dendrobates-t-azureus/prefetcher_reverse/Readme.md
Guillaume DIDIER bc684eca89 Add analysis scripts, format and fix spelling of prefetcher_reverse/Readme.md
Squash of 4 cherry-picked commits:
569f3aaf26469c6f37ecf338f32fd8d6222575fb
1b93a2a951a9a6eea123806b1d557634e9333665
6e5b5c5807a83758ba321e405901377a532734c1
25ccd3248fa0a87e454363698d2ad2bba0588e37
2022-09-23 11:32:01 +02:00


CacheObserver - monitor what happens in the cache when doing memory accesses

This framework, derived from https://github.com/MIAOUS-group/calibration-done-right, is built to help reverse engineer prefetchers on Intel CPUs.

The main entry point of the framework is the prefetcher_reverse crate.

The code presented runs under Fedora 30, and can also be made to run on Ubuntu 18.04 LTS with minor tweaks (notably, lib cpupower may also be called lib cpufreq).

Usage

Requires Rust nightly features. Install Rust nightly using rustup; known working versions are listed at the end of the document.

This tool needs access to MSRs and thus requires sudo access. The setup.sh script disables turbo boost and makes sure the frequency is set to the max non-boosted frequency.

One can run all the experiments with the following instructions:

cd prefetcher_reverse
mkdir results-xxx
cd results-xxx
sudo ../setup.sh
../run-msr-all.sh 15
../run-msr-all.sh 14
../run-msr-all.sh 13
../run-msr-all.sh 12
../run-msr-all.sh 0
# Do not forget to re-enable turbo-boost and set the cpupower frequency governor back

This results in a set of log files that can then be analyzed.

Note that with the default settings, this results in several GB worth of logs.

General Architecture

prefetcher_reverse is where the experiments used to reverse engineer prefetchers live. It contains the Prober structure, along with binaries that generate patterns for the experiments to run and feed them to the Prober struct.

The analysis folder contains the scripts we used to turn the logs into figures. To be documented. We used Julia with the Plots and PGFPlotsX backend to generate figures.

The flow is to first use extract_analysis_csv.sh to extract the CSV for each experiment from the logs.

Then one can use the makeplots Julia scripts (those are unfortunately not optimized and may run for several hours, as the LaTeX backend is not thread-safe and generates many figures).

Those scripts expect to find the CSVs at a specific path and require an output folder for each MSR 420 (0x1A4) value to exist beforehand (so folders 15, 14, 13, 12 and 0 must exist beforehand). They are still quite rough and undocumented, so rough edges are to be expected. (A better version could be released if the paper is accepted.)

The resulting figures can then be sorted into subfolders for easier browsing, and the change colormap script can be used to tweak the tikz file colormaps for use in papers.
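The following is an added example, not code from this repository. It decodes the MSR 420 (0x1A4) values used above (15, 14, 13, 12, 0) into the prefetchers they leave enabled, and reads the register from each core's msr device node to confirm that a machine is back in the expected state after the experiments. It assumes that the argument of run-msr-all.sh is the value written to MSR 0x1A4, that the bit meanings are those given in Intel's public documentation for this register, and that the Linux msr module is loaded; all function names are hypothetical.

```rust
use std::fs::File;
use std::io;
use std::os::unix::fs::FileExt;

pub const MSR_PREFETCH_CONTROL: u64 = 0x1A4; // MSR 420, named in the Readme

/// Disable bits per Intel's documentation (assumption, not from the Readme); set = disabled.
pub const PREFETCHERS: [(u64, &str); 4] = [
    (1 << 0, "L2 hardware"),
    (1 << 1, "L2 adjacent cache line"),
    (1 << 2, "DCU"),
    (1 << 3, "DCU IP"),
];

/// Names of the prefetchers a given MSR value leaves enabled.
pub fn enabled_prefetchers(value: u64) -> Vec<&'static str> {
    PREFETCHERS.iter().filter(|p| (value & p.0) == 0).map(|p| p.1).collect()
}

/// Read one MSR from a device node such as /dev/cpu/0/msr (needs root).
pub fn read_msr(dev: &str, msr: u64) -> io::Result<u64> {
    let mut buf = [0u8; 8];
    File::open(dev)?.read_exact_at(&mut buf, msr)?; // the MSR index is the file offset
    Ok(u64::from_le_bytes(buf))
}

/// Device nodes whose low four bits of MSR 0x1A4 differ from `expected`.
pub fn cores_not_matching(devs: &[String], expected: u64) -> io::Result<Vec<(String, u64)>> {
    let mut bad = Vec::new();
    for dev in devs {
        let v = read_msr(dev, MSR_PREFETCH_CONTROL)? & 0xF;
        if v != expected { bad.push((dev.clone(), v)); }
    }
    Ok(bad)
}

fn main() -> io::Result<()> {
    for v in [15u64, 14, 13, 12, 0] { // values used in the Usage section
        println!("0x1A4 = {:>2}: enabled = {:?}", v, enabled_prefetchers(v));
    }
    let devs: Vec<String> = std::fs::read_dir("/dev/cpu")?
        .filter_map(|e| e.ok()?.file_name().to_str()?.parse::<u32>().ok())
        .map(|n| format!("/dev/cpu/{}/msr", n))
        .collect();
    for (dev, v) in cores_not_matching(&devs, 0)? {
        println!("{}: 0x1A4 = {} (expected 0, all prefetchers enabled)", dev, v);
    }
    Ok(())
}
```

Run it with sudo after the last experiment; an empty second part of the output means every core reads 0 in the low four bits of MSR 0x1A4.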

Crates originally from the Calibration done right framework, slightly modified:

  • basic_timing_cache_channel contains generic implementations of Naive and Optimised cache side channels, that just require providing the actual operation used
  • cache_side_channel defines the interface cache side channels have to implement
  • cache_utils contains utilities related to cache attacks
  • cpuid is a small crate that handles CPU microarchitecture identification and provides info about what is known about it
  • flush_flush and flush_reload are tiny crates that use basic_timing_cache_channel to export Flush+Flush and Flush+Reload primitives
  • turn_lock is the synchronization primitive used by cache_utils

Rust versions

Known good nightly versions:

  • rustc 1.54.0-nightly (eab201df7 2021-06-09)
  • rustc 1.55.0-nightly (885399992 2021-07-06)