By: Maynard Handley (name99.delete@this.name99.org), August 17, 2020 4:34 pm
Room: Moderated Discussions
Anon3 (anon3.delete@this.anon3.invalid) on August 17, 2020 4:10 pm wrote:
> Maynard Handley (name99.delete@this.name99.org) on August 17, 2020 11:51 am wrote:
> > Beyond that, my guess is that IBM's attitude to "jump to the second instruction of a pair"
>
> You can't determine what an arbitrary destination is. This is why x86 has terrible problems with gadgets
> made out of unintentional instructions produced by jumping in to the middle of intentional ones.
>
> The solution to this problem is control flow integrity instructions such as Intel
> CET or ARM BTI. I've not seen a similar proposal for POWER which surprises me.
>
You are talking about something different.
I am suggesting that IBM is allowed to, eg, mark in the I-cache, or a loop buffer, or a µOp cache or wherever that two paired instructions corresponds to a single unit. And that if you (deliberately, because the compiler isn't going to do this) choose to jump into the middle of this pair, IBM doesn't owe you any sort of rational execution from this point onward.
You are suggesting that jumping into the middle of a paid may be a security hole. Perhaps, who knows, but that's of little interest to me. I fail to see why it's any more of a security hold than an ability to jump anywhere in the instruction stream; it would very much depend on the details of exactly how these pair instructions are implemented.
x86 has this as a security problem because they promise that jumping into such an instruction stream will work. IBM has less of a problem if they don't make that promise. They don't even have to make an effort to catch every such jump; all they have to do is catch some of them and fault when they do detect such a jump (same way as the CPU would fault if you jumped to an odd address).
Question is: what is the ARCHITECTURAL promise regarding pairs? That jumping in the middle of one
- behaves like x86?
- is guaranteed to fault?
- or is undefined behavior (which could be a fault sometimes, other times random execution, behaving eg, as if you'd jumped to either one instruction earlier or one instruction later).
> Maynard Handley (name99.delete@this.name99.org) on August 17, 2020 11:51 am wrote:
> > Beyond that, my guess is that IBM's attitude to "jump to the second instruction of a pair"
>
> You can't determine what an arbitrary destination is. This is why x86 has terrible problems with gadgets
> made out of unintentional instructions produced by jumping in to the middle of intentional ones.
>
> The solution to this problem is control flow integrity instructions such as Intel
> CET or ARM BTI. I've not seen a similar proposal for POWER which surprises me.
>
You are talking about something different.
I am suggesting that IBM is allowed to, eg, mark in the I-cache, or a loop buffer, or a µOp cache or wherever that two paired instructions corresponds to a single unit. And that if you (deliberately, because the compiler isn't going to do this) choose to jump into the middle of this pair, IBM doesn't owe you any sort of rational execution from this point onward.
You are suggesting that jumping into the middle of a paid may be a security hole. Perhaps, who knows, but that's of little interest to me. I fail to see why it's any more of a security hold than an ability to jump anywhere in the instruction stream; it would very much depend on the details of exactly how these pair instructions are implemented.
x86 has this as a security problem because they promise that jumping into such an instruction stream will work. IBM has less of a problem if they don't make that promise. They don't even have to make an effort to catch every such jump; all they have to do is catch some of them and fault when they do detect such a jump (same way as the CPU would fault if you jumped to an odd address).
Question is: what is the ARCHITECTURAL promise regarding pairs? That jumping in the middle of one
- behaves like x86?
- is guaranteed to fault?
- or is undefined behavior (which could be a fault sometimes, other times random execution, behaving eg, as if you'd jumped to either one instruction earlier or one instruction later).
| Topic | Posted By | Date |
|---|---|---|
| IBM introduces POWER10 | Crystal S. Diamond | 2020/08/16 10:20 PM |
| "New ISA Prefix Fusion" | QAnon | 2020/08/16 11:21 PM |
| "New ISA Prefix Fusion" | Anon3 | 2020/08/17 06:59 AM |
| "New ISA Prefix Fusion" | Kevin G | 2020/08/17 10:51 AM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/17 11:51 AM |
| "New ISA Prefix Fusion" | Anon3 | 2020/08/17 04:10 PM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/17 04:34 PM |
| "New ISA Prefix Fusion" | Anon3 | 2020/08/17 05:34 PM |
| "New ISA Prefix Fusion" | Adrian | 2020/08/17 06:39 PM |
| "New ISA Prefix Fusion" | anon2 | 2020/08/17 09:24 PM |
| "New ISA Prefix Fusion" | Doug S | 2020/08/17 09:58 PM |
| "New ISA Prefix Fusion" | hobold | 2020/08/18 01:47 AM |
| "New ISA Prefix Fusion" | Michael S | 2020/08/18 04:48 AM |
| "New ISA Prefix Fusion" | hobold | 2020/08/18 11:58 AM |
| "New ISA Prefix Fusion" | dmcq | 2020/08/18 01:00 PM |
| "New ISA Prefix Fusion" | Michael S | 2020/08/18 01:48 PM |
| "New ISA Prefix Fusion" | hobold | 2020/08/18 02:29 PM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/18 03:46 PM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/18 03:42 PM |
| "New ISA Prefix Fusion" | anon2 | 2020/08/18 07:04 PM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/18 09:17 PM |
| "New ISA Prefix Fusion" | dmcq | 2020/08/19 04:08 AM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/19 10:02 AM |
| "New ISA Prefix Fusion" | dmcq | 2020/08/19 11:08 AM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/19 12:05 PM |
| "New ISA Prefix Fusion" | dmcq | 2020/08/19 02:14 PM |
| "New ISA Prefix Fusion" | Maynard Handley | 2020/08/19 02:44 PM |
| IBM introduces POWER10 | Thu | 2020/08/16 11:56 PM |
| IBM introduces POWER10 | Michael S | 2020/08/17 02:12 AM |
| IBM introduces POWER10 | Thu | 2020/08/17 03:27 AM |
| IBM introduces POWER10 | TransientStudent | 2020/08/17 04:23 AM |
| IBM introduces POWER10 | Rayla | 2020/08/17 04:29 AM |
| IBM introduces POWER10 | Maynard Handley | 2020/08/17 10:44 AM |
| IBM introduces POWER10 | Kevin G | 2020/08/17 10:57 AM |
| IBM introduces POWER10 | Rayla | 2020/08/17 04:26 AM |
| IBM introduces POWER10 | Thu | 2020/08/17 05:00 PM |
| Matrix Math Accelerator | Adrian | 2020/08/17 01:01 AM |
| Matrix Math Accelerator | Michael S | 2020/08/17 02:32 AM |
| Matrix Math Accelerator | Adrian | 2020/08/17 02:46 AM |
| Matrix Math Accelerator | j | 2020/08/18 02:32 AM |
