This package contains files required to reproduce the SMoTherSpectre exploit proof-of-concept on Skylake processors. For more details please refer to the short description or the arXiv paper. This work is a collaboration between the EPFL HexHive and PARSA labs, and IBM Research Zurich and joint work between Atri Bhattacharyya, Alexandra Sandulescu, Matthias Neugschwandtner, Alessandro Sorniotti, Babak Falsafi, Mathias Payer, and Anil Kurmus.
The PoC will run NEXPTS experiments, each of which aims to leak a bit randomly generated by the victim.
For each bit, the attacker runs SMoTherSpectre for the same victim secret NSAMPLES times to get that many timing samples. Finally, it uses the mean of the samples to guess the secret bit.
The victim's secret file and attacker_guess.csv are generated on each run. On each line, the victim writes its secret, and the attacker its corresponding guess. We compare these files to calculate the attacker's
process.py (as described later) runs SMoTherSpectre for NEXPTS=1000 and for NSAMPLES in the range of one to nine. Finally, it prints the attacker's accuracy in guessing the victim's secret (a randomly generated 0 or 1) for each value of NSAMPLES. On the lower side, an accuracy of around 0.5 (or lower) implies failure on the attacker's part, as any blind attacker always guessing the same value will be correct ~50% of the time. On the higher side, the attacker should be able to guess the victim's secret with
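The accuracy computation described above, as an added illustration that is not part of the SMoTherSpectre package: parse_bits/accuracy compare a victim secret file with attacker_guess.csv line by line, and simulate() shows, on constructed Gaussian timing data (an assumption, not the PoC's real measurements; the threshold used by guess_bit is likewise assumed), why averaging NSAMPLES samples lifts the accuracy away from the 0.5 blind-guess baseline.

```python
"""Added illustration (not part of the SMoTherSpectre package): how the
README's accuracy figure is computed, and why it rises with NSAMPLES."""
import random
from statistics import mean


def parse_bits(csv_text):
    """One 0/1 value per line, as the victim/attacker files are described."""
    return [int(line.strip()) for line in csv_text.splitlines() if line.strip()]


def accuracy(secrets, guesses):
    """Fraction of experiments where the attacker's guess equals the victim's bit."""
    if len(secrets) != len(guesses):
        raise ValueError("secret and guess files must have the same number of lines")
    return sum(s == g for s, g in zip(secrets, guesses)) / len(secrets)


def guess_bit(samples, threshold):
    """Decision rule from the README: guess from the mean of NSAMPLES timings.
    The threshold is an assumption of this example; the real PoC derives its own."""
    return 1 if mean(samples) > threshold else 0


def simulate(nexpts, nsamples, mu0=100.0, mu1=110.0, sigma=20.0, seed=1):
    """Constructed model (not the PoC's real timings): samples for bit b are
    Gaussian with mean mu_b; the noise sigma exceeds the gap mu1 - mu0."""
    rng = random.Random(seed)
    threshold = (mu0 + mu1) / 2
    secrets, guesses = [], []
    for _ in range(nexpts):
        bit = rng.randint(0, 1)                      # victim's random secret
        samples = [rng.gauss(mu1 if bit else mu0, sigma) for _ in range(nsamples)]
        secrets.append(bit)
        guesses.append(guess_bit(samples, threshold))
    return accuracy(secrets, guesses)


if __name__ == "__main__":
    # Constructed sample files: 3 of 4 guesses correct -> 0.75
    print(accuracy(parse_bits("0\n1\n1\n0\n"), parse_bits("0\n1\n0\n0\n")))
    for n in range(1, 10):                           # NSAMPLES = 1..9 as in process.py
        print(n, simulate(1000, n))
```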
This has been tested on an i5-6200u (stepping 3) CPU running Ubuntu under the following combinations of distro, kernel and microcode.
To run this package, the required packages include:
- octave (optional, only if you want to run plot_hist.m)
Apart from the above, we shall require the standard set of packages (e.g.
How to run
- Set a constant CPU frequency by writing performance to the per-core scaling_governor files (where * in the path represents a core number)
- Disable turbo boost (by writing
- Load the msr kernel module if using PMC (
- Set CORE0 and CORE1 in the Makefile to two logical cores on the same physical core. For example, on a 4-core (hyperthreaded) CPU, cores 1 and 5 might share the same physical core.
- ./process.py (as sudo)
- (optional) Open octave/matlab to run plot_hist.m
Description of included files
- attacker.c : Core of SMoTherSpectre attack. Poisons BTB, times CRC32 instructions
- victim.c : Victim core. BTI gadget and SMoTher gadget.
- orchestrator.c : Setup and launch attacker, victim
- skeleton.c : Surrounding code for attacker/victim. Includes synchronization, PMC setup (if used) and dumping data to files
- process.py : Run the experiment for NSAMPLES varying between 1 and 10
- macros.h : Macros for assembly sequences used
- pmc.h : PMC (performance monitoring counters) header file
- pmc.c : Implementation of PMC access functions
- synch.h : Lightweight synchronization of processes based on shared memory
- util.h : Simple utilities
- Makefile : The usual
- musl-gcc.specs : Specs for musl-libc
- plot_hist.m : Plot histograms of attacker timings corresponding to different attacker secrets
- By default, the PoC enables the collection of PMC stats for the victim. victim_pmcN.csv will contain statistics corresponding to the counters specified in skeleton.c. As shipped, victim_pmc0.csv will contain cycles for ARITH.DIVIDER_ACTIVE. On supporting CPUs, victim_pmc1.csv will hold a non-zero value for every run where BTI succeeded.
- Loading the msr kernel module is solely to collect additional victim stats not used for the attack.
- To disable PMC stats, change the
- The SMoTher gadget uses SMoTher-differentiable instruction sequences (specific to Skylake processors). For non-Skylake processors, you might have to select corresponding SMoTher-differentiable sequences in place of the Skylake ones.
For more details, refer to the paper.
- To use the base microcode, disable microcode updates at boot time by the