This repository contains a fork of gem5 with a SpecCheck implementation. SpecCheck is a debugging module for gem5's O3CPU that determines whether potential transient execution vulnerabilities are present in a program.
To build SpecCheck gem5, first clone the repository and check out the `SpecCheckPACT` branch:

```sh
git clone https://github.com/zmckevitt/SpecCheck.git
cd SpecCheck/
git checkout SpecCheckPACT
```

Next, ensure that your system has scons:

```sh
sudo apt install scons
```

Lastly, build the x86 gem5 model:

```sh
scons build/X86/gem5.opt -j$(nproc)
```
The `pocs/` directory contains proof-of-concept programs for Spectre variant 1 (Pattern History Table) and variant 2 (Branch Target Buffer). Each proof of concept was also precompiled and statically linked on x86 Ubuntu 20.04; these precompiled binaries can likewise be found in `pocs/`.
While in the SpecCheck directory, save the current working directory to an environment variable used by the runner scripts:

```sh
export GEM5_PATH=$(pwd)
```
To run gem5 with SpecCheck enabled, use the `sc.sh` script:

```sh
bash sc.sh <stats file> <path to binary>
```

So, to run SpecCheck on the precompiled POCs for Spectre variants 1 and 2:

```sh
bash sc.sh v1.txt pocs/spectre_v1_x86
bash sc.sh v2.txt pocs/spectre_v2_x86
```
If the attack is successful, the output of both programs should look similar to this:

```
Reading 6 bytes starting at 0x4b7008:
reading 0x4b7008...success: 0x53='S'
reading 0x4b7009...success: 0x45='E'
reading 0x4b700a...success: 0x43='C'
reading 0x4b700b...success: 0x52='R'
reading 0x4b700c...success: 0x45='E'
reading 0x4b700d...success: 0x54='T'
```
To run standard gem5 without SpecCheck, use `run.sh`:

```sh
bash run.sh <stats file> <path to binary>
```
Each experiment is configured to run an x86 O3CPU in gem5's syscall emulation (SE) mode, using the configuration in `configs/examples/se.py` with 8GB of memory. More details about each experiment's configuration can be found in `sc.sh`.
The stats file given to the runner script will be written to `m5out/` and contains standard gem5 statistics plus additional SpecCheck-specific commit statistics (prefixed with `speccheck`). SpecCheck saves every program counter flagged as potentially malicious during the experiment's duration to `m5out/<specified file>.scout`.
To view SpecCheck stats, simply look for `speccheck`-prefixed stats in the specified stats file:

```sh
grep speccheck m5out/v*.txt
```

To view flagged gadgets, examine the `.scout` file generated by SpecCheck:

```sh
vim m5out/v*.txt.scout
```

or

```sh
grep <pc> m5out/v*.txt.scout
```
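As an added example (not part of this repository), the following Python script does what the `grep speccheck` step does, but parses the stats file properly: it keeps only the final dump block when gem5 has written several, and returns the `speccheck`-containing stats as name/value pairs. It assumes the standard gem5 text stats layout (`name value # description`); the stat names and values in the embedded sample are constructed and are not real SpecCheck statistics.

```python
import re

# Constructed sample in the standard gem5 stats.txt layout ("name value # description").
# The speccheck.* names and every value here are made up for illustration; they are
# not real SpecCheck statistics.
SAMPLE_STATS = """\
---------- Begin Simulation Statistics ----------
simSeconds                                   0.000412   # Number of seconds simulated (Second)
system.cpu.speccheck.flaggedLoads                  12   # constructed stat (Count)
system.cpu.speccheck.flaggedPCs                     3   # constructed stat (Count)
---------- End Simulation Statistics   ----------
---------- Begin Simulation Statistics ----------
simSeconds                                   0.000987   # Number of seconds simulated (Second)
system.cpu.speccheck.flaggedLoads                  27   # constructed stat (Count)
system.cpu.speccheck.flaggedPCs                     5   # constructed stat (Count)
---------- End Simulation Statistics   ----------
"""

# A scalar stat line: name, numeric value, optional "# description" tail.
STAT_LINE = re.compile(r"^(\S+)\s+(-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)(?:\s+#.*)?$")


def parse_gem5_stats(text: str) -> dict:
    """Map stat name -> value for the LAST dump block in a gem5 stats file.
    gem5 appends a block on every stats dump, so the last one is the final state."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.startswith("---------- Begin Simulation Statistics"):
            current = {}
        elif line.startswith("---------- End Simulation Statistics"):
            blocks.append(current or {})
            current = None
        elif current is not None:
            m = STAT_LINE.match(line)
            if m:
                current[m.group(1)] = float(m.group(2))
    if current is not None:  # file ended mid-dump (e.g. simulation killed)
        blocks.append(current)
    return blocks[-1] if blocks else {}


def speccheck_stats(text: str, prefix: str = "speccheck") -> dict:
    """The `grep speccheck m5out/v*.txt` step, restricted to the final dump."""
    return {k: v for k, v in parse_gem5_stats(text).items() if prefix in k}


if __name__ == "__main__":
    for name, value in speccheck_stats(SAMPLE_STATS).items():
        print(f"{name}: {value:g}")
```

Run it against a real file with `speccheck_stats(open("m5out/v1.txt").read())`; vector and histogram stat lines that carry extra columns are skipped by the scalar regex.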