intel:spectre&Meltdown侧信道攻击(五)—— DRAM address mapping
前面介绍了row hammer,理论上很完美,实际操作的时候会面临很尴尬的问题:内存存储数据最小的单位是cell(就是个电容,充电是1,放电是0),无数个横着的cell组成row,无数个竖着的cell组成colume;数个row和colume组成bank,多个bank组成chip,然后是rank,接着是dimm、channel,总的逻辑包含顺序是:channel->dimm->rank->chip->bak->row/colume->cell;怎么把物理地址映射到具体的cell了?换句话说:比如知道了某个能提权数据位的虚拟地址,linux和windwos都能调用系统API查找到相应的物理地址,又怎么根据物理地址映射到bank/row/colume了? 否则怎么精准hammer?Intel 并未公开映射算法,怎么通过一些逆向的方式、方法猜测出物理地址到dram 的address mapping了?
1、百度的同学公开一种算法,https://cloud.tencent.com/developer/article/1620354 这里有算法的说明,但本人并未找到该工具(自称DRAMDig)的源代码,也未找到该工具下载的地址,未能验证证其效果;为方便理解,整理了一个导图,如下:
通过DRAMDig测试的结果如下,由此可见:不同cpu型号、不同内存大小,对应不同的row、colume、bank function,情况较为复杂;
2、国外有团队做了row hammer测试,根据测试结果猜测出了物理地址映射到DRAM的方法,具体参考:http://lackingrhoticity.blogspot.com/2015/05/how-physical-addresses-map-to-rows-and-banks.html
对应的测试代码:https://github.com/google/rowhammer-test/tree/master/extended_test 下面详细说明代码的思路和倒推映射算法的思路;
(1)整个流程大致如下: 先分配1GB内存,每个bit全部初始化为1;再盲选40个地址反复hammer,选出成功flip的地址后两两组合继续hammer,再取消两两组合后继续hammer;
(2)新问题来了:作者一开始盲选地址hammer,成功flip后为啥要narrow to pair down后再hammer了?——为了更准确地确认物理地址和反转flip的关系,看看到底是哪个地址导致了哪些cell flip,借此更精确的地逆向address mapping;下面会打印hammer的地址和被flip的地址,然后根据这些信息逆向address mapping;
if (check(&bit_flip_info)) {
found = true;
printf("RESULT PAIR,0x%" PRIx64 ",0x%" PRIx64 ",0x%" PRIx64 ",%i,%i\n",
get_physical_addr((uintptr_t) addr1),
get_physical_addr((uintptr_t) addr2),
get_physical_addr((uintptr_t) bit_flip_info.victim_virtual_addr),
bit_flip_info.bit_number,
bit_flip_info.flips_to);
}
作者耗费6小时,反转了22个地址,分别如下:
RESULT PAIR,0x6ccc1000,0x6cd59000,0x6cd1f680,,
RESULT PAIR,0x708f1000,0x70969000,0x7092ef08,,
RESULT PAIR,0x1a1d57000,0x1a1ddc000,0x1a1d9b718,,
RESULT PAIR,0x1a14de000,0x72367000,0x72321c20,,
RESULT PAIR,0x194d63000,0x194cf8000,0x194d27b30,,
RESULT PAIR,0x7b664000,0x7b6ed000,0x7b622d30,,
RESULT PAIR,0x72366000,0x61503000,0x72321c20,,
RESULT PAIR,0x72366000,0x5e9cf000,0x72321c20,,
RESULT PAIR,0x193606000,0x193825000,0x193643c10,,
RESULT PAIR,0x171417000,0x171236000,0x171272980,,
RESULT PAIR,0x17a644000,0x17a865000,0x17a822f00,,
RESULT PAIR,0x80af9000,0x17ebaf000,0x80a34310,,
RESULT PAIR,0x1961ec000,0x196165000,0x1961abd10,,
RESULT PAIR,0x7248f000,0x72515000,0x724c8d88,,
RESULT PAIR,0x1716b7000,0x7eb69000,0x1716f1ea0,,
RESULT PAIR,0x16f3d6000,0x16f1f6000,0x16f3930b0,,
RESULT PAIR,0x72901000,0x177232000,0x1772775a0,,
RESULT PAIR,0x772fc000,0x77277000,0x77231830,,
RESULT PAIR,0x7bcf3000,0x7bd69000,0x7bd2ef10,,
RESULT PAIR,0x7e275000,0x7e456000,0x7e412a30,,
RESULT PAIR,0x1730d7000,0x17305d000,0x1730910a8,,
RESULT PAIR,0x80afb000,0x78671000,0x80a34310,,
怎么根据这些flip的位反推物理地址和row、colume、bank了?作者cpu是sandy brige,ubuntu系统,4GB内存,先用decode-dimms初步查看了内存信息,如下:
Size MB
Banks x Rows x Columns x Bits x x x
Ranks
这里有2个rank,8个bank;每个bank包含了2^15 = 32768 rows;每个row的容量 2^10*64=8KB;总容量 = 8 kbytes per row * 32768 rows * 2 ranks * 8 banks = 4GB;通过该命令,初步确认了row、colume和bank的位数;结合上述被filp的地址,连带着各种猜测和不停的尝试,作者把地址做出了以下分解:
result:
diff=-
addr=0x06cd1f680 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x06cd59000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x06ccc1000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-3a0f8
addr=0x07092ef08 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x070969000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x0708f1000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-408e8
addr=0x1a1d9b718 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x1a1ddc000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x1a1d57000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-453e0
addr=0x072321c20 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x072367000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x1a14de000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=2fb30
addr=0x194d27b30 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x194cf8000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x194d63000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
unusual?
result:
diff=-412d0
addr=0x07b622d30 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x07b664000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x07b6ed000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-443e0
addr=0x072321c20 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x072366000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x061503000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-443e0
addr=0x072321c20 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x072366000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x05e9cf000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=3dc10
addr=0x193643c10 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x193606000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x193825000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=3c980
addr=0x171272980 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x171236000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x171417000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-
addr=0x17a822f00 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x17a865000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x17a644000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-c4cf0
addr=0x080a34310 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x080af9000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x17ebaf000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=False
unusual?
result:
diff=-402f0
addr=0x1961abd10 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x1961ec000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x196165000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=39d88
addr=0x0724c8d88 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x07248f000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x072515000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=3aea0
addr=0x1716f1ea0 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x1716b7000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x07eb69000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-42f50
addr=0x16f3930b0 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x16f3d6000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x16f1f6000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=455a0
addr=0x1772775a0 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x177232000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x072901000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-457d0
addr=0x077231830 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x077277000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x0772fc000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-3a0f0
addr=0x07bd2ef10 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x07bd69000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x07bcf3000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=-435d0
addr=0x07e412a30 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x07e456000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x07e275000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
result:
diff=340a8
addr=0x1730910a8 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x17305d000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x1730d7000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=True
unusual?
result:
diff=-c6cf0
addr=0x080a34310 -> row= rank= bank= col_hi= channel= col_lo= (victim)
addr=0x080afb000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor1)
addr=0x078671000 -> row= rank= bank= col_hi= channel= col_lo= (aggressor2)
fits=False
unusual?
仔细观察:(1)aggressor1距离victim更近(22个样本中,20个样本的位数只差1,两个样本差3),大概率是影响victim 的地址 (2)victims和两个aggressor都在同一个bank
进而得出了以下address mapping的结论:
- Bits 0-5: These are the lower 6 bits of the byte index within a row (i.e. the 6-bit index into a 64-byte cache line).
- Bit 6: This is a 1-bit channel number, which selects between the 2 DIMMs.
- Bits 7-13: These are the upper 7 bits of the index within a row (i.e. the upper bits of the column number).
- Bits 14-16: These are XOR'd with the bottom 3 bits of the row number to give the 3-bit bank number.
- Bit 17: This is a 1-bit rank number, which selects between the 2 ranks of a DIMM (which are typically the two sides of the DIMM's circuit board).
- Bits 18-32: These are the 15-bit row number.
- Bits 33+: These may be set because physical memory starts at physical addresses greater than 0.
内存管理器这么映射物理地址,有啥好处了?
- 0~5bit一共有6位,刚好是2^6=64byte 一个cache line的大小,这么做可以让两个channel同时并行访问不同的cache line,提升速度;
- bank 并行:8个bank可以同时并行读写,提升速度
- bank function: bank bit之间的XOR,可以在大范围读取数据时让地址映射到不同的bank,减少thrashing碰撞的概率
(3)最核心的hammer代码如下: 对特定地址读54万次;每次读后cflush清空cache line,强迫cpu每次都去DRAM读取,使得对应地址的row反复充放电,达到hammer的效果;
//inner的每个地址分别读数据,再清除缓存,如此重复54万次;
static void row_hammer_inner(struct InnerSet inner) {
if (TEST_MODE &&
inner.addrs[] == g_inject_addr1 &&
inner.addrs[] == g_inject_addr2) {
printf("Test mode: Injecting bit flip...\n");
g_mem[] ^= ;
} uint32_t sum = ;
for (int i = ; i < toggles; i++) {//重复54万次
for (int a = ; a < ADDR_COUNT; a++)
sum += *inner.addrs[a] + ;//分别从4个内层地址读数据,可以把这4个地址存储的数据放进rowbuffer,原地址的cell读一次会充放电一次,影响其周边的cell;
if (!TEST_MODE) {
for (int a = ; a < ADDR_COUNT; a++)
//上面4个地址的内容从cache line清除,确保下次cpu还是从内存去读,才能保证row hammer的效果
asm volatile("clflush (%0)" : : "r" (inner.addrs[a]) : "memory");
}
} // Sanity check. We don't expect this to fail, because reading
// these rows refreshes them.
if (sum != ) {
printf("error: sum=%x\n", sum);
exit();
}
}
完整代码如下:精华都在注释(英文是原作者,中文是我加的)
// Copyright 2015, Google, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License. // This is required on Mac OS X for getting PRI* macros #defined.
#define __STDC_FORMAT_MACROS #include <assert.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h> #if !defined(TEST_MODE)
# define TEST_MODE
#endif const size_t mem_size = << ;//1GB
const int toggles = ; char *g_mem;
void *g_inject_addr1;
void *g_inject_addr2; uint64_t g_address_sets_tried;
int g_errors_found; /*从g_mem开始随机选个物理地址,偏移是页的整数倍,大小不超过1GB
http://lackingrhoticity.blogspot.com/2015/05/how-physical-addresses-map-to-rows-and-banks.html 原作者自己的硬件环境:
Bits 0-5: These are the lower 6 bits of the byte index within a row (i.e. the 6-bit index into a 64-byte cache line).
Bit 6: This is a 1-bit channel number, which selects between the 2 DIMMs.
Bits 7-13: These are the upper 7 bits of the index within a row (i.e. the upper bits of the column number).
物理地址依次增加0x1000,也就是不同的物理地址低12位是相同的,那么这些物理地址的:1、channel是一样的 2、colume是一样的 3、bank和row可能不同
*/
char *pick_addr() {
//offset是页(1<<12=4096)的整数倍
size_t offset = (rand() << ) % mem_size;
return g_mem + offset;
}
//虚拟地址转成物理地址,http://0x4c43.cn/2018/0508/linux-dynamic-link/ 有详细说明
uint64_t get_physical_addr(uintptr_t virtual_addr) {
int fd = open("/proc/self/pagemap", O_RDONLY);
assert(fd >= ); int kPageSize = 0x1000;
off_t pos = lseek(fd, (virtual_addr / kPageSize) * , SEEK_SET);
assert(pos >= );
uint64_t value;
int got = read(fd, &value, );
assert(got == );
int rc = close(fd);
assert(rc == ); uint64_t frame_num = value & ((1ULL << ) - );
return (frame_num * kPageSize) | (virtual_addr & (kPageSize - ));
} class Timer {
struct timeval start_time_; public:
Timer() {
// Note that we use gettimeofday() (with microsecond resolution)
// rather than clock_gettime() (with nanosecond resolution) so
// that this works on Mac OS X, because OS X doesn't provide
// clock_gettime() and we don't really need nanosecond resolution.
int rc = gettimeofday(&start_time_, NULL);
assert(rc == );
} double get_diff() {
struct timeval end_time;
int rc = gettimeofday(&end_time, NULL);
assert(rc == );
return (end_time.tv_sec - start_time_.tv_sec
+ (double) (end_time.tv_usec - start_time_.tv_usec) / 1e6);
}
}; #define ADDR_COUNT 4
#define ITERATIONS 10 struct InnerSet {
uint32_t *addrs[ADDR_COUNT];//4个32位的地址
};
struct OuterSet {
struct InnerSet inner[ITERATIONS];//10个内层结构,每个内层结构4个32位地址
}; /*g_mem每bit都置1,后续按照一定频率反复读写某些地址的数据。如果发生flip,
会导致其内容不再是1,后续会在check函数检查是否发生了bit flip*/
static void reset_mem() {
memset(g_mem, 0xff, mem_size);
} //从g_mem开始随机选择40个物理地址保存在set;物理地址的偏移是页的整数倍,大小超过1GB;
static void pick_addrs(struct OuterSet *set) {
for (int j = ; j < ITERATIONS; j++) {
for (int a = ; a < ADDR_COUNT; a++) {
set->inner[j].addrs[a] = (uint32_t *) pick_addr();
}
}
} //inner的每个地址分别读数据,再清除缓存,如此重复54万次;
static void row_hammer_inner(struct InnerSet inner) {
if (TEST_MODE &&
inner.addrs[] == g_inject_addr1 &&
inner.addrs[] == g_inject_addr2) {
printf("Test mode: Injecting bit flip...\n");
g_mem[] ^= ;
} uint32_t sum = ;
for (int i = ; i < toggles; i++) {//重复54万次
for (int a = ; a < ADDR_COUNT; a++)
sum += *inner.addrs[a] + ;//分别从4个内层地址读数据,可以把这4个地址存储的数据放进rowbuffer,原地址的cell读一次会充放电一次,影响其周边的cell;
if (!TEST_MODE) {
for (int a = ; a < ADDR_COUNT; a++)
//上面4个地址的内容从cache line清除,确保下次cpu还是从内存去读,才能保证row hammer的效果
asm volatile("clflush (%0)" : : "r" (inner.addrs[a]) : "memory");
}
} // Sanity check. We don't expect this to fail, because reading
// these rows refreshes them.
if (sum != ) {
printf("error: sum=%x\n", sum);
exit();
}
} static void row_hammer(struct OuterSet *set) {
Timer timer;
for (int j = ; j < ITERATIONS; j++) {
//读取inner的地址、清空缓存,重复54万次;
row_hammer_inner(set->inner[j]);
g_address_sets_tried++;
} // Print statistics derived from the time and number of accesses.
double time_taken = timer.get_diff();
printf(" Took %.1f ms per address set\n",//1个set = 1个1inner(一共4个地址),耗时58~59ms,平局每个地址的读取耗时14.5~15ms(每个地址重复了54万次,并且上次读取后清空了缓存);
time_taken / ITERATIONS * 1e3);
printf(" Took %g sec in total for %i address sets\n",
time_taken, ITERATIONS);
int memory_accesses = ITERATIONS * ADDR_COUNT * toggles;
printf(" Took %.3f nanosec per memory access (for %i memory accesses)\n",
time_taken / memory_accesses * 1e9,//每个地址的读取时间在27~29ns之间
memory_accesses);
int refresh_period_ms = ;//内存控制器每64ms刷新一次;每个刷新周期内,每个地址访问53~58万次;
printf(" This gives %i accesses per address per %i ms refresh period\n",
(int) (refresh_period_ms * 1e- * ITERATIONS * toggles / time_taken),
refresh_period_ms);
} struct BitFlipInfo {
uintptr_t victim_virtual_addr;
int bit_number;
uint8_t flips_to; // 1 if this is a 0 -> 1 bit flip, 0 otherwise.
}; static bool check(struct BitFlipInfo *result) {
uint64_t *end = (uint64_t *) (g_mem + mem_size);
uint64_t *ptr;
bool found_error = false;
for (ptr = (uint64_t *) g_mem; ptr < end; ptr++) {
uint64_t got = *ptr;
uint64_t expected = ~(uint64_t) ;//g_mem每个bit初始都置1
if (got != expected) {
printf("error at %p (phys 0x%" PRIx64 "): got 0x%" PRIx64 "\n",
ptr, get_physical_addr((uintptr_t) ptr), got);
found_error = true;
g_errors_found++; if (result) {
result->victim_virtual_addr = (uintptr_t) ptr;//保存flip的地址
result->bit_number = -;//0xff,初始值;
for (int bit = ; bit < ; bit++) {//上面每次比对取64bit,这里继续看看到底是哪个bit被flip了
if (((got >> bit) & ) != ((expected >> bit) && )) {
result->bit_number = bit;//找到了flip的位,最终flip的位=victim_virtual_addr+bit_number;
result->flips_to = (got >> bit) & ;
}
}
assert(result->bit_number != -);
}
}
}
return found_error;
}
/*
用发生flip的地址两两组合形成新inner地址,缩小范围后继续hammer
*/
bool narrow_to_pair(struct InnerSet *inner) {
bool found = false;
for (int idx1 = ; idx1 < ADDR_COUNT; idx1++) {
for (int idx2 = idx1 + ; idx2 < ADDR_COUNT; idx2++) {
//0+1、1+2、2+3组合发生反转的地址
uint32_t *addr1 = inner->addrs[idx1];
uint32_t *addr2 = inner->addrs[idx2];
struct InnerSet new_set;
// This is slightly hacky: We reuse row_hammer_inner(), which
// always expects to hammer ADDR_COUNT addresses. Rather than
// making another version that takes a pair of addresses, we
// just pass our 2 addresses to row_hammer_inner() multiple
// times. 新的inner分别放这两个发生过flip的地址组合
for (int a = ; a < ADDR_COUNT; a++) {
new_set.addrs[a] = a % == ? addr1 : addr2;
}
printf("Trying pair: 0x%" PRIx64 ", 0x%" PRIx64 "\n",
get_physical_addr((uintptr_t) addr1),
get_physical_addr((uintptr_t) addr2));
reset_mem();
row_hammer_inner(new_set);
struct BitFlipInfo bit_flip_info;
if (check(&bit_flip_info)) {
found = true;
printf("RESULT PAIR,0x%" PRIx64 ",0x%" PRIx64 ",0x%" PRIx64 ",%i,%i\n",
get_physical_addr((uintptr_t) addr1),
get_physical_addr((uintptr_t) addr2),
get_physical_addr((uintptr_t) bit_flip_info.victim_virtual_addr),
bit_flip_info.bit_number,
bit_flip_info.flips_to);
}
}
}
return found;
}
//继续hammer,把发生flip的inner地址保存后
bool narrow_down(struct OuterSet *outer) {
bool found = false;
for (int j = ; j < ITERATIONS; j++) {
reset_mem();
row_hammer_inner(outer->inner[j]);
if (check(NULL)) {
printf("hammered addresses:\n");
struct InnerSet *inner = &outer->inner[j];//把发生flip的地址保存在inner结构
for (int a = ; a < ADDR_COUNT; a++) {
printf(" logical=%p, physical=0x%" PRIx64 "\n",
inner->addrs[a],
get_physical_addr((uintptr_t) inner->addrs[a]));
}
found = true; printf("Narrowing down to a specific pair...\n");
int tries = ;
while (!narrow_to_pair(inner)) {
if (++tries >= ) {
printf("Narrowing to pair: Giving up after %i tries\n", tries);
break;
}
}
}
}
return found;
} void main_prog() {
printf("RESULT START_TIME,%" PRId64 "\n", time(NULL)); g_mem = (char *) mmap(NULL, mem_size, PROT_READ | PROT_WRITE,
MAP_ANON | MAP_PRIVATE, -, );
assert(g_mem != MAP_FAILED); printf("Clearing memory...\n");
reset_mem();//分配的1G内存全部值0xFF Timer t;
int iter = ;
for (;;) {
printf("Iteration %i (after %.2fs)\n", iter++, t.get_diff());
struct OuterSet addr_set;
pick_addrs(&addr_set);
if (TEST_MODE && iter == ) {
printf("Test mode: Will inject a bit flip...\n");
g_inject_addr1 = addr_set.inner[].addrs[];
g_inject_addr2 = addr_set.inner[].addrs[];
}
row_hammer(&addr_set); Timer check_timer;
bool found_error = check(NULL);
printf(" Checking for bit flips took %f sec\n", check_timer.get_diff()); if (iter % == || found_error) {
// Report general progress stats:
// - Time since start, in seconds
// - Current Unix time (seconds since epoch)
// - Number of address sets tried
// - Number of bit flips found (not necessarily unique ones)
printf("RESULT STAT,%.2f,%" PRId64 ",%" PRId64 ",%i\n",
t.get_diff(),
(uint64_t) time(NULL),
g_address_sets_tried,
g_errors_found);
} if (found_error) {
printf("\nNarrowing down to set of %i addresses...\n", ADDR_COUNT);
int tries = ;
while (!narrow_down(&addr_set)) {
if (++tries >= ) {
printf("Narrowing to address set: Giving up after %i tries\n", tries);
break;
}
} printf("\nRunning retries...\n");
for (int i = ; i < ; i++) {
printf("Retry %i\n", i);
reset_mem();
row_hammer(&addr_set);
check(NULL);
}
if (TEST_MODE)
exit();
}
}
} int main() {
// Turn off unwanted buffering for when stdout is a pipe.
setvbuf(stdout, NULL, _IONBF, ); // Start with an empty line in case previous output was truncated
// mid-line.
printf("\n"); if (TEST_MODE) {
printf("Running in safe test mode...\n");
} // Fork a subprocess so that we can print the test process's exit
// status, and to prevent reboots or kernel panics if we are running
// as PID 1.
int pid = fork();
if (pid == ) {
main_prog();
_exit();
} int status;
if (waitpid(pid, &status, ) == pid) {
printf("** exited with status %i (0x%x)\n", status, status);
} if (getpid() == ) {
// We're the "init" process. Avoid exiting because that would
// cause a kernel panic, which can cause a reboot or just obscure
// log output and prevent console scrollback from working.
for (;;) {
sleep();
}
}
return ;
}
参考:
1、 http://lackingrhoticity.blogspot.com/2015/05/how-physical-addresses-map-to-rows-and-banks.html How physical addresses map to rows and banks in DRAM
2、 https://cloud.tencent.com/developer/article/1620354 逆向DRAM地址映射
3、 DRAMDig: A Knowledge-assisted Tool to Uncover DRAM Address Mapping
intel:spectre&Meltdown侧信道攻击(五)—— DRAM address mapping的更多相关文章
- intel:spectre&Meltdown侧信道攻击(一)
只要平时对安全领域感兴趣的读者肯定都听过spectre&Meltdown侧信道攻击,今天简单介绍一下这种攻击的原理( https://www.bilibili.com/video/av1814 ...
- intel:spectre&Meltdown侧信道攻击(三)—— raw hammer
今天介绍raw hammer攻击的原理:这次有点“标题党”了.事实上,raw hammer是基于DRAM内存的攻击:所以理论上,只要是用了DRAM内存的设备,不论是什么cpu(intel.amd,或则 ...
- intel:spectre&Meltdown侧信道攻击(二)
上面一篇介绍了spectre&meltdown基本原理和简单的demo方案,今天继续学习一下该漏洞发现团队原始的POC:https://spectreattack.com/spectre.pd ...
- intel:spectre&Meltdown侧信道攻击(四)—— cache mapping
前面简单介绍了row hammer攻击的原理和方法,为了更好理解这种底层硬件类攻击,今天介绍一下cpu的cache mapping: 众所周知,cpu从内存读数据,最开始用的是虚拟地址,需要通过分页机 ...
- 第四十五个知识点:描述一些对抗RSA侧信道攻击的基础防御方法
第四十五个知识点:描述一些对抗RSA侧信道攻击的基础防御方法 原文地址:http://bristolcrypto.blogspot.com/2015/08/52-things-number-45-de ...
- 第四十三个知识点:为AES描述一些基础的(可能无效)的对抗侧信道攻击的防御
第四十三个知识点:为AES描述一些基础的(可能无效)的对抗侧信道攻击的防御 原文地址:http://bristolcrypto.blogspot.com/2015/07/52-things-numbe ...
- 侧信道攻击,从喊666到入门之——Unicorn的环境构建
作者:backahasten 发表于小米安全中心微信公众号 0x00 前言 Unicorn可以模拟多种指令集的代码,在很多安全研究领域有很强大的作用,但是由于需要从头自己布置栈空间,代码段等虚拟执行环 ...
- 嵌入式 -- WINKHUB 边信道攻击 (NAND Glitch)
0x00 前言 随着物联网IOT的飞速发展,各类嵌入式设备, 路由器安全研究也越来越火. 但因为跟以往纯软件安全研究的要求不同, 这类研究往往需要结合相应的硬件知识. 很多朋友困惑如何开始, 甚至卡在 ...
- ORW-测信道攻击
做SCTF时碰到一个没看过的题型,比赛结束之后才知道是orw的一个玩法,测信道攻击.主要特点就是只给使用open,read,但是不给write,即无法把flag输出到终端.这里可以通过把flag读到栈 ...
随机推荐
- 线性动归之Wooden Sticks
题面:现在有n(n<5000)个木头,每个木头都有长度l和重量w(l<10000,w<10000),现在你要对木头进行加工: 1.第一根木头需要先花费1min: 2.加工完第i跟木头 ...
- [Noip2016]蚯蚓 (单调队列)
题干 本题中,我们将用符号[c]表示对c向下取整,例如:[3.0」= [3.1」=[3.9」=3.蛐蛐国最近蚯蚓成灾了!隔壁跳蚤国的跳蚤也拿蚯蚓们没办法,蛐蛐国王只好去请神刀手来帮他们消灭蚯蚓.蛐蛐国 ...
- 小师妹学JVM之:JVM中的Safepoints
目录 简介 GC的垃圾回收器 分代回收器中的问题 safepoints safepoint一般用在什么地方 总结 简介 java程序员都听说过GC,大家也都知道GC的目的是扫描堆空间,然后将那些标记为 ...
- tensorflow.python.framework.errors_impl.InvalidArgumentError: You must feed a value for placeholder tensor 'x_1' with dtype float and shape [?,227,227,3]
记一次超级蠢超级折磨我的bug. 报错内容: tensorflow.python.framework.errors_impl.InvalidArgumentError: You must feed a ...
- 数据载入、存储及文件格式知识图谱-《利用Python进行数据分析》
所有内容整理自<利用Python进行数据分析>,使用MindMaster Pro 7.3制作,emmx格式,源文件已经上传Github,需要的同学转左上角自行下载或者右击保存图片.
- Shader-内轮廓自发光效果
需求 1 基于涅菲尔反射的变形 原理 (近处的反射少,远处反射多) 1)公式(近似):F = Fscale + (1-Fscale)(1-v·n)^5 利用fresnel做边缘发光,代码 fixed ...
- bzoj3621我想那还真是令人高兴啊
bzoj3621我想那还真是令人高兴啊 题意: T组数据,每组给出两个三角形各点坐标,要求求出一个点使第一个三角形可以绕这个点放缩和旋转得到另一个三角形.T≤10,坐标为≤10000的实数,数据保证三 ...
- mybatis的<if>标签,<foreach>标签,<collection>标签,<association>标签以及useGeneratedKeys用法
<if>标签 1.判断非空或不等于 <if test="assessTypes!= null and assessTypes!='' "> AND FIND ...
- 不藏了,摊牌了,一张知识图谱整理完整Java并发体系,就问全不全
推荐阅读: 2020年马士兵Java多线程高并发讲解——百万年薪架构师告诉你Java多线程与高并发 目录 这是我关于整个Java并发体系的整理,结合的主要是现在市面上对于Java并发在面试的过程中经常 ...
- Redis 6.0 新特性 ACL 介绍
Redis 6.0 新特性 ACL 介绍 Intro 在 Redis 6.0 中引入了 ACL(Access Control List) 的支持,在此前的版本中 Redis 中是没有用户的概念的,其实 ...