mjyan0720 / invisispec-1.0
Gem5 implementation of "InvisiSpec", a defense mechanism of speculative execution attacks on cache hierarchy.
License: BSD 3-Clause "New" or "Revised" License
Is there a file that I need to change for changing ruby cache latency?
Running with --scheme=UnsafeBaseline successfully completes, but SpectreSafeInvisibleSpec aborts with a core dump. I tried with a low number of instructions as well as different cache configurations to find the source of the memory leakage, but had no success.
build/X86/gem5.opt -d myout/gcc configs/example/se.py --cmd=../workspace/benchmarks/cpu2006/spec-SE/binaries/x86/linux/gcc -I 100000 --cpu-type=DerivO3CPU --caches --scheme=SpectreSafeInvisibleSpec --needsTSO=1
I'm currently doing some research on defending against Spectre. I'd like to reproduce the results of InvisiSpec. I'm new to gem5. Sorry for asking you about using the experiment environment.
I saw in the example script run_spec_from_ckpt.sh that you use --checkpoint-restore=10000000000. Does this mean we skip the first 10 billion instructions; then, we simulate 1 billion instructions in the paper? And if I use --take-checkpoints=10000000000 to take a checkpoint running the unsafe baseline processor, can I use this checkpoint to run on other processors like IS-Sp?
Exception: MI_example-dir.sm:448: Error: Unrecognized function name: 'queueMemoryRead_MachineID_Addr_Cycles':
File "/home/sam/InvisiSpec-1.0/SConstruct", line 1250:
For L2 cache latency, the file "src/mem/protocol/MESI_Two_Level-L2cache.sm" does not show 8 cycle latency.
How did you simulate 8 cycles as RT for L2 cache, did you use different gem5 files?
Or you simulated with cycles specified in "src/mem/protocol/MESI_Two_Level-L2cache.sm" which do not sum to 8 cycles?
Hello,
We wanted to share a couple of vulnerabilities we discovered in InvisiSpec's current code base. It would be great if you could take a look and respond if these look correct:
https://github.com/XsPFTdot7Hy3/InvisiSpec-vulnerabilities
Speculative Invalidation of Caches:
We found a bug in InvisiSpec's Gem5 implementation where speculative loads can still perform evictions, and thus affect the final state of the cache. An attacker could exploit this through a Prime+Probe-style attack to determine information about addresses which are only accessed speculatively.
Speculative-Interference Attack Observable from the Same-Core:
There is an additional issue with InvisiSpec's vulnerability to speculative interference attacks. Previously, such attacks required a reference load to be from another thread, and the attacker to be a multi-threaded attacker. We observe that this attack works even in a 1-core setting. Below, we provide a simple example with two asms, one for a secret=0 (test_case_input1.asm), and another for a secret=1 (test_case_input2.asm). Only the inputs in registers are different in the two asms; the program itself is the same.
We have a reference load in the same program at the very end, which is a non-speculative cache hit. We observe that the reference load has a long latency if there is MSHR interference or short latency if there is no MSHR interference, based on if there is a speculative miss OR not.
Full details of our attack are contained here:
https://github.com/XsPFTdot7Hy3/InvisiSpec-vulnerabilities/blob/main/InvisiSpec%20Disclosure.pdf
Code containing demonstration of our attacks:
https://github.com/XsPFTdot7Hy3/InvisiSpec-vulnerabilities
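The invariant behind the first finding above, as an added example that is not from the issue's authors or the InvisiSpec code base: a squashed speculative load must leave cache contents and replacement order unchanged. `ToyCache`, its `spec_evicts` switch and the line numbers are constructed for illustration and do not model gem5's Ruby protocols.

```python
from collections import OrderedDict

class ToyCache:
    """Constructed model: set-associative LRU cache plus a speculative buffer."""

    def __init__(self, num_sets=4, ways=2, spec_evicts=False):
        self.num_sets, self.ways = num_sets, ways
        self.spec_evicts = spec_evicts  # True models the reported bug class
        self.sets = [OrderedDict() for _ in range(num_sets)]
        self.spec_buffer = set()

    def _set(self, line):
        return self.sets[line % self.num_sets]

    def load(self, line, speculative=False):
        s = self._set(line)
        if line in s:
            if not speculative:
                s.move_to_end(line)  # only visible loads may update LRU order
            return
        if speculative:
            self.spec_buffer.add(line)  # data is held outside the cache
            if self.spec_evicts and len(s) >= self.ways:
                s.popitem(last=False)  # defect: a victim is dropped anyway
            return
        if len(s) >= self.ways:
            s.popitem(last=False)  # normal LRU eviction on a visible miss
        s[line] = True

    def squash(self):
        self.spec_buffer.clear()

    def snapshot(self):
        # Contents and LRU order of every set: what a later probe could observe.
        return tuple(tuple(s.keys()) for s in self.sets)

def squashed_load_is_invisible(cache, warmup, spec_line):
    """Regression check: cache state is identical before and after a squashed load."""
    for line in warmup:
        cache.load(line)
    before = cache.snapshot()
    cache.load(spec_line, speculative=True)
    cache.squash()
    return cache.snapshot() == before

if __name__ == "__main__":
    # Lines 0 and 4 fill set 0; line 8 maps to the same (full) set.
    print(squashed_load_is_invisible(ToyCache(), [0, 4], 8))
    print(squashed_load_is_invisible(ToyCache(spec_evicts=True), [0, 4], 8))
```

The check only exposes the defect when the speculative line maps to a full set, so a regression test for this property needs warm-up accesses that fill the target set first.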
Thanks a lot for making the code public. This definitely makes it easier for other researchers (including me) to start working on extending your work.
The code used by me for spectre attack:
https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6
Spectre works when I use the original unmodified gem5 code:
Spectre does not work when I use the modified gem5 code provided by you:
Also, since most of the config options are added to se.py, I tried running the following command:
build/X86_MESI_Two_Level/gem5.opt configs/example/se.py --cpu-type=DerivO3CPU --needsTSO=0 --scheme=UnsafeBaseline --l1d_size=64kB --l1i_size=16kB --l2_size=256kB --caches --mem-type=DDR3_1600_8x8 --sys-clock=1GHz -c spectre.
I ran it this way because even two_level.py used 2 level caches with DDR3_1600_8x8 as mem type, sys clock as 1 GHz and DerivO3CPU as cpu type. The main purpose of two_level.py was to create 2 level cache
That is, I tried running Spectre using UnsafeBaseline mode, but it is not working in UnsafeBaseline mode as well as in SpectreSafeInvisibleSpec mode. Ideally, the Spectre attack should have worked in UnsafeBaseline mode and been successfully defended by SpectreSafeInvisibleSpec mode.
Could you please let me know how you carried out the Spectre attack and which code you used to perform it? Please help me reproduce the Spectre attack on your modified gem5 code.
Exception: MI_example-cache.sm:401: Error: Invalid method call: Type 'Sequencer' does not have a method evictionCallback, 'evictionCallback_Addr' nor '':
Hi, firstly, thank you very much for sharing your work. I really enjoyed reading your paper so I am trying to run your implementation.
However, when I just run your script (run_parsec_from_ckpt.sh), the simulation just finishes with the following message. The last line looks wrong.
Exiting @ tick 18446744073709551615 because simulate() limit reached
Can you give me advice for solving this issue?
Thank you in advance.
warn: You are trying to use Ruby on ARM, which is not working properly yet.
gem5 Simulator System. http://gem5.org
gem5 is copyrighted software; use the --copyright option for details.
gem5 compiled Apr 10 2019 12:33:30
gem5 started Apr 10 2019 23:32:48
gem5 executing on hpcserver.cse.tamu.edu, pid 5394
command line: ./build/ARM_MESI_Two_Level/gem5.opt configs/example/fs.py --kernel=/home/sungkeun/gem5-kernel/arm_parsec/binaries/vmlinux.aarch64.20140821 --dtb-file=/home/sungkeun/gem5-kernel/arm_parsec/binaries/vexpress.aarch64.20140821.dtb --disk-image=/home/sungkeun/gem5-kernel/arm_parsec/disks/aarch64-ubuntu-trusty-headless.img --machine-type=VExpress_EMM64 --num-cpus=8 --mem-size=2GB --num-l2caches=8 --num-dirs=8 --network=simple --topology=Mesh_XY --mesh-rows=4 --l1d_assoc=8 --l2_assoc=16 --l1i_assoc=4 --ruby --cpu-type=DerivO3CPU --needsTSO=0 --scheme=FuturisticSafeInvisibleSpec
Global frequency set at 1000000000000 ticks per second
warn: DRAM device capacity (8192 Mbytes) does not match the address range assigned (256 Mbytes)
warn: DRAM device capacity (8192 Mbytes) does not match the address range assigned (256 Mbytes)
warn: DRAM device capacity (8192 Mbytes) does not match the address range assigned (256 Mbytes)
warn: DRAM device capacity (8192 Mbytes) does not match the address range assigned (256 Mbytes)
warn: DRAM device capacity (8192 Mbytes) does not match the address range assigned (256 Mbytes)
warn: DRAM device capacity (8192 Mbytes) does not match the address range assigned (256 Mbytes)
warn: DRAM device capacity (8192 Mbytes) does not match the address range assigned (256 Mbytes)
warn: DRAM device capacity (8192 Mbytes) does not match the address range assigned (256 Mbytes)
info: kernel located at: /home/sungkeun/gem5-kernel/arm_parsec/binaries/vmlinux.aarch64.20140821
warn: Highest ARM exception-level set to AArch32 but bootloader is for AArch64. Assuming you wanted these to match.
Info: simulation uses scheme: UnsafeBaseline; needsTSO=0; allowSpecBuffHit=1
Info: simulation uses scheme: UnsafeBaseline; needsTSO=0; allowSpecBuffHit=1
Info: simulation uses scheme: UnsafeBaseline; needsTSO=0; allowSpecBuffHit=1
Info: simulation uses scheme: UnsafeBaseline; needsTSO=0; allowSpecBuffHit=1
Info: simulation uses scheme: UnsafeBaseline; needsTSO=0; allowSpecBuffHit=1
Info: simulation uses scheme: UnsafeBaseline; needsTSO=0; allowSpecBuffHit=1
Info: simulation uses scheme: UnsafeBaseline; needsTSO=0; allowSpecBuffHit=1
Info: simulation uses scheme: UnsafeBaseline; needsTSO=0; allowSpecBuffHit=1
warn: Sockets disabled, not accepting vnc client connections
warn: Sockets disabled, not accepting terminal connections
warn: Sockets disabled, not accepting gdb connections
info: Using bootloader at address 0x10
info: Using kernel entry physical address at 0x80080000
info: Loading DTB file: /home/sungkeun/gem5-kernel/arm_parsec/binaries/vexpress.aarch64.20140821.dtb at address 0x88000000
**** REAL SIMULATION ****
warn: Existing EnergyCtrl, but no enabled DVFSHandler found.
info: Entering event queue @ 0. Starting simulation...
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
warn: Address 0 is outside of physical memory, stopping fetch
Exiting @ tick 18446744073709551615 because simulate() limit reached