DOCSLIB.ORG

RIDL: Rogue In-Flight Data Load

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
RIDL: Rogue In-Flight Data Load RIDL: Rogue In-Flight Data Load Stephan van Schaik∗, Alyssa Milburn∗, Sebastian Österlund∗, Pietro Frigo∗, Giorgi Maisuradze†‡, Kaveh Razavi∗, Herbert Bos∗, and Cristiano Giuffrida∗ ∗Department of Computer Science †CISPA Helmholtz Center for Information Security Vrije Universiteit Amsterdam, The Netherlands Saarland Informatics Campus {s.j.r.van.schaik, a.a.milburn, s.osterlund, p.frigo}@vu.nl, [email protected] {kaveh, herbertb, giuffrida}@cs.vu.nl Abstract—We present Rogue In-flight Data Load practical “spot” mitigations against existing attacks [6], (RIDL), a new class of speculative unprivileged and [7], [8], [9]. This shaped the common perception that— constrained attacks to leak arbitrary data across ad- until in-silicon mitigations are available on the next gener- dress spaces and privilege boundaries (e.g., process, ation of hardware—per-variant, software-only mitigations kernel, SGX, and even CPU-internal operations). Our are a relatively pain-free strategy to contain ever-emerging reverse engineering efforts show such vulnerabilities memory disclosure attacks based on speculative execution. originate from a variety of micro-optimizations per- vasive in commodity (Intel) processors, which cause In this paper, we challenge the common perception the CPU to speculatively serve loads using extrane- by introducing Rogue In-flight Data Load (RIDL), a new ous CPU-internal in-flight data (e.g., in the line fill class of speculative execution attacks that lifts all such ad- buffers). Contrary to other state-of-the-art speculative dressing restrictions entirely. While existing attacks target execution attacks, such as Spectre, Meltdown and Fore- shadow, RIDL can leak this arbitrary in-flight data with information at specific addresses, RIDL operates akin to no assumptions on the state of the caches or translation a passive sniffer that eavesdrops on in-flight data (e.g., data structures controlled by privileged software. in the line fill buffers or LFBs) flowing through CPU components. RIDL is powerful: it can leak information The implications are worrisome. First, RIDL attacks across address space and privilege boundaries by solely can be implemented even from linear execution with no invalid page faults, eliminating the need for excep- abusing micro-optimizations implemented in commodity tion suppression mechanisms and enabling system-wide Intel processors. Unlike existing attacks, RIDL is non- attacks from arbitrary unprivileged code (including trivial to stop with practical mitigations in software. JavaScript in the browser). To exemplify such attacks, we build a number of practical exploits that leak The vulnerability of existing vulnerabilities. To il- sensitive information from victim processes, virtual lustrate how existing speculative execution vulnerabilities machines, kernel, SGX and CPU-internal components. are subject to addressing restrictions and how this provides Second, and perhaps more importantly, RIDL bypasses defenders convenient anchor points for “spot” software all existing “spot” mitigations in software (e.g., KPTI, mitigations, we consider their most prominent examples. PTE inversion) and hardware (e.g., speculative store bypass disable) and cannot easily be mitigated even Spectre [2] allows attackers to manipulate the state by more heavyweight defenses (e.g., L1D flushing or of the branch prediction unit and abuse the mispredicted disabling SMT). RIDL questions the sustainability of a branch to leak arbitrary data within the accessible address per-variant, spot mitigation strategy and suggests more space via a side channel (e.g., cache). This primitive by fundamental mitigations are needed to contain ever- itself is useful in sandbox (e.g., JavaScript) escape scenar- emerging speculative execution attacks. ios, but needs to resort to confused-deputy attacks [10] to implement cross-address space (e.g., kernel) memory I. Introduction disclosure. In such attacks, the attacker needs to lure Since the original Meltdown and Spectre disclosure, the the victim component into speculatively executing specific family of memory disclosure attacks abusing speculative “gadgets”, disclosing data from the victim address space execution 1 has grown steadily [1], [2], [3], [4], [5]. While back to the attacker. This requirement opened the door these attacks can leak sensitive information across secu- to a number of practical software mitigations, ranging rity boundaries, they are all subject to strict addressing from halting speculation when accessing untrusted point- restrictions. In particular, Spectre variants [2], [4], [5] allow ers or indices [7] to not speculating across vulnerable attacker-controlled code to only leak within the loaded branches [6]. virtual address space. Meltdown [1] and Foreshadow [3] Meltdown [1] somewhat loosens the restrictions of the require the target physical address to at least appear in addresses reachable from attacker-controlled code. Rather the loaded address translation data structures. Such re- than restricting the code to valid addresses, an unpriv- strictions have exposed convenient anchor points to deploy ileged attacker can also access privileged address space ‡ Work started during internship at Microsoft Research. mappings that are normally made inaccessible by the 1Unless otherwise noted, we loosely refer to both speculative and supervisor bit in the translation data structures. The out-of-order execution as speculative execution in this paper. reason is that, while any access to a privileged address will eventually trigger an error condition (i.e., invalid in both cross-thread and same-thread (no SMT) scenarios. page fault), before properly handling it, the CPU already This applies to all the existing Intel systems with the exposes the privileged data to out-of-order execution, al- latest (microcode) updates and all the defenses up. In lowing disclosure. This enables cross-address space (user- particular, RIDL bypasses all the practical mitigations to-kernel) attacks, but only in a traditional user/kernel against existing attacks and even the more heavyweight, unified address space design. This requirement opened the default-off mitigations such as periodic L1 flushing. The door to practical software mitigations such as KPTI [9], lesson learned is that mitigating RIDL-like attacks with where the operating system (OS) isolates the kernel in its practical software mitigations is non-trivial and we need own address space rather than relying on the supervisor more fundamental mitigations to end the speculative exe- bit for isolation. cution attacks era. Foreshadow [3] further loosens the addressing restric- Contributions. We make the following contributions: tions. Rather than restricting attacker-controlled code to • valid and privileged addresses, the attacker can also access We present RIDL, a new class of speculative exe- physical addresses mapped by invalid (e.g., non-present) cution vulnerabilities pervasive in commodity Intel translation data structure entries. Similar to Meltdown, CPUs. RIDL enables unprivileged attackers to craft the target physical address is accessed via the cache, address-agnostic memory disclosure primitives across data is then passed to out-of-order execution, and subse- arbitrary security boundaries for the first time and has been rewarded by the Intel Bug Bounty Program. quently leaked before the corresponding invalid page fault • is detected. Unlike Meltdown, given the milder addressing We investigate the root cause of practical RIDL in- restrictions, Foreshadow enables arbitrary cross-address stances abusing Line Fill Buffers (LFBs), presenting space attacks. But this is only possible when the attacker the first reverse engineering effort to analyze LFB behavior and related micro-optimizations. can surgically control the physical address of some invalid • translation structure entry. This requirement opened the We present a number of real-world exploits that door to practical software mitigations such as PTE inver- demonstrate an unprivileged RIDL-enabled attacker sion [8], where the OS simply masks the physical address can leak data across arbitrary security boundaries, of any invalidated translation structure entry. including process, kernel, VM and SGX, even with all mitigations against existing attacks enabled. For A new RIDL. With RIDL, we show our faith in practi- example, we can leak the contents of the /etc/shadow cal, “spot” mitigations being able to address known and in another VM using a RIDL attack. Demos of these future speculative execution attacks was misplaced. As RIDL exploits can be found at https://ridl.eu. we shall see, RIDL can leak in-flight data of a victim • We place RIDL in the context of state-of-the-art at- process even if that process is not speculating (e.g., due to tacks and mitigation efforts. Our analysis shows that, Spectre mitigations) and it does not require control over unlike existing attacks, RIDL is ill-suited to practical address translation data structures at all. These properties mitigations in software and more fundamental miti- remove all the assumptions that spot mitigations rely on. gations are necessary moving forward. Translation data structures, specifically, enforce basic secu- rity mechanisms such as isolation, access permissions and II. Background privileges. Relaxing the requirement on translation data structures allows RIDL to mount powerful cross-address 3 Memory Pipeline L1i TLB L2 TLB space speculative execution attacks directly from error-free L1i L2 Cache and branchless unprivileged execution
Load more

Recommended publications
  • IEEE Paper Template in A4
    Vasantha.N.S. et al, International Journal of Computer Science and Mobile Computing, Vol.6 Issue.6, June- 2017, pg. 302-306 Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology ISSN 2320–088X IMPACT FACTOR: 6.017 IJCSMC, Vol. 6, Issue. 6, June 2017, pg.302 – 306 Enhancing Performance in Multiple Execution Unit Architecture using Tomasulo Algorithm Vasantha.N.S.1, Meghana Kulkarni2 ¹Department of VLSI and Embedded Systems, Centre for PG Studies, VTU Belagavi, India ²Associate Professor Department of VLSI and Embedded Systems, Centre for PG Studies, VTU Belagavi, India 1 [email protected] ; 2 [email protected] Abstract— Tomasulo’s algorithm is a computer architecture hardware algorithm for dynamic scheduling of instructions that allows out-of-order execution, designed to efficiently utilize multiple execution units. It was developed by Robert Tomasulo at IBM. The major innovations of Tomasulo’s algorithm include register renaming in hardware. It also uses the concept of reservation stations for all execution units. A common data bus (CDB) on which computed values broadcast to all reservation stations that may need them is also present. The algorithm allows for improved parallel execution of instructions that would otherwise stall under the use of other earlier algorithms such as scoreboarding. Keywords— Reservation Station, Register renaming, common data bus, multiple execution unit, register file I. INTRODUCTION The instructions in any program may be executed in any of the 2 ways namely sequential order and the other is the data flow order. The sequential order is the one in which the instructions are executed one after the other but in reality this flow is very rare in programs.
    [Show full text]
  • Computer Science 246 Computer Architecture Spring 2010 Harvard University
    Computer Science 246 Computer Architecture Spring 2010 Harvard University Instructor: Prof. David Brooks [email protected] Dynamic Branch Prediction, Speculation, and Multiple Issue Computer Science 246 David Brooks Lecture Outline • Tomasulo’s Algorithm Review (3.1-3.3) • Pointer-Based Renaming (MIPS R10000) • Dynamic Branch Prediction (3.4) • Other Front-end Optimizations (3.5) – Branch Target Buffers/Return Address Stack Computer Science 246 David Brooks Tomasulo Review • Reservation Stations – Distribute RAW hazard detection – Renaming eliminates WAW hazards – Buffering values in Reservation Stations removes WARs – Tag match in CDB requires many associative compares • Common Data Bus – Achilles heal of Tomasulo – Multiple writebacks (multiple CDBs) expensive • Load/Store reordering – Load address compared with store address in store buffer Computer Science 246 David Brooks Tomasulo Organization From Mem FP Op FP Registers Queue Load Buffers Load1 Load2 Load3 Load4 Load5 Store Load6 Buffers Add1 Add2 Mult1 Add3 Mult2 Reservation To Mem Stations FP adders FP multipliers Common Data Bus (CDB) Tomasulo Review 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 LD F0, 0(R1) Iss M1 M2 M3 M4 M5 M6 M7 M8 Wb MUL F4, F0, F2 Iss Iss Iss Iss Iss Iss Iss Iss Iss Ex Ex Ex Ex Wb SD 0(R1), F0 Iss Iss Iss Iss Iss Iss Iss Iss Iss Iss Iss Iss Iss M1 M2 M3 Wb SUBI R1, R1, 8 Iss Ex Wb BNEZ R1, Loop Iss Ex Wb LD F0, 0(R1) Iss Iss Iss Iss M Wb MUL F4, F0, F2 Iss Iss Iss Iss Iss Ex Ex Ex Ex Wb SD 0(R1), F0 Iss Iss Iss Iss Iss Iss Iss Iss Iss M1 M2
    [Show full text]
  • Dynamic Scheduling
    Dynamically-Scheduled Machines ! • In a Statically-Scheduled machine, the compiler schedules all instructions to avoid data-hazards: the ID unit may require that instructions can issue together without hazards, otherwise the ID unit inserts stalls until the hazards clear! • This section will deal with Dynamically-Scheduled machines, where hardware- based techniques are used to detect are remove avoidable data-hazards automatically, to allow ‘out-of-order’ execution, and improve performance! • Dynamic scheduling used in the Pentium III and 4, the AMD Athlon, the MIPS R10000, the SUN Ultra-SPARC III; the IBM Power chips, the IBM/Motorola PowerPC, the HP Alpha 21264, the Intel Dual-Core and Quad-Core processors! • In contrast, static multiple-issue with compiler-based scheduling is used in the Intel IA-64 Itanium architectures! • In 2007, the dual-core and quad-core Intel processors use the Pentium 5 family of dynamically-scheduled processors. The Itanium has had a hard time gaining market share.! Ch. 6, Advanced Pipelining-DYNAMIC, slide 1! © Ted Szymanski! Dynamic Scheduling - the Idea ! (class text - pg 168, 171, 5th ed.)" !DIVD ! !F0, F2, F4! ADDD ! !F10, F0, F8 !- data hazard, stall issue for 23 cc! SUBD ! !F12, F8, F14 !- SUBD inherits 23 cc of stalls! • ADDD depends on DIVD; in a static scheduled machine, the ID unit detects the hazard and causes the basic pipeline to stall for 23 cc! • The SUBD instruction cannot execute because the pipeline has stalled, even though SUBD does not logically depend upon either previous instruction! • suppose the machine architecture was re-organized to let the SUBD and subsequent instructions “bypass” the previous stalled instruction (the ADDD) and proceed with its execution -> we would allow “out-of-order” execution! • however, out-of-order execution would allow out-of-order completion, which may allow RW (Read-Write) and WW (Write-Write) data hazards ! • a RW and WW hazard occurs when the reads/writes complete in the wrong order, destroying the data.
    [Show full text]
  • United States Patent (19) 11 Patent Number: 5,680,565 Glew Et Al
    USOO568.0565A United States Patent (19) 11 Patent Number: 5,680,565 Glew et al. 45 Date of Patent: Oct. 21, 1997 (54) METHOD AND APPARATUS FOR Diefendorff, "Organization of the Motorola 88110 Super PERFORMING PAGE TABLE WALKS INA scalar RISC Microprocessor.” IEEE Micro, Apr. 1996, pp. MCROPROCESSOR CAPABLE OF 40-63. PROCESSING SPECULATIVE Yeager, Kenneth C. "The MIPS R10000 Superscalar Micro INSTRUCTIONS processor.” IEEE Micro, Apr. 1996, pp. 28-40 Apr. 1996. 75 Inventors: Andy Glew, Hillsboro; Glenn Hinton; Smotherman et al. "Instruction Scheduling for the Motorola Haitham Akkary, both of Portland, all 88.110" Microarchitecture 1993 International Symposium, of Oreg. pp. 257-262. Circello et al., “The Motorola 68060 Microprocessor.” 73) Assignee: Intel Corporation, Santa Clara, Calif. COMPCON IEEE Comp. Soc. Int'l Conf., Spring 1993, pp. 73-78. 21 Appl. No.: 176,363 "Superscalar Microprocessor Design" by Mike Johnson, Advanced Micro Devices, Prentice Hall, 1991. 22 Filed: Dec. 30, 1993 Popescu, et al., "The Metaflow Architecture.” IEEE Micro, (51) Int. C. G06F 12/12 pp. 10-13 and 63–73, Jun. 1991. 52 U.S. Cl. ........................... 395/415: 395/800; 395/383 Primary Examiner-David K. Moore 58) Field of Search .................................. 395/400, 375, Assistant Examiner-Kevin Verbrugge 395/800, 414, 415, 421.03 Attorney, Agent, or Firm-Blakely, Sokoloff, Taylor & 56 References Cited Zafiman U.S. PATENT DOCUMENTS 57 ABSTRACT 5,136,697 8/1992 Johnson .................................. 395/586 A page table walk is performed in response to a data 5,226,126 7/1993 McFarland et al. 395/.394 translation lookaside buffer miss based on a speculative 5,230,068 7/1993 Van Dyke et al.
    [Show full text]
  • Identifying Bottlenecks in a Multithreaded Superscalar
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by KITopen Identifying Bottlenecks in a Multithreaded Sup erscalar Micropro cessor Ulrich Sigmund and Theo Ungerer VIONA DevelopmentGmbH Karlstr D Karlsruhe Germany University of Karlsruhe Dept of Computer Design and Fault Tolerance D Karlsruhe Germany Abstract This pap er presents a multithreaded sup erscalar pro cessor that p ermits several threads to issue instructions to the execution units of a wide sup erscalar pro cessor in a single cycle Instructions can simul taneously b e issued from up to threads with a total issue bandwidth of instructions p er cycle Our results show that the threaded issue pro cessor reaches a throughput of instructions p er cycle Intro duction Current micropro cessors utilize instructionlevel parallelism by a deep pro cessor pip eline and by the sup erscalar technique that issues up to four instructions p er cycle from a single thread VLSItechnology will allow future generations of micropro cessors to exploit instructionlevel parallelism up to instructions p er cycle or more However the instructionlevel parallelism found in a conventional instruction stream is limited The solution is the additional utilization of more coarsegrained parallelism The main approaches are the multipro cessor chip and the multithreaded pro ces pro cessors on a sor The multipro cessor chip integrates two or more complete single chip Therefore every unit of a pro cessor is duplicated and used indep en dently of its copies on the chip
    [Show full text]
  • Advanced Processor Designs
    Advanced processor designs We’ve only scratched the surface of CPU design. Today we’ll briefly introduce some of the big ideas and big words behind modern processors by looking at two example CPUs. —The Motorola PowerPC, used in Apple computers and many embedded systems, is a good example of state-of-the-art RISC technologies. —The Intel Itanium is a more radical design intended for the higher-end systems market. April 9, 2003 ©2001-2003 Howard Huang 1 General ways to make CPUs faster You can improve the chip manufacturing technology. — Smaller CPUs can run at a higher clock rates, since electrons have to travel a shorter distance. Newer chips use a “0.13µm process,” and this will soon shrink down to 0.09µm. — Using different materials, such as copper instead of aluminum, can improve conductivity and also make things faster. You can also improve your CPU design, like we’ve been doing in CS232. — One of the most important ideas is parallel computation—executing several parts of a program at the same time. — Being able to execute more instructions at a time results in a higher instruction throughput, and a faster execution time. April 9, 2003 Advanced processor designs 2 Pipelining is parallelism We’ve already seen parallelism in detail! A pipelined processor executes many instructions at the same time. All modern processors use pipelining, because most programs will execute faster on a pipelined CPU without any programmer intervention. Today we’ll discuss some more advanced techniques to help you get the most out of your pipeline. April 9, 2003 Advanced processor designs 3 Motivation for some advanced ideas Our pipelined datapath only supports integer operations, and we assumed the ALU had about a 2ns delay.
    [Show full text]
  • Computer Architecture Out-Of-Order Execution
    Computer Architecture Out-of-order Execution By Yoav Etsion With acknowledgement to Dan Tsafrir, Avi Mendelson, Lihu Rappoport, and Adi Yoaz 1 Computer Architecture 2013– Out-of-Order Execution The need for speed: Superscalar • Remember our goal: minimize CPU Time CPU Time = duration of clock cycle × CPI × IC • So far we have learned that in order to Minimize clock cycle ⇒ add more pipe stages Minimize CPI ⇒ utilize pipeline Minimize IC ⇒ change/improve the architecture • Why not make the pipeline deeper and deeper? Beyond some point, adding more pipe stages doesn’t help, because Control/data hazards increase, and become costlier • (Recall that in a pipelined CPU, CPI=1 only w/o hazards) • So what can we do next? Reduce the CPI by utilizing ILP (instruction level parallelism) We will need to duplicate HW for this purpose… 2 Computer Architecture 2013– Out-of-Order Execution A simple superscalar CPU • Duplicates the pipeline to accommodate ILP (IPC > 1) ILP=instruction-level parallelism • Note that duplicating HW in just one pipe stage doesn’t help e.g., when having 2 ALUs, the bottleneck moves to other stages IF ID EXE MEM WB • Conclusion: Getting IPC > 1 requires to fetch/decode/exe/retire >1 instruction per clock: IF ID EXE MEM WB 3 Computer Architecture 2013– Out-of-Order Execution Example: Pentium Processor • Pentium fetches & decodes 2 instructions per cycle • Before register file read, decide on pairing Can the two instructions be executed in parallel? (yes/no) u-pipe IF ID v-pipe • Pairing decision is based… On data
    [Show full text]
  • CSE 586 Computer Architecture Lecture 4
    Highlights from last week CSE 586 Computer Architecture • ILP: where can the compiler optimize – Loop unrolling and software pipelining – Speculative execution (we’ll see predication today) Lecture 4 • ILP: Dynamic scheduling in a single issue machine – Scoreboard Jean-Loup Baer – Tomasulo’s algorithm http://www.cs.washington.edu/education/courses/586/00sp CSE 586 Spring 00 1 CSE 586 Spring 00 2 Highlights from last week (c’ed) -- Highlights from last week (c’ed) – Scoreboard Tomasulo’s algorithm • The scoreboard keeps a record of all data dependencies • Decentralized control • The scoreboard keeps a record of all functional unit • Use of reservation stations to buffer and/or rename occupancies registers (hence gets rid of WAW and WAR hazards) • The scoreboard decides if an instruction can be issued • Results –and their names– are broadcast to reservations • The scoreboard decides if an instruction can store its result stations and register file • Implementation-wise, scoreboard keeps track of which • Instructions are issued in order but can be dispatched, registers are used as sources and destinations and which executed and completed out-of-order functional units use them CSE 586 Spring 00 3 CSE 586 Spring 00 4 Highlights from last week (c’ed) Multiple Issue Alternatives • Register renaming: avoids WAW and WAR hazards • Superscalar (hardware detects conflicts) • Is performed at “decode” time to rename the result register – Statically scheduled (in order dispatch and hence execution; cf DEC Alpha 21164) • Two basic implementation schemes – Dynamically scheduled (in order issue, out of order dispatch and – Have a separate physical register file execution; cf MIPS 10000, IBM Power PC 620 and Intel Pentium – Use of reorder buffer and reservation stations (cf.
    [Show full text]
  • Superscalar Instruction Dispatch with Exception Handling
    Superscalar Instruction Dispatch With Exception Handling Design and Testing Report Joseph McMahan December 2013 Contents 1 Design 3 1.1 Overview . ............. ............. 3 1.1.1 The Tomasulo Algorithm . ............. 4 1.1.2 Two-Phase Cloc"ing .......... ............. 4 1.1.3 #esolving Data Hazards . ............. ' 1.1.4 (oftware Interface............ ............. + 1.2 High ,evel Design ............. ............. 10 1.3 ,ow ,evel Design ............. ............. 12 1.3.1 Buses . ............. ............. 12 1.3.2 .unctional /nits ............. ............ 13 1.3.3 Completion File ............. ............. 14 1.3.4 Bus !0cles . ............. ............. 17 1.3.' *nstruction Deco&e an& Dispatch . ............. 18 2 Testing 23 2.1 Tests . ............. ............. 23 2.1.1 ,oa& Data2 Ad& ............. ............. 23 2.1.2 #esource Hazard3 Onl0 One (tation Available ......... 24 2.1.3 Multipl0 . ............. ............. 26 2.1.4 #esource Hazard3 Two Instructions o) (ame Type . 26 2.1.' Data Hazar&3 #A5........... ............. 29 2.1.4 Data Hazar&3 5A5 .......... ............. 31 2.1.+ Data Hazar&3 5AR . ............. 31 2.1.1 Memor0 Hazar&3 5AR . ............. 35 2.1.6 #esource Hazard3 No (tations Available ............ 3' 2.1.10 (tall on .ull Completion File . ............ 31 2.1.11 Han&le 89ception............ ............. 40 1 3 Code 43 3.1 Mo&ules . ............. ............. 43 3.1.1 rstation.v . ............. ............. 43 3.1.2 reg.v . ............. ............. 49 3.1.3 fetch.v . ............. ............. 53 3.1.4 store.v . ............. ............. '6 3.1.' mem-unit.v . ............. ............. 63 3.1.4 ID.v . ............. ............. 70 3.1.+ alu.v . ............. ............. 84 3.1.1 alu-unit.v . ............. ............. 14 3.1.6 mult.v . ............. ............. 90 3.1.10 mp-unit.v . ............. ............. 92 3.1.11 cf.v .
    [Show full text]
  • MIPS Architecture with Tomasulo Algorithm [12]
    CALIFORNIA STATE UNIVERSITY NORTHRIDGE TOMASULO ARCHITECTURE BASED MIPS PROCESSOR A graduate project submitted in partial fulfilment for the requirement Of the degree of Master of Science In Electrical Engineering By Sameer S Pandit May 2014 The graduate project of Sameer Pandit is approved by: ______________________________________ ____________ Dr. Ali Amini, Ph.D. Date _______________________________________ ____________ Dr. Shahnam Mirzaei, Ph.D. Date _______________________________________ ____________ Dr. Ramin Roosta, Ph.D., Chair Date California State University Northridge ii ACKNOWLEDGEMENT I would like to express my gratitude towards all the members of the project committee and would like to thank them for their continuous support and mentoring me for every step that I have taken towards the completion of this project. Dr. Roosta, for his guidance, Dr. Shahnam for his ideas, and Dr. Ali Amini for his utmost support. I would also like to thank my family and friends for their love, care and support through all the tough times during my graduation. iii Table of Contents SIGNATURE PAGE .......................................................................................................... ii ACKNOWLEDGEMENT ................................................................................................. iii LIST OF FIGURES .......................................................................................................... vii ABSTRACT .......................................................................................................................
    [Show full text]
  • In-Line Interrupt Handling and Lock-Up Free Translation Lookaside Buffers (Tlbs)
    IEEE TRANSACTIONS ON COMPUTERS, VOL. 55, NO. 5, MAY 2006 1 In-Line Interrupt Handling and Lock-Up Free Translation Lookaside Buffers (TLBs) Aamer Jaleel, Student Member, IEEE, and Bruce Jacob, Member, IEEE Abstract—The effects of the general-purpose precise interrupt mechanisms in use for the past few decades have received very little attention. When modern out-of-order processors handle interrupts precisely, they typically begin by flushing the pipeline to make the CPU available to execute handler instructions. In doing so, the CPU ends up flushing many instructions that have been brought in to the reorder buffer. In particular, these instructions may have reached a very deep stage in the pipeline—representing significant work that is wasted. In addition, an overhead of several cycles and wastage of energy (per exception detected) can be expected in refetching and reexecuting the instructions flushed. This paper concentrates on improving the performance of precisely handling software managed translation look-aside buffer (TLB) interrupts, one of the most frequently occurring interrupts. The paper presents a novel method of in-lining the interrupt handler within the reorder buffer. Since the first level interrupt-handlers of TLBs are usually small, they could potentially fit in the reorder buffer along with the user-level code already there. In doing so, the instructions that would otherwise be flushed from the pipe need not be refetched and reexecuted. Additionally, it allows for instructions independent of the exceptional instruction to continue to execute in parallel with the handler code. By in-lining the TLB interrupt handler, this provides lock-up free TLBs.
    [Show full text]
  • Improving the Precise Interrupt Mechanism of Software- Managed TLB Miss Handlers
    Improving the Precise Interrupt Mechanism of Software- Managed TLB Miss Handlers Aamer Jaleel and Bruce Jacob Electrical & Computer Engineering University of Maryland at College Park {ajaleel,blj}@eng.umd.edu Abstract. The effects of the general-purpose precise interrupt mechanisms in use for the past few decades have received very little attention. When modern out-of-order processors handle interrupts precisely, they typically begin by flushing the pipeline to make the CPU available to execute handler instructions. In doing so, the CPU ends up flushing many instructions that have been brought in to the reorder buffer. In par- ticular, many of these instructions have reached a very deep stage in the pipeline - representing significant work that is wasted. In addition, an overhead of several cycles can be expected in re-fetching and re-executing these instructions. This paper concentrates on improving the performance of precisely handling software managed translation lookaside buffer (TLB) interrupts, one of the most frequently occurring interrupts. This paper presents a novel method of in-lining the interrupt handler within the reorder buffer. Since the first level interrupt-handlers of TLBs are usually small, they could potentially fit in the reorder buffer along with the user-level code already there. In doing so, the instructions that would otherwise be flushed from the pipe need not be re-fetched and re-executed. Additionally, it allows for instructions independent of the exceptional instruction to continue to execute in parallel with the handler code. We simulate two different schemes of in-lining the interrupt on a pro- cessor with a 4-way out-of-order core similar to the Alpha 21264.
    [Show full text]