vusec/bhi-spectre-bhb vusec/bhi-spectre-bhb

  • Stars
    star
    101
  • Rank 338,166 (Top 7 %)
  • Language
    C
  • License
    Apache License 2.0
  • Created over 2 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
vusec/bhi-spectre-bhb
github

vusec

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

This repository contains exploit and reverse-engineering source code regarding the Spectre-BHB/Branch History Injection vulnerability

Branch History Injection / Spectre-BHB

This repository contains reverse-engineering and exploits source code regarding the Spectre-BHB/Branch History Injection vulnerability.

For more information about our work:

Setup

Ensure that the required dependencies are installed depending on your system under test:

x86-64

sudo apt install gcc nasm msr-tools qemu-system-x86 debootstrap wget make

Arm-Android

  1. Download android-ndk-r23b-linux.zip from https://developer.android.com/ndk/downloads/index.html
  2. unzip android-ndk-r23b-linux.zip in the top directory
  3. Finally execute source env.sh to create the CC_ANDROID environment variable.

How to compile

For every experiment/poc a corresponding Makefile is provided. Depending on your target use:

make TARGET=INTEL_10_GEN      #e.g. for the Intel i7-10700K
make TARGET=INTEL_11_GEN      #e.g. for the Intel Xeon Silver 4310
make TARGET=PIXEL_6           #For the Pixel 6 Cortex-X1

In case the system under test is not supported, it is simply sufficient to edit common/targets.h to add the required micro-architectural parameters.

Repository organization

  • tools:

    • ibrs_checker: utility to test the presence of IBRS and eIBRS mitigations
    • fr_checker: tool to verify the the Flush+Reload timing threshold THR present in tune.h is correctly selected (needed for the reverse engineering experiments).

  • pocs: end-to-end exploits demonstrating how Spectre-BHB primitive can be used to mount an attack to leak data from the Linux kernel.

    • inter_mode: exploit based on Spectre-BHB/Branch History Injection demonstrates how the unprivileged history can be used to mount spectre-v2 attacks even in the presence of the ad-hoc hardware defense eIBRS.
    • intra_mode: exploit that shows how same privilege mode exploitation (kernel to kernel) is not only possible but practical.

  • re: reverse engineering experiments to test the presence of Branch History Injection and to extrapolate the main parameter of the indirect branch predictor.

    • x64

      • bhi_test: Experiment to verify the presence of the Spectre-BHB/Branch History Injection primitive
      • bhb_brute_force: Experiment to observe how often with a brute-force approach we obtain a BHB-collision
      • bhb_size: Experiment to retrieve the size of the Branch History Buffer (BHB)
      • bhb_control: Experiment to discover what is the minimum required control of the BHB to obtain reliable exploitation

    • arm

      • bhi_test: Experiment to verify the presence of the Spectre-BHB/Branch History Injection primitive
      • bhb_brute_force: Experiment to observe how often with a brute-force approach we obtain a BHB-collision

More Repositories

1

drammer

Native binary for testing Android phones for the Rowhammer bug
C++
478
star
2

vuzzer

C
379
star
3

revanc

Reverse Engineering Page Table Caches in Your Processor
C
362
star
4

ridl

RIDL test suite and exploits
C
345
star
5

vuzzer64

This implements a 64-bit version of vusec/vuzzer fuzzing tool.
C++
175
star
6

parmesan

ParmeSan: Sanitizer-guided Greybox Fuzzing
C++
167
star
7

hammertime

C
141
star
8

trrespass

TRRespass
C
119
star
9

guardion

Android GuardION patches to mitigate DMA-based Rowhammer attacks on ARM
C++
75
star
10

collabfuzz

CollabFuzz: A Framework for Collaborative Fuzzing
C++
66
star
11

dangsan

C++
62
star
12

floatzone

C
61
star
13

pandacap

A framework for streamlining the capture of PANDA execution traces.
Shell
55
star
14

slam

Spectre based on Linear Address Masking
C
53
star
15

deltapointers

Delta Pointers: Buffer Overflow Checks Without the Checks (EuroSys'18)
C++
51
star
16

kasper

Kasper: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel
C
51
star
17

smash

C
46
star
18

memsentry

Open-source release for MemSentry (EuroSys'17)
C
44
star
19

typearmor

Implementation of our S&P16 paper: A Tough Call: Mitigating Advanced Code-Reuse Attacks
C
43
star
20

uncontained

Uncovering Container Confusion in the Linux Kernel
C++
41
star
21

inspectre-gadget

InSpectre Gadget: in-depth inspection and exploitability analysis of Spectre disclosure gadgets
Python
39
star
22

blindside

C
32
star
23

xlate

Code to evaluate XLATE attacks as well existing cache attacks.
C
30
star
24

typesan

TypeSan checks casts in C++ code - code released for CCS 2016
C++
30
star
25

minesweeper

Tools used for MineSweeper project
Python
30
star
26

safeinit

SafeInit protects software from uninitialized read vulnerabilities - code released for NDSS 2017
C++
24
star
27

kmvx

kMVX: Detecting Kernel Information Leaks with Multi-variant Execution
21
star
28

patharmor

C
21
star
29

instrumentation-infra

An extendable and flexible infrastructure for program instrumentation.
Python
20
star
30

mvarmor

Multi-variant execution (MVX) using hardware-assisted process virtualization (with Dune)
C
17
star
31

shalloc

Shared memory allocator
C
16
star
32

tlbdr

C
15
star
33

dangzero

C
15
star
34

tlbkit

some tlb experimentation code: calculate L1, L2 miss penalties and show cross-HT interference.
Python
13
star
35

fpvi-scsb

Rage Against The Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks
C
13
star
36

triereme

Rust
11
star
37

midfat

C++
10
star
38

ramses

Memory address translation library.
C
9
star
39

LookUB

C++
9
star
40

snappy

C++
9
star
41

TIFF

C++
9
star
42

drammer-app

GUI for testing Android phones for the Rowhammer bug
Java
8
star
43

typeisolation

Type-based Data Isolation prototype
C++
8
star
44

vusion

8
star
45

probeguard

ProbeGuard: Mitigating Probing Attacks Through Reactive Program Transformations [ ASPLOS'19 ]
C++
7
star
46

dune

Dune fork
C
7
star
47

poking-holes

Project for the Poking Holes in Information Hiding paper
OCaml
7
star
48

alis

C
7
star
49

LLVMUtils

This repository contains a number of generic LLVM utility functions, setters, and/or getters for use in different LLVM passes.
C++
7
star
50

libshrink

A user-space runtime library to shrink the address space to a specified number of bits.
C++
6
star
51

zebram

C
5
star
52

pibe

PIBE project source code
5
star
53

infra-sanitizers

Configurations for benchmarking sanitizers
Python
5
star
54

qemu-hypercall

QEMU offering the hypercall interface used by HSFI and OSIRIS
C
5
star
55

firestarter

C
4
star
56

aos-labs-2021

Vrije Universiteit Amsterdam - Advanced Operating Systems (OpenLSD)
C
4
star
57

osiris

C
4
star
58

delorean

C
4
star
59

hammertime-fliptables

Rowhammer flip tables collected using Hammertime.
ReScript
4
star
60

instrumentation-skeleton

Skeleton repository for instrumentation-infra users.
Python
4
star
61

Copy-on-Flip

C
4
star
62

aos-labs-2020

Vrije Universiteit Amsterdam - Advanced Operating Systems (OpenLSD)
C
4
star
63

absynthe

ABSynthe related code
Python
3
star
64

minix-llvm

MINIX with the changes from the llvm_squashed branch needed for OSIRIS and HSFI
C
3
star
65

libumem-mvx

libumem fork for MvArmor
C
3
star
66

SCC

The |S|uborbital |C||C|annon compiler fuzzing framework
C++
3
star
67

libdft64-ng

Fork of https://github.com/AngoraFuzzer/libdft64 with support for shadow memory-based tagmap, small set tags, pointer/offset labels, and taint all memory semantics.
C++
3
star
68

dsn-2016-hsfi

C
2
star
69

type-after-type

C++
2
star
70

kamino

OCaml
2
star
71

SpeculationAtFault-AE

Artifact of "Speculation at Fault: Modeling and Testing Microarchitectural Leakage of CPU Exceptions"
C
2
star
72

kdfsan-llvm-project

C++
2
star
73

kdfsan-syzkaller

Go
1
star
74

kdfsan-linux

C
1
star
75

coco-docs

Vrije Universiteit Amsterdam - Compiler Construction (aux docs)
HTML
1
star
76

pirop

PIROP Asterisk exploits
Python
1
star
77

vu-forms-and-templates

VU forms and templates
TeX
1
star
78

uncontained-llvm-project

1
star
79

lldb-dfsan

Debugging DFSan labels with LLDB
Python
1
star