Data Dependent Prefetcher

ID 标签 759189
已更新 11/10/2022
版本 Latest
公共

author-image

作者

Some newer processors in the Intel® Core™ Processor Family support a new hardware prefetcher feature that can be classified as a Data-Dependent Prefetcher (DDP). Traditionally, hardware prefetchers have decided what memory addresses to prefetch based on being “trained” by the addresses of previous accesses to memory. DDPs may also examine data values in memory (examined memory data values), to determine the addresses of cache lines to prefetch. Which memory values are examined is based on the addresses of previous accesses to memory.

Prefetches can affect the contents of the cache or other microarchitectural processor structures. Since the addresses of DDP prefetches are based on data values from memory, these side effects could allow a malicious actor to infer some information about examined memory data values. However, such side effects would not allow such actors to infer any information about the contents of the dereferenced memory address1 which is prefetched by the DDP.

For example, a DDP could trigger due to a load from address 0x1000. Such a prefetcher could decide to prefetch the examined memory at address 0x1040. If the value in memory at 0x1040 is 0x6010 (the examined memory data value) then a DDP could decide to prefetch the memory cache-line holding 0x6000 to 0x603F. A malicious attacker could use cache-based side channels to observe that the cache-line at 0x6000 has been prefetched. However, the contents of the memory at this dereferenced memory address (0x6000) will only be prefetched by the DDP, and not further examined by DDP. As such, malicious actors would be unable to infer any information about the contents of that prefetched memory based on DDP behavior alone, since the DDP behavior does not depend on the data at the dereferenced memory address.

On Intel processors, DDPs exhibit several properties which are designed to restrict their potential use for side channel attacks. These properties include not operating at supervisor or other privileged modes, preventing cross-domain training, and preventing recursive dereferencing (meaning the DDP will not use the contents of dereferenced memory addresses for further prefetches). This documentation provides further information about these properties that are designed to reduce the risk of any potential side channel attacks, as well as documenting how software can disable the DDP feature as an option.

Table 1: Data Dependent Prefetcher Examples
Example Address Contents
Triggering program load 0x1000 < used by program >
Prefetch 1 0x1040 0x6010
Prefetch 2 0x6000 < not examined >

 

Data Dependent Prefetcher Properties

Intel processors that support DDP maintain several properties to help reduce the risk that a malicious actor could infer information about examined memory data values. These properties are intended to provide isolation of DDP training between different domains, as well as to provide mechanisms to disable DDP where desired. 

Privileged Modes

DDP is neither trained by nor triggered by supervisor-mode accesses. Similarly, DDP is disabled in modes that always behave as if Speculative Store Bypass Disable (SSBD) is set—specifically system management mode (SMM) and Intel® Software Guard Extensions (Intel® SGX). 

Cross-domain and Cross-thread Isolation

The following properties support isolation between different security domains: 

  • Activity in Virtual Machine Extensions (VMX) guest (non-root) mode does not control DDP in host (root) mode. 
  • Activity on one logical processor does not control DDP on another logical processor. 
  • Indirect Branch Predictor Barrier (IBPB) serves as a DDP training barrier. Activity before the barrier on a logical processor does not control DDP after the barrier.   

DDP Prefetch Address Limitations

A data-dependent prefetch is a prefetch operation based on memory contents. Memory contents dereferenced by the DDP are limited to those with a memory type that allows speculative reads and that are architecturally readable by the currently executing user-mode context.

DDP will not recursively dereference the memory contents of a data-dependent prefetched location – this means that it will not generate prefetches based on the value at the “dereferenced memory address” which was itself fetched by the DDP.

DDP Disable Controls

DDP is implicitly disabled whenever IA32_SPEC_CTRL.SSBD MSR bit is set to 1. All processors that support DDP also support Speculative Store Bypass Disable (SSBD).

DDP is also disabled whenever IA32_SPEC_CTRL.DDPD_U (bit 8, as enumerated by CPUID.(EAX=7,ECX=2).EDX[3]) is set to 1. This control will be supported by all processors that support DDP. (Note that there is no equivalent supervisor control, since DDP is always disabled in supervisor mode.)

Because DDP prefetch may affect the timing of a code sequence in a way that depends on values in memory, Intel considers DDP to be an example of non-data-operand-independent timing behavior. Processors that support DDP behavior will also support the Data Operand Independent Timing Mode control2 and DDP will be prevented whenever the DOITM control is 1. 

Software Guidance

The combination of processor domain isolation, along with software invocation of IBPB as discussed in the IBPB guidance, prevents cross-domain DDP training. However, as with Speculative Store Bypass, language-based security environments (for example, a managed runtime) present the most likely environment where a potential malicious actor may seek to influence the generation of code. When such environments are already offering and/or employing mitigations for Speculative Store Bypass (Spectre variant 4), such as process isolation or the SSBD control, they may require no further changes for DDP. 

Enumeration

Table 2: Structured Extended Feature Flags Enumeration Leaf (Output depends on ECX input value)
Initial EAX Value Information Provided About the Processor Notes
07H EDX Leaf 07H main leaf (ECX = 2).
If ECX contains an invalid subleaf index, EAX/EBX/ECX/EDX return 0.
    Bit 3: DDP_CTRL

 

Table 3: IA32_SPEC_CTRL MSR Details
Register Address Hex Register Address DEC Architectural MSR Name /
Bit Fields
MSR / Bit Description Comment
48H 72 IA32_SPEC_CTRL Speculation Control (R/W) If any one of the enumeration conditions for the defined bit field positions holds.
48H 72 8 DDPD_U: If IA32_SPEC_CTRL.DDPD_U (bit 8) is set to 1, Data Dependent Prefetcher which examine data values in memory (in any case limited to user-mode) is disabled. Enumerated by CPUID.(EAX=7,ECX=2).EDX[3]

 

Footnotes

  1. A dereferenced memory address is the address of memory prefetched as a result of examining the value in memory. The address may exactly be a pointer value in memory but could also be something else (for example, an address resulting from adding an index in memory to some base value).
  2. The Data Operand Independent Timing Mode control is IA32_UARCH_MISC_CTL[DOITM].
"