![Page 1: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/1.jpg)
Analyzing Performance Vulnerabilitydue to Resource Denial-Of-Service
Attackon Chip Multiprocessors
Dong Hyuk Woo Georgia TechHsien-Hsin “Sean” Lee Georgia Tech
![Page 2: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/2.jpg)
2
Cores are hungry..
“Yeah, I’m still hungry..”
![Page 3: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/3.jpg)
3
Cores are hungry..
• More bus bandwidth?– Power..– Manufacturing cost..– Routing complexity..– Signal integrity..– Pin counts..
• More cache space?– Access latency..– Fixed power budget..– Fixed area budget..
![Page 4: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/4.jpg)
4
Competition is intensive..
“Mommy, I’m also hungry!”
![Page 5: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/5.jpg)
5
What if one core is malicious?
“Stay away from my food..”
![Page 6: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/6.jpg)
6
Type 1: Attack BSB Bandwidth!
• Generate L1 D$ misses as frequently as possible!– Constantly load data with a stride size of 64B
(line size)– Memory footprint: 2 x (L1 D$ size)
Normal Core
L1 I$ L1 D$
Malicious Core
L1 I$ L1 D$
Shared L2$
![Page 7: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/7.jpg)
7
Type 2: Attack the L2 Cache!
• Generate L1 D$ misses as frequently as possible!
• And occupy entire L2$ space!– Constantly load data with a stride size of 64B
(line size)– Memory footprint: (L2$ size)
• Note that this attack also saturates BSB bandwidth!
![Page 8: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/8.jpg)
8
Type 3: Attack FSB Bandwidth!
• Generate L2$ misses as frequently as possible!
• And occupy entire L2$ space!– Constantly load data with a stride size of 64B
(line size)– Memory footprint: 2 x (L2$ size)
• Note that this attack is also expected to– saturate BSB bandwidth!– occupy large space of the L2 cache!
![Page 9: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/9.jpg)
9
Type 4: LRU/Inclusion Property Attack• Variant of the attack against the L2 cache• LRU
– A common replacement algorithm• Inclusion property
– Preferred for efficient coherent protocol implementation
• Normal core accesses shared resources more frequently.
set
way
![Page 10: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/10.jpg)
10
To be more aggressive..
• Class II– Attacks using Locked Atomic Operation
• Bus locking operations– To implement Read-Modify-Write instruction
• Class III– Distributed Denial-of-Service Attack
• What would happen if the number of malicious threads increases?
![Page 11: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/11.jpg)
11
Simulation
• SESC simulator• SPEC2006 benchmarkNumber of Cores 4Issue width 3
L1 I$ 2-way set associative 32KB cache with 64B line (1 cycle hit latency)
L1 D$2-way set associative 32KB cache with 64B line (1 cycle hit latency)8-entry MSHR
BSB data bus B/W 64 GBps (2GHz * 256 bits)
L2$8-way set associative 2MB cache with 64B line (14 cycle hit latency)Shared MSHR
FSB bandwidth 16 GBpsDRAM latency 100 ns
![Page 12: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/12.jpg)
12
Vulnerability due to DoS Attack
Normal Normal
vs.
![Page 13: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/13.jpg)
13
Vulnerability due to DoS Attack
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Norm
aliz
ed IP
C
astar lbm mcf soplex harmonic mean
Load/BSB Load/L2 Load/Incl. Load/FSB Atomic/BSB Atomic/L2 Atomic/Incl.
High L1 miss rateHigh L2 miss rate
![Page 14: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/14.jpg)
14
Vulnerability due to DDoS Attack
Normal Normal
vs.
Normal Normal
![Page 15: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/15.jpg)
15
Vulnerability due to DDoS Attack
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Norm
aliz
ed IP
C
Load/BSB Load/L2 Load/Incl. Load/FSB Atomic/BSB Atomic/L2 Atomic/Incl.
1 malicious thread 2 malicious threads 3 malicious threads
![Page 16: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/16.jpg)
16
Suggested Solutions
• OS level solution– Policy based eviction– Isolating voracious applications by process
scheduling
• Adaptive hardware solution– Dynamic Miss Status Handler Register (DMSHR)– Dedicated management core in many-core era
![Page 17: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/17.jpg)
17
DMSHR
Entry 0Entry 1Entry 2Entry 3Entry 4Entry 5Entry 6Entry 7
MSHR full
Compare
Counter
MSHR full
Decision from monitoring
functionality
![Page 18: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/18.jpg)
18
Conclusion and Future Work
• Shared resources in CMPs are vulnerable to (Distributed) Denial-of-Service Attacks.– Performance degradation up to 91%
• DoS vulnerability in future many-core architecture will be more interesting.– Embedded ring architecture
• Distributed arbitration– Network-on-Chip
• A large number of buffers are used in cores and routers.
![Page 19: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/19.jpg)
19
Q&A
Grad students are also hungry..
Please feed them well..Otherwise, you might face Denial-of-??? soon..
![Page 20: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/20.jpg)
Thank you.
http://arch.ece.gatech.edu
![Page 21: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/21.jpg)
21
Difference from fairness work
• They are only interested in the capacity issue
• They might be even more vulnerable..– Partitioning based on
• IPC• Miss rates
– They may result in a guarantee of a large space to the malicious thread.
![Page 22: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/22.jpg)
22
Difference between CMPs and SMPs
• Degree of sharing– More frequent access to shared resources in CMPs
• Sensitivity of shared resources– DRAM (shared resource of SMPs) >> L2$ (that of
CMPs)
• Different eviction policies– OS managed eviction vs. hardware managed
eviction
![Page 23: Dong Hyuk Woo Georgia Tech Hsien-Hsin “Sean” LeeGeorgia Tech](https://reader035.vdocument.in/reader035/viewer/2022062521/568149e9550346895db71404/html5/thumbnails/23.jpg)
23
Difference between CMPs and SMTs
• An SMT is more tightly-coupled shared architecture.– More vulnerable to the attack
• Grunwald and Ghiasi, MICRO-35– Malicious execution unit occupation– Flushing the pipeline– Flushing the trace cache
– Lower-level shared resources are ignored.