Fixed various typos and missing text in READMEs. Added expected resul…

…ts for bhb_brute_force READMEs
vusec · Apr 12, 2022 · 4f64580 · 4f64580
1 parent 7d23e97
commit 4f64580
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 7 deletions.
diff --git a/pocs/README.md b/pocs/README.md
@@ -145,3 +145,10 @@ Very likely this means that the transient window is too small and thus that the
 
 This step may take a bit of time, especially on the 11th gen. Intel processors. We suggest to wait until ~300'000 tries are made.
 
+#### Assertion `setrlimit(RLIMIT_MEMLOCK, &rlim)==0' failed.
+
+Due to the raw Evict+Reload implementation, this PoC requires 24MB of eBPF maps. On some system this is beyond the allowed limit. To solve this issue ensure your user has the capability `CAP_SYS_RESOURCE`.
+
+
+
+
diff --git a/re/arm/bhb_brute_force/README.md b/re/arm/bhb_brute_force/README.md
@@ -9,6 +9,11 @@ This experiment will perform BHB brute forcing to achieve a twofold objective:
 
 ## How to run
 
+Before compiling, set the the MACRO `IN_PLACE` to `1` or `0` to respectively run the experiment in-place or out-of-place.
+The `IN_PLACE` macro is present in the [src/main.c](src/main.c) file.
+After this, the experiment can be compiled and run as follow:
+
+
 ```
 make TARGET=PIXEL_6
 adb push main.o /data/local/tmp                                                                                                                                                                                                                               
@@ -31,7 +36,7 @@ rwx mem: 0x732c633000
 [Round 663] hits: 66
 [Round 734] hits: 96
 ```
-This means that, on average, after ~100 rounds the brute force managed to find in-place collisions.
+This means that, on average, after ~400 rounds the brute force managed to find in-place collisions.
 
 With `IN_PLACE == 0` (out-of-place) instead we cannot find any collision
 

diff --git a/re/arm/bhi_test/README.md b/re/arm/bhi_test/README.md
@@ -15,7 +15,7 @@ This experiment is meant to be run on a Pixel 6. For this reason ensure to have
 
 ```
 sudo adb reboot bootloader
-sudo adb fastboot boot boot.img
+sudo fastboot boot boot.img
 ```
 
 ## How to run
@@ -44,7 +44,8 @@ Threshold: 100
 hits 906/1000
 ```
 
-This means that by just controlling the user-space history we managed to redirect speculatively a kernel indirect branch 87% of times to an attack-controlled target.
+This means that by just controlling the user-space history we managed to redirect speculatively a kernel indirect branch
+90% of times to an attack-controlled target.
 
 ## Troubleshooting
 
@@ -78,5 +79,5 @@ Use [Magisk](https://github.com/topjohnwu/Magisk) to root the compiled kernel `o
 
 ```
 sudo adb reboot bootloader
-sudo adb fastboot boot boot.img
+sudo fastboot boot boot.img
 ```
diff --git a/re/x64/bhb_brute_force/README.md b/re/x64/bhb_brute_force/README.md
@@ -9,14 +9,18 @@ This experiment will perform BHB brute forcing to achieve a twofold objective:
 
 ## How to run
 
+Before compiling, set the the MACRO `IN_PLACE` to `1` or `0` to respectively run the experiment in-place or out-of-place.
+The `IN_PLACE` macro is present in the [src/main.c](src/main.c) file.
+After this, the experiment can be compiled and run as follow:
+
 ```
 make TARGET=INTEL_10_GEN #or INTEL_11_GEN
 ./run.sh
 ```
 
 ## Expected output
 
-With `IN_PLACE == 1`:
+With `IN_PLACE == 1` (in-place):
 
 ```
 [Round        21955]hits:      100/100  round:    21955 ind_branches={0x7f472e1f391c,0x7f472e1f391c}
@@ -25,7 +29,7 @@ With `IN_PLACE == 1`:
 [Round         1589]hits:      100/100  round:     1589 ind_branches={0x7f472e1f391c,0x7f472e1f391c}
 [Round         4921]hits:       99/100  round:     4921 ind_branches={0x7f472e1f391c,0x7f472e1f391c}
 ```
-This means that, on average, after ~10k rounds the brute force managed to find in-place collisions.
+This means that, on average, after ~16k rounds the brute force managed to find in-place collisions.
 
 With `IN_PLACE == 0` (out-of-place): 
 
@@ -36,7 +40,12 @@ With `IN_PLACE == 0` (out-of-place):
 [Round         4892]hits:      100/100  round:     4892 ind_branches={0x7fbb1378d96d,0x7fbb22fc9c2d}
 [Round        10733]hits:      100/100  round:    10733 ind_branches={0x7fbb1378d96d,0x7fbac888e5c1}
 ```
-This means that, on average, after ~10k rounds the brute force managed to find out-of-place collisions.
+This means that, on average, after ~16k rounds the brute force managed to find out-of-place collisions.
+
+For both in-place and out-of-place experiments, the expected average iterations before a collision are:
+
+* 16384 (2^14) for Intel 10th gen
+* 131072 (2^17) for Intel 11th gen
 
 ## Troubleshooting