spectreScope

A demo of the Spectre speculative execution attack (CVE-2017-5753, CVE-2017-5715).

Tested On

  • macOS

      Intel
          - Apple MacBook Pro Retina, 15-inch, Late 2013
          - macOS High Sierra 10.13.2
          - 1 Intel(R) Core(TM) i7-4750HQ CPU @ 2.00GHz
          - git 2.14.3
          - cmake 3.10.1
          - Xcode 9.2
    
  • Linux

      Intel
          - HP ProLiant BL660C GEN8
          - VHS server on VMware ESXi
          - Red Hat Enterprise Linux Server 7.4 / GNU/Linux 3.10.0-693.1.1.el7.x86_64
          - 2 Intel(R) Xeon(R) CPU E5-4620 @ 2.20GHz
          - git 1.9.4
          - cmake 2.8.12.2
          - GCC 5.3.1
    
          - HP ProLiant DL380 G7
          - Red Hat Enterprise Linux Server 7.4 / GNU/Linux 3.10.0-693.1.1.el7.x86_64
          - 2 Intel(R) Xeon(R) CPU X5680 @ 3.33GHz
          - git 1.9.4
          - cmake 2.8.12.2
          - GCC 5.3.1
    
          - DigitalOcean 5$ Droplet
          - CentOS Linux 7.4.1708 / GNU/Linux 3.10.0-693.11.6.el7.x86_64
          - 1 Intel(R) Xeon(R) CPU E5-2630L v2 @ 2.40GHz
          - git 1.8.3.1
          - cmake 2.8.12.2
          - GCC 4.8.5
    
  • Oracle Solaris

      Intel
          - HP ProLiant DL380 G7
          - Oracle Solaris 10
          - 2 Intel(R) Xeon(R) CPU X5680 @ 3.33GHz
          - git 1.9.4
          - cmake 2.8.12.2
          - Oracle Solaris Studio 12.3
    
      AMD
          - Sun Fire X4600 M2
          - Oracle Solaris 10
          - 4 AMD Opteron(tm) CPU 8220 @ 2.8GHz
          - git 1.9.4
          - cmake 2.8.12.2
          - Oracle Solaris Studio 12.3
    
      SPARC (NOT REPRODUCED!)
          - Sun SPARC Enterprise M5000 Server
          - Oracle Solaris 10
          - 4 SPARC v9 CPU @ 2.15GHz
          - git 1.9.4
          - cmake 2.8.12.2
          - Oracle Solaris Studio 12.3
    
  • Windows

    Support for this platform is implemented but has not been tested yet.

Preconditions

The following applications must be installed:

  • Git;
  • CMake;
  • C++ compiler: GCC, Clang, Xcode, Oracle Solaris Studio, Microsoft Visual Studio.

Build & Run

git clone git@github.com:ixtal23/spectreScope.git
cd spectreScope
./build.sh
./run.sh

Results

Apple MacBook Pro Retina, 15-inch, Late 2013, macOS High Sierra 10.13.2, Intel(R) Core(TM) i7-4750HQ CPU @ 2.00GHz

dev$ git --version
git version 2.14.3 (Apple Git-98)
dev$ cmake --version
cmake version 3.10.1
CMake suite maintained and supported by Kitware (kitware.com/cmake).
dev$ xcodebuild -version
Xcode 9.2
Build version 9C40b
dev$ git clone git@github.com:ixtal23/spectreScope.git
Cloning into 'spectreScope'...
remote: Counting objects: 39, done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 39 (delta 16), reused 32 (delta 12), pack-reused 0
Receiving objects: 100% (39/39), 13.66 KiB | 1.71 MiB/s, done.
Resolving deltas: 100% (16/16), done.
dev$ cd spectreScope
spectreScope$ ./build.sh
-- The CXX compiler identification is AppleClang 9.0.0.9000039
-- Check for working CXX compiler: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/c++
-- Check for working CXX compiler: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Generating done
-- Configuring done
-- Build files have been written to: /Users/user/Documents/dev/spectreScope/cmake.build
/opt/local/bin/cmake -H/Users/user/Documents/dev/spectreScope -B/Users/user/Documents/dev/spectreScope/cmake.build --check-build-system CMakeFiles/Makefile.cmake 0
/opt/local/bin/cmake -E cmake_progress_start /Users/user/Documents/dev/spectreScope/cmake.build/CMakeFiles /Users/user/Documents/dev/spectreScope/cmake.build/CMakeFiles/progress.marks
/Applications/Xcode.app/Contents/Developer/usr/bin/make -f CMakeFiles/Makefile2 all
/Applications/Xcode.app/Contents/Developer/usr/bin/make -f CMakeFiles/spectreScope.dir/build.make CMakeFiles/spectreScope.dir/depend
cd /Users/user/Documents/dev/spectreScope/cmake.build && /opt/local/bin/cmake -E cmake_depends "Unix Makefiles" /Users/user/Documents/dev/spectreScope /Users/user/Documents/dev/spectreScope /Users/user/Documents/dev/spectreScope/cmake.build /Users/user/Documents/dev/spectreScope/cmake.build /Users/user/Documents/dev/spectreScope/cmake.build/CMakeFiles/spectreScope.dir/DependInfo.cmake --color=
Scanning dependencies of target spectreScope
/Applications/Xcode.app/Contents/Developer/usr/bin/make -f CMakeFiles/spectreScope.dir/build.make CMakeFiles/spectreScope.dir/build
[ 50%] Building CXX object CMakeFiles/spectreScope.dir/src/main.cpp.o
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/c++    -O3 -DNDEBUG   -o CMakeFiles/spectreScope.dir/src/main.cpp.o -c /Users/user/Documents/dev/spectreScope/src/main.cpp
[100%] Linking CXX executable spectreScope
/opt/local/bin/cmake -E cmake_link_script CMakeFiles/spectreScope.dir/link.txt --verbose=1
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/c++  -O3 -DNDEBUG -Wl,-search_paths_first -Wl,-headerpad_max_install_names  CMakeFiles/spectreScope.dir/src/main.cpp.o  -o spectreScope
[100%] Built target spectreScope
/opt/local/bin/cmake -E cmake_progress_start /Users/user/Documents/dev/spectreScope/cmake.build/CMakeFiles 0
/opt/local/bin/cmake -H/Users/user/Documents/dev/spectreScope -B/Users/user/Documents/dev/spectreScope/cmake.build --check-build-system CMakeFiles/Makefile.cmake 0
/opt/local/bin/cmake -E cmake_progress_start /Users/user/Documents/dev/spectreScope/cmake.build/CMakeFiles /Users/user/Documents/dev/spectreScope/cmake.build/CMakeFiles/progress.marks
/Applications/Xcode.app/Contents/Developer/usr/bin/make -f CMakeFiles/Makefile2 all
/Applications/Xcode.app/Contents/Developer/usr/bin/make -f CMakeFiles/spectreScope.dir/build.make CMakeFiles/spectreScope.dir/depend
cd /Users/user/Documents/dev/spectreScope/cmake.build && /opt/local/bin/cmake -E cmake_depends "Unix Makefiles" /Users/user/Documents/dev/spectreScope /Users/user/Documents/dev/spectreScope /Users/user/Documents/dev/spectreScope/cmake.build /Users/user/Documents/dev/spectreScope/cmake.build /Users/user/Documents/dev/spectreScope/cmake.build/CMakeFiles/spectreScope.dir/DependInfo.cmake --color=
/Applications/Xcode.app/Contents/Developer/usr/bin/make -f CMakeFiles/spectreScope.dir/build.make CMakeFiles/spectreScope.dir/build
make[2]: Nothing to be done for `CMakeFiles/spectreScope.dir/build'.
[100%] Built target spectreScope
/opt/local/bin/cmake -E cmake_progress_start /Users/user/Documents/dev/spectreScope/cmake.build/CMakeFiles 0
/Applications/Xcode.app/Contents/Developer/usr/bin/make -f CMakeFiles/Makefile2 preinstall
make[1]: Nothing to be done for `preinstall'.
Install the project...
/opt/local/bin/cmake -P cmake_install.cmake
-- Install configuration: "Release"
-- Installing: /Users/user/Documents/dev/spectreScope/bin/spectreScope
spectreScope$ ./run.sh
Spectre Attack
Reading 44 bytes
 1 reading at malicious_x=0xfffffffffffffe6a: success value=0x59 [ Y ] score=  2
 2 reading at malicious_x=0xfffffffffffffe6b: success value=0x6f [ o ] score=  9, second best value=0x01 [ ? ] score=  2
 3 reading at malicious_x=0xfffffffffffffe6c: success value=0x75 [ u ] score=  9, second best value=0x01 [ ? ] score=  2
 4 reading at malicious_x=0xfffffffffffffe6d: success value=0x72 [ r ] score=  2
 5 reading at malicious_x=0xfffffffffffffe6e: success value=0x20 [   ] score=  2
 6 reading at malicious_x=0xfffffffffffffe6f: success value=0x43 [ C ] score=  2
 7 reading at malicious_x=0xfffffffffffffe70: success value=0x50 [ P ] score=  2
 8 reading at malicious_x=0xfffffffffffffe71: success value=0x55 [ U ] score=  2
 9 reading at malicious_x=0xfffffffffffffe72: success value=0x20 [   ] score=  2
10 reading at malicious_x=0xfffffffffffffe73: success value=0x69 [ i ] score=  2
11 reading at malicious_x=0xfffffffffffffe74: success value=0x73 [ s ] score=  2
12 reading at malicious_x=0xfffffffffffffe75: success value=0x20 [   ] score=  2
13 reading at malicious_x=0xfffffffffffffe76: success value=0x63 [ c ] score=  2
14 reading at malicious_x=0xfffffffffffffe77: success value=0x72 [ r ] score=  2
15 reading at malicious_x=0xfffffffffffffe78: success value=0x61 [ a ] score=  2
16 reading at malicious_x=0xfffffffffffffe79: success value=0x70 [ p ] score=  2
17 reading at malicious_x=0xfffffffffffffe7a: success value=0x2e [ . ] score=  2
18 reading at malicious_x=0xfffffffffffffe7b: success value=0x20 [   ] score=  2
19 reading at malicious_x=0xfffffffffffffe7c: success value=0x54 [ T ] score=  2
20 reading at malicious_x=0xfffffffffffffe7d: success value=0x68 [ h ] score=  2
21 reading at malicious_x=0xfffffffffffffe7e: success value=0x61 [ a ] score=  2
22 reading at malicious_x=0xfffffffffffffe7f: success value=0x6e [ n ] score=  2
23 reading at malicious_x=0xfffffffffffffe80: success value=0x6b [ k ] score=  2
24 reading at malicious_x=0xfffffffffffffe81: success value=0x20 [   ] score=  2
25 reading at malicious_x=0xfffffffffffffe82: success value=0x79 [ y ] score=  2
26 reading at malicious_x=0xfffffffffffffe83: success value=0x6f [ o ] score=  2
27 reading at malicious_x=0xfffffffffffffe84: success value=0x75 [ u ] score=  2
28 reading at malicious_x=0xfffffffffffffe85: success value=0x20 [   ] score=  2
29 reading at malicious_x=0xfffffffffffffe86: success value=0x76 [ v ] score=  2
30 reading at malicious_x=0xfffffffffffffe87: success value=0x65 [ e ] score=  2
31 reading at malicious_x=0xfffffffffffffe88: success value=0x72 [ r ] score=  2
32 reading at malicious_x=0xfffffffffffffe89: success value=0x79 [ y ] score=  2
33 reading at malicious_x=0xfffffffffffffe8a: success value=0x20 [   ] score=  2
34 reading at malicious_x=0xfffffffffffffe8b: success value=0x6d [ m ] score=  2
35 reading at malicious_x=0xfffffffffffffe8c: success value=0x75 [ u ] score=  2
36 reading at malicious_x=0xfffffffffffffe8d: success value=0x63 [ c ] score=  2
37 reading at malicious_x=0xfffffffffffffe8e: success value=0x68 [ h ] score=  2
38 reading at malicious_x=0xfffffffffffffe8f: success value=0x20 [   ] score=  2
39 reading at malicious_x=0xfffffffffffffe90: success value=0x49 [ I ] score=  2
40 reading at malicious_x=0xfffffffffffffe91: success value=0x6e [ n ] score=  2
41 reading at malicious_x=0xfffffffffffffe92: success value=0x74 [ t ] score=  2
42 reading at malicious_x=0xfffffffffffffe93: success value=0x65 [ e ] score=  2
43 reading at malicious_x=0xfffffffffffffe94: success value=0x6c [ l ] score=  2
44 reading at malicious_x=0xfffffffffffffe95: success value=0x21 [ ! ] score=  2
spectreScope$

DigitalOcean 5$ Droplet, CentOS Linux 7.4.1708, Intel(R) Xeon(R) CPU E5-2630L v2 @ 2.40GHz

spectreScope$ git --version
git version 1.8.3.1
spectreScope$ cmake --version
cmake version 2.8.12.2
spectreScope$ gcc --version
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-16)
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
spectreScope$ ./build.sh
-- The CXX compiler identification is GNU 4.8.5
-- Check for working CXX compiler: g++
-- Check for working CXX compiler: g++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Configuring done
-- Generating done
-- Build files have been written to: /home/user/spectreScope/cmake.build
/usr/bin/cmake -H/home/user/spectreScope -B/home/user/spectreScope/cmake.build --check-build-system CMakeFiles/Makefile.cmake 0
/usr/bin/cmake -E cmake_progress_start /home/user/spectreScope/cmake.build/CMakeFiles /home/user/spectreScope/cmake.build/CMakeFiles/progress.marks
make -f CMakeFiles/Makefile2 all
make[1]: Entering directory `/home/user/spectreScope/cmake.build'
make -f CMakeFiles/spectreScope.dir/build.make CMakeFiles/spectreScope.dir/depend
make[2]: Entering directory `/home/user/spectreScope/cmake.build'
cd /home/user/spectreScope/cmake.build && /usr/bin/cmake -E cmake_depends "Unix Makefiles" /home/user/spectreScope /home/user/spectreScope /home/user/spectreScope/cmake.build /home/user/spectreScope/cmake.build /home/user/spectreScope/cmake.build/CMakeFiles/spectreScope.dir/DependInfo.cmake --color=
Scanning dependencies of target spectreScope
make[2]: Leaving directory `/home/user/spectreScope/cmake.build'
make -f CMakeFiles/spectreScope.dir/build.make CMakeFiles/spectreScope.dir/build
make[2]: Entering directory `/home/user/spectreScope/cmake.build'
/usr/bin/cmake -E cmake_progress_report /home/user/spectreScope/cmake.build/CMakeFiles 1
[100%] Building CXX object CMakeFiles/spectreScope.dir/src/main.cpp.o
/usr/bin/g++    -march=native -m64 -std=c++11 -Werror -O3 -g0   -o CMakeFiles/spectreScope.dir/src/main.cpp.o -c /home/user/spectreScope/src/main.cpp
Linking CXX executable spectreScope
/usr/bin/cmake -E cmake_link_script CMakeFiles/spectreScope.dir/link.txt --verbose=1
/usr/bin/g++    -march=native -m64 -std=c++11 -Werror -O3 -g0    CMakeFiles/spectreScope.dir/src/main.cpp.o  -o spectreScope -rdynamic 
make[2]: Leaving directory `/home/user/spectreScope/cmake.build'
/usr/bin/cmake -E cmake_progress_report /home/user/spectreScope/cmake.build/CMakeFiles  1
[100%] Built target spectreScope
make[1]: Leaving directory `/home/user/spectreScope/cmake.build'
/usr/bin/cmake -E cmake_progress_start /home/user/spectreScope/cmake.build/CMakeFiles 0
/usr/bin/cmake -H/home/user/spectreScope -B/home/user/spectreScope/cmake.build --check-build-system CMakeFiles/Makefile.cmake 0
/usr/bin/cmake -E cmake_progress_start /home/user/spectreScope/cmake.build/CMakeFiles /home/user/spectreScope/cmake.build/CMakeFiles/progress.marks
make -f CMakeFiles/Makefile2 all
make[1]: Entering directory `/home/user/spectreScope/cmake.build'
make -f CMakeFiles/spectreScope.dir/build.make CMakeFiles/spectreScope.dir/depend
make[2]: Entering directory `/home/user/spectreScope/cmake.build'
cd /home/user/spectreScope/cmake.build && /usr/bin/cmake -E cmake_depends "Unix Makefiles" /home/user/spectreScope /home/user/spectreScope /home/user/spectreScope/cmake.build /home/user/spectreScope/cmake.build /home/user/spectreScope/cmake.build/CMakeFiles/spectreScope.dir/DependInfo.cmake --color=
make[2]: Leaving directory `/home/user/spectreScope/cmake.build'
make -f CMakeFiles/spectreScope.dir/build.make CMakeFiles/spectreScope.dir/build
make[2]: Entering directory `/home/user/spectreScope/cmake.build'
make[2]: Nothing to be done for `CMakeFiles/spectreScope.dir/build'.
make[2]: Leaving directory `/home/user/spectreScope/cmake.build'
/usr/bin/cmake -E cmake_progress_report /home/user/spectreScope/cmake.build/CMakeFiles  1
[100%] Built target spectreScope
make[1]: Leaving directory `/home/user/spectreScope/cmake.build'
/usr/bin/cmake -E cmake_progress_start /home/user/spectreScope/cmake.build/CMakeFiles 0
make -f CMakeFiles/Makefile2 preinstall
make[1]: Entering directory `/home/user/spectreScope/cmake.build'
make[1]: Nothing to be done for `preinstall'.
make[1]: Leaving directory `/home/user/spectreScope/cmake.build'
Install the project...
/usr/bin/cmake -P cmake_install.cmake
-- Install configuration: "Release"
-- Installing: /home/user/spectreScope/bin/spectreScope
spectreScope$ ./run.sh
Spectre Attack
Reading 44 bytes
 1 reading at malicious_x=0xffffffffffdff840: success value=0x59 [ Y ] score= 11, second best value=0x01 [ ? ] score=  3
 2 reading at malicious_x=0xffffffffffdff841: success value=0x6f [ o ] score=  2
 3 reading at malicious_x=0xffffffffffdff842: success value=0x75 [ u ] score=  2
 4 reading at malicious_x=0xffffffffffdff843: success value=0x72 [ r ] score=  2
 5 reading at malicious_x=0xffffffffffdff844: success value=0x20 [   ] score=  2
 6 reading at malicious_x=0xffffffffffdff845: success value=0x43 [ C ] score= 15, second best value=0x01 [ ? ] score=  5
 7 reading at malicious_x=0xffffffffffdff846: success value=0x50 [ P ] score=  2
 8 reading at malicious_x=0xffffffffffdff847: success value=0x55 [ U ] score= 95, second best value=0x02 [ ? ] score= 45
 9 reading at malicious_x=0xffffffffffdff848: success value=0x20 [   ] score=  2
10 reading at malicious_x=0xffffffffffdff849: success value=0x69 [ i ] score=  7, second best value=0x02 [ ? ] score=  1
11 reading at malicious_x=0xffffffffffdff84a: success value=0x73 [ s ] score=  2
12 reading at malicious_x=0xffffffffffdff84b: success value=0x20 [   ] score= 11, second best value=0x02 [ ? ] score=  3
13 reading at malicious_x=0xffffffffffdff84c: success value=0x63 [ c ] score=  2
14 reading at malicious_x=0xffffffffffdff84d: success value=0x72 [ r ] score= 73, second best value=0x02 [ ? ] score= 34
15 reading at malicious_x=0xffffffffffdff84e: success value=0x61 [ a ] score=  2
16 reading at malicious_x=0xffffffffffdff84f: success value=0x70 [ p ] score=  7, second best value=0x02 [ ? ] score=  1
17 reading at malicious_x=0xffffffffffdff850: success value=0x2e [ . ] score=  2
18 reading at malicious_x=0xffffffffffdff851: success value=0x20 [   ] score= 43, second best value=0x02 [ ? ] score= 19
19 reading at malicious_x=0xffffffffffdff852: success value=0x54 [ T ] score=  2
20 reading at malicious_x=0xffffffffffdff853: success value=0x68 [ h ] score= 57, second best value=0x02 [ ? ] score= 26
21 reading at malicious_x=0xffffffffffdff854: success value=0x61 [ a ] score=  7, second best value=0x02 [ ? ] score=  1
22 reading at malicious_x=0xffffffffffdff855: success value=0x6e [ n ] score=  2
23 reading at malicious_x=0xffffffffffdff856: success value=0x6b [ k ] score=  2
24 reading at malicious_x=0xffffffffffdff857: success value=0x20 [   ] score= 17, second best value=0x02 [ ? ] score=  6
25 reading at malicious_x=0xffffffffffdff858: success value=0x79 [ y ] score=  2
26 reading at malicious_x=0xffffffffffdff859: success value=0x6f [ o ] score= 27, second best value=0x02 [ ? ] score= 11
27 reading at malicious_x=0xffffffffffdff85a: success value=0x75 [ u ] score=  2
28 reading at malicious_x=0xffffffffffdff85b: success value=0x20 [   ] score=  9, second best value=0x02 [ ? ] score=  2
29 reading at malicious_x=0xffffffffffdff85c: success value=0x76 [ v ] score=  2
30 reading at malicious_x=0xffffffffffdff85d: success value=0x65 [ e ] score= 41, second best value=0x02 [ ? ] score= 18
31 reading at malicious_x=0xffffffffffdff85e: success value=0x72 [ r ] score=  2
32 reading at malicious_x=0xffffffffffdff85f: success value=0x79 [ y ] score= 33, second best value=0x02 [ ? ] score= 14
33 reading at malicious_x=0xffffffffffdff860: success value=0x20 [   ] score=  2
34 reading at malicious_x=0xffffffffffdff861: success value=0x6d [ m ] score=  2
35 reading at malicious_x=0xffffffffffdff862: success value=0x75 [ u ] score= 33, second best value=0x02 [ ? ] score= 14
36 reading at malicious_x=0xffffffffffdff863: success value=0x63 [ c ] score=  2
37 reading at malicious_x=0xffffffffffdff864: success value=0x68 [ h ] score=  7, second best value=0x02 [ ? ] score=  1
38 reading at malicious_x=0xffffffffffdff865: success value=0x20 [   ] score=  2
39 reading at malicious_x=0xffffffffffdff866: success value=0x49 [ I ] score= 47, second best value=0x02 [ ? ] score= 21
40 reading at malicious_x=0xffffffffffdff867: success value=0x6e [ n ] score=  2
41 reading at malicious_x=0xffffffffffdff868: success value=0x74 [ t ] score= 15, second best value=0x02 [ ? ] score=  5
42 reading at malicious_x=0xffffffffffdff869: success value=0x65 [ e ] score=  2
43 reading at malicious_x=0xffffffffffdff86a: success value=0x6c [ l ] score= 27, second best value=0x02 [ ? ] score= 11
44 reading at malicious_x=0xffffffffffdff86b: success value=0x21 [ ! ] score=  2
spectreScope$
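
Reading the result tables above by eye gets tedious across several hosts. The following parser is an added example, not part of spectreScope: it turns the `./run.sh` output into the recovered string, shows `malicious_x` as a signed 64-bit value, and flags reads that deserve a second look. The `min_ratio` margin threshold and all function names are assumptions of this example; the first four sample lines are copied from the CentOS run above and the fifth is constructed.

```python
import re

HEADER = re.compile(r"Reading (\d+) bytes")
LINE = re.compile(
    r"^\s*(?P<n>\d+) reading at malicious_x=0x(?P<x>[0-9a-f]+): (?P<status>\w+) "
    r"value=0x(?P<val>[0-9a-f]{2}) \[ . \] score=\s*(?P<score>\d+)"
    r"(?:, second best value=0x[0-9a-f]{2} \[ . \] score=\s*(?P<score2>\d+))?\s*$"
)

def parse_run(text):
    """Return (announced byte count, list of per-byte readings)."""
    announced, reads = None, []
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            announced = int(header.group(1))
            continue
        m = LINE.match(line)
        if not m:
            continue  # banner, shell prompt or build output
        x = int(m["x"], 16)
        reads.append({
            "n": int(m["n"]),
            # malicious_x is printed as unsigned 64-bit; keep the signed view.
            "x": x - (1 << 64) if x >> 63 else x,
            "ok": m["status"] == "success",
            "value": int(m["val"], 16),
            "score": int(m["score"]),
            "score2": int(m["score2"] or 0),  # no runner-up printed -> 0
        })
    return announced, reads

def recovered_text(reads):
    """Join the best-guess bytes; non-printable values become '?'."""
    return "".join(chr(r["value"]) if 0x20 <= r["value"] < 0x7F else "?" for r in reads)

def problems(announced, reads, min_ratio=2.0):
    """List reasons not to trust the run (min_ratio is this example's choice)."""
    out = []
    if announced is not None and announced != len(reads):
        out.append(f"header announced {announced} bytes, parsed {len(reads)}")
    for prev, cur in zip(reads, reads[1:]):
        if cur["x"] != prev["x"] + 1:
            out.append(f"read {cur['n']}: offset not contiguous with read {prev['n']}")
    for r in reads:
        if not r["ok"]:
            out.append(f"read {r['n']}: status is not 'success'")
        elif r["score"] < min_ratio * r["score2"]:
            out.append(f"read {r['n']}: narrow margin {r['score']} vs {r['score2']}")
    return out

# Lines 1-4 copied from the CentOS run above; line 5 is constructed (narrow margin).
SAMPLE = """Spectre Attack
Reading 5 bytes
 1 reading at malicious_x=0xffffffffffdff840: success value=0x59 [ Y ] score= 11, second best value=0x01 [ ? ] score=  3
 2 reading at malicious_x=0xffffffffffdff841: success value=0x6f [ o ] score=  2
 3 reading at malicious_x=0xffffffffffdff842: success value=0x75 [ u ] score=  2
 4 reading at malicious_x=0xffffffffffdff843: success value=0x72 [ r ] score=  2
 5 reading at malicious_x=0xffffffffffdff844: success value=0x20 [   ] score= 20, second best value=0x02 [ ? ] score= 15
"""
```

To check a real run, pass the captured output of `./run.sh` to `parse_run` in place of `SAMPLE`.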