Implementation of SpecCheck (presented at PACT 2023). Forked from the official gem5 repository.

SpecCheck

This repository contains a fork of gem5 with the SpecCheck implementation. SpecCheck is a debugging module for O3CPUs for determining the presence of potential transient execution vulnerabilities.

Building

To build SpecCheck gem5, first clone the repository and check out the SpecCheckPACT branch:

git clone https://github.com/zmckevitt/SpecCheck.git
cd SpecCheck/

Next, ensure that your system has scons:

sudo apt install scons

And lastly build the x86 gem5 model:

scons build/X86/gem5.opt -j$(nproc)

Running

The pocs/ directory contains proofs of concept for Spectre variant 1 (Pattern History Table) and variant 2 (Branch Target Buffer). Each proof of concept was also compiled on x86 Ubuntu 20.04 and statically linked; the precompiled binaries are in pocs/.

While in the SpecCheck directory, save the current working directory to an environment variable to be used in runner scripts:

export GEM5_PATH=$(pwd)

To run gem5 with SpecCheck enabled, use the sc.sh script:

bash sc.sh <stats file> <path to binary>

So, to run SpecCheck on the precompiled POCs for Spectre variants 1 and 2:

bash sc.sh v1.txt pocs/spectre_v1_x86
bash sc.sh v2.txt pocs/spectre_v2_x86

If the attack is successful, the output for both programs should look similar to this:

Reading 6 bytes starting at 0x4b7008:
reading 0x4b7008...success: 0x53='S'
reading 0x4b7009...success: 0x45='E'
reading 0x4b700a...success: 0x43='C'
reading 0x4b700b...success: 0x52='R'
reading 0x4b700c...success: 0x45='E'
reading 0x4b700d...success: 0x54='T'

To run standard gem5 without SpecCheck, use run.sh:

bash run.sh <stats file> <path to binary>

gem5 Configuration

Each experiment is configured to run using an x86 O3CPU in gem5's system call emulation mode. Each experiment uses the configuration available in configs/examples/se.py, with 8GB of memory. More details about each experiment's configuration can be found in sc.sh.

Statistics

The stats file given to the runner script will be located in m5out/ and contains standard gem5 statistics with additional SpecCheck-specific commit statistics (prefixed with speccheck). SpecCheck saves all program counters flagged as potentially malicious during the experiment's duration to m5out/<specified file>.scout.

To view SpecCheck stats, simply check for speccheck prefixed stats in the specified stats file:

grep speccheck m5out/v*.txt

To view flagged gadgets, examine the .scout file generated by SpecCheck:

vim m5out/v*.txt.scout
OR
grep <pc> m5out/v*.txt.scout
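
The helpers below are an added example, not part of the SpecCheck repository. They check a saved run log against the POC output format shown under Running and list stats whose name contains speccheck; the log file name is an assumption, and the speccheck stat names and all values in the sample stats are constructed placeholders.

```shell
#!/bin/sh
# Assumed usage: bash sc.sh v1.txt pocs/spectre_v1_x86 | tee v1.log
#                poc_leaked < v1.log; speccheck_stats m5out/v1.txt

# Print, in order, the characters a POC run reported as read, taken from its
# "reading 0x<addr>...success: 0x<hex>='<c>'" lines on stdin.
poc_leaked() {
    sed -n "s/^reading 0x[0-9a-fA-F]*\.\.\.success: 0x[0-9a-fA-F]*='\(.\)'.*/\1/p" |
        tr -d '\n'
}

# Succeed only if the number of "success" lines equals the count announced in
# the "Reading N bytes" header, i.e. the POC fully reproduced under simulation.
poc_complete() {
    awk '/^Reading [0-9]+ bytes/ { want = $2 }
         /^reading 0x.*success:/ { got++ }
         END { exit !(want > 0 && got == want) }'
}

# Print "name value" for stats whose *name* contains "speccheck". Unlike a
# plain grep, this skips lines that mention it only in the "# ..." description.
speccheck_stats() {
    awk 'index($1, "speccheck") { print $1, $2 }' "$@"
}

# POC output as shown in the README.
SAMPLE_POC_OUT="Reading 6 bytes starting at 0x4b7008:
reading 0x4b7008...success: 0x53='S'
reading 0x4b7009...success: 0x45='E'
reading 0x4b700a...success: 0x43='C'
reading 0x4b700b...success: 0x52='R'
reading 0x4b700c...success: 0x45='E'
reading 0x4b700d...success: 0x54='T'"

# Constructed stats excerpt: speccheck stat names and all values are placeholders.
SAMPLE_STATS="---------- Begin Simulation Statistics ----------
simSeconds                                  0.000412   # Number of seconds simulated (Second)
system.cpu.commit.speccheckPlaceholderA           12   # constructed placeholder
system.cpu.commit.speccheckPlaceholderB            3   # constructed placeholder
system.cpu.numCycles                          824113   # constructed line that mentions speccheck"

# Demo on the embedded samples.
printf 'leaked: %s\n' "$(printf '%s\n' "$SAMPLE_POC_OUT" | poc_leaked)"
printf '%s\n' "$SAMPLE_STATS" | speccheck_stats
```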
