boom-attacks's Introduction

BOOM Speculative Attacks

This repository holds all the work-in-progress code used to check if BOOM is susceptible to Spectre attacks.

Project Members

Name              GitHub Handle
Abraham Gonzalez  abejgonzalez
Ed Younis         riyt
Ben Korpan        bkorpan
Jerry Zhao        jerry123

Further Details

BOOM Configuration

This is working with the version of BOOM located at https://github.com/riscv-boom/riscv-boom/commit/8bb0e34feedf6d7b2465b10e0e166fec988b0396.

Processor Details:

Extra Addition: Default FTQ Size

Fetch Width        : 2
Decode Width       : 2
Issue Width        : 4
ROB Size           : 100

==Dense BTB==
Sets          : 512
Banks         : 2
Ways          : 4
Branch Levels : 2
Tag Size      : 13
Offset Size   : 13

==BIM==
(4 Kbits = 0 kB) Bimodal Table (1024 entries across 2 banks)

==GShare==
(2 kB) GShare Predictor, with 23 bits of history for (2-wide fetch) and 4096 entries.

Implemented Attacks

The following attacks are implemented within the repo.

  • Spectre-v1 or Bounds Check Bypass [1]
    • condBranchMispred.c
  • Spectre-v2 or Branch Target Injection [1]
    • indirBranchMispred.c

Not Completed Attacks

The following attacks are in progress and do not work yet.

  • Return Stack Buffer Attack [2]
    • returnStackBuffer.c
    • This does not work mainly because the RSB was disconnected in the BPU (commented out).

Building the tests

To build, run make.

Running the Tests

This builds "baremetal" binaries that can directly run on the BOOM configuration that was specified above.

References

[1] P. Kocher, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom, “Spectre attacks: Exploiting speculative execution,” ArXiv e-prints, Jan. 2018

[2] E. M. Koruyeh, K. N. Khasawneh, C. Song, N. Abu-Ghazaleh, “Spectre Returns! Speculation Attacks using the Return Stack Buffer,” 12th USENIX Workshop on Offensive Technologies, 2018

boom-attacks's Issues

Help.. I can't reproduce the conditional branch attack on boom-core in chipyard

My chipyard version is f387c4b99424e869235f927aebcb7dabc643a6f5,
and I use CONFIG=LargeBoomConfig or CONFIG=MediumBoomConfig to make the Verilator and VCS simulators, but simulating with either of them does not work:

./simulator-chipyard-MediumBoomConfig ~/proj/boom-attacks/bin/condBranchMispred.riscv
This emulator compiled with JTAG Remote Bitbang client. To enable, use +jtag_rbb_enable=1.
Listening on port 44557
[UART] UART0 is here (stdin/stdout).
m[0x0x80002750] = want(!) =?= guess(hits,dec,char) 1.(9, 33, !) 2.(1, 1, �)
m[0x0x80002751] = want(") =?= guess(hits,dec,char) 1.(1, 1, �) 2.(1, 2, �)
m[0x0x80002752] = want(#) =?= guess(hits,dec,char) 1.(1, 1, �) 2.(1, 2, �)
m[0x0x80002753] = want(T) =?= guess(hits,dec,char) 1.(1, 1, �) 2.(1, 2, �)
m[0x0x80002754] = want(h) =?= guess(hits,dec,char) 1.(1, 1, �) 2.(1, 2, �)
m[0x0x80002755] = want(i) =?= guess(hits,dec,char) 1.(1, 1, �) 2.(1, 2, �)
m[0x0x80002756] = want(s) =?= guess(hits,dec,char) 1.(1, 1, �) 2.(1, 2, �)
m[0x0x80002757] = want(I) =?= guess(hits,dec,char) 1.(1, 1, �) 2.(1, 2, �)
m[0x0x80002758] = want(s) =?= guess(hits,dec,char) 1.(1, 1, �) 2.(1, 2, �)
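
An added example, not part of the issue or of the boom-attacks repository: a small parser for the result lines shown in the output above that reports which bytes a run actually recovered. The names `parse` and `summarize`, the constructed sample, and the rule that a byte counts as recovered only when the top guess matches the wanted value with more hits than the runner-up are assumptions.

```python
import re

# Constructed sample in the format printed by the simulator run quoted above
# (non-printable guess characters are written here as '?').
SAMPLE = """\
m[0x0x80002750] = want(!) =?= guess(hits,dec,char) 1.(9, 33, !) 2.(1, 1, ?)
m[0x0x80002751] = want(") =?= guess(hits,dec,char) 1.(1, 1, ?) 2.(1, 2, ?)
m[0x0x80002752] = want(#) =?= guess(hits,dec,char) 1.(1, 1, ?) 2.(1, 2, ?)
"""

# The 'dec' field is used for comparison; the printed 'char' field is skipped
# because it may be a non-printable or mis-encoded byte.
LINE = re.compile(
    r"m\[(?:0x)+([0-9a-fA-F]+)\] = want\((.)\) =\?= guess\(hits,dec,char\) "
    r"1\.\((\d+), (\d+), .*?\) 2\.\((\d+), (\d+), "
)

def parse(log):
    """Return one dict per result line; banner and UART lines are ignored."""
    rows = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        addr, want = m.group(1), m.group(2)
        h1, d1, h2, d2 = (int(x) for x in m.groups()[2:])
        rows.append({
            "addr": int(addr, 16),
            "want": ord(want),
            "best": d1, "best_hits": h1,
            "second": d2, "second_hits": h2,
            # Assumed rule: the top guess must match and must out-score the
            # runner-up; equal hit counts mean the probe only saw noise.
            "recovered": d1 == ord(want) and h1 > h2,
        })
    return rows

def summarize(rows):
    """Count recovered bytes and list the addresses that were not recovered."""
    failed = [hex(r["addr"]) for r in rows if not r["recovered"]]
    return {"bytes": len(rows),
            "recovered": len(rows) - len(failed),
            "failed_addrs": failed}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```
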

Errors Implementing Hybrid Branch Predictors on RISCV BOOM core

I am working on implementing the hybrid branch predictors listed below:

  • Gshare + TAGE
  • TAGE + Alpha
  • Perceptron + TAGE
  • Gshare + Alpha
  • Perceptron + Gshare
  • Perceptron + Alpha
  • Perceptron + TAGE + Alpha

I created a class definition of the hybrid predictor in the config-mixins.scala file and created a class instance in the BOOMConfigs.scala file.
When I try doing that, the results I get are the same as if I run the benchmark programs (multiplication.riscv, qsort.riscv, and dhrystone.riscv) without any branch predictor.

These are screenshots of what I did for the Gshare + TAGE hybrid combination.

The idea is to replace the tagless base predictor (PC-indexed 2-bit counter bimodal table) of TAGE with Gshare.

Class Definition of Hybrid combination of Gshare and Tage in config-mixins.scala file

Class instance of Hybrid combination of Gshare and Tage in BOOMConfigs.scala file

The CPI I get for all three benchmark programs (multiplication.riscv, qsort.riscv, and dhrystone.riscv) with this hybrid combination is the same as the CPI for when I run the same benchmark programs with no branch predictor.

Status of attacks on chipyard-based boom

I was able to successfully run the conditional branch mispredict and the indirect branch mispredict attacks with this chipyard version and the MediumBoomConfig:
ef404ef0ba6c471430120f13818cc5027225d877

However the return stack buffer attack did not recover the correct secret.
