Comments (12)
Hmm, looks like most probably your CPU has microcode patches that mitigate Foreshadow (or you have a very recent CPU that has Foreshadow-resistant silicon). The easiest way to make sure you're running unpatched microcode is to reboot with the dis_ucode_ldr Linux kernel option (as documented in the README). You can check the output of "dmesg | grep microcode" and "cat /proc/cpuinfo"
from sgx-step.
I tried rebooting after adding the 'dis_ucode_ldr' option but the results remain the same.
- The "dmesg | grep microcode" command doesn't provide any output now (it did before adding the option).
- The output of 'cat /proc/cpuinfo' can be seen in the screenshot (it gave about the same information about each core).
from sgx-step.
I just checked the CPU package I own and it seems to have an in-silicon mitigation for FORESHADOW.
Does that mean that it's not possible to implement the attack on this hardware?
from sgx-step.
Yes, this CPU is Foreshadow-resistant in silicon :-) See also here for an overview table:
from sgx-step.
If you want to reproduce Foreshadow-SGX, you'll need access to a Skylake or Kaby Lake processor. Since you have a FS-resistant CPU, I'll close this issue.
from sgx-step.
I understand.
If I wish to run this attack on a computer which doesn't support TSX, is there code for this option?
from sgx-step.
Okay, the PoC code currently only supports TSX. But it should be straightforward to modify the code to register an exception handler instead (using for instance the signal function: https://github.com/jovanbulck/sgx-step/blob/master/app/aep-redirect/main.c#L77)
from sgx-step.
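The properties checked by hand in the comments above (microcode revision, whether the CPU is listed as affected by Foreshadow/L1TF, and whether TSX is available) can be read from /proc/cpuinfo and the kernel's l1tf sysfs entry. The script below is an added example, not part of the thread or of sgx-step; its function names and the sample cpuinfo content are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the CPU properties this thread checks by hand.
# Pass saved files instead of the live paths to analyse another machine.

# Print the value of the first "<key> : <value>" line in a cpuinfo file.
cpuinfo_field() {  # $1 = cpuinfo file, $2 = key
    awk -F ':' -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $0; sub(/^[^:]*:[ \t]*/, "", v); print v; exit }' "$1"
}

# Succeed if word $3 appears in the space-separated list stored in field $2.
cpuinfo_has() {  # $1 = cpuinfo file, $2 = key, $3 = word
    case " $(cpuinfo_field "$1" "$2") " in
        *" $3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line summary: microcode revision, L1TF (Foreshadow) bug flag, TSX (RTM).
l1tf_summary() {  # $1 = cpuinfo file, $2 = sysfs l1tf file (may be absent)
    ucode=$(cpuinfo_field "$1" microcode)
    if cpuinfo_has "$1" bugs l1tf; then affected=yes; else affected=no; fi
    if cpuinfo_has "$1" flags rtm; then tsx=yes; else tsx=no; fi
    status=unknown
    [ -r "$2" ] && status=$(cat "$2")
    printf 'microcode=%s l1tf_bug=%s tsx_rtm=%s kernel_status="%s"\n' \
        "${ucode:-unknown}" "$affected" "$tsx" "$status"
}

# Constructed sample input (not taken from the screenshot in the thread).
write_sample() {  # $1 = output file
    cat > "$1" <<'EOF'
processor  : 0
model name : Example CPU (constructed)
microcode  : 0xde
flags      : fpu vme sgx rtm hle
bugs       : spectre_v1 spectre_v2 swapgs
EOF
}

# Query the running system only when invoked with the argument "live".
if [ "${1:-}" = "live" ]; then
    l1tf_summary /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities/l1tf
fi
```

A CPU with the in-silicon fix shows no `l1tf` entry on the `bugs` line and the sysfs file reads "Not affected"; a missing `rtm` flag means the TSX-based path discussed above is unavailable.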
Thank you very much for your help,
I will try that.
Bar.
from sgx-step.
I tried removing the following line
https://github.com/jovanbulck/sgx-step/blob/master/libsgxstep/foreshadow.c#L78
and adding the line you suggested, but I see that it already exists in
https://github.com/jovanbulck/sgx-step/blob/master/app/foreshadow/main.c#L92
but the program gets a SIGKILL signal when reaching 'transient_access' (in foreshadow.c), and therefore doesn't reach the exception handler.
from sgx-step.
Yes, you will have to manually circumvent PTE inversion mitigations applied in recent Linux kernels. The problem now is that the kernel panics and kills the application since it detects that you manually modified the PTE before. The solution is to first call mprotect (resulting in an inverted PTE) and then manually modify the PTE back, and the other way around when handling the fault.
I just pushed an MWE to illustrate the concept (make sure to set USE_TSX=0 in main.c and foreshadow.c):
Be aware: this is a highly unoptimized proof-of-concept, only showcasing the general concept and suffering from a relatively low success rate. However, after running the PoC a few times, you should see leakage.
from sgx-step.
I replaced the new files and used USE_TSX=0, but the only values I get are 0xFF and 0x00 (I tried to run it many times and increased the number of retries but the results are the same).
from sgx-step.