

# CprE 381: Computer Organization and Assembly Level Programming

HW Security

Henry Duwe  
Electrical and Computer Engineering  
Iowa State University

# Administrative

- Part 4 due in lab this week
  - **WARNING:** No extensions!!!
- Final Exam
  - When: Mon May 6 at 7:30am
  - Where: **Marston 2155** (everyone)
  - What: Branch prediction through HW security
- Please take online course assessment

# Review: HW11 Cache Test 1



# Review: HW11 Cache Test 1



# Review: HW11 Cache Test 1



# Review: HW11 Cache Test 1



# Review: HW11 Cache Test 1



# Review: HW11 Cache Test 1



# Review: HW11 Cache Test 1



# Review: HW11 Cache Test 1



# Review: HW11 Cache Test 1



# Review: HW11 Cache Test 1

Memory  
Array  
...



Miss!

Way 0

Set 0  
Set 1  
...  
Set S

Way 1



Way W-1



Learn way size (i.e., # sets \* block size) at sharp increase in execution time

$$j = \# \text{ sets} * \text{block size}$$

$$i = W$$

$$\text{Access} = i*j$$

# Review: HW11 Cache Test 2



# Review: HW11 Cache Test 2



# Review: HW11 Cache Test 2



# Review: HW11 Cache Test 2



# Review: HW11 Cache Test 2



# Review: HW11 Cache Test 2

Memory  
Array  
...

0  
1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15



Eviction!

LRU eviction

Way 0

Way 1

Way W-1

Set 0

Set 1

...

Set 5

$j = W+1$

$i = W$

...

Access =  $i * \text{size of way}$  where  $i < j$

# Review: HW11 Cache Test 2



# Review: HW11 Cache Test 2

Memory  
Array  
...



Miss!

Way 0

Set 0

Set 1

...

Set S

Way 1

Way W-1

...

$j = W+1$

$i = 0$

Access =  $i * \text{size of way}$  where  $i < j$

Learn # of ways from  
j's value

# Review: HW11 Cache Test 3



# Review: HW11 Cache Test 3



# Review: HW11 Cache Test 3



# Review: HW11 Cache Test 3



# Review: HW11 Cache Test 3



# Review: HW11 Cache Test 3



# Review: HW11 Cache Test 3



# Review: HW11 Cache Test 3

Misses in all iterations  
after first iteration ( $k$ )  
for conflict miss since  
stride  $\geq$  block size



# A Thought Experiment



# A Thought Experiment



# A Thought Experiment



# A Thought Experiment



# A Thought Experiment



# This Course's Focus

Dear Bored in Lecture,

- Case and point from recent news:

The screenshot shows the homepage of The Wall Street Journal. At the top right, there are links for "Subscribe Now" and "NEW YEAR SALE: 50". Below the masthead, there is a navigation bar with categories: Home, World, U.S., Politics, Economy, Business, Tech, Markets, Opinion, Life & Arts, Real Estate, WSJ. Magazine, and a search bar. The main content area features several news cards. One card under the "TECH" category is titled "Businesses Rush to Contain Fallout From Major Chip Flaws". Another card under "PRO PRIVATE MARKETS" is about a dog-walking app. A third card under "OPINION" discusses Europe's EU-Boat needs. A card under "BUSINESS" is about IT security executives assessing potential impact. A final card under "OPINION" features a photo of a man speaking at a podium. Below the cards, a large article title reads "Tech Giants Race to Address Chip Flaws With a Potentially Vast Impact".

- - The device you design is not reliable?
  - The device you design doesn't scale?

Sincerely,  
Prof Duwe

# Specter Attack

```
if (x < array1_size) {  
    y = array2[array1[x] * 256]  
}
```

1. Attacker primes micro-architecture
  - Train branch predictor/BTB
  - Prime cache side-channel (prime)
2. Victim loads secret after mispredicted branch
  - Load to secret shouldn't trap since it is speculative (exception not handled until instruction is non-speculative)
3. Victim saves secret in μ-arch state
4. Attacker recalls secret from μ-arch state (probe)

# Specter Attack

Victim Code Gadget

```
if (x < array1_size) {  
    y = array2[array1[x] * 256]  
}
```



1. Attacker primes micro-architecture
  - Train branch predictor/BTB
  - Prime cache side-channel (prime)
2. Victim loads secret after mispredicted branch
  - Load to secret shouldn't trap since it is speculative (exception not handled until instruction is non-speculative)
3. Victim saves secret in μ-arch state
4. Attacker recalls secret from μ-arch state (probe)

# Specter Attack

```
if (x < array1_size) {  
    y = array2[array1[x] * 256]  
}
```

Attacker calls victim  
many times where x  
< array1\_size

1. Attacker primes micro-architecture
  - Train branch predictor/BTB
  - Prime cache side-channel (prime)
2. Victim loads secret after mispredicted branch
  - Load to secret shouldn't trap since it is speculative (exception not handled until instruction is non-speculative)
3. Victim saves secret in μ-arch state
4. Attacker recalls secret from μ-arch state (probe)

# Specter Attack

```
if (x < array1_size) {  
    y = array2[array1[x] * 256]  
}
```

Attacker calls victim once where  $x >$  `array1_size`, but BTB predicts  $x < \text{array1\_size}$

1. Attacker primes micro-architecture
  - Train branch predictor/BTB
  - Prime cache side-channel (prime)
2. **Victim loads secret after mispredicted branch**
  - Load to secret shouldn't trap since it is speculative (exception not handled until instruction is non-speculative)
3. Victim saves secret in  $\mu$ -arch state
4. Attacker recalls secret from  $\mu$ -arch state (probe)

# Specter Attack

```
if (x < array1_size) {  
    y = array2[array1[x] * 256]  
}
```

Victim accesses arbitrary data in victims address space

1. Attacker primes micro-architecture
  - Train branch predictor/BTB
  - Prime cache side-channel (prime)
2. **Victim loads secret after mispredicted branch**
  - Load to secret shouldn't trap since it is speculative (exception not handled until instruction is non-speculative)
3. Victim saves secret in μ-arch state
4. Attacker recalls secret from μ-arch state (probe)

# Specter Attack

```
if (x < array1_size) {  
    y = array2[array1[x] * 256]  
}
```

Victim evicts attackers data based on victims data which shouldn't have been accessed

1. Attacker primes micro-architecture
  - Train branch predictor/BTB
  - Prime cache side-channel (prime)
2. Victim loads secret after mispredicted branch
  - Load to secret shouldn't trap since it is speculative (exception not handled until instruction is non-speculative)
3. **Victim saves secret in μ-arch state**
4. Attacker recalls secret from μ-arch state (probe)

# Specter Attack

```
if (x < array1_size) {  
    y = array2[array1[x] * 256]  
}
```

1. Attacker primes micro-architecture
  - Train branch predictor/BTB
  - Prime cache side-channel (prime)
2. Victim loads secret after mispredicted branch
  - Load to secret shouldn't trap since it is speculative (exception not handled until instruction is non-speculative)
3. Victim saves secret in μ-arch state
4. Attacker recalls secret from μ-arch state (probe)

# Many Other HW Sec Issues...

## Insecure Supply Chain



**Generation of Random Numbers**

Block Diagram of Intel RNG

# Many Other HW Sec Issues...

## Insecure Supply Chain



## In-class Assessment!

**Access Code: T-1**

**Note: sharing access code to those outside of classroom or using access code while outside of classroom is considered cheating**



**Generation of Random Numbers**

**Block Diagram of Intel RNG**

# Acknowledgments

- These slides contain material developed and copyright by:
  - Mark Hill (UW Madison)
  - Marten van Dijk (UConn)