[PATCH] Statclock aliasing by LAPIC

Bruce Evans brde at optusnet.com.au
Tue Dec 1 16:32:00 UTC 2009 

On Wed, 2 Dec 2009, Bruce Evans wrote:

> ...  However, the
> defaults with the lapic timer give an even larger beat frequency than
> before, so I don't see how using the lapic timer can increase the
> problem much.  (The beat frequency of (1000, 128) is 16000.  The beat
> frequency of (1000, 133) is 133000.  The latter means that, with
> defaults, statclock and hardclock() ticks are only perfectly synced
> once in every 133 seconds.  Misconfiguring hz to a multiple of 128 can
> give perfect synchronization, which may be a more of a problem, or a
> fix -- see below).

PS (the see below part): with perfect sync, statclock() ticks can be
kept perfectly out of phase, and this might work well.  E.g.:

(1) hz = 1000, stathz = 125, lapic_timer_hz = 2000: hz ticks on lapic
     ticks # 0, 2, 4, ...; stathz ticks on lapic ticks # 7, 15, 23, ...
     Malicious programs can still easily hide from statclock().

(2) hz = 100, stathz = 100, lapic_timer hz = 200: hz ticks on lapic
     ticks # 0, 2, 4, ...; stathz ticks on lapic ticks # 1, 3, 5, ...
     Malicious programs can easily predict statclock(), but can't
     easily use more than half of the CPU: e.g.,
     - run from hz tick N+epsilon to N+0.5-epsilon (seems to need frequent
       clock_gettime() calls to determine when to give up control;
       timeouts are no use since none can occur until tick N+1-epsilon)
     - usleep(1) and/or give up control to another process.  If the
       former only, then there can be no timeout until hz tick N+1-epsilon,
       and we can hog at most half the CPU.  If the latter, then we
       will need to find a different one quite often, else the victim
       processes will accumulate ticks instead of use and they will be
       de-scheduled instead of us.  fork() by us must not be cost-free,
       else we can generate cooperating victim processes too easily for
       this and other types of hogging.

With a randomized statclock(), the randomness would have to be quite
large and not just a small glitch on the increment like I said before,
else maliciousness like in (2) would work to the extent that the
non-glitch part is large.

Bruce

More information about the freebsd-arch mailing list