Microarchitectural Attacks and Defenses in JavaScript
|
|
- Rachel Quinn
- 5 years ago
- Views:
Transcription
1 Microarchitectural Attacks and Defenses in JavaScript Michael Schwarz, Daniel Gruss, Moritz Lipp Michael Schwarz, Daniel Gruss, Moritz Lipp
2 Microarchitecture Microarchitecture... is not defined on the architectural state 2 Michael Schwarz, Daniel Gruss, Moritz Lipp
3 Microarchitecture Microarchitecture... is not defined on the architectural state should not be visible to software 2 Michael Schwarz, Daniel Gruss, Moritz Lipp
4 Microarchitecture Microarchitecture... is not defined on the architectural state should not be visible to software is hardware specific and not fully documented 2 Michael Schwarz, Daniel Gruss, Moritz Lipp
5 Microarchitecture Microarchitecture... is not defined on the architectural state should not be visible to software is hardware specific and not fully documented changes to some extend with new processor generations 2 Michael Schwarz, Daniel Gruss, Moritz Lipp
6 Microarchitectural Attacks Microarchitectural states can be used for attacks Cache state data access 3 Michael Schwarz, Daniel Gruss, Moritz Lipp
7 Microarchitectural Attacks Microarchitectural states can be used for attacks Cache state data access DRAM buffers data access 3 Michael Schwarz, Daniel Gruss, Moritz Lipp
8 Microarchitectural Attacks Microarchitectural states can be used for attacks Cache state data access DRAM buffers data access Interrupts keystrokes 3 Michael Schwarz, Daniel Gruss, Moritz Lipp
9 Microarchitectural Attacks Microarchitectural states can be used for attacks Cache state data access DRAM buffers data access Interrupts keystrokes Branch predictors program flow 3 Michael Schwarz, Daniel Gruss, Moritz Lipp
10 Microarchitectural Attacks Microarchitectural states can be used for attacks Cache state data access DRAM buffers data access Interrupts keystrokes Branch predictors program flow Timings data values 3 Michael Schwarz, Daniel Gruss, Moritz Lipp
11 Side-Channel Attacks Side-channel attacks exploit side effects of operations Microarchitectural attacks are usually side-channel attacks 4 Michael Schwarz, Daniel Gruss, Moritz Lipp
12 Side-Channel Attacks Side-channel attacks exploit side effects of operations Microarchitectural attacks are usually side-channel attacks Sensors user activity 4 Michael Schwarz, Daniel Gruss, Moritz Lipp
13 Side-Channel Attacks Side-channel attacks exploit side effects of operations Microarchitectural attacks are usually side-channel attacks Sensors user activity Timings data values, activity 4 Michael Schwarz, Daniel Gruss, Moritz Lipp
14 One Important Component A core component of many such attacks: Timers 5 Michael Schwarz, Daniel Gruss, Moritz Lipp
15 One Important Component A core component of many such attacks: Timers Side-channel attacks often require high-resolution timers 5 Michael Schwarz, Daniel Gruss, Moritz Lipp
16 One Important Component A core component of many such attacks: Timers Side-channel attacks often require high-resolution timers Differences to measure are often in the range of nanoseconds or microseconds 5 Michael Schwarz, Daniel Gruss, Moritz Lipp
17 One Important Component A core component of many such attacks: Timers Side-channel attacks often require high-resolution timers Differences to measure are often in the range of nanoseconds or microseconds Microarchitectural attacks usually require highest precision 5 Michael Schwarz, Daniel Gruss, Moritz Lipp
18 Attacks in JavaScript
19 First Side-Channel Attack First side-channel attack in JavaScript Stone et al. (2013): Pixel perfect timing attacks with HTML5 6 Michael Schwarz, Daniel Gruss, Moritz Lipp
20 First Side-Channel Attack First side-channel attack in JavaScript Stone et al. (2013): Pixel perfect timing attacks with HTML5 Timing of various redraw events (e.g., visited state of links) 6 Michael Schwarz, Daniel Gruss, Moritz Lipp
21 First Side-Channel Attack First side-channel attack in JavaScript Stone et al. (2013): Pixel perfect timing attacks with HTML5 Timing of various redraw events (e.g., visited state of links) SVG filter timing to extract individual pixels (already 2011) 6 Michael Schwarz, Daniel Gruss, Moritz Lipp
22 First Side-Channel Attack First side-channel attack in JavaScript Stone et al. (2013): Pixel perfect timing attacks with HTML5 Timing of various redraw events (e.g., visited state of links) SVG filter timing to extract individual pixels (already 2011) High-resolution timer was available in browser 6 Michael Schwarz, Daniel Gruss, Moritz Lipp
23 First Microarchitectural Attack First microarchitectural attack in JavaScript Oren et al. (2015): The Spy in the Sandbox 7 Michael Schwarz, Daniel Gruss, Moritz Lipp
24 First Microarchitectural Attack First microarchitectural attack in JavaScript Oren et al. (2015): The Spy in the Sandbox Timing of memory accesses 7 Michael Schwarz, Daniel Gruss, Moritz Lipp
25 First Microarchitectural Attack First microarchitectural attack in JavaScript Oren et al. (2015): The Spy in the Sandbox Timing of memory accesses Allows to determine whether data is cached or uncached 7 Michael Schwarz, Daniel Gruss, Moritz Lipp
26 First Microarchitectural Attack First microarchitectural attack in JavaScript Oren et al. (2015): The Spy in the Sandbox Timing of memory accesses Allows to determine whether data is cached or uncached Possibility to infer info about other programs from browser 7 Michael Schwarz, Daniel Gruss, Moritz Lipp
27 8 Michael Schwarz, Daniel Gruss, Moritz Lipp
28 Timers in JavaScript We need a high-resolution timer to measure such small differences 9 Michael Schwarz, Daniel Gruss, Moritz Lipp
29 Timers in JavaScript We need a high-resolution timer to measure such small differences Native: rdtsc - timestamp in CPU cycles 9 Michael Schwarz, Daniel Gruss, Moritz Lipp
30 Timers in JavaScript We need a high-resolution timer to measure such small differences Native: rdtsc - timestamp in CPU cycles JavaScript: performance.now() has the highest resolution 9 Michael Schwarz, Daniel Gruss, Moritz Lipp
31 Timers in JavaScript We need a high-resolution timer to measure such small differences Native: rdtsc - timestamp in CPU cycles JavaScript: performance.now() has the highest resolution performance.now() [...] represent times as floating-point numbers with up to microsecond precision. Mozilla Developer Network 9 Michael Schwarz, Daniel Gruss, Moritz Lipp
32 ...up to microsecond precision? Firefox Michael Schwarz, Daniel Gruss, Moritz Lipp
33 ...up to microsecond precision? Edge 38 Firefox Michael Schwarz, Daniel Gruss, Moritz Lipp
34 ...up to microsecond precision? W3C standard 1 Edge 38 Firefox Michael Schwarz, Daniel Gruss, Moritz Lipp
35 ...up to microsecond precision? 0 0 Firefox 37/Chrome/Safari 5 W3C standard 5 1 Edge 38 Firefox Michael Schwarz, Daniel Gruss, Moritz Lipp
36 ...up to microsecond precision? 0 Tor 0 Firefox 37/Chrome/Safari 5 W3C standard 5 Edge 38 1 Firefox Michael Schwarz, Daniel Gruss, Moritz Lipp
37 ...up to microsecond precision? Fuzzyfox Tor Firefox 37/Chrome/Safari 5 W3C standard 5 Edge 38 1 Firefox Michael Schwarz, Daniel Gruss, Moritz Lipp
38 New timer
39 We require a higher resolution Current precision is not sufficient to measure cycle differences 11 Michael Schwarz, Daniel Gruss, Moritz Lipp
40 We require a higher resolution Current precision is not sufficient to measure cycle differences We have two possibilities 11 Michael Schwarz, Daniel Gruss, Moritz Lipp
41 We require a higher resolution Current precision is not sufficient to measure cycle differences We have two possibilities Recover a higher resolution from the available timer 11 Michael Schwarz, Daniel Gruss, Moritz Lipp
42 We require a higher resolution Current precision is not sufficient to measure cycle differences We have two possibilities Recover a higher resolution from the available timer Build our own high-resolution timer 11 Michael Schwarz, Daniel Gruss, Moritz Lipp
43 Recovering resolution - Clock interpolation Measure how often we can increment a variable between two timer ticks 12 Michael Schwarz, Daniel Gruss, Moritz Lipp
44 Recovering resolution - Clock interpolation Measure how often we can increment a variable between two timer ticks Average number of increments is the interpolation step 12 Michael Schwarz, Daniel Gruss, Moritz Lipp
45 Recovering resolution - Clock interpolation Measure how often we can increment a variable between two timer ticks Average number of increments is the interpolation step To measure with high resolution: 12 Michael Schwarz, Daniel Gruss, Moritz Lipp
46 Recovering resolution - Clock interpolation Measure how often we can increment a variable between two timer ticks Average number of increments is the interpolation step To measure with high resolution: Start measurement at clock edge 12 Michael Schwarz, Daniel Gruss, Moritz Lipp
47 Recovering resolution - Clock interpolation Measure how often we can increment a variable between two timer ticks Average number of increments is the interpolation step To measure with high resolution: Start measurement at clock edge Increment a variable until next clock edge 12 Michael Schwarz, Daniel Gruss, Moritz Lipp
48 Recovering resolution - Clock interpolation Measure how often we can increment a variable between two timer ticks Average number of increments is the interpolation step To measure with high resolution: Start measurement at clock edge Increment a variable until next clock edge Highly accurate: 500 ns (Firefox/Chrome), 15 µs (Tor) 12 Michael Schwarz, Daniel Gruss, Moritz Lipp
49 Recovering resolution - Edge thresholding We can get a higher resolution for a classifier only 13 Michael Schwarz, Daniel Gruss, Moritz Lipp
50 Recovering resolution - Edge thresholding We can get a higher resolution for a classifier only Often sufficient to see which of two functions takes longer 13 Michael Schwarz, Daniel Gruss, Moritz Lipp
51 Recovering resolution - Edge thresholding We can get a higher resolution for a classifier only Often sufficient to see which of two functions takes longer f slow f fast 13 Michael Schwarz, Daniel Gruss, Moritz Lipp
52 Recovering resolution - Edge thresholding We can get a higher resolution for a classifier only Often sufficient to see which of two functions takes longer f slow f fast Padding Padding Edge thresholding: apply padding such that the slow function crosses one more clock edge than the fast function. 13 Michael Schwarz, Daniel Gruss, Moritz Lipp
53 Recovering resolution - Edge thresholding percentage unaligned aligned padded both correct f slow misclassified f fast misclassified 14 Michael Schwarz, Daniel Gruss, Moritz Lipp
54 Recovering resolution - Edge thresholding percentage unaligned aligned padded both correct f slow misclassified f fast misclassified Yields nanosecond resolution 14 Michael Schwarz, Daniel Gruss, Moritz Lipp
55 Recovering resolution - Edge thresholding percentage unaligned aligned padded both correct f slow misclassified f fast misclassified Yields nanosecond resolution Firefox/Tor (2 ns), Edge (10 ns), Chrome (15 ns) 14 Michael Schwarz, Daniel Gruss, Moritz Lipp
56 Building a timer Goal: counter that does not block main thread 15 Michael Schwarz, Daniel Gruss, Moritz Lipp
57 Building a timer Goal: counter that does not block main thread Baseline settimeout: 4 ms (except Edge: 2 ms) 15 Michael Schwarz, Daniel Gruss, Moritz Lipp
58 Building a timer Goal: counter that does not block main thread Baseline settimeout: 4 ms (except Edge: 2 ms) CSS animation: increase width of element as fast as possible 15 Michael Schwarz, Daniel Gruss, Moritz Lipp
59 Building a timer Goal: counter that does not block main thread Baseline settimeout: 4 ms (except Edge: 2 ms) CSS animation: increase width of element as fast as possible Width of element is timestamp 15 Michael Schwarz, Daniel Gruss, Moritz Lipp
60 Building a timer Goal: counter that does not block main thread Baseline settimeout: 4 ms (except Edge: 2 ms) CSS animation: increase width of element as fast as possible Width of element is timestamp However, animation is limited to 60 fps 16 ms 15 Michael Schwarz, Daniel Gruss, Moritz Lipp
61 Building a timer - Web worker JavaScript can spawn new threads called web worker 16 Michael Schwarz, Daniel Gruss, Moritz Lipp
62 Building a timer - Web worker JavaScript can spawn new threads called web worker Web worker communicate using message passing 16 Michael Schwarz, Daniel Gruss, Moritz Lipp
63 Building a timer - Web worker JavaScript can spawn new threads called web worker Web worker communicate using message passing Let worker count and request timestamp in main thread 16 Michael Schwarz, Daniel Gruss, Moritz Lipp
64 Building a timer - Web worker JavaScript can spawn new threads called web worker Web worker communicate using message passing Let worker count and request timestamp in main thread Multiple possibilities: postmessage, MessageChannel or BroadcastChannel 16 Michael Schwarz, Daniel Gruss, Moritz Lipp
65 Building a timer - Web worker JavaScript can spawn new threads called web worker Web worker communicate using message passing Let worker count and request timestamp in main thread Multiple possibilities: postmessage, MessageChannel or BroadcastChannel Yields microsecond resolution (even on Tor and Fuzzyfox) 16 Michael Schwarz, Daniel Gruss, Moritz Lipp
66 Building a timer - Web worker Experimental feature to share data: SharedArrayBuffer 17 Michael Schwarz, Daniel Gruss, Moritz Lipp
67 Building a timer - Web worker Experimental feature to share data: SharedArrayBuffer Web worker can simultaneously read/write data 17 Michael Schwarz, Daniel Gruss, Moritz Lipp
68 Building a timer - Web worker Experimental feature to share data: SharedArrayBuffer Web worker can simultaneously read/write data No message passing overhead 17 Michael Schwarz, Daniel Gruss, Moritz Lipp
69 Building a timer - Web worker Experimental feature to share data: SharedArrayBuffer Web worker can simultaneously read/write data No message passing overhead One dedicated worker for incrementing the shared variable 17 Michael Schwarz, Daniel Gruss, Moritz Lipp
70 Building a timer - Web worker Experimental feature to share data: SharedArrayBuffer Web worker can simultaneously read/write data No message passing overhead One dedicated worker for incrementing the shared variable Firefox/Fuzzyfox: 2 ns, Chrome: 15 ns 17 Michael Schwarz, Daniel Gruss, Moritz Lipp
71 Building a timer - Web worker Experimental feature to share data: SharedArrayBuffer Web worker can simultaneously read/write data No message passing overhead One dedicated worker for incrementing the shared variable Firefox/Fuzzyfox: 2 ns, Chrome: 15 ns Sufficient for microarchitectural attacks 17 Michael Schwarz, Daniel Gruss, Moritz Lipp
72 Timer evaluation Number of cases cache hit cache miss Access time [SharedArrayBuffer increments] 18 Michael Schwarz, Daniel Gruss, Moritz Lipp
73 Attack Requirements
74 Attack requirements Timers were always the main focus 19 Michael Schwarz, Daniel Gruss, Moritz Lipp
75 Attack requirements Timers were always the main focus Reducing timer resolution is not sufficient 19 Michael Schwarz, Daniel Gruss, Moritz Lipp
76 Attack requirements Timers were always the main focus Reducing timer resolution is not sufficient Timers can (always) be built 19 Michael Schwarz, Daniel Gruss, Moritz Lipp
77 Attack requirements Timers were always the main focus Reducing timer resolution is not sufficient Timers can (always) be built Some attacks do not require timers at all 19 Michael Schwarz, Daniel Gruss, Moritz Lipp
78 Attack requirements Timers were always the main focus Reducing timer resolution is not sufficient Timers can (always) be built Some attacks do not require timers at all Important to understand requirements before designing countermeasures 19 Michael Schwarz, Daniel Gruss, Moritz Lipp
79
80 Identify requirements Currently 11 microarchitectural and side-channel attacks in JavaScript 20 Michael Schwarz, Daniel Gruss, Moritz Lipp
81 Identify requirements Currently 11 microarchitectural and side-channel attacks in JavaScript Analyse requirements for every attack 20 Michael Schwarz, Daniel Gruss, Moritz Lipp
82 Identify requirements Currently 11 microarchitectural and side-channel attacks in JavaScript Analyse requirements for every attack Results in 5 categories 20 Michael Schwarz, Daniel Gruss, Moritz Lipp
83 Identify requirements Currently 11 microarchitectural and side-channel attacks in JavaScript Analyse requirements for every attack Results in 5 categories Memory addresses Accurate timing Multithreading Shared data Sensor API 20 Michael Schwarz, Daniel Gruss, Moritz Lipp
84 Identify requirements Currently 11 microarchitectural and side-channel attacks in JavaScript Analyse requirements for every attack Results in 5 categories Memory addresses Accurate timing Multithreading Shared data Sensor API Every attack is in at least one category 20 Michael Schwarz, Daniel Gruss, Moritz Lipp
85 Attacks and Categories Memory addresses Accurate timing Multithreading Shared data Sensor API Rowhammer.js Practical Memory Deduplication Attacks in Sandboxed Javascript Fantastic Timers and Where to Find Them ASLR on the Line The spy in the sandbox Loophole Pixel perfect timing attacks with HTML5 The clock is still ticking Practical Keystroke Timing Attacks in Sandboxed JavaScript TouchSignatures Stealing sensitive browser data with the W3C Ambient Light Sensor API If accurate timing is not available, it can be approximated using a combination of multithreading and shared data. 21 Michael Schwarz, Daniel Gruss, Moritz Lipp
86 Memory Addresses Language does not provide addresses to programmer 22 Michael Schwarz, Daniel Gruss, Moritz Lipp
87 Memory Addresses Language does not provide addresses to programmer Closest to virtual address: array indices 22 Michael Schwarz, Daniel Gruss, Moritz Lipp
88 Memory Addresses Language does not provide addresses to programmer Closest to virtual address: array indices ArrayBuffer is page aligned, leaks 12 bits of address 22 Michael Schwarz, Daniel Gruss, Moritz Lipp
89 Memory Addresses Language does not provide addresses to programmer Closest to virtual address: array indices ArrayBuffer is page aligned, leaks 12 bits of address If 2 MB backing pages are used, 21 bits of address known 22 Michael Schwarz, Daniel Gruss, Moritz Lipp
90 Memory Addresses Language does not provide addresses to programmer Closest to virtual address: array indices ArrayBuffer is page aligned, leaks 12 bits of address If 2 MB backing pages are used, 21 bits of address known If not page aligned: detect page faults through timing 22 Michael Schwarz, Daniel Gruss, Moritz Lipp
91 Accurate Timing Nearly all attacks require accurate timing 23 Michael Schwarz, Daniel Gruss, Moritz Lipp
92 Accurate Timing Nearly all attacks require accurate timing No absolute timestamps required, only time differences 23 Michael Schwarz, Daniel Gruss, Moritz Lipp
93 Accurate Timing Nearly all attacks require accurate timing No absolute timestamps required, only time differences Required accuracy varies between milliseconds and nanoseconds 23 Michael Schwarz, Daniel Gruss, Moritz Lipp
94 Accurate Timing Nearly all attacks require accurate timing No absolute timestamps required, only time differences Required accuracy varies between milliseconds and nanoseconds Such timers can be built if not available (e.g., message passing) 23 Michael Schwarz, Daniel Gruss, Moritz Lipp
95 Accurate Timing Nearly all attacks require accurate timing No absolute timestamps required, only time differences Required accuracy varies between milliseconds and nanoseconds Such timers can be built if not available (e.g., message passing) If attack is repeatable, less accurate timing can be sufficient 23 Michael Schwarz, Daniel Gruss, Moritz Lipp
96 Multithreading JavaScript introduced multi threading with web workers 24 Michael Schwarz, Daniel Gruss, Moritz Lipp
97 Multithreading JavaScript introduced multi threading with web workers Enables new side-channel attacks 24 Michael Schwarz, Daniel Gruss, Moritz Lipp
98 Multithreading JavaScript introduced multi threading with web workers Enables new side-channel attacks Dispatch latency of event queue allows to infer activity of other tabs 24 Michael Schwarz, Daniel Gruss, Moritz Lipp
99 Multithreading JavaScript introduced multi threading with web workers Enables new side-channel attacks Dispatch latency of event queue allows to infer activity of other tabs Endless loop in worker allows to detect hardware interrupts 24 Michael Schwarz, Daniel Gruss, Moritz Lipp
100 Shared Data Usually no shared data between threads due to synchronization issues 25 Michael Schwarz, Daniel Gruss, Moritz Lipp
101 Shared Data Usually no shared data between threads due to synchronization issues Exception: SharedArrayBuffer 25 Michael Schwarz, Daniel Gruss, Moritz Lipp
102 Shared Data Usually no shared data between threads due to synchronization issues Exception: SharedArrayBuffer Only useful in combination with web workers 25 Michael Schwarz, Daniel Gruss, Moritz Lipp
103 Shared Data Usually no shared data between threads due to synchronization issues Exception: SharedArrayBuffer Only useful in combination with web workers Allows to build timers with extremely high resolution (up to 1 ns) 25 Michael Schwarz, Daniel Gruss, Moritz Lipp
104 Shared Data Usually no shared data between threads due to synchronization issues Exception: SharedArrayBuffer Only useful in combination with web workers Allows to build timers with extremely high resolution (up to 1 ns) Not enabled by default 25 Michael Schwarz, Daniel Gruss, Moritz Lipp
105 Sensor API Some side-channel attacks only require access to sensors 26 Michael Schwarz, Daniel Gruss, Moritz Lipp
106 Sensor API Some side-channel attacks only require access to sensors Several sensors are available in JavaScript 26 Michael Schwarz, Daniel Gruss, Moritz Lipp
107 Sensor API Some side-channel attacks only require access to sensors Several sensors are available in JavaScript Some require user consent, e.g., microphone 26 Michael Schwarz, Daniel Gruss, Moritz Lipp
108 Sensor API Some side-channel attacks only require access to sensors Several sensors are available in JavaScript Some require user consent, e.g., microphone Other can be used without user consent, e.g., ambient light 26 Michael Schwarz, Daniel Gruss, Moritz Lipp
109 Sensor API Some side-channel attacks only require access to sensors Several sensors are available in JavaScript Some require user consent, e.g., microphone Other can be used without user consent, e.g., ambient light There are attacks with these sensors 26 Michael Schwarz, Daniel Gruss, Moritz Lipp
110 Defenses
111 Countermeasures Countermeasures have to address all categories 27 Michael Schwarz, Daniel Gruss, Moritz Lipp
112 Countermeasures Countermeasures have to address all categories Should not be visible to the programmer 27 Michael Schwarz, Daniel Gruss, Moritz Lipp
113 Countermeasures Countermeasures have to address all categories Should not be visible to the programmer Implementation is on the microarchitectural level of JavaScript 27 Michael Schwarz, Daniel Gruss, Moritz Lipp
114 Countermeasures Countermeasures have to address all categories Should not be visible to the programmer Implementation is on the microarchitectural level of JavaScript If no category is usable for attacks anymore, future attacks are hard 27 Michael Schwarz, Daniel Gruss, Moritz Lipp
115 Memory Addresses #1: Buffer ASLR 28 Michael Schwarz, Daniel Gruss, Moritz Lipp
116 Memory Addresses #1: Buffer ASLR Ensure arrays are not page aligned 28 Michael Schwarz, Daniel Gruss, Moritz Lipp
117 Memory Addresses #1: Buffer ASLR Ensure arrays are not page aligned Attacker cannot assume that least significant 12 bits are 0 28 Michael Schwarz, Daniel Gruss, Moritz Lipp
118 Memory Addresses #1: Buffer ASLR Ensure arrays are not page aligned Attacker cannot assume that least significant 12 bits are 0 Only works for the first page 28 Michael Schwarz, Daniel Gruss, Moritz Lipp
119 Memory Addresses #1: Buffer ASLR Ensure arrays are not page aligned Attacker cannot assume that least significant 12 bits are 0 Only works for the first page Consecutive page borders can be detected through page faults 28 Michael Schwarz, Daniel Gruss, Moritz Lipp
120 Memory Addresses #2: Preloading Instead of lazy initialization for arrays, ensure that they are always memory backed 29 Michael Schwarz, Daniel Gruss, Moritz Lipp
121 Memory Addresses #2: Preloading Instead of lazy initialization for arrays, ensure that they are always memory backed Attacker cannot detect page borders through page faults anymore 29 Michael Schwarz, Daniel Gruss, Moritz Lipp
122 Memory Addresses #2: Preloading Instead of lazy initialization for arrays, ensure that they are always memory backed Attacker cannot detect page borders through page faults anymore Does not work if swapping or page deduplication is enabled 29 Michael Schwarz, Daniel Gruss, Moritz Lipp
123 Memory Addresses #2: Preloading Instead of lazy initialization for arrays, ensure that they are always memory backed Attacker cannot detect page borders through page faults anymore Does not work if swapping or page deduplication is enabled Has to be combined with Buffer ASLR 29 Michael Schwarz, Daniel Gruss, Moritz Lipp
124 Memory Addresses #3: Non-determinism For every array access, add another random access 30 Michael Schwarz, Daniel Gruss, Moritz Lipp
125 Memory Addresses #3: Non-determinism For every array access, add another random access Makes page border detection infeasible without requiring significantly more memory 30 Michael Schwarz, Daniel Gruss, Moritz Lipp
126 Memory Addresses #3: Non-determinism For every array access, add another random access Makes page border detection infeasible without requiring significantly more memory Attacker always times two accesses 30 Michael Schwarz, Daniel Gruss, Moritz Lipp
127 Memory Addresses #3: Non-determinism For every array access, add another random access Makes page border detection infeasible without requiring significantly more memory Attacker always times two accesses Distinguishing cached from non-cached addresses is hard 30 Michael Schwarz, Daniel Gruss, Moritz Lipp
128 Memory Addresses #4: Array Index Randomization Ensures arrays are not linear 31 Michael Schwarz, Daniel Gruss, Moritz Lipp
129 Memory Addresses #4: Array Index Randomization Ensures arrays are not linear Use a random linear function to map array index to underlying buffer 31 Michael Schwarz, Daniel Gruss, Moritz Lipp
130 Memory Addresses #4: Array Index Randomization Ensures arrays are not linear Use a random linear function to map array index to underlying buffer Index x maps to f (x) = ax + b mod n, where n is array length and a and b are randomly chosen 31 Michael Schwarz, Daniel Gruss, Moritz Lipp
131 Memory Addresses #4: Array Index Randomization Ensures arrays are not linear Use a random linear function to map array index to underlying buffer Index x maps to f (x) = ax + b mod n, where n is array length and a and b are randomly chosen Has to be combined with Buffer ASLR and either Preloading or Non-determinism 31 Michael Schwarz, Daniel Gruss, Moritz Lipp
132 Memory Addresses The four defenses prevent attackers from getting virtual and physical addresses 32 Michael Schwarz, Daniel Gruss, Moritz Lipp
133 Memory Addresses The four defenses prevent attackers from getting virtual and physical addresses Prevents many microarchitectural attacks 32 Michael Schwarz, Daniel Gruss, Moritz Lipp
134 Memory Addresses The four defenses prevent attackers from getting virtual and physical addresses Prevents many microarchitectural attacks Have to be combined for maximum security 32 Michael Schwarz, Daniel Gruss, Moritz Lipp
135 Memory Addresses The four defenses prevent attackers from getting virtual and physical addresses Prevents many microarchitectural attacks Have to be combined for maximum security Side effect: make exploits harder where addresses are required 32 Michael Schwarz, Daniel Gruss, Moritz Lipp
136 Accurate Timing Reducing the resolution of performance.now() is a first step 33 Michael Schwarz, Daniel Gruss, Moritz Lipp
137 Accurate Timing Reducing the resolution of performance.now() is a first step Only rounding the timestamps is not sufficient 33 Michael Schwarz, Daniel Gruss, Moritz Lipp
138 Accurate Timing Reducing the resolution of performance.now() is a first step Only rounding the timestamps is not sufficient Fuzzy time (Vattikonda et al.) adds random jitter 33 Michael Schwarz, Daniel Gruss, Moritz Lipp
139 Accurate Timing Reducing the resolution of performance.now() is a first step Only rounding the timestamps is not sufficient Fuzzy time (Vattikonda et al.) adds random jitter Timestamps are still monotonic, but clock edges are randomized 33 Michael Schwarz, Daniel Gruss, Moritz Lipp
140 Multithreading Only real solution is to prevent multithreading 34 Michael Schwarz, Daniel Gruss, Moritz Lipp
141 Multithreading Only real solution is to prevent multithreading We used a polyfill to not completely break websites 34 Michael Schwarz, Daniel Gruss, Moritz Lipp
142 Multithreading Only real solution is to prevent multithreading We used a polyfill to not completely break websites Some attacks can be prevented by adding random delays to postmessage 34 Michael Schwarz, Daniel Gruss, Moritz Lipp
143 Multithreading Only real solution is to prevent multithreading We used a polyfill to not completely break websites Some attacks can be prevented by adding random delays to postmessage Prevents certain timing primitives and attacks on the event-queue latency 34 Michael Schwarz, Daniel Gruss, Moritz Lipp
144 Shared Data Best countermeasures: do not allow shared data 35 Michael Schwarz, Daniel Gruss, Moritz Lipp
145 Shared Data Best countermeasures: do not allow shared data Many attacks are impossible without SharedArrayBuffer 35 Michael Schwarz, Daniel Gruss, Moritz Lipp
146 Shared Data Best countermeasures: do not allow shared data Many attacks are impossible without SharedArrayBuffer Alternative: delay access to buffer 35 Michael Schwarz, Daniel Gruss, Moritz Lipp
147 Shared Data Best countermeasures: do not allow shared data Many attacks are impossible without SharedArrayBuffer Alternative: delay access to buffer Still faster than message passing 35 Michael Schwarz, Daniel Gruss, Moritz Lipp
148 Shared Data Best countermeasures: do not allow shared data Many attacks are impossible without SharedArrayBuffer Alternative: delay access to buffer Still faster than message passing Degrades resolution of timing primitive to microseconds 35 Michael Schwarz, Daniel Gruss, Moritz Lipp
149 Sensor API Reduce resolution and update frequency of sensors 36 Michael Schwarz, Daniel Gruss, Moritz Lipp
150 Sensor API Reduce resolution and update frequency of sensors Sensor APIs should always ask user for permission 36 Michael Schwarz, Daniel Gruss, Moritz Lipp
151 Sensor API Reduce resolution and update frequency of sensors Sensor APIs should always ask user for permission Every sensor is usable for attacks, even ambient light sensor 36 Michael Schwarz, Daniel Gruss, Moritz Lipp
152 Sensor API Reduce resolution and update frequency of sensors Sensor APIs should always ask user for permission Every sensor is usable for attacks, even ambient light sensor To not break existing applications, sensors return constant value 36 Michael Schwarz, Daniel Gruss, Moritz Lipp
153 Implementation
154 Designing the Countermeasure Best solution is to implement defenses in the browser core 37 Michael Schwarz, Daniel Gruss, Moritz Lipp
155 Designing the Countermeasure Best solution is to implement defenses in the browser core Maintaining a browser fork is hard work 37 Michael Schwarz, Daniel Gruss, Moritz Lipp
156 Designing the Countermeasure Best solution is to implement defenses in the browser core Maintaining a browser fork is hard work We want a generic solution for multiple browsers 37 Michael Schwarz, Daniel Gruss, Moritz Lipp
157 Designing the Countermeasure Best solution is to implement defenses in the browser core Maintaining a browser fork is hard work We want a generic solution for multiple browsers Parsing JavaScript is hard 37 Michael Schwarz, Daniel Gruss, Moritz Lipp
158 Designing the Countermeasure Best solution is to implement defenses in the browser core Maintaining a browser fork is hard work We want a generic solution for multiple browsers Parsing JavaScript is hard Implementation in JavaScript Virtual machine layering 37 Michael Schwarz, Daniel Gruss, Moritz Lipp
159 Designing the Countermeasure Best solution is to implement defenses in the browser core Maintaining a browser fork is hard work We want a generic solution for multiple browsers Parsing JavaScript is hard Implementation in JavaScript Virtual machine layering Proof-of-concept is implemented as browser extension 37 Michael Schwarz, Daniel Gruss, Moritz Lipp
160 User Experience Some defenses might impair user experience, e.g., disable multithreading 38 Michael Schwarz, Daniel Gruss, Moritz Lipp
161 User Experience Some defenses might impair user experience, e.g., disable multithreading The user can choose one of several pre-defined protection levels 38 Michael Schwarz, Daniel Gruss, Moritz Lipp
162 User Experience Some defenses might impair user experience, e.g., disable multithreading The user can choose one of several pre-defined protection levels Protection levels apply different combinations of defenses 38 Michael Schwarz, Daniel Gruss, Moritz Lipp
163 User Experience Some defenses might impair user experience, e.g., disable multithreading The user can choose one of several pre-defined protection levels Protection levels apply different combinations of defenses Each defense can either be disabled, enabled, or require user permission 38 Michael Schwarz, Daniel Gruss, Moritz Lipp
164 Virtual Machine Layering Functions and properties are replaced by wrappers Page Context Script Extension Context Return Call Wrapper Call Filtered value Default value Allowed? Yes Original Function No 39 Michael Schwarz, Daniel Gruss, Moritz Lipp
165 Virtual Machine Layering Functions can be re-defined in JavaScript var o r i g i n a l r e f e r e n c e = window. performance. now ; window. performance. now = function ( ) { return 0 ; } ; 40 Michael Schwarz, Daniel Gruss, Moritz Lipp
166 Virtual Machine Layering Functions can be re-defined in JavaScript var o r i g i n a l r e f e r e n c e = window. performance. now ; window. performance. now = function ( ) { return 0 ; } ; // call the new function (via function name) a l e r t ( window. performance. now ( ) ) ; // == alert(0) 40 Michael Schwarz, Daniel Gruss, Moritz Lipp
167 Virtual Machine Layering Functions can be re-defined in JavaScript var o r i g i n a l r e f e r e n c e = window. performance. now ; window. performance. now = function ( ) { return 0 ; } ; // call the new function (via function name) a l e r t ( window. performance. now ( ) ) ; // == alert(0) // call the original function (only via reference) a l e r t ( o r i g i n a l r e f e r e n c e. c a l l ( window. performance ) ) ; 40 Michael Schwarz, Daniel Gruss, Moritz Lipp
168 Virtual Machine Layering Functions can be re-defined in JavaScript var o r i g i n a l r e f e r e n c e = window. performance. now ; window. performance. now = function ( ) { return 0 ; } ; // call the new function (via function name) a l e r t ( window. performance. now ( ) ) ; // == alert(0) // call the original function (only via reference) a l e r t ( o r i g i n a l r e f e r e n c e. c a l l ( window. performance ) ) ; Properties can be replaced by accessor properties 40 Michael Schwarz, Daniel Gruss, Moritz Lipp
169 Virtual Machine Layering for Objects Objects are proxied new Object Methods Script Proxy(Object) Filter Methods Object 41 Michael Schwarz, Daniel Gruss, Moritz Lipp
170 Virtual Machine Layering for Objects Objects are proxied new Object Methods Script Proxy(Object) Filter Methods Object All properties and functions are handled by the original object 41 Michael Schwarz, Daniel Gruss, Moritz Lipp
171 Virtual Machine Layering for Objects Objects are proxied new Object Methods Script Proxy(Object) Filter Methods Object All properties and functions are handled by the original object Functions and properties can be overwritten in the proxy object 41 Michael Schwarz, Daniel Gruss, Moritz Lipp
172 Self Protection Attacker tries to circumvent JavaScript Zero 42 Michael Schwarz, Daniel Gruss, Moritz Lipp
173 Self Protection Attacker tries to circumvent JavaScript Zero Self protection is necessary if implemented in JavaScript 42 Michael Schwarz, Daniel Gruss, Moritz Lipp
174 Self Protection Attacker tries to circumvent JavaScript Zero Self protection is necessary if implemented in JavaScript Use closures to hide all references to original functions ( function ( ) { // original is only accessible in this scope var o r i g i n a l = window. performance. now ; window. performance. now =... } ) ( ) ; 42 Michael Schwarz, Daniel Gruss, Moritz Lipp
175 Self Protection Attacker tries to circumvent JavaScript Zero Self protection is necessary if implemented in JavaScript Use closures to hide all references to original functions ( function ( ) { // original is only accessible in this scope var o r i g i n a l = window. performance. now ; window. performance. now =... } ) ( ) ; Prevent objects from being modified: Object.freeze 42 Michael Schwarz, Daniel Gruss, Moritz Lipp
176 Evaluation
177 Page Border Detection Border of pages leak 12 or 21 bits (depending on page size) 43 Michael Schwarz, Daniel Gruss, Moritz Lipp
178 Page Border Detection Border of pages leak 12 or 21 bits (depending on page size) Create huge array 43 Michael Schwarz, Daniel Gruss, Moritz Lipp
179 Page Border Detection Border of pages leak 12 or 21 bits (depending on page size) Create huge array Iterate over array, measure access time 43 Michael Schwarz, Daniel Gruss, Moritz Lipp
180 Page Border Detection Border of pages leak 12 or 21 bits (depending on page size) Create huge array Iterate over array, measure access time Page border raise pagefault, taking significantly longer to access 43 Michael Schwarz, Daniel Gruss, Moritz Lipp
181 Page Border Detection Access time [cycles] Array offset [KB] Michael Schwarz, Daniel Gruss, Moritz Lipp
182 Page Border Detection with Random Access Access time [cycles] ,000 2,000 3,000 4,000 5,000 Array offset [KB] 45 Michael Schwarz, Daniel Gruss, Moritz Lipp
183 Prime+Probe Find addresses (= array indices) that fall into same cache set 46 Michael Schwarz, Daniel Gruss, Moritz Lipp
184 Prime+Probe Find addresses (= array indices) that fall into same cache set Physical address defines in which cache set the data is cached 46 Michael Schwarz, Daniel Gruss, Moritz Lipp
185 Prime+Probe Find addresses (= array indices) that fall into same cache set Physical address defines in which cache set the data is cached Enough addresses in one set evicts the set (Prime) 46 Michael Schwarz, Daniel Gruss, Moritz Lipp
186 Prime+Probe Find addresses (= array indices) that fall into same cache set Physical address defines in which cache set the data is cached Enough addresses in one set evicts the set (Prime) Iterate again over addresses (Probe) 46 Michael Schwarz, Daniel Gruss, Moritz Lipp
187 Prime+Probe Find addresses (= array indices) that fall into same cache set Physical address defines in which cache set the data is cached Enough addresses in one set evicts the set (Prime) Iterate again over addresses (Probe) If it is fast, they are still cached 46 Michael Schwarz, Daniel Gruss, Moritz Lipp
188 Prime+Probe Find addresses (= array indices) that fall into same cache set Physical address defines in which cache set the data is cached Enough addresses in one set evicts the set (Prime) Iterate again over addresses (Probe) If it is fast, they are still cached If it is slow, someone used this cache set and evicted our addresses 46 Michael Schwarz, Daniel Gruss, Moritz Lipp
189 Prime+Probe 47 Michael Schwarz, Daniel Gruss, Moritz Lipp
190 Prime+Probe with Random Access 48 Michael Schwarz, Daniel Gruss, Moritz Lipp
191 Interrupt Detection Multithreading allows to detect interrupts 49 Michael Schwarz, Daniel Gruss, Moritz Lipp
192 Interrupt Detection Multithreading allows to detect interrupts Endless loop which counts number of increments in time window 49 Michael Schwarz, Daniel Gruss, Moritz Lipp
193 Interrupt Detection Multithreading allows to detect interrupts Endless loop which counts number of increments in time window Different number of increments indicate interrupt 49 Michael Schwarz, Daniel Gruss, Moritz Lipp
194 Interrupt Detection Multithreading allows to detect interrupts Endless loop which counts number of increments in time window Different number of increments indicate interrupt Fuzzy time prevents deterministic equally-sized time window 49 Michael Schwarz, Daniel Gruss, Moritz Lipp
195 Interrupt Detection Delta [counter] 1,850 1,800 1,750 tap tap tap tap 1, Runtime [s] 50 Michael Schwarz, Daniel Gruss, Moritz Lipp
196 Interrupt Detection with Fuzzy Time Delta [counter] tap tap tap tap Runtime [s] 51 Michael Schwarz, Daniel Gruss, Moritz Lipp
197 Event Queue Spying Messages between web workers are handled in the event queue 52 Michael Schwarz, Daniel Gruss, Moritz Lipp
198 Event Queue Spying Messages between web workers are handled in the event queue User activity is also handled in the event queue 52 Michael Schwarz, Daniel Gruss, Moritz Lipp
199 Event Queue Spying Messages between web workers are handled in the event queue User activity is also handled in the event queue Posting many messages allows to measure latency 52 Michael Schwarz, Daniel Gruss, Moritz Lipp
200 Event Queue Spying Messages between web workers are handled in the event queue User activity is also handled in the event queue Posting many messages allows to measure latency Latency indicates user input 52 Michael Schwarz, Daniel Gruss, Moritz Lipp
201 Event Queue Spying Delta [ms] ,560 2,570 2,580 2,590 2,600 2,610 2,620 2,630 2,640 Runtime [ms] 53 Michael Schwarz, Daniel Gruss, Moritz Lipp
202 Event Queue Spying with Message Delay Delta [ms] ,860 2,870 2,880 2,890 2,900 2,910 2,920 2,930 2,940 Runtime [ms] 54 Michael Schwarz, Daniel Gruss, Moritz Lipp
203 SharedArrayBuffer Timing Primitive SharedArrayBuffer allows to build a timing primitive with the highest resolution 55 Michael Schwarz, Daniel Gruss, Moritz Lipp
204 SharedArrayBuffer Timing Primitive SharedArrayBuffer allows to build a timing primitive with the highest resolution One web worker continuously increments variable in the shared array 55 Michael Schwarz, Daniel Gruss, Moritz Lipp
205 SharedArrayBuffer Timing Primitive SharedArrayBuffer allows to build a timing primitive with the highest resolution One web worker continuously increments variable in the shared array Other worker uses this as a timestamp 55 Michael Schwarz, Daniel Gruss, Moritz Lipp
206 SharedArrayBuffer Timing Primitive SharedArrayBuffer allows to build a timing primitive with the highest resolution One web worker continuously increments variable in the shared array Other worker uses this as a timestamp Adding random delay to access degrades resolution 55 Michael Schwarz, Daniel Gruss, Moritz Lipp
207 SharedArrayBuffer 56 Michael Schwarz, Daniel Gruss, Moritz Lipp
208 SharedArrayBuffer with Random Delay 57 Michael Schwarz, Daniel Gruss, Moritz Lipp
209 Defense Prevents Rowham- Page Dedu- DRAM Covert Anti- Cache Keystroke Browser mer.js plication Channel ASLR Eviction Timing Buffer ASLR Array preloading Non-deterministic array Array index randomization Low-resolution timestamp Fuzzy time * * * * WebWorker polyfill Message delay Slow SharedArrayBuffer No SharedArrayBuffer * * * * Summary Symbols indicate whether a policy fully prevents an attack, ( ), partly prevents and attack by making it more difficult ( ), or does not prevent an attack ( ). A star (*) indicates that all policies marked with a star must be combined to prevent an attack. 58 Michael Schwarz, Daniel Gruss, Moritz Lipp
210 User Experience 59 Michael Schwarz, Daniel Gruss, Moritz Lipp
211 Conclusion Just rounding timers is not sufficient 60 Michael Schwarz, Daniel Gruss, Moritz Lipp
212 Conclusion Just rounding timers is not sufficient Multithreading and shared data allow to build new timers 60 Michael Schwarz, Daniel Gruss, Moritz Lipp
213 Conclusion Just rounding timers is not sufficient Multithreading and shared data allow to build new timers Microarchitectural attacks in the browser are possible at the moment 60 Michael Schwarz, Daniel Gruss, Moritz Lipp
214 Conclusion Just rounding timers is not sufficient Multithreading and shared data allow to build new timers Microarchitectural attacks in the browser are possible at the moment Efficient countermeasures can be implemented in browsers 60 Michael Schwarz, Daniel Gruss, Moritz Lipp
215 Conclusion Just rounding timers is not sufficient Multithreading and shared data allow to build new timers Microarchitectural attacks in the browser are possible at the moment Efficient countermeasures can be implemented in browsers More microarchitectural attacks in JavaScript will appear 60 Michael Schwarz, Daniel Gruss, Moritz Lipp
Meltdown & Spectre. Side-channels considered harmful. Qualcomm Mobile Security Summit May, San Diego, CA. Moritz Lipp
Meltdown & Spectre Side-channels considered harmful Qualcomm Mobile Security Summit 2018 17 May, 2018 - San Diego, CA Moritz Lipp (@mlqxyz) Michael Schwarz (@misc0110) Flashback Qualcomm Mobile Security
More informationSoftware-based Microarchitectural Attacks
SCIENCE PASSION TECHNOLOGY Software-based Microarchitectural Attacks Daniel Gruss April 19, 2018 Graz University of Technology 1 Daniel Gruss Graz University of Technology Whoami Daniel Gruss Post-Doc
More informationImproving Loop-Gain Performance In Digital Power Supplies With Latest- Generation DSCs
ISSUE: March 2016 Improving Loop-Gain Performance In Digital Power Supplies With Latest- Generation DSCs by Alex Dumais, Microchip Technology, Chandler, Ariz. With the consistent push for higher-performance
More informationUsing Variable-MHz Microprocessors to Efficiently Handle Uncertainty in Real-Time Systems
Using Variable-MHz Microprocessors to Efficiently Handle Uncertainty in Real-Time Systems Eric Rotenberg Center for Embedded Systems Research (CESR) Department of Electrical & Computer Engineering North
More informationHow different FPGA firmware options enable digitizer platforms to address and facilitate multiple applications
How different FPGA firmware options enable digitizer platforms to address and facilitate multiple applications 1 st of April 2019 Marc.Stackler@Teledyne.com March 19 1 Digitizer definition and application
More informationHello, and welcome to this presentation of the STM32 Digital Filter for Sigma-Delta modulators interface. The features of this interface, which
Hello, and welcome to this presentation of the STM32 Digital Filter for Sigma-Delta modulators interface. The features of this interface, which behaves like ADC with external analog part and configurable
More informationOptimal Clock Synchronization in Networks. Christoph Lenzen Philipp Sommer Roger Wattenhofer
Optimal Clock Synchronization in Networks Christoph Lenzen Philipp Sommer Roger Wattenhofer Time in Sensor Networks Synchronized clocks are essential for many applications: Sensing TDMA Localization Duty-
More informationThe Nanokernel. David L. Mills University of Delaware 2-Aug-04 1
The Nanokernel David L. Mills University of Delaware http://www.eecis.udel.edu/~mills mailto:mills@udel.edu Sir John Tenniel; Alice s Adventures in Wonderland,Lewis Carroll 2-Aug-04 1 Going faster and
More informationTransient Execution Attacks
Transient Execution Attacks Daniel Gruss September 12, 2018 Graz University of Technology 1 Daniel Gruss Graz University of Technology Timeline Meltdown/Spectre (1) 19.02.2016: Daniel has an implementation
More informationProject 5: Optimizer Jason Ansel
Project 5: Optimizer Jason Ansel Overview Project guidelines Benchmarking Library OoO CPUs Project Guidelines Use optimizations from lectures as your arsenal If you decide to implement one, look at Whale
More informationArchitectural Core Salvaging in a Multi-Core Processor for Hard-Error Tolerance
Architectural Core Salvaging in a Multi-Core Processor for Hard-Error Tolerance Michael D. Powell, Arijit Biswas, Shantanu Gupta, and Shubu Mukherjee SPEARS Group, Intel Massachusetts EECS, University
More informationJS Lab 5 Due Thurs, Nov 30 (After Thanksgiving)
JS Lab 5 Due Thurs, Nov 30 (After Thanksgiving) With instructions for final project, due Dec 8 at bottom You may work on this lab with your final project partner, or you may work alone. This lab will be
More informationGame Architecture. 4/8/16: Multiprocessor Game Loops
Game Architecture 4/8/16: Multiprocessor Game Loops Monolithic Dead simple to set up, but it can get messy Flow-of-control can be complex Top-level may have too much knowledge of underlying systems (gross
More informationicwaves Inspector Data Sheet
Inspector Data Sheet icwaves Advanced pattern-based triggering device for generating time independent pulses to avoid jitter and time-related countermeasures in SCA or FI testing. Riscure icwaves 1/9 Introduction
More informationA fully digital clock and data recovery with fast frequency offset acquisition technique for MIPI LLI applications
LETTER IEICE Electronics Express, Vol.10, No.10, 1 7 A fully digital clock and data recovery with fast frequency offset acquisition technique for MIPI LLI applications June-Hee Lee 1, 2, Sang-Hoon Kim
More informationFinal Project: NOTE: The final project will be due on the last day of class, Friday, Dec 9 at midnight.
Final Project: NOTE: The final project will be due on the last day of class, Friday, Dec 9 at midnight. For this project, you may work with a partner, or you may choose to work alone. If you choose to
More informationData acquisition and Trigger (with emphasis on LHC)
Lecture 2 Data acquisition and Trigger (with emphasis on LHC) Introduction Data handling requirements for LHC Design issues: Architectures Front-end, event selection levels Trigger Future evolutions Conclusion
More informationPerformance Evaluation of Recently Proposed Cache Replacement Policies
University of Jordan Computer Engineering Department Performance Evaluation of Recently Proposed Cache Replacement Policies CPE 731: Advanced Computer Architecture Dr. Gheith Abandah Asma Abdelkarim January
More informationDesign of Embedded Systems - Advanced Course Project
2011-10-31 Bomberman A Design of Embedded Systems - Advanced Course Project Linus Sandén, Mikael Göransson & Michael Lennartsson et07ls4@student.lth.se, et07mg7@student.lth.se, mt06ml8@student.lth.se Abstract
More informationSV2C 28 Gbps, 8 Lane SerDes Tester
SV2C 28 Gbps, 8 Lane SerDes Tester Data Sheet SV2C Personalized SerDes Tester Data Sheet Revision: 1.0 2015-03-19 Revision Revision History Date 1.0 Document release. March 19, 2015 The information in
More informationWAFTL: A Workload Adaptive Flash Translation Layer with Data Partition
WAFTL: A Workload Adaptive Flash Translation Layer with Data Partition Qingsong Wei Bozhao Gong, Suraj Pathak, Bharadwaj Veeravalli, Lingfang Zeng and Kanzo Okada Data Storage Institute, A-STAR, Singapore
More informationCourse Introduction. Content 20 pages 3 questions. Learning Time 30 minutes
Purpose The intent of this course is to provide you with information about the main features of the S08 Timer/PWM (TPM) interface module and how to configure and use it in common applications. Objectives
More informationModels 2601B, 2602B and 2604B
Models 2601B, 2602B and 2604B Keithley Instruments, Inc. System SourceMeter 28775 Aurora Road Instrument Specifications Cleveland, Ohio 44139 1-888-KEITHLEY http://www.keithley.com SPECIFICATION CONDITIONS
More informationLV-Link 3.0 Software Interface for LabVIEW
LV-Link 3.0 Software Interface for LabVIEW LV-Link Software Interface for LabVIEW LV-Link is a library of VIs (Virtual Instruments) that enable LabVIEW programmers to access the data acquisition features
More informationDEEJAM: Defeating Energy-Efficient Jamming in IEEE based Wireless Networks
DEEJAM: Defeating Energy-Efficient Jamming in IEEE 802.15.4-based Wireless Networks Anthony D. Wood, John A. Stankovic, Gang Zhou Department of Computer Science University of Virginia Wireless Sensor Networks
More informationWireless Sensor Networks
DEEJAM: Defeating Energy-Efficient Jamming in IEEE 802.15.4-based Wireless Networks Anthony D. Wood, John A. Stankovic, Gang Zhou Department of Computer Science University of Virginia June 19, 2007 Wireless
More informationCiA Draft Standard Proposal 402. CANopen. Device Profile Drives and Motion Control. This draft standard proposal is not recommended for implementation
CiA Draft Standard Proposal 402 CANopen Device Profile Drives and Motion Control This draft standard proposal is not recommended for implementation Version 2.0 Date: 26. July 2002 CAN in Automation e.v.
More informationEnhancing System Architecture by Modelling the Flash Translation Layer
Enhancing System Architecture by Modelling the Flash Translation Layer Robert Sykes Sr. Dir. Firmware August 2014 OCZ Storage Solutions A Toshiba Group Company Introduction This presentation will discuss
More informationModels 2634B, 2635B and 2636B
Models 2634B, 2635B and 2636B Keithley Instruments, Inc. System SourceMeter 28775 Aurora Road Instrument Specifications Cleveland, Ohio 44139 1-888-KEITHLEY http://www.keithley.com SPECIFICATION CONDITIONS
More informationTrack and Vertex Reconstruction on GPUs for the Mu3e Experiment
Track and Vertex Reconstruction on GPUs for the Mu3e Experiment Dorothea vom Bruch for the Mu3e Collaboration GPU Computing in High Energy Physics, Pisa September 11th, 2014 Physikalisches Institut Heidelberg
More informationThe Xbox One System on a Chip and Kinect Sensor
The Xbox One System on a Chip and Kinect Sensor John Sell, Patrick O Connor, Microsoft Corporation 1 Abstract The System on a Chip at the heart of the Xbox One entertainment console is one of the largest
More informationModel 2651A Specifications
Keithley Instruments 28775 Aurora Road Cleveland, Ohio 44139 1-800-935-55 http://www.tek.com/keithley Model 2651A Specifications High Power System SourceMeter Instrument Specifications SPECIFICATION CONDITIONS
More informationMicroprocessor & Interfacing Lecture Programmable Interval Timer
Microprocessor & Interfacing Lecture 30 8254 Programmable Interval Timer P A R U L B A N S A L A S S T P R O F E S S O R E C S D E P A R T M E N T D R O N A C H A R Y A C O L L E G E O F E N G I N E E
More informationΕΠΛ 605: Προχωρημένη Αρχιτεκτονική
ΕΠΛ 605: Προχωρημένη Αρχιτεκτονική Υπολογιστών Presentation of UniServer Horizon 2020 European project findings: X-Gene server chips, voltage-noise characterization, high-bandwidth voltage measurements,
More informationData acquisition and Trigger (with emphasis on LHC)
Lecture 2! Introduction! Data handling requirements for LHC! Design issues: Architectures! Front-end, event selection levels! Trigger! Upgrades! Conclusion Data acquisition and Trigger (with emphasis on
More informationGFT1504 4/8/10 channel Delay Generator
Features 4 independent Delay Channels (10 in option) 100 ps resolution (1ps in option) 25 ps RMS jitter (channel to channel) 10 second range Channel Output pulse 6 V/50 Ω, 3 ns rise time Independent control
More informationIVI STEP TYPES. Contents
IVI STEP TYPES Contents This document describes the set of IVI step types that TestStand provides. First, the document discusses how to use the IVI step types and how to edit IVI steps. Next, the document
More informationAdvances in Antenna Measurement Instrumentation and Systems
Advances in Antenna Measurement Instrumentation and Systems Steven R. Nichols, Roger Dygert, David Wayne MI Technologies Suwanee, Georgia, USA Abstract Since the early days of antenna pattern recorders,
More informationCS649 Sensor Networks IP Lecture 9: Synchronization
CS649 Sensor Networks IP Lecture 9: Synchronization I-Jeng Wang http://hinrg.cs.jhu.edu/wsn06/ Spring 2006 CS 649 1 Outline Description of the problem: axes, shortcomings Reference-Broadcast Synchronization
More informationNyquist filter FIFO. Amplifier. Impedance matching. 40 MHz sampling ADC. DACs for gain and offset FPGA. clock distribution (not yet implemented)
The Digital Gamma Finder (DGF) Firewire clock distribution (not yet implemented) DSP One of four channels Inputs Camac for 4 channels 2 cm System FPGA Digital part Analog part FIFO Amplifier Nyquist filter
More informationCS 354R: Computer Game Technology
CS 354R: Computer Game Technology Introduction to Game AI Fall 2018 What does the A stand for? 2 What is AI? AI is the control of every non-human entity in a game The other cars in a car game The opponents
More informationKillzone Shadow Fall: Threading the Entity Update on PS4. Jorrit Rouwé Lead Game Tech, Guerrilla Games
Killzone Shadow Fall: Threading the Entity Update on PS4 Jorrit Rouwé Lead Game Tech, Guerrilla Games Introduction Killzone Shadow Fall is a First Person Shooter PlayStation 4 launch title In SP up to
More informationGame Programming Paradigms. Michael Chung
Game Programming Paradigms Michael Chung CS248, 10 years ago... Goals Goals 1. High level tips for your project s game architecture Goals 1. High level tips for your project s game architecture 2.
More informationRamon Canal NCD Master MIRI. NCD Master MIRI 1
Wattch, Hotspot, Hotleakage, McPAT http://www.eecs.harvard.edu/~dbrooks/wattch-form.html http://lava.cs.virginia.edu/hotspot http://lava.cs.virginia.edu/hotleakage http://www.hpl.hp.com/research/mcpat/
More informationTable of Contents HOL ADV
Table of Contents Lab Overview - - Horizon 7.1: Graphics Acceleartion for 3D Workloads and vgpu... 2 Lab Guidance... 3 Module 1-3D Options in Horizon 7 (15 minutes - Basic)... 5 Introduction... 6 3D Desktop
More informationKeysight Technologies PNA-X Series Microwave Network Analyzers
Keysight Technologies PNA-X Series Microwave Network Analyzers Active-Device Characterization in Pulsed Operation Using the PNA-X Application Note Introduction Vector network analyzers (VNA) are the common
More informationDesigning with STM32F3x
Designing with STM32F3x Course Description Designing with STM32F3x is a 3 days ST official course. The course provides all necessary theoretical and practical know-how for start developing platforms based
More informationGFT1012 2/4 Channel Precise Slave Generator
Features Two Independent Delay Channels (Four channels available as an option) 1 ps Time Resolution < 5 ps RMS Jitter (Slave-to-Slave) < 6 ps / C Drift (Slave-to-slave) 1 Second Range Output Pulse Up to
More informationUsing Signaling Rate and Transfer Rate
Application Report SLLA098A - February 2005 Using Signaling Rate and Transfer Rate Kevin Gingerich Advanced-Analog Products/High-Performance Linear ABSTRACT This document defines data signaling rate and
More informationFall 2015 COMP Operating Systems. Lab #7
Fall 2015 COMP 3511 Operating Systems Lab #7 Outline Review and examples on virtual memory Motivation of Virtual Memory Demand Paging Page Replacement Q. 1 What is required to support dynamic memory allocation
More information2601 System SourceMeter 2602 Multi-Channel I-V Test Solutions
601 System SourceMeter 60 Multi-Channel I-V Test Solutions SPECIFICATION CONDITIONS This document contains specifications and supplemental information for the Models 601 and 60. Specifications are the
More informationRANA: Towards Efficient Neural Acceleration with Refresh-Optimized Embedded DRAM
RANA: Towards Efficient Neural Acceleration with Refresh-Optimized Embedded DRAM Fengbin Tu, Weiwei Wu, Shouyi Yin, Leibo Liu, Shaojun Wei Institute of Microelectronics Tsinghua University The 45th International
More informationProduct type designation. General information. Supply voltage
Data sheet SIMATIC S7-300, CPU 313C, COMPACT CPU WITH MPI, 24 DI/16 DO, 4AI, 2AO 1 PT100, 3 FAST COUNTERS (30 KHZ), INTEGRATED 24V DC POWER SUPPLY, 128 KBYTE WORKING MEMORY, FRONT CONNECTOR (2 X 40PIN)
More informationV-edge: Fast Self-constructive Power Modeling of Smartphones Based on Battery Voltage Dynamics
V-edge: Fast Self-constructive Power Modeling of Smartphones Based on Battery Voltage Dynamics Fengyuan Xu Yunxin Liu Qun Li Yongguang Zhang College of William and Mary Microsoft Research Asia Abstract
More informationDigital Systems Design
Digital Systems Design Clock Networks and Phase Lock Loops on Altera Cyclone V Devices Dr. D. J. Jackson Lecture 9-1 Global Clock Network & Phase-Locked Loops Clock management is important within digital
More informationMeasuring Distance Using Sound
Measuring Distance Using Sound Distance can be measured in various ways: directly, using a ruler or measuring tape, or indirectly, using radio or sound waves. The indirect method measures another variable
More informationSupporting x86-64 Address Translation for 100s of GPU Lanes. Jason Power, Mark D. Hill, David A. Wood
Supporting x86-64 Address Translation for 100s of GPU s Jason Power, Mark D. Hill, David A. Wood Summary Challenges: CPU&GPUs physically integrated, but logically separate; This reduces theoretical bandwidth,
More informationdspic30f Quadrature Encoder Interface Module
DS Digital Signal Controller dspic30f Quadrature Encoder Interface Module 2005 Microchip Technology Incorporated. All Rights Reserved. dspic30f Quadrature Encoder Interface Module 1 Welcome to the dspic30f
More informationModel 2635A/2636A System SourceMeter Specifications
1. SPECIFICATION CONDITIONS This document contains specifications and supplemental information for the Models 2635A and 2636A System SourceMeters. are the standards against which the Models 2635A and 2636A
More informationCamera Test Protocol. Introduction TABLE OF CONTENTS. Camera Test Protocol Technical Note Technical Note
Technical Note CMOS, EMCCD AND CCD CAMERAS FOR LIFE SCIENCES Camera Test Protocol Introduction The detector is one of the most important components of any microscope system. Accurate detector readings
More informationEvolution of DSP Processors. Kartik Kariya EE, IIT Bombay
Evolution of DSP Processors Kartik Kariya EE, IIT Bombay Agenda Expected features of DSPs Brief overview of early DSPs Multi-issue DSPs Case Study: VLIW based Processor (SPXK5) for Mobile Applications
More informationStress Testing the OpenSimulator Virtual World Server
Stress Testing the OpenSimulator Virtual World Server Introduction OpenSimulator (http://opensimulator.org) is an open source project building a general purpose virtual world simulator. As part of a larger
More informationSpartan Tetris. Sources. Concept. Design. Plan. Jeff Heckey ECE /12/13.
Jeff Heckey ECE 253 12/12/13 Spartan Tetris Sources https://github.com/jheckey/spartan_tetris Concept Implement Tetris on a Spartan 1600E Starter Kit. This involves developing a new VGA Pcore for integrating
More informationTraditional analog QDC chain and Digital Pulse Processing [1]
Giuliano Mini Viareggio April 22, 2010 Introduction The aim of this paper is to compare the energy resolution of two gamma ray spectroscopy setups based on two different acquisition chains; the first chain
More informationAn Arduino-based DCC Accessory Decoder for Model Railroad Turnouts. Eric Thorstenson 11/1/17
An Arduino-based DCC Accessory Decoder for Model Railroad Turnouts Eric Thorstenson 11/1/17 Introduction Earlier this year, I decided to develop an Arduino-based DCC accessory decoder for model railroad
More informationUnderstanding OpenGL
This document provides an overview of the OpenGL implementation in Boris Red. About OpenGL OpenGL is a cross-platform standard for 3D acceleration. GL stands for graphics library. Open refers to the ongoing,
More informationIncreasing Broadcast Reliability for Vehicular Ad Hoc Networks. Nathan Balon and Jinhua Guo University of Michigan - Dearborn
Increasing Broadcast Reliability for Vehicular Ad Hoc Networks Nathan Balon and Jinhua Guo University of Michigan - Dearborn I n t r o d u c t i o n General Information on VANETs Background on 802.11 Background
More informationLecture Topics. Announcements. Today: Memory Management (Stallings, chapter ) Next: continued. Self-Study Exercise #6. Project #4 (due 10/11)
Lecture Topics Today: Memory Management (Stallings, chapter 7.1-7.4) Next: continued 1 Announcements Self-Study Exercise #6 Project #4 (due 10/11) Project #5 (due 10/18) 2 Memory Hierarchy 3 Memory Hierarchy
More informationESM Calibration and Testing Using the Giga-tronics 2500B Series Microwave Signal Generators
ESM Calibration and Testing Using the Giga-tronics 2500B Series Microwave Signal Generators Product Note Frequency switching speed as fast as 350 µs per point. The Giga-tronics 2500B Series Microwave Signal
More informationAN EFFICIENT ALGORITHM FOR THE REMOVAL OF IMPULSE NOISE IN IMAGES USING BLACKFIN PROCESSOR
AN EFFICIENT ALGORITHM FOR THE REMOVAL OF IMPULSE NOISE IN IMAGES USING BLACKFIN PROCESSOR S. Preethi 1, Ms. K. Subhashini 2 1 M.E/Embedded System Technologies, 2 Assistant professor Sri Sai Ram Engineering
More informationHigh Performance Imaging Using Large Camera Arrays
High Performance Imaging Using Large Camera Arrays Presentation of the original paper by Bennett Wilburn, Neel Joshi, Vaibhav Vaish, Eino-Ville Talvala, Emilio Antunez, Adam Barth, Andrew Adams, Mark Horowitz,
More informationLive Agent for Administrators
Live Agent for Administrators Salesforce, Spring 17 @salesforcedocs Last updated: April 3, 2017 Copyright 2000 2017 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
More informationNI 951x C Series Modules Object Dictionary
NI 951x C Series Modules Object Dictionary Contents This document contains the NI 951x C Series drive interface modules vendor extensions to the object dictionary. Input/Output & Feedback Objects... 3
More informationAnalogue Interfacing. What is a signal? Continuous vs. Discrete Time. Continuous time signals
Analogue Interfacing What is a signal? Signal: Function of one or more independent variable(s) such as space or time Examples include images and speech Continuous vs. Discrete Time Continuous time signals
More informationCAMAC products. CAEN Short Form Catalog Function Model Description Page
products Function Model Description Page Controller C111C Ethernet Crate Controller 44 Discriminator C808 16 Channel Constant Fraction Discriminator 44 Discriminator C894 16 Channel Leading Edge Discriminator
More informationWireless Sensor Network based Shooter Localization
Wireless Sensor Network based Shooter Localization Miklos Maroti, Akos Ledeczi, Gyula Simon, Gyorgy Balogh, Branislav Kusy, Andras Nadas, Gabor Pap, Janos Sallai ISIS - Vanderbilt University Overview CONOPS
More informationPulse Shape Analysis for a New Pixel Readout Chip
Abstract Pulse Shape Analysis for a New Pixel Readout Chip James Kingston University of California, Berkeley Supervisors: Daniel Pitzl and Paul Schuetze September 7, 2017 1 Table of Contents 1 Introduction...
More informationFIFO WITH OFFSETS HIGH SCHEDULABILITY WITH LOW OVERHEADS. RTAS 18 April 13, Björn Brandenburg
FIFO WITH OFFSETS HIGH SCHEDULABILITY WITH LOW OVERHEADS RTAS 18 April 13, 2018 Mitra Nasri Rob Davis Björn Brandenburg FIFO SCHEDULING First-In-First-Out (FIFO) scheduling extremely simple very low overheads
More informationIntroduction to Game Design. Truong Tuan Anh CSE-HCMUT
Introduction to Game Design Truong Tuan Anh CSE-HCMUT Games Games are actually complex applications: interactive real-time simulations of complicated worlds multiple agents and interactions game entities
More informationPACSystems* RX3i IC695MDL765
March 2011 PACSystems* RX3i IC695MDL765 Digital Output Module with Diagnostics 16-Channel The 24/125 volt DC 2A Smart Digital Output module, IC695MDL765, provides 16 discrete outputs in two isolated groups
More informationHello, and welcome to this presentation of the FlexTimer or FTM module for Kinetis K series MCUs. In this session, you ll learn about the FTM, its
Hello, and welcome to this presentation of the FlexTimer or FTM module for Kinetis K series MCUs. In this session, you ll learn about the FTM, its main features and the application benefits of leveraging
More informationVR-Plugin. for Autodesk Maya.
VR-Plugin for Autodesk Maya 1 1 1. Licensing process Licensing... 3 2 2. Quick start Quick start... 4 3 3. Rendering Rendering... 10 4 4. Optimize performance Optimize performance... 11 5 5. Troubleshooting
More informationIntroduction to Real-Time Systems
Introduction to Real-Time Systems Real-Time Systems, Lecture 1 Martina Maggio and Karl-Erik Årzén 16 January 2018 Lund University, Department of Automatic Control Content [Real-Time Control System: Chapter
More informationVersaMax Mixed Discrete / High-Speed Counter Module
Product Description The VersaMax Mixed Discrete High-Speed Counter module, IC200MDD841, has twenty 24VDC positive-logic type inputs and twelve positive-logic 24VDC 0.5Amp outputs. In its default configuration,
More informationTime Synchronization in Acoustic Localization for
Time Synchronization in Acoustic Localization for Mobile Open-Source Network Deployment Scott Almquist Worcester Polytechnic Institute Major Qualifying Project 18 December 2009 Embedded Digital Systems
More informationReverse Auction Addon
Reverse Auction Addon Purpose This addon allows you to setup Reverse Auctions for products on your site. A Reverse Auction is where the price of an item ticks downward until either the auction expires,
More informationProgramming an Othello AI Michael An (man4), Evan Liang (liange)
Programming an Othello AI Michael An (man4), Evan Liang (liange) 1 Introduction Othello is a two player board game played on an 8 8 grid. Players take turns placing stones with their assigned color (black
More informationFinal Report: DBmbench
18-741 Final Report: DBmbench Yan Ke (yke@cs.cmu.edu) Justin Weisz (jweisz@cs.cmu.edu) Dec. 8, 2006 1 Introduction Conventional database benchmarks, such as the TPC-C and TPC-H, are extremely computationally
More informationContents. 2 qutag Manual
qutag Manual V1.0.0 Contents 1. Introduction... 3 2. Safety and Maintenance... 3 2.1. Legend... 3 2.2. General Instructions... 3 2.3. Environmental Conditions... 4 2.4. Electrical Installation... 4 2.5.
More informationINTERFACING WITH INTERRUPTS AND SYNCHRONIZATION TECHNIQUES
Faculty of Engineering INTERFACING WITH INTERRUPTS AND SYNCHRONIZATION TECHNIQUES Lab 1 Prepared by Kevin Premrl & Pavel Shering ID # 20517153 20523043 3a Mechatronics Engineering June 8, 2016 1 Phase
More informationApplication Note Model 765 Pulse Generator for Semiconductor Applications
Application Note Model 765 Pulse Generator for Semiconductor Applications Non-Volatile Memory Cells Characterization The trend of memory research is to develop a new memory called Non-Volatile RAM that
More informationExtending and Using GNU Radio Performance Counters
Extending and Using GNU Radio Performance Counters Using the Linux Perf API Nathan West September 18, 2014 Nathan West Extending and Using GNU Radio Performance Counters September 18, 2014 1 / 19 Abstract
More informationImage Processing Architectures (and their future requirements)
Lecture 16: Image Processing Architectures (and their future requirements) Visual Computing Systems Smart phone processing resources Example SoC: Qualcomm Snapdragon Image credit: Qualcomm Apple A7 (iphone
More informationFrequency Hopping Pattern Recognition Algorithms for Wireless Sensor Networks
Frequency Hopping Pattern Recognition Algorithms for Wireless Sensor Networks Min Song, Trent Allison Department of Electrical and Computer Engineering Old Dominion University Norfolk, VA 23529, USA Abstract
More informationQuickBuilder PID Reference
QuickBuilder PID Reference Doc. No. 951-530031-006 2010 Control Technology Corp. 25 South Street Hopkinton, MA 01748 Phone: 508.435.9595 Fax: 508.435.2373 Thursday, March 18, 2010 2 QuickBuilder PID Reference
More informationLive Agent for Administrators
Live Agent for Administrators Salesforce, Summer 16 @salesforcedocs Last updated: July 28, 2016 Copyright 2000 2016 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
More informationproducts PC Control
products PC Control 04 2017 PC Control 04 2017 products Image processing directly in the PLC TwinCAT Vision Machine vision easily integrated into automation technology Automatic detection, traceability
More informationUTILIZATION OF AN IEEE 1588 TIMING REFERENCE SOURCE IN THE inet RF TRANSCEIVER
UTILIZATION OF AN IEEE 1588 TIMING REFERENCE SOURCE IN THE inet RF TRANSCEIVER Dr. Cheng Lu, Chief Communications System Engineer John Roach, Vice President, Network Products Division Dr. George Sasvari,
More informationHardware - Software Interface
Hardware - Software Interface (HSI) allpixa camera Revision: 1.12 Change History: Date Version Description Author 06.06.2012 R1.0 Initial Version based on former document Musterle 15.02.2014 R1.1 allpixa
More informationTAPR TICC Timestamping Counter Operation Manual. Introduction
TAPR TICC Timestamping Counter Operation Manual Revised: 23 November 2016 2016 Tucson Amateur Packet Radio Corporation Introduction The TAPR TICC is a two-channel timestamping counter ("TSC") implemented
More information