{"id":13830466,"url":"https://github.com/vusec/revanc","last_synced_at":"2026-03-01T11:35:14.347Z","repository":{"id":94401915,"uuid":"81726186","full_name":"vusec/revanc","owner":"vusec","description":"Reverse Engineering Page Table Caches in Your Processor","archived":false,"fork":false,"pushed_at":"2021-05-05T10:43:00.000Z","size":65,"stargazers_count":362,"open_issues_count":0,"forks_count":65,"subscribers_count":47,"default_branch":"master","last_synced_at":"2024-08-04T10:03:11.698Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vusec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-02-12T13:02:13.000Z","updated_at":"2024-03-22T11:53:48.000Z","dependencies_parsed_at":"2023-03-13T16:59:50.752Z","dependency_job_id":null,"html_url":"https://github.com/vusec/revanc","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vusec%2Frevanc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vusec%2Frevanc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vusec%2Frevanc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vusec%2Frevanc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vusec","download_url":"https://codeload.github.com/vusec/revanc/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github
.com","kind":"github","repositories_count":225539409,"owners_count":17485321,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T10:01:00.489Z","updated_at":"2026-03-01T11:35:14.299Z","avatar_url":"https://github.com/vusec.png","language":"C","funding_links":[],"categories":["C"],"sub_categories":[],"readme":"Introduction\n============\n\nThis directory contains the source code for both `anc` and `revanc`. `anc` is an implementation\nof the ASLR^Cache (AnC) attack, which is an `EVICT+TIME` side-channel attack on the MMU. AnC\nrelies on the fact that page table lookups by the MMU are stored in the last level cache (LLC) in\norder to speed up the next required translation. By flushing parts of the LLC and timing the page\ntable lookup, AnC can identify which parts of the LLC store page tables. On top of flushing the\nLLC, AnC also needs to flush the TLB as well as page table caches. Since the information on the\nsize of the TLB and the LLC is available, the AnC attack can be used to reverse engineer the\nproperties of the page table caches that are of interest to attackers, like their internal\narchitecture and size. `revanc` is an implementation that retrofits AnC to acquire this information.\n\nWith `anc`, we have demonstrated that numerous x86-64, ARMv7-A and ARMv8-A microarchitectures are\naffected by the AnC attack. Furthermore, with `revanc` we have been able to detect the existence\nof page table caches and the number of entries that they contain on these microarchitectures. 
As\nthe code is written with portability in mind, it should be easy to add support for other\npotentially affected platforms that share a similar MMU design.\n\nWe invite you to visit our [project page](https://www.vusec.net/projects/anc/) for more information.\n\nUsage\n=====\n\nTo build the code, simply type:\n\n\tmake\n\nAfter the code has been built, the `anc` and `revanc` programs should be available in the `obj`\ndirectory.\n\nThe results generated by the `anc` program can be plotted as MMU-grams using the Python 3 script\nprovided. As this script depends on `numpy` and `matplotlib`, these dependencies should be\ninstalled first:\n\n\tsudo apt-get install python3-numpy python3-matplotlib\n\nThen after running the `anc` program, the script can be run as follows:\n\n\tscripts/plot.py\n\nThe script will then generate a file named `mmugram.pdf`.\n\nExamples\n========\n\nOn x86-64, the `cpuid` instruction is used to automatically detect the sizes of the caches and the\nTLBs. As such, it is often sufficient to run `anc` without any arguments:\n\n\t./obj/anc\n\nHowever, since the TLB sizes are also used as a guideline to evict the page table or translation\ncaches, it is sometimes necessary to specify the sizes of these caches. While Intel Ivy Bridge and\nolder microarchitectures do implement a translation cache for PDPTEs, there either is no TLB to\ncache 1G huge pages, or `cpuid` does not report its existence. 
As such we have to specify that this\ncache consists of four entries manually:\n\n\t./obj/anc --pl3-entries=4\n\nSimilarly, several AMD microarchitectures implement a page table cache with 24 entries:\n\n\t./obj/anc --pl2-entries=24\n\nWith the `revanc` program, these page table and translation caches can be reverse engineered.\nHowever, to optimise the results it is currently advised to specify the virtual address:\n\n\t./obj/revanc --target=0x222e2599000 --runs=10\n\nFor ARMv7-A and ARMv8-A, the sizes of the caches and TLBs cannot be determined automatically yet.\nAs such, it is important to specify these manually. Further, while the ARMv7-A and ARMv8-A\nplatforms do offer Performance Monitoring Units with a register similar to the Timestamp Counter on\nx86-64, this is not used as it is not accessible from user mode by default. On these platforms a\nthread that increments a volatile global variable simulating a cycle counter is used instead. Hence\nit is important to take more timing samples (e.g. 100 rather than the default of 10). For instance,\nfor the Nvidia Tegra K1 the following can be used:\n\n\t./obj/revanc --target=0x10040000 --evict-target=0x80000000 --runs=10 --cache-size=4M --pl1-entries1=544 --rounds=100\n\nSome ARMv7-A platforms have Large Physical Address Extensions enabled. If this is the case, then\nthe `arm-lpae` page format has to be specified as well:\n\n\t./obj/revanc --target=0x10040000 --evict-target=0x80000000 --runs=10 --cache-size=4M --pl1-entries1=544 --page-format=arm-lpae --rounds=100\n\nOn ARMv8-A another target address is recommended. For instance, for the Allwinner A64, the\nfollowing can be used:\n\n\t./obj/revanc --target=0x116565000 --runs=10 --cache-size=2M --pl1-entries=522 --rounds=100\n\nFrequently Asked Questions (FAQ)\n================================\n\nQ. 
What processor architectures are currently supported/affected?\n\nThe `anc` and `revanc` programs can currently be built for and run on the x86-64, ARMv7-A and ARMv8-A\narchitectures and show that these architectures are affected.\n\nQ. What operating systems are currently supported?\n\nThe code can currently be built for BSD, Linux, Mac OS X and Microsoft Windows (using MSYS 2).\n\nQ. Does this attack work on hardened systems with ASLR enabled?\n\nYes, the native implementation of the attack has been reported to work on an Intel Xeon E3-1505M v5\nrunning HardenedBSD/amd64 (thanks to Shawn Webb).\n\nQ. Does this attack work in virtualised environments?\n\nYes, we have run this attack within KVM guests running Linux on an Intel Atom C2750 and an Intel\nXeon E5-2658 v2. In fact, because the hypervisor makes use of the MMU as well, the page table\nand/or translation cache(s) used by the MMU may end up being (partially) evicted already,\namplifying the AnC attack. However, because the MMU is used by the hypervisor as well, the `revanc`\nprogram cannot reliably determine the sizes of these caches.\n\nFor other questions, please refer to the [project page](https://www.vusec.net/projects/anc/) first.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvusec%2Frevanc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvusec%2Frevanc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvusec%2Frevanc/lists"}