
downfall's Issues

illegal instruction on avx2

Hi, I was attempting to test the vulnerability of a Xeon e3v5 chip using your POC (as Intel doesn't feel like listing whether or not it's vulnerable for some reason) and I'm running into an illegal instruction error that I don't believe is a mitigation. Disassembly below:

Dump of assembler code for function s_load_encode:
   0x0000000000407000 <+0>:     vmovups (%rdi),%ymm3
=> 0x0000000000407004 <+4>:     vpxord %ymm1,%ymm1,%ymm1
   0x000000000040700a <+10>:    vpcmpeqb %ymm2,%ymm2,%ymm2
   0x000000000040700e <+14>:    lea    0x260c000,%rdi
   0x0000000000407016 <+22>:    clflush (%rdi)
   0x0000000000407019 <+25>:    mov    (%rdi),%rax
   0x000000000040701c <+28>:    clflush 0x40(%rdi)
   0x0000000000407020 <+32>:    mov    0x40(%rdi),%rax
   0x0000000000407024 <+36>:    clflush 0x80(%rdi)
   0x000000000040702b <+43>:    mov    0x80(%rdi),%rax
   0x0000000000407032 <+50>:    clflush 0xc0(%rdi)
   0x0000000000407039 <+57>:    mov    0xc0(%rdi),%rax
   0x0000000000407040 <+64>:    clflush 0x100(%rdi)
   0x0000000000407047 <+71>:    mov    0x100(%rdi),%rax
   0x000000000040704e <+78>:    clflush 0x140(%rdi)
   0x0000000000407055 <+85>:    mov    0x140(%rdi),%rax
   0x000000000040705c <+92>:    clflush 0x180(%rdi)
   0x0000000000407063 <+99>:    mov    0x180(%rdi),%rax
   0x000000000040706a <+106>:   clflush 0x1c0(%rdi)
   0x0000000000407071 <+113>:   mov    0x1c0(%rdi),%rax
   0x0000000000407078 <+120>:   mov    0x0,%rdi
   0x0000000000407080 <+128>:   lea    0x260d000,%r13
   0x0000000000407088 <+136>:   vpgatherdd %ymm2,0x0(%r13,%ymm1,1),%ymm5
   0x000000000040708f <+143>:   vpermd %ymm5,%ymm3,%ymm5
   0x0000000000407094 <+148>:   movq   %xmm5,%rax
   0x0000000000407099 <+153>:   mov    %rax,%rbx
   0x000000000040709c <+156>:   mov    %rax,%rcx
   0x000000000040709f <+159>:   mov    %rax,%rdx
---Type <return> to continue, or q <return> to quit---
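
The instruction at the fault marker in the dump above, `vpxord %ymm1,%ymm1,%ymm1`, is an EVEX-encoded form that requires AVX-512F and AVX-512VL, whereas `vpgatherdd` and `vpermd` on `%ymm` registers need only AVX2. The check below is an added example, not part of the original issue or the PoC; the function name `gather_poc_isa_level` and its return codes are assumptions made here.

```c
#include <cpuid.h>
#include <stdint.h>
#include <stdio.h>

/* CPUID.(EAX=7,ECX=0):EBX feature bits (Intel SDM). */
#define F_AVX2     (1u << 5)
#define F_AVX512F  (1u << 16)
#define F_AVX512VL (1u << 31)

/* XCR0 state bits the OS must enable: SSE|AVX, plus opmask|ZMM_Hi256|Hi16_ZMM. */
#define XCR0_AVX    0x06u
#define XCR0_AVX512 0xE6u

/* Pure decision function on raw leaf-7 EBX and XCR0 values. Returns
 * 0 = EVEX-encoded ymm instructions (e.g. vpxord %ymm) are usable,
 * 1 = AVX2 only: vpgatherdd/vpermd run, vpxord %ymm raises #UD (SIGILL),
 * 2 = not even AVX2 is usable. */
int gather_poc_isa_level(uint32_t leaf7_ebx, uint64_t xcr0)
{
    int avx2 = (leaf7_ebx & F_AVX2) && (xcr0 & XCR0_AVX) == XCR0_AVX;
    int evex256 = (leaf7_ebx & F_AVX512F) && (leaf7_ebx & F_AVX512VL) &&
                  (xcr0 & XCR0_AVX512) == XCR0_AVX512;
    if (!avx2) return 2;
    return evex256 ? 0 : 1;
}

/* Read XCR0; only valid once CPUID.1:ECX.OSXSAVE (bit 27) is confirmed. */
static uint64_t read_xcr0(void)
{
    uint32_t lo, hi;
    __asm__ volatile("xgetbv" : "=a"(lo), "=d"(hi) : "c"(0));
    return ((uint64_t)hi << 32) | lo;
}

int main(void)
{
    unsigned a, b, c, d, ebx7 = 0;
    uint64_t xcr0 = 0;
    if (__get_cpuid(1, &a, &b, &c, &d) && (c & (1u << 27)))
        xcr0 = read_xcr0();
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d))
        ebx7 = b;
    static const char *msg[] = {
        "AVX-512F+VL present: vpxord %ymm will execute",
        "AVX2 only: vpxord %ymm is EVEX-encoded and will fault (SIGILL)",
        "AVX2 not usable: the gather instructions themselves will fault" };
    puts(msg[gather_poc_isa_level(ebx7, xcr0)]);
    return 0;
}
```
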

A typo in the description of Listing 1

Hi, thank you for the great research.

The description to Listing 1 says the following:

Examples of gather in x86: Line 1 calculates addresses of 4 dwords at (%rsi+%xmm2[i]*2) and merges their values into the 128-bit %xmm3 register, depending on the corresponding mask bits (per dword) in %xmm3

Whereas there should be:
... mask bits (per dword) in %xmm1

gds_aes_ni: Intuitively wipe out noisy data

Hi, we are currently doing a Bachelor project about Downfall. Thank you for doing a great paper on it and sharing this POC code, it has been very useful for us.

We have a question about some code in "POC/gds_aes_ni/asm.S", where you have a comment "Intutively Wipe out noisy values", and we simply can't figure out how it wipes out noisy values. Was hoping you could elaborate?

s_load_encode:

    mfence 

    # Intutively Wipe out noisy values. 
    .rept 128
    inc %rax
    vmovups (%rdi), %ymm3
    .endr

using gds_aes_ni cannot reproduce the attack on v5

Hi, I am attempting to test the vulnerability on Xeon v5 using your PoC (gds_aes_ni).
However, I cannot reproduce the results you showed in the README.md of downfall/POC/gds_aes_ni.

My environment is Intel(R) Xeon(R) Gold 6151 CPU @ 3.00GHz
My kernel is 4.18.0-147.5.2.7.h838_356.x86_64
The result of my running gds_aes_ni is:

# ./openssl_encrypt_128.sh 
Key: 0CA1E581446E64F5:CDE0BD3B9E36425C
./attack_encrypt_128bit.sh
1st QWORD Candidates: 0
2nd QWORD Candidates: 0
Total candidates: 0 x 0 = 0

Do you have any ideas about what might be causing this?
Thanks!

watch out for DS_Store

Hi,
watch out for that Apple garbage.......
.DS_Store

it can leak system information into public git repositories...
