https://github.com/0xade1a1de/bunnyhop

PoC for Paper: BunnyHop Exploiting the Instruction Prefetcher (USENIX Security 2023)

README

# BunnyHop: Exploiting the Instruction Prefetcher
*Authors:* **Zhiyuan Zhang**, **Mingtian Tao**, **Sioli O'Connell**,
**Chitchanok Chuengsatiansup**, **Daniel Genkin**, **Yuval Yarom**

*The paper was accepted at USENIX Security 2023 (Fall Round)*

## What is BunnyHop?
BunnyHop is a technique that translates branch prediction unit (BPU) state, specifically the contents of the branch target buffer (BTB), into cache state.
Based on this observation, we adapt three cache attack techniques, Flush+Reload, Prime+Probe and Evict+Time, to observe BTB contents.

## Artifact Evaluation
We provide several experiments for evaluating the power of BunnyHop.

### Essential Libraries
To start the evaluation, you will need to install two libraries: Mastik and AssemblyLine.
Both are available under the 0XADE1A1DE GitHub repositories.
Mastik is a lightweight library that provides cache-based side-channel APIs.
In BunnyHop, we use Mastik to flush memory and to time memory accesses.
AssemblyLine is a tool that assembles assembly code into machine code
and writes it to memory at a given location.
We use AssemblyLine to generate the functions that probe the BTB contents.

### General system configuration
In the GRUB configuration, replace the original *GRUB_CMDLINE_LINUX_DEFAULT* line with `GRUB_CMDLINE_LINUX_DEFAULT="quiet splash isolcpus=1,7 spectre_v2=on"`. The two isolated processors should be sibling cores (hyper-threads of the same physical core); adjust the CPU numbers to match your machine.
Set the CPU frequency governor to *performance*.

### Reverse Engineer the Instruction Prefetcher
The evaluation starts with experiments on reverse engineering the Instruction Prefetcher.
The code is under folder *IP_RE*.

#### Prefetching Depth
Under folder *test_depth* is the code that evaluates
how many cache blocks ahead of the current block the instruction prefetcher fetches.
You can find more information and the expected result under the folder.

#### How the BTB affects the Instruction Prefetcher
Under folder *test_branch* is the code that evaluates how the BTB affects the Instruction Prefetcher.
The code we present reveals that the IP follows the contents of the BTB
and keeps prefetching successive branch targets until the end of *speculation*.
You can find more information and the expected result under the folder.

#### Temporal restrictions on the Instruction Prefetcher
Under folder *test_ip_operation* we investigate the conditions under which the prefetch is observed to be incorrect.
We evaluate scenarios in which the sibling hyper-thread is either idle or busy.
You can find more information and the expected result under the folder.

### Reverse Engineer the BTB
Under folder *BTB_RE* is the code that finds which target address bits are stored for long and short branches.
In the paper, we show that a long branch stores the 32 LSBs of the target address,
while a short branch stores the 10 LSBs of the target address.
The experiment we provide reproduces Figure 3 of the paper.
You can find more information and the expected result under the folder.

### Break KASLR
Under folder *bunnyhop_fr* is the code that breaks KASLR with the BunnyHop-Reload technique.

### Prime+Probe on BTB
Under folder *bunnyhop_pp* is the code that performs BunnyHop-Probe.
We provide the code that evaluates the accuracy of BunnyHop-Probe.
You can find more information and the expected result under the folder.