• Stars
    star
    362
  • Rank 117,671 (Top 3 %)
  • Language
    C
  • License
    Apache License 2.0
  • Created over 7 years ago
  • Updated over 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Reverse Engineering Page Table Caches in Your Processor

Introduction

This directory contains the source code for both anc and revanc. anc is an implementation of the ASLR^Cache (AnC) attack which is an EVICT+TIME side-channel attack on the MMU. AnC relies on the fact that page table lookups by the MMU are stored in the last level cache (LLC) in order to speed up the next required translation. By flushing parts of the LLC and timing the page table lookup, AnC can identify which parts of the LLC store page tables. On top of flushing the LLC, AnC also needs to flush the TLB as well as page table caches. Since the information on the size of the TLB and the LCC is available, the AnC attack can be used to reverse engineer the properties of the page table caches that are of interest to attackers, like their internal architecure and size. revanc is an implemention that retrofits AnC to acquire this information.

With anc, we have demonstrated that numerous x86-64, ARMv7-A and ARMv8-A microarchitectures are affected by the AnC attack. Furthermore, with revanc we have been able to detect the existence of page table caches and the amount of entries that they contain on these microarchitectures. As the code is written with portability in mind, it should be easy to add support for other potentially affected platforms that share a similar MMU design.

We invite you to visit our project page for more information.

Usage

To build the code, simply type:

make

After the code has been built, the anc and revanc programs should be available in the obj directory.

The results generated by the anc program by plotted as MMU-grams using the Python 3 script provided. As this script depends on numpy and matplotlib, these dependencies should be installed first:

sudo apt-get install python3-numpy python3-matplotlib

Then after running the anc program, the script can be run as follows:

scripts/plot.py

The script will then generate a file named mmugram.pdf.

Examples

On x86-64, the cpuid instruction is used to automatically detect the sizes of the caches and the TLBs. As such, it is often sufficient ro anc without any arguments:

./obj/anc

However, since the TLB sizes are also used as a guideline to evict the page table or translation caches, it is sometimes necessary to specify the sizes of these caches. While Intel Ivy Bridge and older microarchitectures do implement a translation cache for PDPTEs, there either is no TLB to cache 1G huge pages, or cpuid does not report its existence. As such we have to specify that this cache consists of four entries manually:

./obj/anc --pl3-entries=4

Similarly, several AMD microarchitectures implement a page table cache with 24 entries:

./obj/anc --pl2-entries=24

With the revanc program, these page table and translation caches can be reverse engineered. However, to optimise the results it is currently advised to specify the virtual address:

./obj/revanc --target=0x222e2599000 --runs=10

For ARMv7-A and ARMv8-A, the sizes of the caches and TLBs cannot be determined automatically yet. As such, it is important to specify these manually. Further, while the ARMv7-A and ARMv8-A platforms do offer Performance Monitoring Units with a register similar to the Timestamp Counter on x86-64, this is not used as it is not accessible from user mode by default. On these platforms a thread that increments a volatile global variable simulating a cycle counter is used instead. Hence it is important to take more timing samples (e.g. 100 rather than the default of 10). For instance, for the Nvidia Tegra K1 the following can be used:

./obj/revanc --target=0x10040000 --evict-target=0x80000000 --runs=10 --cache-size=4M --pl1-entries1=544 --rounds=100

Some ARMv7-A platforms have Large Physical Address Extensions enabled. If this is the case, then the arm-lpae page format has to be specified as well:

./obj/revanc --target=0x10040000 --evict-target=0x80000000 --runs=10 --cache-size=4M --pl1-entries1=544 --page-format=arm-lpae --rounds=100

On ARMv8-A another target address is recommended. For instance, for the Allwinner A64, the following can be used:

./obj/revanc --target=0x116565000 --runs=10 --cache-size=2M --pl1-entries=522 --rounds=100

Frequently Asked Questions (FAQ)

Q. What processor architectures are currently supported/affected?

The anc and revanc can currently be built for and run on the x86-64, ARMv7-A and ARMv8-A architectures and show that these architectures are affected.

Q. What operating systems are currently supported?

The code can currently be built for BSD, Linux, Mac OS X and Microsoft Windows (using MSYS 2).

Q. Does this attack work on hardened systems with ASLR enabled?

Yes, the native implementation of the attack has been reported to work on an Intel Xeon E3-1505M v5 running HardenedBSD/amd64 (thanks to Shawn Webb).

Q. Does this attack work in virtualised environments?

Yes, we have run this attack within KVM guests running Linux on an Intel Atom C2750 and an Intel Xeon E5-2658 v2. In fact, because the hypervisor makes use of the MMU as well, the page table and/or translation cache(c) used by the MMU may end up being (partially) evicted already, amplifyingthe AnC attack. However, because the MMU is used by the hypervisor as well, the revanc program cannot reliably determine the sizes of these caches.

For other questions, please refer to the project page first.

More Repositories

1

drammer

Native binary for testing Android phones for the Rowhammer bug
C++
478
star
2

vuzzer

C
379
star
3

ridl

RIDL test suite and exploits
C
345
star
4

vuzzer64

This implements a 64-bit version of vusec/vuzzer fuzzing tool.
C++
175
star
5

parmesan

ParmeSan: Sanitizer-guided Greybox Fuzzing
C++
167
star
6

hammertime

C
141
star
7

trrespass

TRRespass
C
119
star
8

bhi-spectre-bhb

This repository contains exploit and reverse-engineering source code regarding the Spectre-BHB/Branch History Injection vulnerability
C
101
star
9

guardion

Android GuardION patches to mitigate DMA-based Rowhammer attacks on ARM
C++
75
star
10

collabfuzz

CollabFuzz: A Framework for Collaborative Fuzzing
C++
66
star
11

dangsan

C++
62
star
12

floatzone

C
61
star
13

pandacap

A framework for streamlining the capture of PANDA execution traces.
Shell
55
star
14

slam

Spectre based on Linear Address Masking
C
53
star
15

deltapointers

Delta Pointers: Buffer Overflow Checks Without the Checks (EuroSys'18)
C++
51
star
16

kasper

Kasper: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel
C
51
star
17

smash

C
46
star
18

memsentry

Open-source release for MemSentry (EuroSys'17)
C
44
star
19

typearmor

Implementation of our S&P16 paper: A Tough Call: Mitigating Advanced Code-Reuse Attacks
C
43
star
20

uncontained

Uncovering Container Confusion in the Linux Kernel
C++
41
star
21

inspectre-gadget

InSpectre Gadget: in-depth inspection and exploitability analysis of Spectre disclosure gadgets
Python
39
star
22

blindside

C
32
star
23

xlate

Code to evaluate XLATE attacks as well existing cache attacks.
C
30
star
24

typesan

TypeSan checks casts in C++ code - code released for CCS 2016
C++
30
star
25

minesweeper

Tools used for MineSweeper project
Python
30
star
26

safeinit

SafeInit protects software from uninitialized read vulnerabilities - code released for NDSS 2017
C++
24
star
27

kmvx

kMVX: Detecting Kernel Information Leaks with Multi-variant Execution
21
star
28

patharmor

C
21
star
29

instrumentation-infra

An extendable and flexible infrastructure for program instrumentation.
Python
20
star
30

mvarmor

Multi-variant execution (MVX) using hardware-assisted process virtualization (with Dune)
C
17
star
31

shalloc

Shared memory allocator
C
16
star
32

tlbdr

C
15
star
33

dangzero

C
15
star
34

tlbkit

some tlb experimentation code: calculate L1, L2 miss penalties and show cross-HT interference.
Python
13
star
35

fpvi-scsb

Rage Against The Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks
C
13
star
36

triereme

Rust
11
star
37

midfat

C++
10
star
38

ramses

Memory address translation library.
C
9
star
39

LookUB

C++
9
star
40

snappy

C++
9
star
41

TIFF

C++
9
star
42

drammer-app

GUI for testing Android phones for the Rowhammer bug
Java
8
star
43

typeisolation

Type-based Data Isolation prototype
C++
8
star
44

vusion

8
star
45

probeguard

ProbeGuard: Mitigating Probing Attacks Through Reactive Program Transformations [ ASPLOS'19 ]
C++
7
star
46

dune

Dune fork
C
7
star
47

poking-holes

Project for the Poking Holes in Information Hiding paper
OCaml
7
star
48

alis

C
7
star
49

LLVMUtils

This repository contains a number of generic LLVM utility functions, setters, and/or getters for use in different LLVM passes.
C++
7
star
50

libshrink

A user-space runtime library to shrink the address space to a specified number of bits.
C++
6
star
51

zebram

C
5
star
52

pibe

PIBE project source code
5
star
53

infra-sanitizers

Configurations for benchmarking sanitizers
Python
5
star
54

qemu-hypercall

QEMU offering the hypercall interface used by HSFI and OSIRIS
C
5
star
55

firestarter

C
4
star
56

aos-labs-2021

Vrije Universiteit Amsterdam - Advanced Operating Systems (OpenLSD)
C
4
star
57

osiris

C
4
star
58

delorean

C
4
star
59

hammertime-fliptables

Rowhammer flip tables collected using Hammertime.
ReScript
4
star
60

instrumentation-skeleton

Skeleton repository for instrumentation-infra users.
Python
4
star
61

Copy-on-Flip

C
4
star
62

aos-labs-2020

Vrije Universiteit Amsterdam - Advanced Operating Systems (OpenLSD)
C
4
star
63

absynthe

ABSynthe related code
Python
3
star
64

minix-llvm

MINIX with the changes from the llvm_squashed branch needed for OSIRIS and HSFI
C
3
star
65

libumem-mvx

libumem fork for MvArmor
C
3
star
66

SCC

The |S|uborbital |C||C|annon compiler fuzzing framework
C++
3
star
67

libdft64-ng

Fork of https://github.com/AngoraFuzzer/libdft64 with support for shadow memory-based tagmap, small set tags, pointer/offset labels, and taint all memory semantics.
C++
3
star
68

dsn-2016-hsfi

C
2
star
69

type-after-type

C++
2
star
70

kamino

OCaml
2
star
71

SpeculationAtFault-AE

Artifact of "Speculation at Fault: Modeling and Testing Microarchitectural Leakage of CPU Exceptions"
C
2
star
72

kdfsan-llvm-project

C++
2
star
73

kdfsan-syzkaller

Go
1
star
74

kdfsan-linux

C
1
star
75

coco-docs

Vrije Universiteit Amsterdam - Compiler Construction (aux docs)
HTML
1
star
76

pirop

PIROP Asterisk exploits
Python
1
star
77

vu-forms-and-templates

VU forms and templates
TeX
1
star
78

uncontained-llvm-project

1
star
79

lldb-dfsan

Debugging DFSan labels with LLDB
Python
1
star