Data Dependent Prefetcher
Some newer processors in the Intel® Core™ Processor Family support a new hardware prefetcher feature that can be classified as a Data-Dependent Prefetcher (DDP). Traditionally, hardware prefetchers have decided what memory addresses to prefetch based on being “trained” by the addresses of previous accesses to memory. DDPs may also examine data values in memory (examined memory data values), to determine the addresses of cache lines to prefetch. Which memory values are examined is based on the addresses of previous accesses to memory.
Prefetches can affect the contents of the cache or other microarchitectural processor structures. Since the addresses of DDP prefetches are based on data values from memory, these side effects could allow a malicious actor to infer some information about examined memory data values. However, such side effects would not allow such actors to infer any information about the contents of the dereferenced memory address [1] which is prefetched by the DDP.
For example, a DDP could trigger due to a load from address 0x1000. Such a prefetcher could decide to prefetch the examined memory at address 0x1040. If the value in memory at 0x1040 is 0x6010 (the examined memory data value) then a DDP could decide to prefetch the memory cache-line holding 0x6000 to 0x603F. A malicious attacker could use cache-based side channels to observe that the cache-line at 0x6000 has been prefetched. However, the contents of the memory at this dereferenced memory address (0x6000) will only be prefetched by the DDP, and not further examined by DDP. As such, malicious actors would be unable to infer any information about the contents of that prefetched memory based on DDP behavior alone, since the DDP behavior does not depend on the data at the dereferenced memory address.
On Intel processors, DDPs exhibit several properties which are designed to restrict their potential use for side channel attacks. These properties include not operating at supervisor or other privileged modes, preventing cross-domain training, and preventing recursive dereferencing (meaning the DDP will not use the contents of dereferenced memory addresses for further prefetches). This documentation provides further information about these properties that are designed to reduce the risk of any potential side channel attacks, as well as documenting how software can disable the DDP feature as an option.
| Triggering program load | 0x1000 | < used by program > |
| Prefetch 2 | 0x6000 | < not examined > |
Data Dependent Prefetcher Properties
Intel processors that support DDP maintain several properties to help reduce the risk that a malicious actor could infer information about examined memory data values. These properties are intended to provide isolation of DDP training between different domains, as well as to provide mechanisms to disable DDP where desired.
DDP is neither trained by nor triggered by supervisor-mode accesses. Similarly, DDP is disabled in modes that always behave as if Speculative Store Bypass Disable (SSBD) is set—specifically system management mode (SMM) and Intel® Software Guard Extensions (Intel® SGX).
Cross-domain and Cross-thread Isolation
The following properties support isolation between different security domains:
- Activity in Virtual Machine Extensions (VMX) guest (non-root) mode does not control DDP in host (root) mode.
- Activity on one logical processor does not control DDP on another logical processor.
- Indirect Branch Predictor Barrier (IBPB) serves as a DDP training barrier. Activity before the barrier on a logical processor does not control DDP after the barrier.
DDP Prefetch Address Limitations
A data-dependent prefetch is a prefetch operation based on memory contents. Memory contents dereferenced by the DDP are limited to those with a memory type that allows speculative reads and that are architecturally readable by the currently executing user-mode context.
DDP will not recursively dereference the memory contents of a data-dependent prefetched location – this means that it will not generate prefetches based on the value at the “dereferenced memory address” which was itself fetched by the DDP.
DDP Disable Controls
DDP is implicitly disabled whenever the IA32_SPEC_CTRL.SSBD MSR bit is set to 1. All processors that support DDP also support Speculative Store Bypass Disable (SSBD).
DDP is also disabled whenever IA32_SPEC_CTRL.DDPD_U (bit 8, as enumerated by CPUID.(EAX=7,ECX=2).EDX) is set to 1. This control will be supported by all processors that support DDP. (Note that there is no equivalent supervisor control, since DDP is always disabled in supervisor mode.)
Because DDP prefetch may affect the timing of a code sequence in a way that depends on values in memory, Intel considers DDP to be an example of non-data-operand-independent timing behavior. Processors that support DDP behavior will also support the Data Operand Independent Timing Mode control [2], and DDP will be prevented whenever the DOITM control is 1.
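The three disable conditions above can be checked from register values, as in the following added example (not Intel's code). The DDP_CTRL and DDPD_U bit positions come from the tables on this page; the SSBD (bit 2) and DOITM (bit 0) positions are not on this page and are taken from Intel's architectural MSR definitions, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define CPUID_7_2_EDX_DDP_CTRL (1u << 3)   /* bit 3, per the page's CPUID table */
#define SPEC_CTRL_SSBD         (1ull << 2) /* IA32_SPEC_CTRL (48H) bit 2; not on the page */
#define SPEC_CTRL_DDPD_U       (1ull << 8) /* IA32_SPEC_CTRL (48H) bit 8, per the page */
#define UARCH_MISC_CTL_DOITM   (1ull << 0) /* IA32_UARCH_MISC_CTL bit 0; not on the page */

enum { DDP_OFF_SSBD = 1, DDP_OFF_DDPD_U = 2, DDP_OFF_DOITM = 4 };

/* EDX of CPUID.(EAX=7,ECX=2), or 0 when the subleaf (or x86 itself) is absent. */
uint32_t cpuid_7_2_edx(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d) && a >= 2 &&
        __get_cpuid_count(7, 2, &a, &b, &c, &d))
        return d;
#endif
    return 0;
}

/* Which of the three user-mode disable conditions hold for these MSR values. */
unsigned ddp_disable_reasons(uint64_t spec_ctrl, uint64_t uarch_misc_ctl) {
    unsigned r = 0;
    if (spec_ctrl & SPEC_CTRL_SSBD) r |= DDP_OFF_SSBD;
    if (spec_ctrl & SPEC_CTRL_DDPD_U) r |= DDP_OFF_DDPD_U;
    if (uarch_misc_ctl & UARCH_MISC_CTL_DOITM) r |= DDP_OFF_DOITM;
    return r;
}

/* New IA32_SPEC_CTRL value with DDPD_U set and all other bits preserved.
 * Refuses when the control is not enumerated, so no unenumerated bit is set. */
bool spec_ctrl_set_ddpd_u(uint32_t edx_7_2, uint64_t cur, uint64_t *out) {
    if (!(edx_7_2 & CPUID_7_2_EDX_DDP_CTRL)) return false;
    *out = cur | SPEC_CTRL_DDPD_U;
    return true;
}

int main(void) {
    uint32_t edx = cpuid_7_2_edx();
    uint64_t next = 0, cur = 0x1; /* constructed sample: only IBRS (bit 0) set */
    printf("DDPD_U enumerated: %s\n", (edx & CPUID_7_2_EDX_DDP_CTRL) ? "yes" : "no");
    if (spec_ctrl_set_ddpd_u(edx, cur, &next))
        printf("write IA32_SPEC_CTRL = 0x%llx\n", (unsigned long long)next);
    return 0;
}
```

The MSR values are passed in rather than read, because reading or writing IA32_SPEC_CTRL requires ring 0 (or an OS-provided MSR interface).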
The combination of processor domain isolation, along with software invocation of IBPB as discussed in the IBPB guidance, prevents cross-domain DDP training. However, as with Speculative Store Bypass, language-based security environments (for example, a managed runtime) present the most likely environment where a potential malicious actor may seek to influence the generation of code. When such environments are already offering and/or employing mitigations for Speculative Store Bypass (Spectre variant 4), such as process isolation or the SSBD control, they may require no further changes for DDP.
| Initial EAX Value | Information Provided About the Processor | Notes |
| 07H | EDX | Leaf 07H main leaf (ECX = 2). If ECX contains an invalid subleaf index, EAX/EBX/ECX/EDX return 0. |
| | | Bit 3: DDP_CTRL |
| Register Address Hex | Register Address DEC | Architectural MSR Name / | MSR / Bit Description | Comment |
| 48H | 72 | IA32_SPEC_CTRL | Speculation Control (R/W) | If any one of the enumeration conditions for the defined bit field positions holds. |
| 48H | 72 | 8 | DDPD_U: If IA32_SPEC_CTRL.DDPD_U (bit 8) is set to 1, the Data Dependent Prefetcher, which examines data values in memory (in any case limited to user-mode), is disabled. | Enumerated by CPUID.(EAX=7,ECX=2).EDX |
1. A dereferenced memory address is the address of memory prefetched as a result of examining the value in memory. The address may exactly be a pointer value in memory but could also be something else (for example, an address resulting from adding an index in memory to some base value).
2. The Data Operand Independent Timing Mode control is IA32_UARCH_MISC_CTL[DOITM].