
Can an instruction with a lock prefix starve the rest of the CPUs (virtual machines) of memory bandwidth in a virtualized environment?

For example, consider the following piece of code:

```nasm
loop:
    lock inc dword [rax]   ; rax holds the address of a UC (uncacheable) memory location
    jmp loop               ; repeat the locked RMW forever
```

Now assume that rax contains the address of an uncacheable memory location (using PAT or MTRR to set the memory type to UC).

This will force the CPU to lock the memory bus and slow down the memory accesses of the rest of the CPUs, which makes it a potential tool for denial of service.

Do modern processors have mechanisms to partition memory bandwidth among virtual machines to prevent attacks like this?

  • Normal processes can't map uncacheable memory at all under most OSes. Oh, but that's why you said guest VMs. But if `rax` points to the last byte of a cache-line, this could still be quite expensive (because a simple cache-lock wouldn't work). Anyway, neat idea; this could be more expensive than simply looping `memset` over a big array with vector stores, especially on a many-core Xeon where single-threaded memory bandwidth is only a fraction of aggregate memory bandwidth. – Peter Cordes May 30 '18 at 20:48
  • I agree that a typical user space process does not have the privilege to alter the caching behavior of its pages. However, here I am referring to a slightly sophisticated user with malicious intentions who can run the above piece of code from kernel space. – joz May 30 '18 at 20:55
  • @PeterCordes Not sure about the definition, but isn't 'uncacheable' (as in, cannot be cached) something other than 'uncached' (as in, has not been accessed recently)? – LWimsey May 30 '18 at 21:50
  • @LWimsey: Yes, "uncached" would normally describe a cache line that happens to be cold. The OP here is talking about x86's UC memory type, set with PAT or MTRR, and it should be described as "uncacheable". Good point, edited the question to fix that ambiguity / error. – Peter Cordes May 30 '18 at 23:28
  • The answer is definitely Yes. This is a well-known attack. In fact, it is possible in certain situations to perform a very serious DoS attack completely from user-mode without using the UC memory type. By the way, locked instructions can also be used to perform side-channel attacks. Regarding your last question, currently no. Memory bandwidth partitioning is a planned feature and it's not clear whether it might help to mitigate such attacks. – Hadi Brais May 31 '18 at 02:06
  • BTW, Broadwell Xeons have [Cache Allocation Technology](https://software.intel.com/en-us/articles/introduction-to-cache-allocation-technology) which lets you dedicate some L3 cache to a VM, protecting it from eviction by other VMs. And other neat cache management stuff. But that's only for cache, not memory, and is separate from this. – Peter Cordes May 31 '18 at 06:49
  • @HadiBrais, I'm very curious, would you mind elaborating? Thank you very much! – Margaret Bloom May 31 '18 at 17:32
  • @MargaretBloom Sure. I'll have to dedicate some time to write the answer. I'll do that whenever I get the chance. Although a complete answer could simply be "yes" to the first part of the question and "no" to the second part of the question, but it might not be a very satisfying answer :P – Hadi Brais May 31 '18 at 18:56
  • @HadiBrais, Memory Bandwidth Allocation (MBA) can partition BW (although unrelated to bus locks and the first half of the question). It's part of the RDT (resource director technologies) - https://xenbits.xen.org/docs/unstable/features/intel_psr_mba.html – Leeor Jun 14 '18 at 01:29
  • @Leeor I thought MBA is not supported yet in any existing uarch. It seems that it is supported in Skylake server processors, which were released a year ago. Do you know whether it is supported in Kaby Lake server processors? The webpage you linked says "MBA is supported on Skylake Server and beyond". So I guess it is. Thanks. – Hadi Brais Jun 14 '18 at 01:52
  • Do you mean Cascade Lake or some high end client based server? Either way, I suppose as long as it's sold under the Xeon brand it should be there :) – Leeor Jun 14 '18 at 08:02
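The question's last paragraph asks what a host can do about locked accesses that take the bus lock, and the comments cover only bandwidth and cache partitioning (MBA, CAT). As an added example, not from the question or any commenter, the script below goes one step further and checks the defender-side knobs a Linux host administrator controls: the `split_lock_detect` and `bus_lock_detect` CPU flags, the `split_lock_detect=` boot parameter, and kernel log lines reporting trapped locked accesses. Flag names and parameter follow the upstream kernel; the log message wording and the sample inputs are constructed for the offline run.

```shell
#!/bin/sh
# Added example: report whether the host can trap bus locks / split locks
# and whether any have been logged. Sample inputs are constructed.

# has_cpu_flag FLAGS NAME -> prints yes/no (FLAGS is the space-separated flag list)
has_cpu_flag() {
    case " $1 " in
        *" $2 "*) echo yes ;;
        *) echo no ;;
    esac
}

# detect_mode CMDLINE -> value of split_lock_detect= (off|warn|fatal|ratelimit:N)
# or "default" when the parameter is absent and the kernel picks its own policy
detect_mode() {
    for tok in $1; do
        case "$tok" in
            split_lock_detect=*) echo "${tok#split_lock_detect=}"; return 0 ;;
        esac
    done
    echo default
}

# count_lock_traps LOGTEXT -> number of log lines reporting a bus or split lock trap
count_lock_traps() {
    printf '%s\n' "$1" | grep -c -i -e 'split.lock trap' -e 'bus.lock trap' || true
}

# Constructed sample data (not captured from a real machine)
SAMPLE_FLAGS='fpu vme de pse tsc msr pae mce cx8 sse2 split_lock_detect bus_lock_detect'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro split_lock_detect=warn'
SAMPLE_LOG='[    0.12] x86/split lock detection: #AC: warning on user-space split_locks
[  318.40] x86/split lock detection: #DB: warning on user-space bus_locks
[ 4101.77] #AC: stress/2194 took a split_lock trap at address: 0x401a2c
[ 4102.03] #DB: stress/2194 took a bus_lock trap at address: 0x401a2c'

# Live mode: run the same checks against this host (needs Linux; dmesg may need root)
if [ "${1:-}" = "--live" ]; then
    flags=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n1 | cut -d: -f2)
    echo "split_lock_detect flag: $(has_cpu_flag "$flags" split_lock_detect)"
    echo "bus_lock_detect flag:   $(has_cpu_flag "$flags" bus_lock_detect)"
    echo "boot parameter:         $(detect_mode "$(cat /proc/cmdline 2>/dev/null || true)")"
    echo "trap lines in log:      $(count_lock_traps "$(dmesg 2>/dev/null || true)")"
fi
```

Run it with `--live` on the host (or inside a guest, where the flags show what the hypervisor exposes); with no arguments it only defines the functions and sample data.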
