build : multiple cache lines access, success 7/8 or 5/8 (v_addr cover 16 lines), total 16 lines

80a0417c · Yuxiao Mao · 580a86bc · 80a0417c · 80a0417c · 80a0417c
Commit 80a0417c authored 5 years ago by Yuxiao Mao
--- a/src/attack.c
+++ b/src/attack.c
@@ -7,6 +7,10 @@ void attack_prepare(void * monitor_addr) {
  fr_monitor(attack_fr, monitor_addr);
 }

+void attack_add_monitor(void * monitor_addr) {
+  fr_monitor(attack_fr, monitor_addr);
+}
+
 //res=2 if cache hit, res=20 if cache miss
 void attack_1(uint16_t *res) {
  fr_probe(attack_fr, res);

--- a/src/attack.h
+++ b/src/attack.h
@@ -5,6 +5,10 @@
 #include "fr.h"

 void attack_prepare(void * monitor_addr);
+
+// As we remove the realloc, fr monitor max 16 addr
+void attack_add_monitor(void * monitor_addr);
+
 void attack_1(uint16_t *res);

 #endif //#ifndef __ATTACK_H__

--- a/src/lib/myorca_uart.c
+++ b/src/lib/myorca_uart.c
@@ -28,7 +28,7 @@ static void i2a (int num, char * bf)
 }

 void uart_printi(int i) {
-  char str[7]; //2**16=65536, +2 digit for sign and null ending
+  char str[12]; //2**32, +2 digit for sign and null ending
  i2a(i, str);
  uart_printf(str);
 }

--- a/src/main.c
+++ b/src/main.c
-#include <stdint.h>
+#include <stddef.h>
 #include "orca_malloc.h"
 #include "myorca_uart.h"

@@ -19,15 +19,30 @@
 // Function declarations
 // ----------------------------------------------------------------------------
 int handle_exception();
-void victim_1(int* val_addr);
+int a2d(char ch);
+void victim_1(int32_t* val_addr);


 // ----------------------------------------------------------------------------
 // Global variable
+// Place order seems to be the same :
+// static before non static, used array before unused
+// heap at the end if non static, preserve order if all static
 // ----------------------------------------------------------------------------
 #define HEAP_SIZE_BYTE 1024
-char myorca_heap[HEAP_SIZE_BYTE];
-int victim_data_address[16];
+unsigned char myorca_heap[HEAP_SIZE_BYTE];
+
+// Cache orca : tag (23b), num_line (4b = 16line), pos (5b = 32byte)
+// To cover all cache lines = 16lines * 4byte/int * 8int
+// But if we monitor all cache lines, attack_fr structure and heap likely occupy
+// all address and thought can't detect any eviction.
+// In this configuration of 8 lines, we can detect 5-7 access.
+
+// MONITOR_CACHE_LINE must < 16, else need change VLIST_DEF_SIZE, victim
+// address selection, attack line detect print logic.
+#define MONITOR_CACHE_LINE 8
+#define INT_PER_CACHE_LINE 8
+static int32_t victim_data_address[16*INT_PER_CACHE_LINE];


 // ----------------------------------------------------------------------------
@@ -37,10 +52,14 @@ int main(void)
 {
  // Prepare heap
  orca_init_malloc(myorca_heap, HEAP_SIZE_BYTE, 4);
+  uart_printf("\r\n\r\nHEAP_INIT");

 #if __OPTION_ATTACK_ENABLE__ == 1
-  uint16_t res[1];
+  uint16_t res[MONITOR_CACHE_LINE];
  attack_prepare(victim_data_address);
+  for (int i = 1; i < MONITOR_CACHE_LINE; i++) {
+    attack_add_monitor(&victim_data_address[i*INT_PER_CACHE_LINE]);
+  }
  uart_printf("\r\nATTACK_ENABLE");
 #endif
 #if __OPTION_VICTIM_ENABLE__ == 1
@@ -60,12 +79,20 @@ int main(void)
      uart_printf(").");

 #if __OPTION_ATTACK_ENABLE__ == 1
-      victim_1(victim_data_address);
+      int read_number = a2d(read_value);
+      if (read_number >= 0 && read_number < MONITOR_CACHE_LINE) {
+        victim_1(&victim_data_address[read_number*INT_PER_CACHE_LINE]);
+      } else {
+        victim_1(victim_data_address);
+      }
      uart_printf("--");
    }
    attack_1(res);
-    if (res[0] < 3) {
-      uart_printc('A');
+    for (int i = 0; i < MONITOR_CACHE_LINE; i++) {
+      if (res[i] < 3) {
+        uart_printc('a');
+        uart_printc(i+(i<10 ? '0' : 'A'-10));
+      }
    }
 #else
    }
@@ -86,14 +113,28 @@ int handle_exception() {
  return 0;
 }

+// ----------------------------------------------------------------------------
+// Others functions
+// ----------------------------------------------------------------------------
+int a2d(char ch)
+{
+	if (ch>='0' && ch<='9')
+		return ch-'0';
+	else if (ch>='a' && ch<='f')
+		return ch-'a'+10;
+	else if (ch>='A' && ch<='F')
+		return ch-'A'+10;
+	else return -1;
+}
+

 // ----------------------------------------------------------------------------
 // Victim code
 // victim_1 provide simple memory access
 // ----------------------------------------------------------------------------
-void victim_1(int* val_addr) {
+void victim_1(int32_t* val_addr) {
  uart_printc('V');
-  uart_printi(val_addr[0]);
-  val_addr[0] = val_addr[0] + 1;
+  uart_printi(*val_addr); //take int
+  *val_addr = *val_addr + 1;
 }

--- a/src/victim.c
+++ b/src/victim.c
@@ -4,18 +4,22 @@

 #include "victim.h"

-const uint8_t c_key[] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
-const uint8_t c_out[] = { 0x76, 0x49, 0xab, 0xac, 0x81, 0x19, 0xb2, 0x46, 0xce, 0xe9, 0x8e, 0x9b, 0x12, 0xe9, 0x19, 0x7d,
-                  0x50, 0x86, 0xcb, 0x9b, 0x50, 0x72, 0x19, 0xee, 0x95, 0xdb, 0x11, 0x3a, 0x91, 0x76, 0x78, 0xb2,
-                  0x73, 0xbe, 0xd6, 0xb8, 0xe3, 0xc1, 0x74, 0x3b, 0x71, 0x16, 0xe6, 0x9e, 0x22, 0x22, 0x95, 0x16,
-                  0x3f, 0xf1, 0xca, 0xa1, 0x68, 0x1f, 0xac, 0x09, 0x12, 0x0e, 0xca, 0x30, 0x75, 0x86, 0xe1, 0xa7 };
-const uint8_t c_iv[]  = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
-const uint8_t c_in[]  = { 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
-                  0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
-                  0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
-                  0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 };
+static const uint8_t c_key[] =
+  { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
+static const uint8_t c_out[] =
+  { 0x76, 0x49, 0xab, 0xac, 0x81, 0x19, 0xb2, 0x46, 0xce, 0xe9, 0x8e, 0x9b, 0x12, 0xe9, 0x19, 0x7d,
+    0x50, 0x86, 0xcb, 0x9b, 0x50, 0x72, 0x19, 0xee, 0x95, 0xdb, 0x11, 0x3a, 0x91, 0x76, 0x78, 0xb2,
+    0x73, 0xbe, 0xd6, 0xb8, 0xe3, 0xc1, 0x74, 0x3b, 0x71, 0x16, 0xe6, 0x9e, 0x22, 0x22, 0x95, 0x16,
+    0x3f, 0xf1, 0xca, 0xa1, 0x68, 0x1f, 0xac, 0x09, 0x12, 0x0e, 0xca, 0x30, 0x75, 0x86, 0xe1, 0xa7 };
+static const uint8_t c_iv[]  =
+  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
+static const uint8_t c_in[]  =
+  { 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+    0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+    0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
+    0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 };

-void victim_prepare(struct AES_ctx* ctx, const uint8_t* key, const uint8_t* iv, uint8_t* in) {
+static void victim_prepare(struct AES_ctx* ctx, const uint8_t* key, const uint8_t* iv, uint8_t* in) {
  AES_init_ctx_iv(ctx, key, iv);
  AES_CBC_encrypt_buffer(ctx, in, 64);
 }