Update 2024.12.27: I'm sorry to announce that updates to this blog post end here :) However, all questions are always welcome.
“We’re trying to do things here that aren’t supposed to be done.”
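Microarchitectural security does have a barrier to entry, and when you first start writing code it is often hard to know where to begin. By now, however, researchers have released quite a few tools publicly. This post introduces the tools I know of, to narrow the information gap and avoid reinventing the wheel (and to keep your idea from being scooped because of a wheel you had to reinvent).
How to implement the most basic side channels in assembly, and how to find the relevant thresholds. cacheutils.h is still the one I use most to this day.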
Another toolkit for side-channel attacks.
A small library to modify all page-table levels of all processes from user space for x86_64 (Linux and Windows 10) and ARMv8 (Linux). It also allows to read and program memory types (i.e., PATs on x86 and MAIRs on ARM). Remapping, changing memory types, changing page permissions and so on: very practical.
This small header allows executing functions in your application in ring 0. A small interrupt-based tool that hooks an IDT so that we can execute ring 0 code (e.g., wrmsr) from userspace. Very practical when the code to be tested is small and you don't want to write a kernel module.
Fuzz Testing Meltdown-style attacks
PMC-PMI is a Linux kernel module which uses performance monitoring interrupts (PMI) to record performance counter events each cpu cycle. I played with it for a while; unfortunately I was too much of a novice back then.
Its primetime can be used to find effective prime access patterns.
SGX-Step consists of an adversarial Linux kernel driver and a small user-space operating system library that allows to configure untrusted page table entries and/or x86 APIC timer interrupts completely from user space.
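Also an interrupt-based framework: with a suitable APIC interval it achieves zero-step or single-step, depending on the attack scenario. If you work on TEE security, there is no getting around this framework. Intel has released a new feature (AEX-Notify) to mitigate this type of attack, but I haven't looked at it closely yet :)
A bit like a combination of PTEditor and sgx-step, but it also provides a toolkit for use in the browser. In any case, I highly recommend watching the presentation of this paper, which is also the source of the opening quote.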
The framework is developed to find microarchitectural side channels in an automated manner. Currently the implementation supports only x86 processors.
nanoBench is a Linux-based tool for running small microbenchmarks on recent Intel and AMD x86 CPUs. The microbenchmarks are evaluated using hardware performance counters. The reading of the performance counters is implemented in a way that incurs only minimal overhead. Be a little careful with this one, it can easily freeze the machine. - -!! Make sure you don't run it on a server right off the bat.
A framework that builds on nanoBench to automatically test how documented/undocumented MSR bits affect instruction execution.
Library for cache attacks with a focus on ARM.
A bunch of microarchitectural attacks are tested on both the Allwinner C906 and SiFive U74 processors (RISC-V).
An ultra-lightweight C library and binary for generating machine code of x86_64 assembly language and executing on the fly without invoking another compiler, assembler or linker.
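ROB size testing utility. It measures the Reorder Buffer, using pointer chasing to produce cache misses and then inserting various machine code in between. A bit hard to read, but it works. There are related blog posts and papers.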
https://blog.stuffedcow.net/2013/05/measuring-rob-capacity/ https://www.usenix.org/system/files/sec22summer_taram.pdf https://eprint.iacr.org/2024/149.pdf
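You can specify a performance counter event directly by providing event+umask. Compared with perf it is finer-grained, and it can also specify undocumented events. A similar work is libpfc, but it only supports Intel CPUs. pmu-utils supports not only Intel but also AMD and Arm CPUs.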
AsmJit is a lightweight library for machine code generation written in C++ language.
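A novel generic approach for automatically reverse-engineering a wide range of microarchitectural hash functions. Another work by a good friend in the lab, but I haven't looked at it closely yet xD.
The sgx-step for AMD-SEV.
The release timing was unlucky; in CacheWarp I also implemented a similar framework myself.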
Pin is a dynamic binary instrumentation framework for the IA-32 and x86-64 instruction-set architectures that enables the creation of dynamic program analysis tools.
This fuzzer crafts novel non-uniform Rowhammer access patterns based on the concepts of frequency, phase, and amplitude.
InSpectre Gadget is a tool for inspecting potential Spectre disclosure gadgets and performing exploitability analysis.
To be continued; additions are welcome.