This repository contains two proof-of-concept of cache side-channel attack (i.e., Flush+Reload). As all PoCs are only successfully mounted on Intel CPUs with Ubuntu, please checks your environment. We demonstrated the demos in Ubuntu 16.04 LTS and Intel core i5-7400 3.00 GHz.
$ git clone https://github.com/koreauniv-lsm/CSCA.git
$ cd CSCA
If you are not a student of Korea University's system security practice course, you need to (click toggle) and install conda and matplotlib as follows.
$ wget https://repo.anaconda.com/archive/Anaconda3-2019.10-Linux-x86_64.sh
$ bash Anaconda3-2019.10-Linux-x86_64.sh
$ source ~/.bashrc
$ conda create --name name-of-virtual-env
$ conda activate name-of-virtual-env
$ conda install matplotlib
The PoC1 shows the overall concept for Flush+Reload to operate in one process. (to be extended to Meltdown later)
In the demo, we declare probe_array, which is a set of cache lines, and access only one specific cache line among them, and visually show the difference in latency between accessed and non-accessed cache lines.
In addition, after saving the visually expressed graph, it is sent by e-mail to the user's account. (Using mutt program)
- The target cache line to be input must be entered from 0 to 256. (because probe_array is of size 256 pages)
$ cd poc1
$ ./run.sh {Target_cache_line}
- You can check the target cache line, and result of cache line is same (241)
- Also you can get an intuitive Flush+Reload image with threshold.
- Finally, the picture is sent to the e-mail address set by the user.
- You can check the picture in your mail box (or spam box)
The PoC2 probes that the victim accesses the specific target file (i.e., target.txt), repeatedly. In this demo. the spy and victim achieve a memory sharing on a target file.
You can test this PoC2 codes in two ways.
$ cd poc2
$ make
// spy
$ ./spy target.txt
// victim
$ cat target.txt
$ make
// spy
$ ./spy target.txt
// victim
$ ./victim target.txt
- Installing conda is based on Installing Anaconda in Linux os
- cacheutils.h is based on IAIK/flush_flush
- PoC2 is based on taehunk/simpleFR