author: Iru Cai <mytbk920423@gmail.com> 2019-05-16 14:31:04 +0800
committer: Iru Cai <mytbk920423@gmail.com> 2019-05-16 14:31:04 +0800
commit: a2df7f968fc7c011bd67b33265bd1c722495f29a (patch)
tree: 66bff2242417a51aa1d5d94b75d336b414bef181
parent: 256aad6ceba41c3a65d9076021599545df3ed9b6 (diff)
upd
 chap/abs.tex   |   8
 chap/chap2.tex |  13
 chap/chap3.tex |  22
 chap/chap6.tex |   4
 thesis.bib     | 152
5 files changed, 133 insertions, 66 deletions
diff --git a/chap/abs.tex b/chap/abs.tex
index 6ce4199..8131207 100644
--- a/chap/abs.tex
+++ b/chap/abs.tex
@@ -12,7 +12,7 @@
本文基于 gem5 模拟平台,设计了一种用于防御 Spectre 攻击的微体系结构,并
对其进行评估。主要工作内容如下:
- \begin{enumerate}
+ \begin{itemize}
\item 调研现有的侧信道攻击、Meltdown 和 Spectre 攻击技术,深入分析这
些攻击技术的原理。
\item 调研现有的 Meltdown 和 Spectre 防御方案,分析这些方案的设计思
@@ -26,7 +26,7 @@
的验证程序进行测试,表明设计的微体系结构满足本文的安全特性。用 SPEC
CPU2006 进行性能评测,平均性能开销为 8.5\%,优于只使用动态信息流追
踪检测技术或只使用 InvisiSpec 的模型的性能。
- \end{enumerate}
+ \end{itemize}
\end{cabstract}
\begin{eabstract}
@@ -46,7 +46,7 @@
This thesis designs a microarchitecture to defend against Spectre
attack, based on the gem5 simulation platform, and evaluates the
design. The contribution of this thesis is as follows:
- \begin{enumerate}
+ \begin{itemize}
\item Investigate on current side-channel attack, Meltdown and
Spectre attack, and analyze how these attacks work
\item Investigate on current defenses of Meltdown and Spectre
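Review bot: the unchanged context lines of this list have grammar problems that could be fixed while the hunk is touching the list: `Investigate on current side-channel attack, Meltdown and` / `Spectre attack, and analyze how these attacks work` should read "Investigate current side-channel attacks and the Meltdown and Spectre attacks, and analyze how they work", and `defend against Spectre` / `attack` should be "Spectre attacks". The switch to itemize itself matches the change made to the Chinese abstract above.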
@@ -64,7 +64,7 @@
feature. Evaluated with SPEC CPU2006, this microarchitecture has
an average performance overhead of 8.5\%, better than using DIFT
or InvisiSpec only.
- \end{enumerate}
+ \end{itemize}
\end{eabstract}
% vim:ts=4:sw=4
diff --git a/chap/chap2.tex b/chap/chap2.tex
index c8afa39..ff33fb0 100644
--- a/chap/chap2.tex
+++ b/chap/chap2.tex
@@ -775,11 +775,6 @@ Evict+Reload 的远程缓存攻击方式,将 Spectre 攻击用于网络场景
NetSpectre 攻击在网络上使用,需要攻击者访问受害者提供的网络接口,并且
向受害者发送大量网络数据包。这些操作不一定需要在短时间内进行。
-与本地幽灵攻击相比,我们的NetSpectre攻击并没有分为两个阶段。相反,攻击
-者不断执行操作以使处理器出错,这将使其经常遇到可利用的错误推测执行。
-NetSpectre不会跨越进程边界,而是通过将有效和无效值交替地传递给暴露的接
-口(例如,有效和无效的网络数据包)来就地进行训练。
-
在 NetSpectre 攻击中,攻击者需要利用两个 Spectre 组件:泄露组件和传输
组件,这些组件在收到网络数据包时执行。泄漏组件在攻击者控制的内存地址处
访问数据,并根据访问的数据改变一些微体系结构状态。传输组件可以进行任意操作,
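Review bot: the deleted paragraph was the only place stating that NetSpectre has no separate training phase and instead trains the branch predictor in place by alternating valid and invalid packets; its wording (`我们的NetSpectre攻击`, "our NetSpectre attack") reads as a direct translation of the paper's first person, so removing it is right, but the single-phase point is worth keeping in the thesis's own words, for example appended to the preceding paragraph that ends `这些操作不一定需要在短时间内进行。`, since the step list that follows otherwise suggests distinct training and attack phases.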
@@ -803,13 +798,13 @@ if (x < bitstream_length)
为了在远程攻击中使目标系统在推测式执行中改变微体系结构状态,攻击者采用原始
Spectre 的方法。为了触发远程系统的推测式执行,攻击者进行以下操作:
-\begin{enumerate}
+\begin{itemize}
\item 攻击者发送多个网络数据包,使得攻击者选择的 x 值总是在边界内,训
练分支预测器在后续执行此边界检查的分支时,预测 x 在边界内
\item 攻击者发送一个数据包,使得 x 越界,\verb|bitstream[x]| 是目标系
统中的一个秘密数据位
\item 分支预测器预测边界检查结果为真,推测式执行存储器的访问
-\end{enumerate}
+\end{itemize}
在图\ref{fig:netspectre_leak}的代码中,虽然 flag 的值没有被修改,但是
flag 的缓存状态会发生变化。如果 \verb|bitstream[x]| 为 1,则 flag 会进
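Review bot: this list is an ordered procedure (the lead-in says `攻击者进行以下操作`, "the attacker performs the following operations", and the third step relies on the training done in the first), so enumerate was the right environment and switching to itemize loses the ordering; if the aim is uniformity across the thesis, keep enumerate for step sequences like this one and itemize only for unordered sets.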
@@ -834,8 +829,8 @@ flag 的缓存状态会发生变化。如果 \verb|bitstream[x]| 为 1,则 flag
\subsection{SgxPectre}
SgxPectre \supercite{sgxpectre} 将 Spectre 攻击用于泄露 Intel SGX 环境
-中的数据。通过在 SGX enclave 之外污染 BTB,可以改变 SGX enclave 中的控
-制流,进行 Spectre-BTB 攻击。
+中的数据。通过在 SGX enclave 之外污染 enclave 的 BTB 和 RSB,改变 SGX
+enclave 中的控制流,将秘密数据泄露至 SGX 之外。
\subsection{MeltdownPrime 和 SpectrePrime}
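Review bot: the rewritten sentence now covers both BTB and RSB poisoning but drops the variant name the removed line used (`制流,进行 Spectre-BTB 攻击。`); naming both variants (Spectre-BTB and Spectre-RSB) keeps this subsection tied to the attack classification the thesis uses and lets the reader map SgxPectre onto it.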
diff --git a/chap/chap3.tex b/chap/chap3.tex
index 90e8133..d888b48 100644
--- a/chap/chap3.tex
+++ b/chap/chap3.tex
@@ -90,7 +90,7 @@ Webkit 在数组访问中使用索引掩码(index masking)\supercite{webkit}
在数组大小范围内。
% poison value
-Webkit 还使用了指针投毒(pointer poisoning)\supercite{webkit}的方式,
+Webkit 还使用了指针投毒(pointer poisoning)\supercite{webkit}的方法,
它考虑分支用于做类型检查的情形。对于不同类型的数据,Webkit 将这种类型的
指针和一个类型对应的值异或,要使用的时候再异或这个值得到指向数据的指针,
如果类型不匹配,则得到的指针会指向一个程序无法访问的内存区域。通过这种
@@ -408,11 +408,11 @@ Meltdown 和 Spectre 提供了新了构造数据通道的方式。通过利用
预测错误,使处理器沿着攻击者选择的路径推测式执行,这在受害者中形成了数
据通道。因此,构建数据通道有三种方法:
-\begin{enumerate}
+\begin{itemize}
\item 数据通道在受害者的代码中已经存在,例如对 RSA 的攻击
\item 攻击者编写了这个数据通道,如 Meltdown
\item 攻击者从受害者已有的代码中合成数据通道
-\end{enumerate}
+\end{itemize}
这个框架可以用于除缓存状态之外的侧通道,描述通过分支预测器或 TLB 状态造
成的数据泄露。在未来,可能有更多种类的构造数据通道的方法。
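Review bot: typo in the hunk's own context line `Meltdown 和 Spectre 提供了新了构造数据通道的方式`: `新了` should be `新的`. The enumerate to itemize change is appropriate here, since `构建数据通道有三种方法` lists alternatives rather than steps.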
@@ -447,7 +447,7 @@ DAWG 的目标是阻止任何攻击者和受害者安全域之间的基于缓存
域对应的安全策略。
在 zsim 模拟器中使用 SPEC CPU2006, PARSEC, GAPBS 进行模拟,相对于
-Intel CAT,在不同的评测程序和划分方式下,大多数程序性能下降为 4\%\~7\%.
+Intel CAT,在不同的评测程序和划分方式下,大多数程序性能下降为 4\% 至 7\%.
\subsubsection{Context-Sensitive Fencing}
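Review bot: this fix is needed, because in `4\%\~7\%` the `\~` is the tilde accent command (it would take the following character as its argument) rather than a literal tilde; `4\% 至 7\%` is fine, as would be `4\%--7\%`. The sentence still ends in an ASCII period (`7\%.`) while the surrounding Chinese text uses `。`.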
@@ -485,6 +485,12 @@ Decoding (CSD)\supercite{context-sensitive-decoding},一种微码翻译机制
的扩展,用于动态按需自定义微操作指令流。CSF 利用 CSD,在微指令流中注入
fence 等微码,阻止不安全指令的推测式执行。
+CSD 是一种根据执行上下文,把指令翻译为不同的自定义的微码的技术。操作系
+统、运行时系统等软件可以通过配置 MSR,设定不同的微码翻译模式。它可以在
+不重新编译的情况下,使不安全的程序变为安全的程序,把优化性能的代码变为
+功耗优化的代码。系统软件可以利用已有的微码更新功能将自定义的微码更新至
+寄存器。CSD 可以通过多种事件触发自定义微码翻译模式。
+
CSF 由以下几个关键部件组成:
\begin{itemize}
\item 微码自定义机制 CSD:使处理器精确地在指令流中插入 fence,减轻推测
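Review bot: the new CSD paragraph carries no citation, although the neighbouring text cites `\supercite{context-sensitive-decoding}` and this same patch adds `csd-gomactech` to the bibliography; cite one of them on the first sentence. Also `将自定义的微码更新至寄存器` ("update the custom microcode into registers") conflates two things the paragraph itself separates: software selects the translation mode through MSRs, while the custom microcode is loaded through the existing microcode update mechanism, so say the latter rather than "registers".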
@@ -645,7 +651,7 @@ X 对应的一列将会重置,意味着待发射指令和 X 的之间的安全
险过滤器,检测这些指令中安全的指令。在这些攻击中,Spectre 组件的执行中
包含两个特殊的访存指令,记为 A 和 B,它们有如下的行为:
-\begin{enumerate}
+\begin{itemize}
\item A 推测式地访问敏感数据,B 推测式地访问攻击者和受害者共享的内存区
域,用于构造受害者和攻击者之间的侧信道。通常秘密数据的内存区域和用于
构造侧信道的共享内存区域在不同的内存页,因此它们访问不同的页。
@@ -655,17 +661,17 @@ X 对应的一列将会重置,意味着待发射指令和 X 的之间的安全
要 B 在缓存中不命中。
\item 指令 B 依赖于指令 A,A的结果用于计算共享内存区域的索引。这种设计
也是攻击者推断处秘密数据要点。
-\end{enumerate}
+\end{itemize}
在 TPBuf 过滤器中,以上行为模式称为 S-pattern. 如果观察到推测式执行的
指令序列具有以下特征,则认为它具有 S-pattern:
-\begin{enumerate}
+\begin{itemize}
\item 至少有两个指令 A 和 B 访问不同的内存页
\item 指令 B 导致一级缓存缺失
\item B 依赖于 A
\item A 和 B 之间可能有多个指令
-\end{enumerate}
+\end{itemize}
TPBuf 它记录了所有推测式的存储器访问请求,当一个新的请求在一级缓存中缺
失时,其页地址将会和 TPBuf 中其他访问的页地址比较,如果有至少一个访问访
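Review bot: two errors in the context lines are worth fixing in the same hunk: `也是攻击者推断处秘密数据要点。` should be `推断出秘密数据的要点`, and `TPBuf 它记录了所有推测式的存储器访问请求` has a redundant `它`. The S-pattern criteria (different pages, L1 miss on B, B depends on A) are a conjunctive set of conditions rather than steps, so itemize is appropriate there.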
diff --git a/chap/chap6.tex b/chap/chap6.tex
index cedcc8b..2b40f0d 100644
--- a/chap/chap6.tex
+++ b/chap/chap6.tex
@@ -10,7 +10,7 @@
升,是一个值得研究的问题。只通过软件的修改难以防御多种类型的 Spectre
攻击,因此需要通过改进微架构的设计,以解决 Spectre 攻击的问题。本文主
要工作如下:
-\begin{enumerate}
+\begin{itemize}
\item 首先调研已有的 Meltdown 和 Spectre 的攻击变体,包括
对 Meltdown 和 Spectre 的分类,各类攻击的原理,和它们的利用方式。
\item 调研已有的 Meltdown 和 Spectre 的防御方法,包括软件防御、硬件防御
@@ -25,7 +25,7 @@
的性能开销,使用 SPEC CPU2006 评测了这种微架构的性能,和原有的不安全
的处理器相比,性能开销为 8.5\%,优于只用 InvisiSpec 执行推测式执行的
指令或阻止检测出的不安全指令的方法。
-\end{enumerate}
+\end{itemize}
\section{未来工作展望}
diff --git a/thesis.bib b/thesis.bib
index db1f334..4dbdb5e 100644
--- a/thesis.bib
+++ b/thesis.bib
@@ -9,6 +9,7 @@
Dmitry Evtyushkin and
Daniel Gruss},
title = {A Systematic Evaluation of Transient Execution Attacks and Defenses},
+ type = {J},
journal = {CoRR},
volume = {abs/1811.05441},
year = {2018},
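Review bot: `type = {J}` marks this CoRR preprint as a journal article, while the arXiv preprints later in the same patch get `type = {R}` (for example the entry with `eprint={1802.03802}`); under the GB/T 7714 codes a preprint is a report (R), not a journal article (J), and the code should be assigned consistently. The same applies to the other CoRR entries tagged J in this patch (netspectre, sgxpectre, spec-buffer-overflow, lazyfp).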
@@ -25,6 +26,7 @@
title = {Meltdown: Reading Kernel Memory from User Space},
booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
year = {2018},
+ type = {C},
}
@inproceedings{spectre,
@@ -32,6 +34,7 @@
title = {Spectre Attacks: Exploiting Speculative Execution},
booktitle = {40th IEEE Symposium on Security and Privacy (S\&P'19)},
year = {2019},
+ type = {C},
}
@inproceedings{ret2libc,
@@ -50,6 +53,7 @@
publisher = {ACM},
address = {New York, NY, USA},
keywords = {instruction set, return-into-libc, turing completeness},
+ type = {C},
}
@online{msvc,
@@ -76,7 +80,8 @@
year={2018},
eprint={1802.03802},
archivePrefix={arXiv},
- primaryClass={cs.CR}
+ primaryClass={cs.CR},
+ type = {R},
}
@inproceedings{foreshadow,
@@ -87,7 +92,8 @@
year = {2018},
month = Aug,
publisher = {{USENIX} Association},
- note={See also technical report Foreshadow-NG~\cite{foreshadowNG}}
+ note= {See also technical report Foreshadow-NG~\supercite{foreshadowNG}},
+ type = {C},
}
@article{foreshadowNG,
@@ -96,7 +102,8 @@
Piessens, Frank and Silberstein, Mark and Strackx, Raoul and Wenisch, Thomas F. and Yarom, Yuval},
journal={Technical report},
year={2018},
- note={See also {USENIX} Security paper Foreshadow~\cite{foreshadow}}
+ note={See also {USENIX} Security paper Foreshadow~\cite{foreshadow}},
+ type = {R},
}
@article{netspectre,
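Review bot: the foreshadow entry's note was changed to `\supercite{foreshadowNG}`, but the mirror-image note in this hunk keeps `\cite{foreshadow}`; pick one form. Also check how a superscript citation renders inside a reference entry with this bibliography style; a plain textual cross-reference ("see also Foreshadow-NG") may be safer than a nested citation command in a `note` field.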
@@ -113,7 +120,8 @@
eprint = {1807.10535},
timestamp = {Mon, 13 Aug 2018 16:46:22 +0200},
biburl = {https://dblp.org/rec/bib/journals/corr/abs-1807-10535},
- bibsource = {dblp computer science bibliography, https://dblp.org}
+ bibsource = {dblp computer science bibliography, https://dblp.org},
+ type = {J},
}
@article{sgxpectre,
@@ -132,41 +140,48 @@
eprint = {1802.09085},
timestamp = {Mon, 13 Aug 2018 16:48:38 +0200},
biburl = {https://dblp.org/rec/bib/journals/corr/abs-1802-09085},
- bibsource = {dblp computer science bibliography, https://dblp.org}
+ bibsource = {dblp computer science bibliography, https://dblp.org},
+ type = {J},
}
@online{sgx,
url={https://software.intel.com/en-us/sgx},
title={Intel Software Guard Extensions (Intel SGX)},
+ type = {OL},
}
@online{signal-sgx,
url = {https://signal.org/blog/private-contact-discovery/},
title = {Technology preview: Private contact discovery for Signal},
year = {2017},
- month = 9
+ month = 9,
+ type = {OL},
}
@online{sawtooth,
url = {https://sawtooth.hyperledger.org/docs/core/releases/latest/introduction.html},
- title = {Sawtooth}
+ title = {Sawtooth},
+ type = {OL},
}
@online{mobilecoin,
url = {https://www.mobilecoin.com/whitepaper-en.pdf},
- title = {MobileCoin}
+ title = {MobileCoin},
+ type = {OL},
}
@online{intel-spec,
title = {Intel 64 and IA-32 Architectures Software Developer Manuals},
url = {https://software.intel.com/en-us/articles/intel-sdm},
- author = {Intel}
+ author = {Intel},
+ type = {OL},
}
@online{l1tf,
- title={Deep Dive: Intel Analysis of L1 Terminal Fault},
- url={https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-l1-terminal-fault},
- year={2018},
+ title={Deep Dive: Intel Analysis of L1 Terminal Fault},
+ url={https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-l1-terminal-fault},
+ year={2018},
+ type = {OL},
}
@online{intel-spectre,
@@ -176,6 +191,7 @@
year = {2018},
month = 7,
version = {Revision 4.0},
+ type = {OL},
}
@online{amd-spectre,
@@ -184,6 +200,7 @@
author = {AMD},
year = {2018},
version = {Revision 7.10.18},
+ type = {OL},
}
@inproceedings{branchscope,
@@ -202,6 +219,7 @@
publisher = {ACM},
address = {New York, NY, USA},
keywords = {SGX, attack, branch predictor, microarchitecture security, performance counters, side-channel, timing attacks},
+ type = {C},
}
@inproceedings{flushreload,
@@ -209,21 +227,24 @@
author={Yarom, Yuval and Falkner, Katrina},
booktitle={23rd $\{$USENIX$\}$ Security Symposium ($\{$USENIX$\}$ Security 14)},
pages={719--732},
- year={2014}
+ year={2014},
+ type = {C},
}
@online{spec-store-bypass,
title={speculative execution, variant 4: speculative store bypass},
author={Jann Horn},
url={https://bugs.chromium.org/p/project-zero/issues/detail?id=1528},
- year={2018}
+ year={2018},
+ type = {OL},
}
@online{store-load-forwarding,
title={Store-to-Load Forwarding and Memory Disambiguation in x86 Processors},
author={Henry Wong},
year={2014},
- url={http://blog.stuffedcow.net/2014/01/x86-memory-disambiguation/}
+ url={http://blog.stuffedcow.net/2014/01/x86-memory-disambiguation/},
+ type={OL},
}
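Review bot: the flushreload booktitle `23rd $\{$USENIX$\}$ Security Symposium ($\{$USENIX$\}$ Security 14)` carries Google Scholar export artifacts (`$\{$`, `$\}$`) that render as literal braces in the bibliography; it should be `23rd {USENIX} Security Symposium ({USENIX} Security 14)`, matching the meltdown entry earlier in the file. The WOOT entry later in this patch has the same artifact.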
@@ -233,7 +254,8 @@
booktitle={International Symposium on Engineering Secure Software and Systems},
pages={161--176},
year={2017},
- organization={Springer}
+ organization={Springer},
+ type = {C},
}
@online{retpoline,
@@ -241,6 +263,7 @@
url = {https://support.google.com/faqs/answer/7625886},
author = {Paul Turner},
year = {2018},
+ type = {OL},
}
@online{webkit,
@@ -248,14 +271,16 @@
url = {https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/},
author = {Filip Pizlo},
year = {2018},
- month = Jan
+ month = Jan,
+ type = {OL},
}
@inproceedings{js-timer,
title={Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript},
author={Michael Schwarz and Cl{\'e}mentine Maurice and Daniel Gruss and Stefan Mangard},
booktitle={Financial Cryptography},
- year={2017}
+ year={2017},
+ type={J},
}
@misc{here-to-stay,
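Review bot: js-timer is an `@inproceedings` entry at Financial Cryptography, so the added field should be `type={C}`, not `type={J}`; `J` is the journal code in the GB/T 7714 scheme this patch applies everywhere else.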
@@ -264,7 +289,8 @@
year={2019},
eprint={1902.05178},
archivePrefix={arXiv},
- primaryClass={cs.PL}
+ primaryClass={cs.PL},
+ type={R},
}
@online{spec-load-hardening,
@@ -272,7 +298,8 @@
author={Chandler Carruth},
year={2018},
month=Mar,
- url={https://releases.llvm.org/8.0.0/docs/SpeculativeLoadHardening.html}
+ url={https://releases.llvm.org/8.0.0/docs/SpeculativeLoadHardening.html},
+ type={OL},
}
@misc{oo7,
@@ -281,7 +308,8 @@
year={2018},
eprint={1807.05843},
archivePrefix={arXiv},
- primaryClass={cs.CR}
+ primaryClass={cs.CR},
+ type={R},
}
@misc{spectector,
@@ -290,13 +318,15 @@
year={2018},
eprint={1812.08639},
archivePrefix={arXiv},
- primaryClass={cs.CR}
+ primaryClass={cs.CR},
+ type={R},
}
@online{linux-spec,
url={https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/speculation.txt},
year={2018},
- }
+ type={OL},
+}
% looks like there's some useful references
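Review bot: the linux-spec entry has only `url` and `year`, so adding `type={OL}` still leaves a reference with no title or author; add a `title` field (and ideally an access date) so the entry renders as more than a bare URL.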
@@ -316,7 +346,8 @@
eprint = {1806.05179},
timestamp = {Mon, 13 Aug 2018 16:48:54 +0200},
biburl = {https://dblp.org/rec/bib/journals/corr/abs-1806-05179},
- bibsource = {dblp computer science bibliography, https://dblp.org}
+ bibsource = {dblp computer science bibliography, https://dblp.org},
+ type={J},
}
@INPROCEEDINGS{invisispec,
@@ -330,7 +361,9 @@ pages={428-441},
keywords={cache storage;cryptography;microprocessor chips;multiprocessing systems;parallel architectures;program compilers;speculative execution invisible;side channel attacks;speculative execution attacks;microarchitectural state;hardware speculation attacks;InvisiSpec blocks microarchitectural;multiprocessor data cache hierarchy;unsafe speculative loads;speculative buffer;futuristic attacks;Spectre attacks;execution slowdown;memory consistency;Hardware;Load modeling;Receivers;Coherence;Security;Monitoring;Transient analysis;hardware security;speculation;side channel;memory hierarchy},
doi={10.1109/MICRO.2018.00042},
ISSN={},
-month=Oct,}
+month=Oct,
+type={C}
+}
@ARTICLE{cain-lapasti,
author={H. W. {Cain} and M. H. {Lipasti}},
@@ -343,7 +376,9 @@ pages={110-117},
keywords={content-addressable storage;data integrity;data structures;instruction sets;memory architecture;reduced instruction set computing;storage management;memory ordering;value-based replay;load instructions;first-in-first-out buffer;heuristics filter;cache storage;content addressable memory;memory consistency;Insulation;Bandwidth;Hazards;Computer aided manufacturing;CADCAM;Scalability;Costs;Filters;Degradation;Computer aided instruction},
doi={10.1109/MM.2004.81},
ISSN={0272-1732},
-month={Nov},}
+month=11,
+type={C}
+}
@INPROCEEDINGS{dawg,
author={V. {Kiriansky} and I. {Lebedev} and S. {Amarasinghe} and S. {Devadas} and J. {Emer}},
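Review bot: cain-lapasti is an `@ARTICLE` with `doi={10.1109/MM.2004.81}` (an IEEE Micro DOI), so `type={C}` is wrong and should be `J`. The month was also changed from `{Nov}` to `11` while every other entry in this file uses month macros (`Oct`, `Feb`, `jun`); keep one convention.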
@@ -356,7 +391,9 @@ pages={974-987},
keywords={cache storage;security of data;cache timing attacks;dynamically allocated way guard;Intels Cache Allocation Technology;memory caches;generic mechanism;cache state covert channel;entire attack surface;patch specific attacks;existing defense mechanisms;exfiltration channel;cache tag state;speculative processor architectures;channel attacks;speculative execution processors;cache subsystem;minimal modifications;service mechanisms;set associative structure;DAWG;Receivers;Program processors;Security;Transmitters;Metadata;Hardware;cache partitioning;side channel attacks;speculative execution},
doi={10.1109/MICRO.2018.00083},
ISSN={},
-month=Oct,}
+month=Oct,
+type={C}
+}
@inproceedings{dift,
title={Secure program execution via dynamic information flow tracking},
@@ -366,7 +403,8 @@ month=Oct,}
number={11},
pages={85--96},
year={2004},
- organization={ACM}
+ organization={ACM},
+ type={J},
}
@inproceedings{raksha,
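Review bot: dift is an `@inproceedings` entry yet receives `type={J}`; either the entry type or the code is wrong, and since the other conference entries in this patch get `C`, use `C` here unless the intent is to cite the journal reprint, in which case the entry type should change too.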
@@ -385,13 +423,15 @@ month=Oct,}
publisher = {ACM},
address = {New York, NY, USA},
keywords = {dynamic, semantic vulnerabilities, software security},
+ type={C},
}
@inproceedings{context-sensitive-fencing,
title={Context-Sensitive Fencing: Securing Speculative Execution via Microcode Customization},
author={Taram, Mohammadkazem and Venkat, Ashish and Tullsen, Dean},
booktitle={Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems},
- year={2019}
+ year={2019},
+ type={C},
}
@inproceedings{context-sensitive-decoding,
@@ -400,12 +440,14 @@ month=Oct,}
booktitle={2018 ACM/IEEE 45th Annual International Symposium on Computer Architecture (ISCA)},
pages={624--637},
year={2018},
- organization={IEEE}
+ organization={IEEE},
+ type={C},
}
@article{csd-gomactech,
title={Fast and Efficient Deployment of Security Defenses Via Context Sensitive Decoding},
- author={Taram, Mohammadkazem and Tullsen, Dean and Venkat, Ashish and Homayoun, Houman and PD, Sai Manoj}
+ author={Taram, Mohammadkazem and Tullsen, Dean and Venkat, Ashish and Homayoun, Houman and PD, Sai Manoj},
+ type={R},
}
@article{spec-buffer-overflow,
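Review bot: csd-gomactech is an `@article` with only `title` and `author`; adding `type={R}` does not give it a venue, year or URL, so it will still render as a bare title. Fill in where and when it was published before relying on it as a report.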
@@ -420,7 +462,8 @@ month=Oct,}
eprint = {1807.03757},
timestamp = {Mon, 13 Aug 2018 16:48:44 +0200},
biburl = {https://dblp.org/rec/bib/journals/corr/abs-1807-03757},
- bibsource = {dblp computer science bibliography, https://dblp.org}
+ bibsource = {dblp computer science bibliography, https://dblp.org},
+ type={J},
}
% https://www.usenix.org/conference/woot18/presentation/koruyeh
@@ -428,7 +471,8 @@ month=Oct,}
title={Spectre returns! speculation attacks using the return stack buffer},
author={Koruyeh, Esmaeil Mohammadian and Khasawneh, Khaled N and Song, Chengyu and Abu-Ghazaleh, Nael},
booktitle={12th $\{$USENIX$\}$ Workshop on Offensive Technologies ($\{$WOOT$\}$ 18)},
- year={2018}
+ year={2018},
+ type={J},
}
@inproceedings{ret2spec,
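Review bot: the `Spectre returns!` entry is an `@inproceedings` at a USENIX workshop (WOOT 18), so `type={J}` should be `type={C}`; its booktitle also has the `$\{$USENIX$\}$` export artifact noted on the flushreload entry.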
@@ -447,6 +491,7 @@ month=Oct,}
publisher = {ACM},
address = {New York, NY, USA},
keywords = {hardware security, javascript, side channel attacks},
+ type={C},
}
@article{lazyfp,
@@ -460,7 +505,8 @@ archivePrefix = "arXiv",
year = 2018,
month = jun,
adsurl = {http://adsabs.harvard.edu/abs/2018arXiv180607480S},
- adsnote = {Provided by the SAO/NASA Astrophysics Data System}
+ adsnote = {Provided by the SAO/NASA Astrophysics Data System},
+ type={J},
}
@inproceedings{Shen:2018:RCF:3243734.3278522,
@@ -479,11 +525,13 @@ archivePrefix = "arXiv",
publisher = {ACM},
address = {New York, NY, USA},
keywords = {side-channel defenses, spectre attacks, speculative execution},
+ type={C},
}
@article{spectrum,
title={Spectrum: Classifying, Replicating and Mitigating Spectre Attacks on a Speculating RISC-V Microarchitecture},
- author={Gonzalez, Abraham and Korpan, Ben and Younis, Ed and Zhao, Jerry}
+ author={Gonzalez, Abraham and Korpan, Ben and Younis, Ed and Zhao, Jerry},
+ type={R},
}
@phdthesis{boom,
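Review bot: spectrum, like csd-gomactech, is an `@article` with only `title` and `author`; `type={R}` does not supply the missing venue, year or URL, so add those before the entry is cited.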
@@ -501,7 +549,8 @@ To facilitate architecture research during this fallow period of Moore’s Law,
Our processor generator is called BOOM, and it designed for use in education, research, and industry. Like most contemporary high-performance cores, BOOM is superscalar (able to execute multiple instructions per cycle) and out-of-order (able to execute instructions as their dependencies are resolved and not restricted to their program order).
The BOOM generator was implemented using the Chisel hardware construction language, allowing for the rapid implementation of parameterized designs. The Chisel description generates synthesizable implementations of BOOM that can target both FPGAs and ASIC tool-flows. The BOOM effort culminated in a test chip that was fabricated in the TSMC 28 nm HPM process (high performance mobile) using the foundry-provided standard-cell library and memory compiler.
-This thesis highlights two aspects of the BOOM design: its industry-competitive branch prediction and its configurable execution datapath. The remainder of the thesis discusses the BOOM tape-out, which was performed by two graduate students and demonstrated the ability to quickly adapt the design to the physical design issues that arose.}
+This thesis highlights two aspects of the BOOM design: its industry-competitive branch prediction and its configurable execution datapath. The remainder of the thesis discusses the BOOM tape-out, which was performed by two graduate students and demonstrated the ability to quickly adapt the design to the physical design issues that arose.},
+ type={D},
}
@misc{oisa,
@@ -510,6 +559,7 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
howpublished = {Cryptology ePrint Archive, Report 2018/808},
year = {2018},
note = {\url{https://eprint.iacr.org/2018/808}},
+ type={J},
}
@INPROCEEDINGS{conditional-speculation,
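Review bot: oisa is a Cryptology ePrint report (`howpublished = {Cryptology ePrint Archive, Report 2018/808}`) but is tagged `type={J}`; the arXiv preprints in this patch are tagged `R`, and an ePrint report is the same kind of document, so use `R` here and for the EMpower ePrint entry further down.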
@@ -523,7 +573,9 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
keywords={cache storage;computer architecture;microprocessor chips;program diagnostics;security of data;trusted page buffer;cachehit based hazard filter;conditional speculation;spectre vulnerabilities;false security hazards;unsafe instructions;safe instructions;classic out-of-order pipeline;suspect speculation flags;security-dependent instructions;potential security risk;speculative memory instructions;security dependence;software transparent defense mechanism;security consideration;speculative execution;spectre attacks;out-of-order execution;Security;Hazards;Out of order;Microprocessors;Registers;Spectre vulnerabilities defense;Security dependence;Speculative execution side-channel vulnerabilities},
doi={10.1109/HPCA.2019.00043},
ISSN={2378-203X},
- month=Feb,}
+ month=Feb,
+ type={C}
+}
@inproceedings{spectreguard,
title={SpectreGuard : An Efficient Data-centric Defense Mechanism against Spectre Attacks},
@@ -531,6 +583,7 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
year={2019},
booktitle = {Proceedings of the 56th Annual Design Automation Conference},
series = {DAC '19},
+ type={C},
}
% looks useful...
@@ -546,6 +599,7 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
doi={10.1109/MICRO.2016.7783741},
ISSN={},
month=Oct,
+ type={C},
}
% related article
@@ -557,7 +611,8 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
number={1},
pages={1--27},
year={2018},
- publisher={Springer}
+ publisher={Springer},
+ type={J},
}
% about multiplier timing
@@ -567,7 +622,8 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
booktitle={2015 IEEE Symposium on Security and Privacy},
pages={623--639},
year={2015},
- organization={IEEE}
+ organization={IEEE},
+ type={C},
}
% side channel
@@ -584,6 +640,7 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
acmid = {706156},
publisher = {Springer-Verlag},
address = {London, UK, UK},
+ type={C},
}
@book{MOP2010,
@@ -592,6 +649,7 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
year = {2010},
edition = {1st},
publisher = {Springer Publishing Company, Incorporated},
+ type={M},
}
@misc{EMpower,
@@ -600,6 +658,7 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
howpublished = {Cryptology ePrint Archive, Report 2001/037},
year = {2001},
note = {\url{https://eprint.iacr.org/2001/037}},
+ type={J},
}
@inproceedings{hutter,
@@ -608,7 +667,8 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
booktitle={International Conference on Smart Card Research and Advanced Applications},
pages={219--235},
year={2013},
- organization={Springer}
+ organization={Springer},
+ type={C},
}
@inproceedings{acoustic,
@@ -616,7 +676,8 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
author={Backes, Michael and D{\"u}rmuth, Markus and Gerling, Sebastian and Pinkal, Manfred and Sporleder, Caroline},
booktitle={USENIX Security symposium},
pages={307--322},
- year={2010}
+ year={2010},
+ type={C},
}
@phdthesis{gruss,
@@ -624,6 +685,7 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
title = {Software-based Microarchitectural Attacks},
school = {Graz University of Technology},
year = 2017,
+ type={D},
}
@article{gem5,
@@ -634,7 +696,8 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
number={2},
pages={1--7},
year={2011},
- publisher={ACM}
+ publisher={ACM},
+ type={J},
}
@article{m5,
@@ -655,6 +718,7 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
publisher = {IEEE Computer Society Press},
address = {Los Alamitos, CA, USA},
keywords = {M5, M5, network I/O, TCP/IP, networked systems, TCP/IP, network I/O, networked systems},
+ type={J},
}
@article{gems,
@@ -674,6 +738,7 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
acmid = {1105747},
publisher = {ACM},
address = {New York, NY, USA},
+ type={J},
}
@inproceedings{jump-over-aslr,
@@ -682,7 +747,8 @@ This thesis highlights two aspects of the BOOM design: its industry-competitive
booktitle={The 49th Annual IEEE/ACM International Symposium on Microarchitecture},
pages={40},
year={2016},
- organization={IEEE Press}
+ organization={IEEE Press},
+ type={J}
}
% vim:ts=4:sw=4
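Review bot: jump-over-aslr is an `@inproceedings` at MICRO, so `type={J}` should be `type={C}`, matching the other MICRO entries in this file (invisispec, dawg).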