This repository contains a fork of gem5 with SpecCheck implementation. SpecCheck is a debugging module for O3CPUs to determine the presence of potential transient execution vulnerabilities.
To build SpecCheck gem5, first clone the repository and checkout the SpecCheckPACT
branch:
git clone https://github.com/zmckevitt/SpecCheck.git
cd SpecCheck/
Next, ensure that your system has scons:
sudo apt install scons
And lastly build the x86 gem5 model:
scons build/X86/gem5.opt -j$(nproc)
The pocs/
directory contains proof of concepts for Spectre variant 1 (Pattern History Table) and variant 2 (Branch Target Buffer). Each proof of concept was also precompiled on x86 Ubuntu 20.04 and statically linked, and these binaries can be found precompiled in pocs/
.
While in the SpecCheck directory, save the current working directory to an environment variable to be used in runner scripts:
export GEM5_PATH=$(pwd)
To run gem5 with SpecCheck enabled, use the sc.sh
script:
bash sc.sh <stats file> <path to binary>
So, to run SpecCheck on the precompiled POC for Spectre variants 1 and 2:
bash sc.sh v1.txt pocs/spectre_v1_x86
bash sc.sh v2.txt pocs/spectre_v2_x86
If the attack is successful, the output for both programs should look similar to this:
Reading 6 bytes starting at 0x4b7008:
reading 0x4b7008...success: 0x53='S'
reading 0x4b7009...success: 0x45='E'
reading 0x4b700a...success: 0x43='C'
reading 0x4b700b...success: 0x52='R'
reading 0x4b700c...success: 0x45='E'
reading 0x4b700d...success: 0x54='T'
To run standard gem5 without SpecCheck, use run.sh
:
bash run.sh <stats file> <path to binary>
Each experiment is configured to run using an x86 O3CPU in gem5's systemcall emulation mode. Each experiment uses the configuration available in configs/examples/se.py
, with 8GB of memory. More details about each experiments configuration can be found in sc.sh
.
The stats file given to the runner script will be located in m5out/
and contains standard gem5 statistics with additional SpecCheck specific commit statistics (prefixed with speccheck
). SpecCheck saves all program counters flagged as potentially malicious during the experiments duration to m5out/<specified file>.scout
.
To view SpecCheck stats, simply check for speccheck
prefixed stats in the specified stats file:
grep speccheck m5out/v*.txt
To view flagged gadgets, examine the .scout
file generated by SpecCheck:
vim m5out/v*.txt.scout
OR
grep <pc> m5out/v*.txt.scout