intel:spectre&Meltdown侧信道攻击(五)—— DRAM address mapping
前面介绍了row hammer,理论上很完美,实际操作的时候会面临很尴尬的问题:内存存储数据最小的单位是cell(就是个电容,充电是1,放电是0),无数个横着的cell组成row,无数个竖着的cell组成colume;数个row和colume组成bank,多个bank组成chip,然后是rank,接着是dimm、channel,总的逻辑包含顺序是:channel->dimm->rank->chip->bak->row/colume->cell;怎么把物理地址映射到具体的cell了?换句话说:比如知道了某个能提权数据位的虚拟地址,linux和windwos都能调用系统API查找到相应的物理地址,又怎么根据物理地址映射到bank/row/colume了? 否则怎么精准hammer?Intel 并未公开映射算法,怎么通过一些逆向的方式、方法猜测出物理地址到dram 的address mapping了?
1、百度的同学公开一种算法,https://cloud.tencent.com/developer/article/1620354 这里有算法的说明,但本人并未找到该工具(自称DRAMDig)的源代码,也未找到该工具下载的地址,未能验证证其效果;为方便理解,整理了一个导图,如下:
通过DRAMDig测试的结果如下,由此可见:不同cpu型号、不同内存大小,对应不同的row、colume、bank function,情况较为复杂;
2、国外有团队做了row hammer测试,根据测试结果猜测出了物理地址映射到DRAM的方法,具体参考:http://lackingrhoticity.blogspot.com/2015/05/how-physical-addresses-map-to-rows-and-banks.html
对应的测试代码:https://github.com/google/rowhammer-test/tree/master/extended_test 下面详细说明代码的思路和倒推映射算法的思路;
(1)整个流程大致如下: 先分配1GB内存,每个bit全部初始化为1;再盲选40个地址反复hammer,选出成功flip的地址后两两组合继续hammer,再取消两两组合后继续hammer;
(2)新问题来了:作者一开始盲选地址hammer,成功flip后为啥要narrow to pair down后再hammer了?——为了更准确地确认物理地址和反转flip的关系,看看到底是哪个地址导致了哪些cell flip,借此更精确的地逆向address mapping;下面会打印hammer的地址和被flip的地址,然后根据这些信息逆向address mapping;
if (check(&bit_flip_info)) {
found = true;
printf("RESULT PAIR,0x%" PRIx64 ",0x%" PRIx64 ",0x%" PRIx64 ",%i,%i\n",
get_physical_addr((uintptr_t) addr1),
get_physical_addr((uintptr_t) addr2),
get_physical_addr((uintptr_t) bit_flip_info.victim_virtual_addr),
bit_flip_info.bit_number,
bit_flip_info.flips_to);
}
作者耗费6小时,反转了22个地址,分别如下:
RESULT PAIR,0x6ccc1000,0x6cd59000,0x6cd1f680,,
RESULT PAIR,0x708f1000,0x70969000,0x7092ef08,,
RESULT PAIR,0x1a1d57000,0x1a1ddc000,0x1a1d9b718,,
RESULT PAIR,0x1a14de000,0x72367000,0x72321c20,,
RESULT PAIR,0x194d63000,0x194cf8000,0x194d27b30,,
RESULT PAIR,0x7b664000,0x7b6ed000,0x7b622d30,,
RESULT PAIR,0x72366000,0x61503000,0x72321c20,,
RESULT PAIR,0x72366000,0x5e9cf000,0x72321c20,,
RESULT PAIR,0x193606000,0x193825000,0x193643c10,,
RESULT PAIR,0x171417000,0x171236000,0x171272980,,
RESULT PAIR,0x17a644000,0x17a865000,0x17a822f00,,
RESULT PAIR,0x80af9000,0x17ebaf000,0x80a34310,,
RESULT PAIR,0x1961ec000,0x196165000,0x1961abd10,,
RESULT PAIR,0x7248f000,0x72515000,0x724c8d88,,
RESULT PAIR,0x1716b7000,0x7eb69000,0x1716f1ea0,,
RESULT PAIR,0x16f3d6000,0x16f1f6000,0x16f3930b0,,
RESULT PAIR,0x72901000,0x177232000,0x1772775a0,,
RESULT PAIR,0x772fc000,0x77277000,0x77231830,,
RESULT PAIR,0x7bcf3000,0x7bd69000,0x7bd2ef10,,
RESULT PAIR,0x7e275000,0x7e456000,0x7e412a30,,
RESULT PAIR,0x1730d7000,0x17305d000,0x1730910a8,,
RESULT PAIR,0x80afb000,0x78671000,0x80a34310,,
怎么根据这些flip的位反推物理地址和row、colume、bank了?作者cpu是sandy brige,ubuntu系统,4GB内存,先用decode-dimms初步查看了内存信息,如下:
Size MB
Banks x Rows x Columns x Bits x x x
Ranks
这里有2个rank,8个bank;每个bank包含了2^15 = 32768 rows;每个row的容量 2^10*64=8KB;总容量 = 8 kbytes per row * 32768 rows * 2 ranks * 8 banks = 4GB;通过该命令,初步确认了row、colume和bank的位数;结合上述被filp的地址,连带着各种猜测和不停的尝试,作者把地址做出了以下分解:
result:
diff=-
addr=0x06cd1f680 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x06cd59000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x06ccc1000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-3a0f8
addr=0x07092ef08 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x070969000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x0708f1000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-408e8
addr=0x1a1d9b718 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x1a1ddc000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x1a1d57000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-453e0
addr=0x072321c20 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x072367000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x1a14de000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=2fb30
addr=0x194d27b30 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x194cf8000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x194d63000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
unusual?
result:
diff=-412d0
addr=0x07b622d30 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x07b664000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x07b6ed000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-443e0
addr=0x072321c20 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x072366000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x061503000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-443e0
addr=0x072321c20 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x072366000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x05e9cf000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=3dc10
addr=0x193643c10 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x193606000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x193825000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=3c980
addr=0x171272980 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x171236000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x171417000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-
addr=0x17a822f00 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x17a865000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x17a644000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-c4cf0
addr=0x080a34310 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x080af9000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x17ebaf000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=False
unusual?
result:
diff=-402f0
addr=0x1961abd10 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x1961ec000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x196165000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=39d88
addr=0x0724c8d88 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x07248f000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x072515000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=3aea0
addr=0x1716f1ea0 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x1716b7000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x07eb69000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-42f50
addr=0x16f3930b0 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x16f3d6000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x16f1f6000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=455a0
addr=0x1772775a0 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x177232000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x072901000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-457d0
addr=0x077231830 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x077277000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x0772fc000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-3a0f0
addr=0x07bd2ef10 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x07bd69000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x07bcf3000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-435d0
addr=0x07e412a30 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x07e456000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x07e275000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=340a8
addr=0x1730910a8 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x17305d000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x1730d7000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
unusual?
result:
diff=-c6cf0
addr=0x080a34310 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x080afb000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x078671000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=False
unusual?
仔细观察:(1)aggressor1距离victim更近(22个样本中,20个样本的位数只差1,两个样本差3),大概率是影响victim 的地址 (2)victims和两个aggressor都在同一个bank
进而得出了以下address mapping的结论:
- Bits 0-5: These are the lower 6 bits of the byte index within a row (i.e. the 6-bit index into a 64-byte cache line).
- Bit 6: This is a 1-bit channel number, which selects between the 2 DIMMs.
- Bits 7-13: These are the upper 7 bits of the index within a row (i.e. the upper bits of the column number).
- Bits 14-16: These are XOR'd with the bottom 3 bits of the row number to give the 3-bit bank number.
- Bit 17: This is a 1-bit rank number, which selects between the 2 ranks of a DIMM (which are typically the two sides of the DIMM's circuit board).
- Bits 18-32: These are the 15-bit row number.
- Bits 33+: These may be set because physical memory starts at physical addresses greater than 0.
内存管理器这么映射物理地址,有啥好处了?
- 0~5bit一共有6位,刚好是2^6=64byte 一个cache line的大小,这么做可以让两个channel同时并行访问不同的cache line,提升速度;
- bank 并行:8个bank可以同时并行读写,提升速度
- bank function: bank bit之间的XOR,可以在大范围读取数据时让地址映射到不同的bank,减少thrashing碰撞的概率
(3)最核心的hammer代码如下: 对特定地址读54万次;每次读后cflush清空cache line,强迫cpu每次都去DRAM读取,使得对应地址的row反复充放电,达到hammer的效果;
//inner的每个地址分别读数据,再清除缓存,如此重复54万次;
static void row_hammer_inner(struct InnerSet inner) {
if (TEST_MODE &&
inner.addrs[] == g_inject_addr1 &&
inner.addrs[] == g_inject_addr2) {
printf("Test mode: Injecting bit flip...\n");
g_mem[] ^= ;
} uint32_t sum = ;
for (int i = ; i < toggles; i++) {//重复54万次
for (int a = ; a < ADDR_COUNT; a++)
sum += *inner.addrs[a] + ;//分别从4个内层地址读数据,可以把这4个地址存储的数据放进rowbuffer,原地址的cell读一次会充放电一次,影响其周边的cell;
if (!TEST_MODE) {
for (int a = ; a < ADDR_COUNT; a++)
//上面4个地址的内容从cache line清除,确保下次cpu还是从内存去读,才能保证row hammer的效果
asm volatile("clflush (%0)" : : "r" (inner.addrs[a]) : "memory");
}
} // Sanity check. We don't expect this to fail, because reading
// these rows refreshes them.
if (sum != ) {
printf("error: sum=%x\n", sum);
exit();
}
}
完整代码如下:精华都在注释(英文是原作者,中文是我加的)
// Copyright 2015, Google, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License. // This is required on Mac OS X for getting PRI* macros #defined.
#define __STDC_FORMAT_MACROS #include <assert.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h> #if !defined(TEST_MODE)
# define TEST_MODE
#endif const size_t mem_size = << ;//1GB
const int toggles = ; char *g_mem;
void *g_inject_addr1;
void *g_inject_addr2; uint64_t g_address_sets_tried;
int g_errors_found; /*从g_mem开始随机选个物理地址,偏移是页的整数倍,大小不超过1GB
http://lackingrhoticity.blogspot.com/2015/05/how-physical-addresses-map-to-rows-and-banks.html 原作者自己的硬件环境:
Bits 0-5: These are the lower 6 bits of the byte index within a row (i.e. the 6-bit index into a 64-byte cache line).
Bit 6: This is a 1-bit channel number, which selects between the 2 DIMMs.
Bits 7-13: These are the upper 7 bits of the index within a row (i.e. the upper bits of the column number).
物理地址依次增加0x1000,也就是不同的物理地址低12位是相同的,那么这些物理地址的:1、channel是一样的 2、colume是一样的 3、bank和row可能不同
*/
char *pick_addr() {
//offset是页(1<<12=4096)的整数倍
size_t offset = (rand() << ) % mem_size;
return g_mem + offset;
}
//虚拟地址转成物理地址,http://0x4c43.cn/2018/0508/linux-dynamic-link/ 有详细说明
uint64_t get_physical_addr(uintptr_t virtual_addr) {
int fd = open("/proc/self/pagemap", O_RDONLY);
assert(fd >= ); int kPageSize = 0x1000;
off_t pos = lseek(fd, (virtual_addr / kPageSize) * , SEEK_SET);
assert(pos >= );
uint64_t value;
int got = read(fd, &value, );
assert(got == );
int rc = close(fd);
assert(rc == ); uint64_t frame_num = value & ((1ULL << ) - );
return (frame_num * kPageSize) | (virtual_addr & (kPageSize - ));
} class Timer {
struct timeval start_time_; public:
Timer() {
// Note that we use gettimeofday() (with microsecond resolution)
// rather than clock_gettime() (with nanosecond resolution) so
// that this works on Mac OS X, because OS X doesn't provide
// clock_gettime() and we don't really need nanosecond resolution.
int rc = gettimeofday(&start_time_, NULL);
assert(rc == );
} double get_diff() {
struct timeval end_time;
int rc = gettimeofday(&end_time, NULL);
assert(rc == );
return (end_time.tv_sec - start_time_.tv_sec
+ (double) (end_time.tv_usec - start_time_.tv_usec) / 1e6);
}
}; #define ADDR_COUNT 4
#define ITERATIONS 10 struct InnerSet {
uint32_t *addrs[ADDR_COUNT];//4个32位的地址
};
struct OuterSet {
struct InnerSet inner[ITERATIONS];//10个内层结构,每个内层结构4个32位地址
}; /*g_mem每bit都置1,后续按照一定频率反复读写某些地址的数据。如果发生flip,
会导致其内容不再是1,后续会在check函数检查是否发生了bit flip*/
static void reset_mem() {
memset(g_mem, 0xff, mem_size);
} //从g_mem开始随机选择40个物理地址保存在set;物理地址的偏移是页的整数倍,大小超过1GB;
static void pick_addrs(struct OuterSet *set) {
for (int j = ; j < ITERATIONS; j++) {
for (int a = ; a < ADDR_COUNT; a++) {
set->inner[j].addrs[a] = (uint32_t *) pick_addr();
}
}
} //inner的每个地址分别读数据,再清除缓存,如此重复54万次;
static void row_hammer_inner(struct InnerSet inner) {
if (TEST_MODE &&
inner.addrs[] == g_inject_addr1 &&
inner.addrs[] == g_inject_addr2) {
printf("Test mode: Injecting bit flip...\n");
g_mem[] ^= ;
} uint32_t sum = ;
for (int i = ; i < toggles; i++) {//重复54万次
for (int a = ; a < ADDR_COUNT; a++)
sum += *inner.addrs[a] + ;//分别从4个内层地址读数据,可以把这4个地址存储的数据放进rowbuffer,原地址的cell读一次会充放电一次,影响其周边的cell;
if (!TEST_MODE) {
for (int a = ; a < ADDR_COUNT; a++)
//上面4个地址的内容从cache line清除,确保下次cpu还是从内存去读,才能保证row hammer的效果
asm volatile("clflush (%0)" : : "r" (inner.addrs[a]) : "memory");
}
} // Sanity check. We don't expect this to fail, because reading
// these rows refreshes them.
if (sum != ) {
printf("error: sum=%x\n", sum);
exit();
}
} static void row_hammer(struct OuterSet *set) {
Timer timer;
for (int j = ; j < ITERATIONS; j++) {
//读取inner的地址、清空缓存,重复54万次;
row_hammer_inner(set->inner[j]);
g_address_sets_tried++;
} // Print statistics derived from the time and number of accesses.
double time_taken = timer.get_diff();
printf(" Took %.1f ms per address set\n",//1个set = 1个1inner(一共4个地址),耗时58~59ms,平局每个地址的读取耗时14.5~15ms(每个地址重复了54万次,并且上次读取后清空了缓存);
time_taken / ITERATIONS * 1e3);
printf(" Took %g sec in total for %i address sets\n",
time_taken, ITERATIONS);
int memory_accesses = ITERATIONS * ADDR_COUNT * toggles;
printf(" Took %.3f nanosec per memory access (for %i memory accesses)\n",
time_taken / memory_accesses * 1e9,//每个地址的读取时间在27~29ns之间
memory_accesses);
int refresh_period_ms = ;//内存控制器每64ms刷新一次;每个刷新周期内,每个地址访问53~58万次;
printf(" This gives %i accesses per address per %i ms refresh period\n",
(int) (refresh_period_ms * 1e- * ITERATIONS * toggles / time_taken),
refresh_period_ms);
} struct BitFlipInfo {
uintptr_t victim_virtual_addr;
int bit_number;
uint8_t flips_to; // 1 if this is a 0 -> 1 bit flip, 0 otherwise.
}; static bool check(struct BitFlipInfo *result) {
uint64_t *end = (uint64_t *) (g_mem + mem_size);
uint64_t *ptr;
bool found_error = false;
for (ptr = (uint64_t *) g_mem; ptr < end; ptr++) {
uint64_t got = *ptr;
uint64_t expected = ~(uint64_t) ;//g_mem每个bit初始都置1
if (got != expected) {
printf("error at %p (phys 0x%" PRIx64 "): got 0x%" PRIx64 "\n",
ptr, get_physical_addr((uintptr_t) ptr), got);
found_error = true;
g_errors_found++; if (result) {
result->victim_virtual_addr = (uintptr_t) ptr;//保存flip的地址
result->bit_number = -;//0xff,初始值;
for (int bit = ; bit < ; bit++) {//上面每次比对取64bit,这里继续看看到底是哪个bit被flip了
if (((got >> bit) & ) != ((expected >> bit) && )) {
result->bit_number = bit;//找到了flip的位,最终flip的位=victim_virtual_addr+bit_number;
result->flips_to = (got >> bit) & ;
}
}
assert(result->bit_number != -);
}
}
}
return found_error;
}
/*
用发生flip的地址两两组合形成新inner地址,缩小范围后继续hammer
*/
bool narrow_to_pair(struct InnerSet *inner) {
bool found = false;
for (int idx1 = ; idx1 < ADDR_COUNT; idx1++) {
for (int idx2 = idx1 + ; idx2 < ADDR_COUNT; idx2++) {
//0+1、1+2、2+3组合发生反转的地址
uint32_t *addr1 = inner->addrs[idx1];
uint32_t *addr2 = inner->addrs[idx2];
struct InnerSet new_set;
// This is slightly hacky: We reuse row_hammer_inner(), which
// always expects to hammer ADDR_COUNT addresses. Rather than
// making another version that takes a pair of addresses, we
// just pass our 2 addresses to row_hammer_inner() multiple
// times. 新的inner分别放这两个发生过flip的地址组合
for (int a = ; a < ADDR_COUNT; a++) {
new_set.addrs[a] = a % == ? addr1 : addr2;
}
printf("Trying pair: 0x%" PRIx64 ", 0x%" PRIx64 "\n",
get_physical_addr((uintptr_t) addr1),
get_physical_addr((uintptr_t) addr2));
reset_mem();
row_hammer_inner(new_set);
struct BitFlipInfo bit_flip_info;
if (check(&bit_flip_info)) {
found = true;
printf("RESULT PAIR,0x%" PRIx64 ",0x%" PRIx64 ",0x%" PRIx64 ",%i,%i\n",
get_physical_addr((uintptr_t) addr1),
get_physical_addr((uintptr_t) addr2),
get_physical_addr((uintptr_t) bit_flip_info.victim_virtual_addr),
bit_flip_info.bit_number,
bit_flip_info.flips_to);
}
}
}
return found;
}
//继续hammer,把发生flip的inner地址保存后
bool narrow_down(struct OuterSet *outer) {
bool found = false;
for (int j = ; j < ITERATIONS; j++) {
reset_mem();
row_hammer_inner(outer->inner[j]);
if (check(NULL)) {
printf("hammered addresses:\n");
struct InnerSet *inner = &outer->inner[j];//把发生flip的地址保存在inner结构
for (int a = ; a < ADDR_COUNT; a++) {
printf(" logical=%p, physical=0x%" PRIx64 "\n",
inner->addrs[a],
get_physical_addr((uintptr_t) inner->addrs[a]));
}
found = true; printf("Narrowing down to a specific pair...\n");
int tries = ;
while (!narrow_to_pair(inner)) {
if (++tries >= ) {
printf("Narrowing to pair: Giving up after %i tries\n", tries);
break;
}
}
}
}
return found;
} void main_prog() {
printf("RESULT START_TIME,%" PRId64 "\n", time(NULL)); g_mem = (char *) mmap(NULL, mem_size, PROT_READ | PROT_WRITE,
MAP_ANON | MAP_PRIVATE, -, );
assert(g_mem != MAP_FAILED); printf("Clearing memory...\n");
reset_mem();//分配的1G内存全部值0xFF Timer t;
int iter = ;
for (;;) {
printf("Iteration %i (after %.2fs)\n", iter++, t.get_diff());
struct OuterSet addr_set;
pick_addrs(&addr_set);
if (TEST_MODE && iter == ) {
printf("Test mode: Will inject a bit flip...\n");
g_inject_addr1 = addr_set.inner[].addrs[];
g_inject_addr2 = addr_set.inner[].addrs[];
}
row_hammer(&addr_set); Timer check_timer;
bool found_error = check(NULL);
printf(" Checking for bit flips took %f sec\n", check_timer.get_diff()); if (iter % == || found_error) {
// Report general progress stats:
// - Time since start, in seconds
// - Current Unix time (seconds since epoch)
// - Number of address sets tried
// - Number of bit flips found (not necessarily unique ones)
printf("RESULT STAT,%.2f,%" PRId64 ",%" PRId64 ",%i\n",
t.get_diff(),
(uint64_t) time(NULL),
g_address_sets_tried,
g_errors_found);
} if (found_error) {
printf("\nNarrowing down to set of %i addresses...\n", ADDR_COUNT);
int tries = ;
while (!narrow_down(&addr_set)) {
if (++tries >= ) {
printf("Narrowing to address set: Giving up after %i tries\n", tries);
break;
}
} printf("\nRunning retries...\n");
for (int i = ; i < ; i++) {
printf("Retry %i\n", i);
reset_mem();
row_hammer(&addr_set);
check(NULL);
}
if (TEST_MODE)
exit();
}
}
} int main() {
// Turn off unwanted buffering for when stdout is a pipe.
setvbuf(stdout, NULL, _IONBF, ); // Start with an empty line in case previous output was truncated
// mid-line.
printf("\n"); if (TEST_MODE) {
printf("Running in safe test mode...\n");
} // Fork a subprocess so that we can print the test process's exit
// status, and to prevent reboots or kernel panics if we are running
// as PID 1.
int pid = fork();
if (pid == ) {
main_prog();
_exit();
} int status;
if (waitpid(pid, &status, ) == pid) {
printf("** exited with status %i (0x%x)\n", status, status);
} if (getpid() == ) {
// We're the "init" process. Avoid exiting because that would
// cause a kernel panic, which can cause a reboot or just obscure
// log output and prevent console scrollback from working.
for (;;) {
sleep();
}
}
return ;
}
参考:
1、 http://lackingrhoticity.blogspot.com/2015/05/how-physical-addresses-map-to-rows-and-banks.html How physical addresses map to rows and banks in DRAM
2、 https://cloud.tencent.com/developer/article/1620354 逆向DRAM地址映射
3、 DRAMDig: A Knowledge-assisted Tool to Uncover DRAM Address Mapping
intel:spectre&Meltdown侧信道攻击(五)—— DRAM address mapping的更多相关文章
- intel:spectre&Meltdown侧信道攻击(一)
只要平时对安全领域感兴趣的读者肯定都听过spectre&Meltdown侧信道攻击,今天简单介绍一下这种攻击的原理( https://www.bilibili.com/video/av1814 ...
- intel:spectre&Meltdown侧信道攻击(三)—— raw hammer
今天介绍raw hammer攻击的原理:这次有点“标题党”了.事实上,raw hammer是基于DRAM内存的攻击:所以理论上,只要是用了DRAM内存的设备,不论是什么cpu(intel.amd,或则 ...
- intel:spectre&Meltdown侧信道攻击(二)
上面一篇介绍了spectre&meltdown基本原理和简单的demo方案,今天继续学习一下该漏洞发现团队原始的POC:https://spectreattack.com/spectre.pd ...
- intel:spectre&Meltdown侧信道攻击(四)—— cache mapping
前面简单介绍了row hammer攻击的原理和方法,为了更好理解这种底层硬件类攻击,今天介绍一下cpu的cache mapping: 众所周知,cpu从内存读数据,最开始用的是虚拟地址,需要通过分页机 ...
- 第四十五个知识点:描述一些对抗RSA侧信道攻击的基础防御方法
第四十五个知识点:描述一些对抗RSA侧信道攻击的基础防御方法 原文地址:http://bristolcrypto.blogspot.com/2015/08/52-things-number-45-de ...
- 第四十三个知识点:为AES描述一些基础的(可能无效)的对抗侧信道攻击的防御
第四十三个知识点:为AES描述一些基础的(可能无效)的对抗侧信道攻击的防御 原文地址:http://bristolcrypto.blogspot.com/2015/07/52-things-numbe ...
- 侧信道攻击,从喊666到入门之——Unicorn的环境构建
作者:backahasten 发表于小米安全中心微信公众号 0x00 前言 Unicorn可以模拟多种指令集的代码,在很多安全研究领域有很强大的作用,但是由于需要从头自己布置栈空间,代码段等虚拟执行环 ...
- 嵌入式 -- WINKHUB 边信道攻击 (NAND Glitch)
0x00 前言 随着物联网IOT的飞速发展,各类嵌入式设备, 路由器安全研究也越来越火. 但因为跟以往纯软件安全研究的要求不同, 这类研究往往需要结合相应的硬件知识. 很多朋友困惑如何开始, 甚至卡在 ...
- ORW-测信道攻击
做SCTF时碰到一个没看过的题型,比赛结束之后才知道是orw的一个玩法,测信道攻击.主要特点就是只给使用open,read,但是不给write,即无法把flag输出到终端.这里可以通过把flag读到栈 ...
随机推荐
- 「疫期集训day1」无言
正式集训第一天,感觉没啥特别大的感受,无非是奥赛时间延长了,效率提高了,身外事少了 当然不止这些 感受1:有些曾经被恶的题现在仍然在恶心,例如昨天的farmcraft,今天的整数划分(和着多边形一块调 ...
- 使用Splunk监控SAP Dump
最近在尝试使用Splunk对SAP系统进行监控,以Dump监控为例,总结了一点相关信息,记录在这里. 本文链接:https://www.cnblogs.com/hhelibeb/p/13260385. ...
- Win10 环境变量
在你的环境变量前面加入下面的目录; 有奇效 %USERPROFILE%\AppData\Local\Microsoft\WindowsApps\
- 机器学习实战基础(三十):决策树(三) DecisionTreeRegressor
DecisionTreeRegressor class sklearn.tree.DecisionTreeRegressor (criterion=’mse’, splitter=’best’, ma ...
- CMDB01 /paramiko模块、项目概述、项目架构、项目实现
CMDB01 /paramiko模块.项目概述.项目架构.项目实现 目录 CMDB01 /paramiko模块.项目概述.项目架构.项目实现 1. paramiko 2. 基于xshell连接服务器 ...
- Django框架03 /视图相关
Django框架03 /视图相关 目录 Django框架03 /视图相关 1. 请求相关 2.响应相关 3.FBV和CBV 视图(视图函数和视图类) 3.1 类视图 CBV 3.2 视图函数 FBV ...
- java大数据最全课程学习笔记(1)--Hadoop简介和安装及伪分布式
Hadoop简介和安装及伪分布式 大数据概念 大数据概论 大数据(Big Data): 指无法在一定时间范围内用常规软件工具进行捕捉,管理和处理的数据集合,是需要新处理模式才能具有更强的决策力,洞察发 ...
- bzoj3374[Usaco2004 Mar]Special Serial Numbers 特殊编号*
bzoj3374[Usaco2004 Mar]Special Serial Numbers 特殊编号 题意: 求比一个数大的最小的一半以上的数位相同的数.数位数≤100. 题解: 模拟题.从低位枚举到 ...
- Ant-Design-Vue中关于Form组件的使用
1.创建form表单的两种方式,不同的方式在js中创建表单的方式也不同 方式1:一般使用在搜索表单中,只需要双向绑定数据即可,那就使用这种方法即可 <template> <a-for ...
- Android 性能优化 ---- 内存优化
1.Android内存管理机制 1.1 Java内存分配模型 先上一张JVM将内存划分区域的图 程序计数器:存储当前线程执行目标方法执行到第几行. 栈内存:Java栈中存放的是一个个栈帧,每个栈帧对应 ...