouge Data Cache Load (CVE-2017-5754)
● Virtual Memory, paging, system/user (s/u) bit:
– Kernel: ring0, can access all memory pages
– User Apps: ring3, can’t access kernel’s (ring0) pages
● While in speculation:
– Everyone can access everything!
• Kernel can read kernel addresses
• Kernel can read user addresses
• User can read user addresses
• User can read kernel addresses…
● No leaky gadget needed in kernel/hypervisor.
Attacker can use her own in user code (much,much
worse than Spectre!)
● Affected CPUs: Intel, one ARM CPU
30. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Meltdown
App A
Kernel
App B
App C
App A
Kernel
App A
Kernel
Host Physical
Memory
Virtual Memory
of App A running
in User Mode
(ring3)
Mapping
Mapping
Page Tables
(MMU)
Virtual Memory
of App A running
in Kernel Mode
(ring0)
Yes, virtual memory map is
identical for User App A, when
running in both user and kernel
mode! Why?
● User apps switch from user
to kernel mode: e.g., syscall,
interrupts, …
● Changing virtual memory
map come at high price: TLB
flush
● Kernel is the same for
everyone, so, why bother?
31. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Meltdown
App A
Kernel
App B
App C
App A
Kernel
App A
Kernel
Host Physical
Memory
Mapping
Mapping
Page Tables
(MMU)
Yes, virtual memory map is
identical for User App A, when
running in both user and kernel
mode! Why?
● User apps switch from user
to kernel mode: e.g., syscall,
interrupts, …
● Changing virtual memory
map come at high price: TLB
flush
● Kernel is the same for
everyone, so, why bother?
(a)
Virtual Memory
of App A running
in User Mode
(ring3)
Virtual Memory
of App A running
in Kernel Mode
(ring0)
But… Can’t App A,
running in User
Mode, access
Kernel memory
then?
32. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Meltdown
App A
Kernel
App B
App C
App A
Kernel
App A
Kernel
Host Physical
Memory
Mapping
Mapping
Page Tables
(MMU)
(a)
Accessing Kernel Memory
from User Mode (a):
● Normally, s/u bit in page
tables:
– Forbidden in user
mode
– Permitted in kernel
mode
● Speculatively:
Always permitted, s/u
bit in page tables
ignored
Virtual Memory
of App A running
in User Mode
(ring3)
Virtual Memory
of App A running
in Kernel Mode
(ring0)
33. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Meltdown
User space code:
int w, x, xx, array[];
if ( <false_but_predicted_as_true> ) {
w = *((int*) kernel_memory_address );
x = array[(w & 0x001)];
}
t0 = rdtsc(); xx = array[0]; t0 = rdtsc() - t0
t1 = rdtsc(); xx = array[1]; t1 = rdtsc() - t1
if ( t0 < t1)
//access to array[0] faster → (* kernel_memory_address )&1 = 0
else
//access to array[1] faster → (* kernel_memory_address )&1 = 1
34. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Meltdown
User space code:
int w, x, xx, array[];
if ( <false_but_predicted_as_true> ) {
w = *((int*) kernel_memory_address );
x = array[(w & 0x001)];
}
t0 = rdtsc(); xx = array[0]; t0 = rdtsc() - t0
t1 = rdtsc(); xx = array[1]; t1 = rdtsc() - t1
if ( t0 < t1)
//access to array[0] faster → (* kernel_memory_address )&1 = 0
else
//access to array[1] faster → (* kernel_memory_address )&1 = 1
Trigger speculation:
Make sure the branch is
predicted “taken”
(e.g., poison BHB)
Accessed in speculation:
● Privilege check
bypassed
● No fault (instruction
doesn’t retire)
Leaky gadget:
● Load a secret
● Load something else,
offseted by that secret
Entirely under attacker’s control!
35. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Meltdown: Impact
● Guest User to Guest Kernel (Guest User App to Guest User App(s)):
– KVM: yes (User to User goes via kernel mappings in User Apps)
– Xen HVM, PVH, PV-32bit[1]: yes (User to User goes via kernel
mappings in User Apps)
– Xen PV-64bit: no [2]
● Guest to Hypervisor (Guest to Other Guest(s)):
– KVM: no
– Xen HVM, PVH, PV-32bit: no
– Xen PV-64bit: yes :-(( [2]
● Containers: affected :-((
● Rather easy to exploit !
[1] Address space is too small
[2] Looong story… ask offline ;-P
36. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Meltdown: {K,X}PTI
KPTI / XPTI:
Kernel Page Table Isolation,
Xen Page Table Isolation:
● In speculation CPU can
access everything that
is mapped
App A
Kernel
App B
App C
App A App A
Kernel
Host Physical
Memory
Mapping
Mapping
Page Tables
(MMU)
(a)
Virtual Memory
of App A running
in User Mode
(ring3)
Virtual Memory
of App A running
in Kernel Mode
(ring0)
(*) Only “trampolines” for syscalls, IRQs, ...
Kernel
37. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Meltdown: {K,X}PTI
KPTI / XPTI:
Kernel Page Table Isolation,
Xen Page Table Isolation:
● In speculation CPU can
access everything that
is mapped
● Let’s *not* map
everything! … … … ...
… … and pay the price
for that! :-(
App A
Kernel
App B
App C
App A
Kernel (*)
App A
Kernel
Host Physical
Memory
Mapping
Mapping
Page Tables
(MMU)
(a)
Virtual Memory
of App A running
in User Mode
(ring3)
Virtual Memory
of App A running
in Kernel Mode
(ring0)
(*) Only “trampolines” for syscalls, IRQs, ...
38. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Meltdown: PCID
● User Mode ⇒ Kernel Mode (and vice-versa)
– syscalls, IRQs, ...
– Change virtual memory layout (CR3 register)
– Flush all TLB (~ page tables cache). It really hurts performance
● PCID (Process-Context IDentifier):
– Tag TLB entries ⇒ flush all TLB flush selectively
– In Intel CPUs since 2010 !!! (PCID in Westmere, INVPCID in Haswell)
● Until now … … …
– complicate to use, and we map everything anyway,
why bother?
● Now (i.e., after Meltdown):
– Let’s bother!
– Used in both Xen and Linux
40. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Meltdown:
Performance Impact
Expected: from -5% to -30% performance impact
● Workload dependant: worse if I/O and syscall intensive
● Slowdowns of more than -20% reached only on synthetic
benchmarks (e.g., doing lots of tiny I/O)
● For “typical” workloads, we’re usually well within -10% ...
● … with PCID support!
– LKML posts: postgres -5%, haproxy -17%
– Brendan Gregg - KPTI/KAISER Meltdown Initial Performance Regressions
– Gil Tene - PCID is now a critical performance/security feature on x86
42. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Spectre v4 (Spectre-NG)
Speculative Store Bypass (SSB) (CVE-2018-3639)
● Affected CPUs: everyone (Intel, AMD, ARM)
● in speculation, a load from an address can observe the result of a
store which is not the latest store to that address:
– STO 1 → R1
STO 2 → R1
(in speculation) LOAD R1 ⇒ sees 1 !!!
– E.g.:
user: syscall() ← pass data
Kernel: copy data on stack
… … … …
Kernel: store data on stack
Kernel: load data from stack ⇒ sees previous user provided data
!!!
● Similar to Spectre v1: needs leaky gadget or JIT
● New instruction SSDB ⇒ no use Xen/KVM, useful for User Apps in
43. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
LazyFP (Spectre v5)
Lazy FPU State Leak (CVE-2018-3665)
● Affected CPUs: Intel
● FPU context is large
– let’s ignore it at context switches
– Mark it as invalid
– If new context (process/VM) needs it: save it, switch it
and mark as valid again
● Speculative execution:
– New context needs it ⇒ uses it right away, in speculation, with
old context’s values in it!
– “old context’s values”: how about keys or crypto stuff?!?!
● XSAVEOPT ...
44. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
L1TF (Foreshadow-NG)
L1TF / Foreshadow-NG (CVE-2018-3620, CVE-2018-3646)
● Like Meltdown. But scarier. And almost harder to fix (for virt)!
● Meltdown: user space can read kernel pages,
if they’re mapped in its address space
– s/u bit in page table entries, ignored, in speculation
– User space manages to maliciously read (in speculation)
all its virtual addresses
● L1TF: guests can kind of read physical memory directly!
– present bit in page table entries ignored, in speculation
– Guest manages to maliciously read (in speculation)
all RAM ⇒ PTI is useless
– … … … and, believe me, it gets worse !!!
● Affects only Intel (~= Meltdown)
45. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
HW
L1TF
Regular execution
App accesses data in
present page:
1. Guest page
tables
2. Host page tables
3. Host cache
4. Cache hit! deliver
to guest
---
4. Cache miss…
fetch from host
RAM
5. Deliver to host
caches
6. Deliver to guest
Host: Kernel /
Hypervisor
Device Drivers
CPUs
I/O
Memory
Management
Scheduler
Guest Kernel
Guest User App A
VM 1
Guest Virt. Addr.
Guest Phys. Addr.
Host Phys. Addr.
L1 Cache
L2 Cache
L2 Cache
Memory
page present: Y
46. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
HW
L1TF
Regular execution
Guest accesses data in
non present page:
1. Guest page
tables
2. Non present /
malicious address
3. Host page fault
Host: Kernel /
Hypervisor
Device Drivers
CPUs
I/O
Memory
Management
Scheduler
Guest Kernel
Guest User App A
VM 1
Guest Virt. Addr.
Guest Phys. Addr.
Invalid for VM 1
L1 Cache
L2 Cache
L2 Cache
Memory
FAULT!
Potentially malicious
App A, or VM 1 (or
both), trying to steal
from host or other
VMs: stopped!
* Swap page in
* kill VM
* ...
47. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
HW
L1TF
Regular execution
App accesses data in
non present page:
1. Guest page
tables
2. Non present /
malicious address
3. Guest page fault
Host: Kernel /
Hypervisor
Device Drivers
CPUs
I/O
Memory
Management
Scheduler
Guest Kernel
Guest User App A
VM 1
Guest Virt. Addr.
Invalid for AppA L1 Cache
L2 Cache
L2 Cache
Memory
FAULT!
Potentially Malicious
App A (e.g., trying to
steal data within
VM 1): stopped!
page present: N
* Swap page in
* SEGFAULT
* ...
49. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
HW
L1TF
Speculative
execution
App (speculatively)
accesses data in non
present page:
1. Guest page
tables
2. Host cache
3. Cache hit! deliver
to guest
What?!?!
Host: Kernel /
Hypervisor
Device Drivers
CPUs
I/O
Memory
Management
Scheduler
Guest Kernel
Guest User App A
VM 1
Guest Virt. Addr.
Invalid for AppA L1 Cache
L2 Cache
L2 Cache
Memory
NB!!!
Potentially malicious
App A, or VM (or both),
managed to read
arbitrary data from
host’s L1 cache: can be
host’s or other VMs’
secrets!
50. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
HW
L1TF
Host: Kernel /
Hypervisor
Device Drivers
CPUs
I/O
Memory
Management
Scheduler
Guest Kernel
Guest User App A
VM 1
Guest Virt. Addr.
Invalid for AppA L1 Cache
L2 Cache
L2 Cache
Memory
Speculative
execution
App (speculatively)
accesses data in non
present page:
1. Guest page
tables
2. Host cache
3. Cache hit! deliver
to guest
What?!?!
Is this really dangerous?
● Attacker must control VMs’
kernel ⇒ generate malicious
guest addresses
● (doable from userspace, but really
difficult)
● Sensitive data must be in host’s L1
cache; L1 cache is small;
turnaround is quick; ...
Potentially malicious
App A, or VM (or both),
managed to read
arbitrary data from
host’s L1 cache: can be
host’s or other VMs’
secrets!
51. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
HW
L1TF
Host: Kernel /
Hypervisor
Device Drivers
CPUs
I/O
Memory
Management
Scheduler
Guest Kernel
Guest User App 1
VM 1
Guest Virt. Addr.
Invalid for AppA L1 Cache
L2 Cache
L2 Cache
Memory
Hypertrheading (HT) /
Simmetric Multi-Threading (SMT)
to the rescue… of the attacker!!! :-/
● SMT Siblings share L1 cache
Speculative
execution
App (speculatively)
accesses data in non
present page:
1. Guest page
tables
2. Host cache
3. Cache hit! deliver
to guest
What?!?!
Is this really dangerous?
● Attacker must control VMs’
kernel ⇒ generate malicious
guest addresses
● (doable from userspace, but really
difficult)
● Sensitive data must be in host’s L1
cache; L1 cache is small;
turnaround is quick; ...
Potentially malicious
App A, or VM (or both),
managed to read
arbitrary data from
host’s L1 cache: can be
host’s or other VMs’
secrets!
52. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
L1TF: hyperthreading
Without Hyperthreading:
With Hyperthreading:
L1 Cache
VM 1
1. VM 1 runs on CPU
2. VM 1 puts secrets in L1 cache
3. VM 1 leaves CPU
4. VM 2 runs on CPU
5. VM 2 reads VM 1’s secrets!
VM 2
(1)
(2)
(3)
(4)
(5 -
L1TF)
L1 Cache
VM 1 VM 2(1) (3)
(2)
(4 -
L1TF)
1. VM 1 runs on Thread A
2. VM 2 runs on Thread B
3. VM 1 puts secrets in L1 cache
4. VM 2 reads VM 1’s secret
from L1 cache
Context Switch
No context switch
needed...
Guest (Kernel) to Other Guest(s) attack
53. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
L1TF: hyperthreading
Without Hyperthreading: mitigation
With Hyperthreading: err… mitigation?
L1 Cache
VM 1
1. VM 1 runs on CPU
2. VM 1 puts secrets in L1 cache
3. VM 1 leaves CPU
4. Hypervisor: flush L1 cache
5. VM 2 runs on CPU
6. VM 2 reads VM 1’s secrets!
VM 2
(1)
(2)
(3)
(5)
L1 Cache
VM 1 VM 2(1) (3)
(2)
(4 -
L1TF)
1. VM 1 runs on Thread A
2. VM 2 runs on Thread B
3. VM 1 puts secrets in L1 cache
Hypervisor: THERE’S
NOTHING I CAN DO !!!
4. VM 2 reads VM 1’s secret
from L1 cache
ContextSwitch
(4)
Guest (kernel) to Other Guest(s) attack
54. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
L1TF: hyperthreading
Without Hyperthreading:
With Hyperthreading:
L1 Cache
1. Hypervisor runs on CPU
2. Hypervisor puts secrets in L1
3. Hypervisor leaves CPU
4. VM 2 runs on CPU
5. VM 2 reads hypervisor’s
secrets!
VM 2
(1)
(2)
(3)
(4)
(5 -
L1TF)
L1 Cache
VM 2(1) (3)
(2)
(4 -
L1TF)
1. Hypervisor runs on Thread A
2. VM 2 runs on Thread B
3. Hypervisor puts secrets in L1
4. VM 2 reads VM 1’s secret
from L1 cache
VMEntry
hyper-
visor
hyper-
visor
Guest Kernel to Other Guest(s) attack
No VMEntry
needed...
55. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
L1TF: hyperthreading
Without Hyperthreading: mitigation
With Hyperthreading: err… mitigation?
L1 Cache
hyper-
visor
1. Hypervisor runs on CPU
2. Hypervisor puts secrets in L1
3. Hypervisor leaves CPU
4. Hypervisor: flush L1 cache
5. VM 2 runs on CPU
6. VM 2 reads hypervisor’s
secrets!
VM 2
(1)
(2)
(3)
(5)
L1 Cache
hyper-
visor
VM 2(1) (3)
(2)
(4 -
L1TF)
1. Hypervisor runs on Thread A
2. VM 2 runs on Thread B
3. Hypervisor puts secrets in L1
Hypervisor: THERE’S
NOTHING I CAN DO !!!
4. VM 2 reads Hypervisor’s
secret from L1 cache
VMEntry
(4)
Guest kernel to Other Guest(s) attack
57. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
L1TF: Mitigation
● Host, Containers:
– Flip address bits in page tables when present bit is 0
● Xen PV:
– Xen intercepts PV guets’ page table updates: sanitize/crash
malicious guests
● Xen HVM, Xen PVH, KVM:
– Flush L1 cache on VMEntry
– Disable hyperthreading
– If not wanting to disable hyperthreading… disable
hyperthreading!
– … … … Did I say disable hyperthreading?
58. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
L1TF: Performance Impact
● Host, Containers, Xen PV:
– Negligible
● Xen HVM, Xen PVH, KVM:
– L1 cache: limited (so small and so fast!)
– Disable hyperthreading: depends
• Varies with workloads: realistically, -15% in some of the
common cases. Not more than -20%, or -30%, in most
• -50% claimed, but only seen in specific microbenchmarks
59. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
L1TF: Performance Impact
● Alternative ideas? (to disabling HT)
– Shadow Page Tables: we’d detect attacks ⇒ slow
– Core-scheduling: only vCPUs of same VM on SMT-siblings
• In the works, for both Xen and Linux: complex
• ok for Guest to Other Guests, not ok for Guest to Hypervisor
– Core-scheduling + “Coordinated VMExits”: complex
– Secret hiding:
• Hyper-V ~done
• Xen maybe doable
• KVM really hard
– Shadow Page Table, make it fast by “abusing” Intel CPU feats:
• CR3-whitelisting, PML (was for live-migration), ...
• ⇒ in the works brains…
KVM Forum '18: Alexander Graf - L1TF and KVM ( has a demo!!! :-D )
60. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Tunables
<<Greetings, how slow do you want to go today?>>
<<Greetings, how secure do you want to be today?>>
● KVM:
– pti = on|off| auto
– spectre_v2 = on|off|auto|retpoline,generic| retpoline,amd
– spec_store_bypass_disable = on|off|auto|prctl|seccomp
– L1tf = full|flush|flush,nosmt
– Kvm-intel.vmentry_l1d_flush = always|cond|never
● XEN:
– xpti = [ dom0 = TRUE/FALSE , domu = TRUE/FALSE ]
– bti-thunk = retpoline|lfence|jmp
– {ibrs,ibpb,ssbd,eager-fpu,l1d-flush} = TRUE/FALSE
– {smt,pv-l1tf} = TRUE/FALSE
61. Dario Faggioli, https://about.me/dario.faggioli
https://www.suse.com/company/careers/dfaggioli@suse.com
Conclusions
● “Hardware bugs” are difficult
– Not only to fix mitigate
– But also to work on, collaboratively (NDAs, etc)
– Getting better
● Issues like these will really hunt us for a few time…
● Speculative Execution has shaped Computing World
● We focused on performance first, now we deal with consequences.
As grandma used to say: <<L’hai voluta la bicicletta, oh pedala!!!>>
● Do update your firmware/microcode; do update your kernel
● Threats are real but don’t panic: analyze your system, assess risks
● Performance impact may be really high but don’t panic:
benchmark your own workload, look for tunables