Initial commit

e48f19dc · Adam Blank · e48f19dc · e48f19dc · e48f19dc · e48f19dc
Commit e48f19dc authored 4 years ago by Adam Blank
Hide whitespace changes
Inline Side-by-side

Showing

with 269 additions and 0 deletions
+269 -0
--- a/.gitignore
+++ b/.gitignore
+bin
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+run:
+    script: "echo -n $GITLAB_USER_LOGIN | sudo tee \"/sys/kernel/kernel_data/user\"; /usr/bin/meltdown_tester.sh"
\ No newline at end of file
--- a/Makefile
+++ b/Makefile
+CC = gcc
+CFLAGS = -O3 -Wall -Wextra -Iinclude
+
+all: bin/cache_timing bin/index_guesser bin/recover_local_secret bin/recover_protected_local_secret bin/exploit
+
+bin/cache_timing: src/cache_timing.c lib/util.c
+	$(CC) $(CFLAGS) $^ -o $@
+
+bin/index_guesser: src/index_guesser.c lib/util.c
+	$(CC) $(CFLAGS) $^ -o $@
+
+bin/recover_local_secret: src/recover_local_secret.c lib/util.c 
+	$(CC) $(CFLAGS) $^ -o $@
+
+bin/recover_protected_local_secret: src/recover_protected_local_secret.c lib/util.c 
+	$(CC) $(CFLAGS) $^ -o $@
+
+
+bin/exploit: src/exploit.c lib/util.c  
+	$(CC) $(CFLAGS) $^ -o $@
+
+
+clean:
+	rm -f bin/cache_timing src/index_guesser bin/recover_local_secret bin/recover_protected_local_secret bin/exploit
--- a/answers.md
+++ b/answers.md
--- a/include/stage2.h
+++ b/include/stage2.h
+void do_access(page_t *pages) {
+    force_read(&pages[24]);
+}
--- a/include/stage3.h
+++ b/include/stage3.h
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+
+
+char *SECRET = "CLOCK";
+
+static inline char access_secret(size_t i) {
+    return SECRET[i];
+}
--- a/include/stage4.h
+++ b/include/stage4.h
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+
+
+char *SECRET = "CACHE";
+
+static inline void cache_secret() {
+    for (size_t i = 0; i < strlen(SECRET); i++) {
+        *(volatile char *)(SECRET + i);
+    }
+}
+
+static inline char access_secret(size_t i) {
+    *(volatile char *)(0xFFFF|(i << 10));
+    return SECRET[i];
+}
--- a/include/util.h
+++ b/include/util.h
+#ifndef _UTIL_H
+#define _UTIL_H
+
+#include <stdint.h>
+
+#define PAGE_SIZE 4096
+
+typedef uint8_t page_t[PAGE_SIZE];
+
+// Forces a memory read of the byte at address p. This will result in the byte
+// being loaded into cache.
+void force_read(const void *p);
+
+// Flushes the cache line containing the provided address
+void flush_cache_line(const void *memory);
+
+// Returns the number of clocks taken to read the provided byte of memory.
+uint64_t time_read(const void *memory);
+
+#endif /* _UTIL_H */
--- a/lib/util.c
+++ b/lib/util.c
+#include <x86intrin.h>
+
+#include "util.h"
+
+void force_read(const void *p) {
+    *(volatile char *) p;
+}
+
+void flush_cache_line(const void *memory) {
+    _mm_clflush(memory);
+    _mm_mfence();
+    for (volatile int i = 0; i < 10000; i++) {}
+}
+
+uint64_t time_read(const void *memory) {
+    uint64_t start = __rdtsc();
+    _mm_lfence();
+    force_read(memory);
+    _mm_mfence();
+    _mm_lfence();
+    uint64_t result = __rdtsc() - start;
+    _mm_mfence();
+    _mm_lfence();
+    return result;
+}
--- a/src/cache_timing.c
+++ b/src/cache_timing.c
+#include <inttypes.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <math.h>
+
+#include "util.h"
+
+const uint64_t REPEATS = 100000;
+
+int main() {
+    uint64_t min_miss = INT64_MAX;
+    uint64_t max_hit = 0.0;
+
+    // TODO: Implement the algorithm as described in the specification here
+
+    printf("min miss = %ld\n", min_miss);
+    printf("max hit  = %ld\n", max_hit);
+}
--- a/src/exploit.c
+++ b/src/exploit.c
+#include <inttypes.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#define __USE_GNU
+#include <signal.h>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "util.h"
+
+// TODO: Copy your code from the previous stage and make the necessary edits to do_access() 
+//       Note that this code WILL NOT WORK on compute-cpu2.  You must push it to gitlab to get it to run
+//       on one of the meltdown machines.
--- a/src/index_guesser.c
+++ b/src/index_guesser.c
+#include <inttypes.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "util.h"
+
+#include "stage2.h"
+
+const uint64_t MIN_CHOICE = 1;
+const uint64_t MAX_CHOICE = 256;
+
+static inline page_t *init_pages() {
+    return calloc(MAX_CHOICE, sizeof(page_t));
+}
+
+static inline void flush_all_pages(page_t *pages) {
+    // TODO: Implement me!
+}
+
+static inline size_t guess_accessed_page(page_t *pages) {
+    // TODO: Implement me! 
+
+    return 0;
+}
+
+int main() {
+    page_t *pages = init_pages();
+
+    flush_all_pages(pages);
+
+    do_access(pages);
+    
+    size_t guess = guess_accessed_page(pages);
+    if (guess) { 
+        printf("%zu\n", guess);
+    }
+}
--- a/src/recover_local_secret.c
+++ b/src/recover_local_secret.c
+#include <inttypes.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "util.h"
+
+#include "stage3.h"
+
+const uint64_t MIN_CHOICE = 'A' - 1;
+const uint64_t MAX_CHOICE = 'Z' + 1;
+const uint64_t SECRET_LENGTH = 5;
+
+static inline page_t *init_pages() {
+    return calloc(MAX_CHOICE, sizeof(page_t));
+}
+
+static inline void flush_all_pages(page_t *pages) {
+    // TODO: Copy me from the previous stage
+}
+
+static inline size_t guess_accessed_page(page_t *pages) {
+    // TODO: Copy me from the previous stage
+    return 0;
+}
+
+static inline void do_access(page_t *probe_array, size_t idx) {
+    // TODO: Implement me using force_read.  I am a very short function.
+}
+
+int main() {
+    page_t *probe_array = init_pages();
+
+    // TODO: Copy me from the previous stage and edit me so I loop over SECRET_LENGTH characters.
+
+    printf("\n");
+}
--- a/src/recover_protected_local_secret.c
+++ b/src/recover_protected_local_secret.c
+#include <inttypes.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#define __USE_GNU
+#include <signal.h>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "util.h"
+
+#include "stage4.h"
+
+extern char label[];
+
+const uint64_t MIN_CHOICE = 'A' - 1;
+const uint64_t MAX_CHOICE = 'Z' + 1;
+const uint64_t SECRET_LENGTH = 5;
+
+static inline page_t *init_pages() {
+    return calloc(MAX_CHOICE, sizeof(page_t));
+}
+
+
+static inline void flush_all_pages(page_t *pages) {
+    // TODO: Copy me from the previous stage
+}
+
+static inline size_t guess_accessed_page(page_t *pages) {
+    // TODO: Copy me from the previous stage
+    return 0;
+}
+
+static inline void do_access(page_t *probe_array, size_t idx) {
+    // TODO: Copy me from the previous stage.  
+    //       Don't forget to call cache_secret() to ensure the secret is in memory.
+}
+
+
+
+// TODO: Implement a SIGSEGV handler
+
+
+int main() {
+    // TODO: Implement install your SIGSEGV handler
+    // TODO: For the remainder of the function, copy from the previous stage and edit the following:
+    //          1. Add asm volatile("label:") to the location you want the SIGSEGV handler to return to.
+    //          2. For each letter, it might take more than one attempt to get a valid guess.  Throw all the logic in an inner loop.
+}