From: Bill Schmidt <wschmidt@linux.ibm.com>
To: "Richard Earnshaw (lists)" <Richard.Earnshaw@arm.com>
Cc: Jeff Law <law@redhat.com>, gcc-patches@gcc.gnu.org
Subject: Re: [PATCH 0/7] Mitigation against unsafe data speculation (CVE-2017-5753)
Date: Tue, 10 Jul 2018 13:48:00 -0000 [thread overview]
Message-ID: <156FA54E-DA3E-49FB-A48A-530D22F73CFD@linux.ibm.com> (raw)
In-Reply-To: <f814fcaf-1578-35ce-7ce2-a87989039681@arm.com>
> On Jul 10, 2018, at 3:49 AM, Richard Earnshaw (lists) <Richard.Earnshaw@arm.com> wrote:
>
> On 10/07/18 00:13, Jeff Law wrote:
>> On 07/09/2018 10:38 AM, Richard Earnshaw wrote:
>>>
>>> The patches I posted earlier this year for mitigating against
>>> CVE-2017-5753 (Spectre variant 1) attracted some useful feedback, from
>>> which it became obvious that a rethink was needed. This mail, and the
>>> following patches attempt to address that feedback and present a new
>>> approach to mitigating against this form of attack surface.
>>>
>>> There were two major issues with the original approach:
>>>
>>> - The speculation bounds were too tightly constrained - essentially
>>> they had to represent and upper and lower bound on a pointer, or a
>>> pointer offset.
>>> - The speculation constraints could only cover the immediately preceding
>>> branch, which often did not fit well with the structure of the existing
>>> code.
>>>
>>> An additional criticism was that the shape of the intrinsic did not
>>> fit particularly well with systems that used a single speculation
>>> barrier that essentially had to wait until all preceding speculation
>>> had to be resolved.
>> Right. I suggest the Intel and IBM reps chime in on the updated semantics.
>>
>
> Yes, logically, this is a boolean tracker value. In practice we use ~0
> for true and 0 for false, so that we can simply use it as a mask
> operation later.
>
> I hope this intrinsic will be even more acceptable than the one that
> Bill Schmidt acked previously, it's even simpler than the version we had
> last time.
Yes, I think this looks quite good. Thanks!
Thanks also for digging into the speculation tracking algorithm. This
has good potential as a conservative opt-in approach. The obvious
concern is whether performance will be acceptable even for apps
that really want the protection.
We took a look at Chandler's WIP LLVM patch and ran some SPEC2006
numbers on a Skylake box. We saw geomean degradations of about
42% (int) and 33% (fp). (This was just one test, so caveat emptor.)
This isn't terrible given the number of potential false positives and the
early state of the algorithm, but it's still a lot from a customer perspective.
I'll be interested in whether your interprocedural improvements are
able to reduce the conservatism a bit.
Thanks,
Bill
>
>>>
>>> To address all of the above, these patches adopt a new approach, based
>>> in part on a posting by Chandler Carruth to the LLVM developers list
>>> (https://lists.llvm.org/pipermail/llvm-dev/2018-March/122085.html),
>>> but which we have extended to deal with inter-function speculation.
>>> The patches divide the problem into two halves.
>> We're essentially turning the control dependency into a value that we
>> can then use to munge the pointer or the resultant data.
>>
>>>
>>> The first half is some target-specific code to track the speculation
>>> condition through the generated code to provide an internal variable
>>> which can tell us whether or not the CPU's control flow speculation
>>> matches the data flow calculations. The idea is that the internal
>>> variable starts with the value TRUE and if the CPU's control flow
>>> speculation ever causes a jump to the wrong block of code the variable
>>> becomes false until such time as the incorrect control flow
>>> speculation gets unwound.
>> Right.
>>
>> So one of the things that comes immediately to mind is you have to run
>> this early enough that you can still get to all the control flow and
>> build your predicates. Otherwise you have do undo stuff like
>> conditional move generation.
>
> No, the opposite, in fact. We want to run this very late, at least on
> Arm systems (AArch64 or AArch32). Conditional move instructions are
> fine - they're data-flow operations, not control flow (in fact, that's
> exactly what the control flow tracker instructions are). By running it
> late we avoid disrupting any of the earlier optimization passes as well.
>
>>
>> On the flip side, the earlier you do this mitigation, the more you have
>> to worry about what the optimizers are going to do to the code later in
>> the pipeline. It's almost guaranteed a naive implementation is going to
>> muck this up since we can propagate the state of the condition into the
>> arms which will make the predicate state a compile time constant.
>>
>> In fact this seems to be running into the area of pointer providence and
>> some discussions we had around atomic a few years back.
>>
>> I also wonder if this could be combined with taint analysis to produce a
>> much lower overhead solution in cases were developers have done analysis
>> and know what objects are potentially under attacker control. So
>> instead of analyzing everything, we can have a much narrower focus.
>
> Automatic application of the tracker to vulnerable variables would be
> nice, but I haven't attempted to go there yet: at present I still rely
> on the user to annotate code with the new intrinsic.
>
> That doesn't mean that we couldn't extend the overall approach later to
> include automatic tracking.
>
>>
>> The pointer munging could well run afoul of alias analysis engines that
>> don't expect to be seeing those kind of operations.
>
> I think the pass runs late enough that it isn't a problem.
>
>>
>> Anyway, just some initial high level thoughts. I'm sure there'll be
>> more as I read the implementation.
>>
>
> Thanks for starting to look at this so quickly.
>
> R.
>
>>
>> Jeff
next prev parent reply other threads:[~2018-07-10 13:48 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-09 16:39 Richard Earnshaw
2018-07-09 16:39 ` [PATCH 7/7] AArch64 - use CSDB based sequences if speculation tracking is enabled Richard Earnshaw
2018-07-09 16:39 ` [PATCH 3/7] AArch64 - add speculation barrier Richard Earnshaw
2018-07-09 16:39 ` [PATCH 2/7] Arm - add speculation_barrier pattern Richard Earnshaw
2018-07-09 16:39 ` [PATCH 5/7] AArch64 - disable CB[N]Z TB[N]Z when tracking speculation Richard Earnshaw
2018-07-09 16:39 ` [PATCH 6/7] AArch64 - new pass to add conditional-branch speculation tracking Richard Earnshaw
2018-07-11 21:01 ` Jeff Law
2018-07-23 14:33 ` Richard Earnshaw (lists)
2018-07-24 21:31 ` Jeff Law
2018-07-09 16:39 ` [PATCH 1/7] Add __builtin_speculation_safe_value Richard Earnshaw
2018-07-23 14:28 ` Richard Earnshaw (lists)
2018-07-24 17:26 ` Richard Biener
2018-07-25 9:49 ` Richard Earnshaw (lists)
2018-07-25 10:36 ` Richard Biener
2018-07-25 12:41 ` Richard Earnshaw (lists)
2018-07-25 13:47 ` Richard Biener
2018-07-26 10:03 ` Richard Earnshaw (lists)
2018-07-26 12:41 ` Richard Biener
2018-07-26 13:06 ` Richard Earnshaw (lists)
2018-07-26 13:13 ` Richard Biener
2018-07-26 23:34 ` Joseph Myers
2018-07-27 0:46 ` Paul Koning
2018-07-27 8:59 ` Richard Earnshaw (lists)
2018-07-27 10:59 ` Joseph Myers
2018-07-25 18:03 ` Richard Earnshaw (lists)
2018-07-26 8:42 ` Richard Biener
2018-07-09 16:39 ` [PATCH 4/7] AArch64 - Add new option -mtrack-speculation Richard Earnshaw
2018-07-09 23:13 ` [PATCH 0/7] Mitigation against unsafe data speculation (CVE-2017-5753) Jeff Law
2018-07-10 8:49 ` Richard Earnshaw (lists)
2018-07-10 13:48 ` Bill Schmidt [this message]
2018-07-10 14:14 ` Richard Earnshaw (lists)
2018-07-10 15:44 ` Jeff Law
2018-07-10 15:42 ` Jeff Law
2018-07-10 16:43 ` Richard Earnshaw (lists)
2018-07-11 20:47 ` Jeff Law
2018-07-11 22:31 ` Richard Earnshaw (lists)
2018-07-10 7:19 ` Richard Biener
2018-07-10 8:39 ` Richard Earnshaw (lists)
2018-07-10 10:10 ` Richard Biener
2018-07-10 10:53 ` Richard Earnshaw (lists)
2018-07-10 11:22 ` Richard Biener
2018-07-10 13:43 ` Richard Earnshaw (lists)
2018-07-10 15:56 ` Jeff Law
2018-07-27 9:38 ` [PATCH 00/11] (v2) " Richard Earnshaw
2018-07-27 9:38 ` [PATCH 03/11] AArch64 - add speculation barrier Richard Earnshaw
2018-07-27 9:38 ` [PATCH 02/11] Arm - add speculation_barrier pattern Richard Earnshaw
2018-08-06 14:01 ` Christophe Lyon
2018-08-06 15:59 ` Richard Earnshaw (lists)
2018-07-27 9:38 ` [PATCH 11/11] rs6000 " Richard Earnshaw
2018-07-31 22:01 ` Bill Schmidt
2018-07-31 23:31 ` Segher Boessenkool
2018-07-27 9:38 ` [PATCH 10/11] x86 " Richard Earnshaw
2018-07-28 8:25 ` Uros Bizjak
2018-07-31 23:15 ` H.J. Lu
2018-07-27 9:38 ` [PATCH 01/11] Add __builtin_speculation_safe_value Richard Earnshaw
2018-07-27 12:11 ` Nathan Sidwell
2018-07-27 12:32 ` Richard Earnshaw (lists)
2018-07-27 12:49 ` Nathan Sidwell
2018-07-27 12:53 ` Richard Earnshaw (lists)
2018-07-30 13:16 ` Richard Biener
2018-07-31 19:25 ` H.J. Lu
2018-07-31 20:51 ` Ian Lance Taylor via gcc-patches
2018-08-01 8:50 ` Richard Earnshaw (lists)
2018-08-01 8:54 ` Jakub Jelinek
2018-08-01 9:25 ` Richard Earnshaw (lists)
2018-07-27 9:38 ` [PATCH 07/11] AArch64 - use CSDB based sequences if speculation tracking is enabled Richard Earnshaw
2018-07-27 9:38 ` [PATCH 06/11] AArch64 - new pass to add conditional-branch speculation tracking Richard Earnshaw
2018-07-27 9:38 ` [PATCH 08/11] targhooks - provide an alternative hook for targets that never execute speculatively Richard Earnshaw
2018-07-30 13:17 ` Richard Biener
2018-07-27 9:38 ` [PATCH 09/11] pdp11 - example of a port not needing a speculation barrier Richard Earnshaw
2018-07-27 13:27 ` Paul Koning
2018-07-27 15:19 ` Richard Biener
2018-07-27 9:38 ` [PATCH 04/11] AArch64 - Add new option -mtrack-speculation Richard Earnshaw
2018-07-27 9:38 ` [PATCH 05/11] AArch64 - disable CB[N]Z TB[N]Z when tracking speculation Richard Earnshaw
2018-07-27 19:49 ` [PATCH 00/11] (v2) Mitigation against unsafe data speculation (CVE-2017-5753) John David Anglin
2018-08-02 18:40 ` Jeff Law
2018-08-02 20:19 ` John David Anglin
2018-08-03 9:06 ` Richard Earnshaw (lists)
2018-08-06 21:52 ` John David Anglin
2018-08-07 14:05 ` Richard Earnshaw (lists)
2018-08-07 14:56 ` John David Anglin
2018-08-03 17:26 ` Jeff Law
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=156FA54E-DA3E-49FB-A48A-530D22F73CFD@linux.ibm.com \
--to=wschmidt@linux.ibm.com \
--cc=Richard.Earnshaw@arm.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=law@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).