WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-devel

Re: [Xen-devel] HT Vulnerability CAN-2005-0109

To: "Jonathan S. Shapiro" <shap@xxxxxxxxxxx>
Subject: Re: [Xen-devel] HT Vulnerability CAN-2005-0109
From: Mark Williamson <mark.williamson@xxxxxxxxxxxx>
Date: Wed, 18 May 2005 18:14:26 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 18 May 2005 17:19:43 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1116435235.6073.0.camel@xxxxxxxxxxxxxxxxx>
Organization: University of Cambridge
References: <200505181527.j4IFR2Dd028682@xxxxxxxxxxxxxxx> <200505181744.19853.mark.williamson@xxxxxxxxxxxx> <1116435235.6073.0.camel@xxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.8
> > But the bandwidth for L2 cache channel using this technique will also be
> > lower than for the L1....
>
> This isn't immediately obvious. It depends on how effectively the
> transmitter can achieve "line resident in L2 but not in L1".

OK, I should have qualified that statement :-)  It's a fair cop...

The L2 bandwidth for this channel is lower on current Intel CPUs because you 
have the added complication of TLB misses whilst trying to exploit the covert 
channel.  This is a significant issue because the TLB on the P4 apparently 
can only map half of the address space the cache can hold...

On current P4s the associativity of the L2 is 8 way, rather than 4 way, which 
also reduces the efficiency of the miss-generating technique.

My original statement implicitly assumes that these factors will continue to 
be present as the chips evolve.  If Intel change the TLB size relative to the 
L2 cache, or the associativity of the L1 / L2 caches, then this situation 
could still change.

It's not entirely clear to me how much code for exploiting this channel was 
produced by Colin Percival vs. how much of his data is based on calculated 
estimates.  Does anyone know of a proof-of-concept exploit?

Cheers,
Mark
