tests: more stable and faster detection of Spectres

Oleksii Oleksenko 2021-02-22 17:08:16 +01:00
Родитель 18cf62d335
Коммит 06431336c3
5 изменённых файлов: 19 добавлений и 14 удалений


@ -2,4 +2,5 @@ attacker_capability: ct
contracts:
- cond
- bpas
enable_ssbp_patch: false
enable_ssbp_patch: false
no_priming: true
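Review bot: `no_priming: true` is added here with no comment on what it trades away, and the same line is added to the two other config sections below. Going by the key name and the commit title, it presumably skips the priming step to make the runs faster. If that step is what re-checks a candidate violation before it is reported, the positive detection tests that use these configs could pass on a measurement artefact rather than on the Spectre gadget. I would add a comment above the key in each file, e.g. `# priming disabled for test speed; reported violations are not re-verified, do not copy into real fuzzing configs`, or state in the commit message that the key cannot introduce false positives.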


@ -1,4 +1,5 @@
attacker_capability: ct
contracts:
- cond
enable_ssbp_patch: false
enable_ssbp_patch: false
no_priming: true


@ -1,4 +1,5 @@
attacker_capability: ct
contracts:
- seq
enable_ssbp_patch: false
enable_ssbp_patch: false
no_priming: true


@ -107,49 +107,49 @@ FAST_TEST=1
}
@test "Detection: Spectre V1 - BCB load - P" {
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v1.asm -i 11"
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v1.asm -i 20"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" = *"=== Violations detected ==="* ]]
}
@test "Detection: Spectre V1 - BCB load - N" {
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v1.asm -c tests/ct-cond.yaml -i 11"
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v1.asm -c tests/ct-cond.yaml -i 20"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" != *"=== Violations detected ==="* ]]
}
@test "Detection: Spectre V1.1 - BCB store" {
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v1.1.asm -i 11"
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v1.1.asm -i 20"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" = *"=== Violations detected ==="* ]]
}
@test "Detection: Spectre V2 - BTI - P" {
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v2.asm -i 10"
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v2.asm -i 20"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" = *"=== Violations detected ==="* ]]
}
@test "Detection: Spectre V4 - SSBP - P" {
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v4.asm -c tests/ct-seq-ssbp-patch-off.yaml -i 20"
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v4.asm -c tests/ct-seq-ssbp-patch-off.yaml -i 100"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" = *"=== Violations detected ==="* ]]
}
@test "Detection: Spectre V4 - SSBP - N (patch off)" {
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v4.asm -c tests/ct-bpas-ssbp-patch-off.yaml -i 20"
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v4.asm -c tests/ct-bpas-ssbp-patch-off.yaml -i 100"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" != *"=== Violations detected ==="* ]]
}
@test "Detection: Spectre V4 - SSBP - N (patch on)" {
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v4.asm -i 20"
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v4.asm -i 100"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" != *"=== Violations detected ==="* ]]
@ -163,12 +163,12 @@ FAST_TEST=1
}
@test "Detection: Nested misprediction" {
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v4_n2.asm -i 20 -c tests/ct-bpas-ssbp-patch-off.yaml"
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v4_n2.asm -i 100 -c tests/ct-bpas-ssbp-patch-off.yaml"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" = *"=== Violations detected ==="* ]]
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v4_n2.asm -i 20 -c tests/ct-bpas-n2-ssbp-patch-off.yaml"
run bash -c "./cli.py fuzz -s $INSTRUCTION_SET -t tests/spectre_v4_n2.asm -i 100 -c tests/ct-bpas-n2-ssbp-patch-off.yaml"
echo "$output"
[ "$status" -eq 0 ]
[[ "$output" != *"=== Violations detected ==="* ]]
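Review bot: The iteration budgets are still bare literals, now `-i 20` in the four V1/V1.1/V2 invocations and `-i 100` in the five V4 and nested-misprediction invocations, so the next stability adjustment means editing nine command lines again. Because the positive tests are probabilistic (they pass only if a violation shows up within the budget), the number is the main tuning knob and deserves one named definition with a comment on why V4 needs more rounds, e.g. `SPECTRE_V4_ITERATIONS=100` near the top of the file and `-i $SPECTRE_V4_ITERATIONS` in the commands. The same budget also bounds the "N" tests, where a larger value gives a stronger no-violation check, so keeping positive and negative runs on one variable keeps them comparable. The last test of the first hunk and the nested-misprediction test both close outside the visible lines.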


@ -20,8 +20,10 @@ LEA rbx, [rbx + rax + 1]
AND rbx, 0b1
CMP rbx, 0
JBE .l1 # misprediction
JE .l1 # misprediction
# rbx != 0
MOV qword ptr [r14 + rax], 42
MOV qword ptr [r14], rax
MOV rbx, [r14]
MOV rbx, [r14 + rbx]
.l1:
MFENCE
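Review bot: In the MOV sequence after the branch, the last load `MOV rbx, [r14 + rbx]` takes its offset from the value just read back from `[r14]`, which is `rax`, and nothing in the hunk shows `rax` being bounded. If the masking happens earlier in the file (outside the hunk), a short comment should say so, because the test relies on that access staying inside the sandbox region. The new `# rbx != 0` comment states the architectural condition of the fall-through path but not the purpose of the store/load/load chain. I would add something like `# store rax, reload it, then use it as a load offset: the dependent load is what the test expects to be observed` above the first MOV. Which of the MOV lines are old and which are new cannot be told from the rendered page, so this applies to the sequence as it stands on the new side.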