
Terrible! CPU unexpectedly became an accomplice of hackers.

2025-04-12 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)11/24 Report--

This article comes from the WeChat official account Programming Technology Universe (ID: xuanyuancoding), author: Xuanyuan Wind.

This story is based on a real CPU vulnerability.

Previously: remember me? I am Ah Q, the Ah Q from CPU workshop No. 1. If you have forgotten me, look back here: "It's over! CPU keeps asking that something is going to happen!"

Since out-of-order execution and branch prediction were introduced in our workshop, production efficiency has improved greatly. The leader not only praised us at the all-plant staff meeting, but also rolled these two technologies out to the whole plant, across all 8 of our CPU core workshops, and our performance left our competitor CPUs streets behind.

However, while we were still indulging in our achievements, we unwittingly planted the seeds of disaster.

It all started the other night.

Mysterious code

That night, our No. 1 workshop came across a piece of code like this:

    uint8_t array1[16];
    uint8_t array2[256 * 512];
    uint8_t temp = 0;

    void bad_guy(int x) {
        if (x < 16) {
            temp &= array2[array1[x] * 512];
        }
    }

In a short while, we had executed this bad_guy() function many times.

Little A, who is in charge of fetching instructions, phoned the guy in memory and asked him to send over the contents of parameter x. We knew that at memory's snail-like speed, we would have to wait.

At this point Xiao Pang, who is in charge of instruction decoding, could not help saying, "Look, we have executed this function many times, and each time the parameter x was less than 16. This time it's probably the same. Why don't we use the branch prediction feature and start on the instructions in the 'x < 16' branch first? What do you think?"

Old K, who is in charge of data writing, and I looked at each other and nodded in agreement.

So, while we were waiting, we called the guy in memory again and asked him to pass on the contents of array1[x] as well.

After waiting a while, the data finally arrived:

    x: 2
    array1[x]: 3

After we got the result, we began executing the instructions in the 'x < 16' branch.

Then, the same thing happens from time to time, and gradually we get used to it.

The disaster

It was getting late at night, and we were all a little sleepy. Suddenly the leader phoned and told us to put down our work and come to his office at once.

None of us dared delay, so off we went.

When we came to the leader's office, there were two strangers, one of whom was tied up. The leader was frowning, and the atmosphere was very tense.

"Ah Q, do you know that your newly invented out-of-order execution and branch prediction technology is in big trouble?"

The few of us were dumbfounded. "Leader, where does this come from?"

The leader stood up from his chair, pointed to the stranger next to him and said, "Let me introduce you. This is the security officer from the operating system. Let him tell you where to start."

The security officer nodded to everyone, pointed at the bound person and said, "Hello, everyone. We caught this thread reading data in the system's kernel space. In our first interrogation, he explained that he achieved this through your CPU's out-of-order execution and branch prediction features."

Little A and I had question marks all over our faces. How could our two technologies for improving work efficiency leak system kernel data?

The security officer obviously saw our confusion, pointed at the bound thread and said, "Repeat what you told me before."

"Gentlemen, have you encountered the failure of branch prediction before?" The man looked up at us.

"Yes, but what has that got to do with it? It's normal to fail. Since it's a prediction, you can't be 100% sure it will be correct," I replied.

"You're right, but what if I planned the failure on purpose?"

When I heard him say this, my heart sank. "What? You did this?"

"Yes, that was me. I deliberately gave you parameters less than 16 many times in a row, misleading you into thinking the following parameters would still be less than 16, and then suddenly passed a specially constructed parameter greater than 16. You really took the bait, the prediction failed, and some instructions that should never have been executed were executed in advance."

"So what? We just loaded the data we needed into the cache in advance, and we didn't do anything further." I still didn't understand.

"That's enough!"

"You're the one tied up here, so stop keeping us in suspense and explain it clearly at once," the impatient Old K couldn't help saying.

"All right, I'll explain. You loaded the data into the cache in advance, and when I went to access that part of the data later, I found it was much faster than accessing other memory."

"That's right, our caching technology is no joke! Hey, wait a minute, why are we talking about caching again?" Old K continued to ask.

The man continued, "If I want to know the value in an address unit, I use it as an offset into an array to access an area of memory. I take advantage of the mechanism that you predict, execute in advance, and cache the data. Although your prediction failed, the corresponding piece of data is already in the cache. Then I access that area of memory piece by piece to see whose access time is obviously shorter than the rest, and then I know which piece was cached. From that I can work backwards to what the value used as the offset was. Following this idea, I can learn the content of each address unit."

We listened and thought, pondered for a long time, and finally figured out this guy's trick. Old K was so angry he almost wanted to beat the man up.

"Very clever of you, but not used for good! A perfectly good acceleration mechanism has become your accomplice," I said, with a fire in my heart too.

The truth of the matter had finally come out, and the few of us were already sweating.

After negotiation with the security staff, the operating system introduced a new technology, KPTI, to solve this problem: kernel page table isolation.

In the past, threads executing in user mode and in kernel mode used the same address translation manual, also known as the page table. Through this manual, we CPUs find real memory pages from virtual addresses.

Now threads running in user mode and in kernel mode use different manuals. In the manual for user mode threads, the kernel address space is left blank. That removes the problem at its root!

I thought we could go back, but unexpectedly the leader set us a hard problem. "You caused this disaster. Although other people's operating systems are now protected, shouldn't you come up with something too? Otherwise, how can we CPUs hold our heads up in the future?"

Do you have any good ideas? Help us!

Behind the scenes

This article describes the famous Meltdown and Spectre CPU vulnerabilities that broke out two years ago.

Out-of-order execution and branch prediction are optimization mechanisms widely used in modern processors. Unlike traditional software vulnerabilities, hardware-level vulnerabilities have a broader impact, sit deeper in the stack, and are harder to fix.

Judging whether memory is cached by measuring how fast it can be accessed is a technique with a special name: a side channel, meaning that incidental information from outside the normal interface is analyzed to draw important conclusions, achieving what the normal path cannot.
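The bad_guy() gadget from the story beside a hardened variant, added here as an example (not code from the original article). array1, array2 and temp follow the article; clamp_index() and hardened_guy() are our own names, and the masking idiom is modelled on Linux's array_index_mask_nospec(), assuming a GCC/Clang toolchain with arithmetic right shift on signed types.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define ARRAY1_SIZE 16
uint8_t array1[ARRAY1_SIZE];
uint8_t array2[256 * 512];
uint8_t temp = 0;

/* Vulnerable form as the story describes it: the bounds check is a branch,
 * so when 'x < 16' is mispredicted the CPU speculatively reads array1[x]
 * out of bounds and touches array2[value * 512], leaving a cache footprint. */
void bad_guy(int x) {
    if (x < 16) {
        temp &= array2[array1[x] * 512];
    }
}

/* Branchless clamp: returns idx when idx < size, otherwise 0, with no
 * conditional branch for the predictor to guess wrong (hypothetical helper). */
size_t clamp_index(size_t idx, size_t size) {
    /* Keep the compiler from "knowing" idx is in range and dropping the mask:
     * under speculation the value it reasons about is not the real one. */
    __asm__ __volatile__("" : "+r"(idx));
    /* idx <  size: both terms are small, top bit clear, ~ sets it, shift -> all ones
     * idx >= size: (size - 1 - idx) wraps negative, top bit set, ~ clears it -> 0
     * idx with its top bit set (e.g. a negative x): OR keeps the bit set -> 0 */
    long mask = ~(long)(idx | (size - 1 - idx)) >> (sizeof(long) * CHAR_BIT - 1);
    return idx & (size_t)mask;
}

/* Hardened form: the architectural bounds check stays, but the index used for
 * the load is forced to 0 whenever execution arrived here by misprediction, so
 * an out-of-bounds byte of array1 never selects the array2 line to touch. */
void hardened_guy(int x) {
    size_t idx = (size_t)x;           /* negative x becomes huge and clamps to 0 */
    if (idx < ARRAY1_SIZE) {
        idx = clamp_index(idx, ARRAY1_SIZE);
        temp &= array2[array1[idx] * 512];
    }
}
```

The mask is computed from data rather than control flow, which is why it still holds while the mispredicted branch is being executed speculatively.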

Special thanks to netizen "How Much Wind and Rain" for providing technical support.
