Spectre-PoC

public
7 stars
4 forks
2 issues

README


Spectre - Proof of Concept

What is Spectre and Meltdown?

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

This code gives a brief explanation of the Spectre flaw. More information about Meltdown and Spectre can be found here. CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. (Find out more about what CVEs are here.) This code is the proof of concept from this paper. What makes the flaw more dangerous is that it was found in computer hardware: releasing patches and software fixes is really difficult for hardware-based CVEs.

Etymology of Spectre

Spectre is based on problems in speculative execution. That's how the exploit got its name.

Explanation of Code

In the exploit, if the compiled instructions in victim_function() were executed in strict program order, the function would only read from array1[0..15], since array1_size = 16.

However, when executed speculatively, out-of-bounds reads are possible. The read_memory_byte() function makes several training calls to victim_function() to make the branch predictor expect valid values for x, then calls it with an out-of-bounds x.

The conditional branch mispredicts, and the ensuing speculative execution reads a secret byte using the out-of-bounds x. The speculative code then reads from array2[array1[x] * 256], leaking the value of array1[x] into the cache state, as shown in the code block below.

To complete the attack, a simple flush+probe is used to identify which cache line in array2 was loaded, revealing the memory contents. The attack is repeated several times, so even if the target byte was initially uncached, the first iteration will bring it into the cache.
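The bounds-check pattern described above, placed beside two standard mitigations, as an added example that is not part of this repository's code. array1, array2, the 16-element size and the 256-byte stride are constructed here to match the description; array_index_mask_nospec() mirrors the Linux kernel's helper of the same name, and the LFENCE barrier follows Intel's published guidance. The block shows only the architectural side (what each function returns) and contains no flush+probe measurement.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed data for this example (not the repository's own code):
 * array1 holds the in-bounds bytes the victim may legitimately read,
 * array2 is the probe array whose cache lines an attacker would observe. */
#define ARRAY1_SIZE 16u
#define ARRAY2_STRIDE 256u
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * ARRAY2_STRIDE];

/* Vulnerable pattern described in the README: the bounds check is a
 * conditional branch, so while it resolves the CPU may speculatively
 * execute the dependent loads with an out-of-bounds x. Architecturally
 * the out-of-bounds path still returns 0; only the cache state leaks. */
uint8_t victim_function(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * ARRAY2_STRIDE];
    return 0;
}

/* Mitigation 1: branchless index clamping, modelled on the Linux kernel's
 * array_index_nospec(). Yields all-ones when index < size and zero
 * otherwise, using only arithmetic, so there is no branch to mispredict.
 * Requires index and size both below LONG_MAX. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size) {
    return (unsigned long)(~(long)(index | (size - index - 1)) >>
                           (sizeof(long) * 8 - 1));
}

/* Clamps an out-of-bounds index to 0 even on a speculative path. */
size_t safe_index(size_t index, size_t size) {
    return index & array_index_mask_nospec(index, size);
}

/* Mitigation 2: a speculation barrier right after the bounds check.
 * On x86, LFENCE lets no later instruction execute until all earlier
 * ones have completed, so the branch outcome is known before the loads.
 * Compiles to nothing on other architectures in this example. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("lfence" ::: "memory");
#endif
}

/* Hardened form: same architectural result as victim_function() for
 * in-bounds x, but the dependent loads cannot use an out-of-bounds x
 * even while the branch is still being resolved. */
uint8_t victim_function_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        speculation_barrier();
        return array2[array1[safe_index(x, ARRAY1_SIZE)] * ARRAY2_STRIDE];
    }
    return 0;
}

int main(void) {
    size_t probes[] = {3, 15, 16, 1000};
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("x=%zu  mask=%#lx  clamped=%zu  vuln=%u  hardened=%u\n",
               probes[i], array_index_mask_nospec(probes[i], ARRAY1_SIZE),
               safe_index(probes[i], ARRAY1_SIZE),
               victim_function(probes[i]), victim_function_hardened(probes[i]));
    return 0;
}
```

Either mitigation alone is usually considered sufficient for this specific pattern; index masking is preferred where the code is hot, because LFENCE serialises the pipeline and costs far more than a few ALU instructions.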

Running the PoC

root@spectre$ gcc -o spectre -std=c99 spectre.c
root@spectre$ ./spectre

Author

Chaitanya Rahalkar

Contributing

Contributions, issues and feature requests are welcome!
Feel free to check the issues page.

Show your support

Give a ⭐️ if this project helped you!

License

Copyright © 2019 Chaitanya Rahalkar.
This project is MIT licensed.