Exercise 1: Software Security
For questions not answered here, try one of the support channels.
The tools and code are generally made for Linux, though porting cacheutils to Windows is possible. We do not provide a windows library for task 4, you will need to develop this on linux. However, all tasks, including task 4, should work in WSL (with the exception of code that relies on virtual to physical memory translation, such as the
Prime+Probe calibration tool). The cache template attack reference is also only provided as a linux binary.
Some things *can* be done in VMs, but in general we recommend solving the tasks on native Linux, to avoid any issues.
It is very helpful to use cpupower or cpufreq-utils to set the system to performance mode (”sudo cpupower -c all set -b 0”). It will make your results more reliable and reproducible.
Do not rely on the threshold the calibration tool suggests. We provided you with the knowledge to choose a good threshold for a reason. Use your knowledge and choose a good threshold on your own.
We recommend compiling with -Os or -O3 for best performance with cache attacks.
Cache Template Attacks
You can find the tools shown in the lecture in your task3 subfolder.
If you want to reproduce the example shown in the lecture:
There are different gedit versions. Some use a ”libgedit-private.so”. Check whether your gedit does using ”cat /proc/$(pidof gedit)/maps | grep libgedit”.
If so, you should attack this file instead of ”/usr/bin/gedit” as this is more likely to be successful.
The .text section of the binary does not start at 0x0. Setting the offset (”./spy ”) to the start of the .text section will lower your search time.
As soon as you found 1-2 significant peaks you can stop the search, it’s already enough for the exploitation.
For Task 3, you have to implement both parts of this yourself.
-> Implement one program that lets you find addresses that react to events (i.e., keystrokes), and another one that checks your list of addresses regularly and outputs corresponding info.
Distinguishing different keys is very advanced. We don’t expect anyone to do that, though it would earn you bonus points.
|Group||Target Application||Target Events||False Positive Rate||False Negative Rate|
|Group 00||top secret!||keystrokes, mouse clicks, window active/inactive||0%,||0%|
Cache Covert Channel
Spawn two different processes that communicate with each other via a cache covert channel. If you use
Flush+Reload, this will include establishing some type of shared memory.
There are no restrictions on how you start the transmission initially (you may even write to shared memory), but once it has started, no more direct communication is allowed.
You may use any schemes to keep the processes synchronized, though we recommend the KISS principle.
|Group||Technique||Raw Capacity||Bit Error Ratio||True Capacity|
|Group 00||Flush+Reload (2 threads, 1 bit)||999kB/s||0.00%||999kB/s|