I understand the vulnerability (Spectre) and, in theory, what the PoC does. But I do not understand the part of the PoC where it reads or identifies the data from the cache, between lines 86-108. I know that the PoC is reading the data from the cache by measuring the time of reading from *addr (at line 90), but what exercise has results[] and why does mix_i hit the cache when it represents the byte at the address of the cache hit?

user104787

1 Answer

what exercise has results[]

It is not an exact art. The cache may be hit for an index which is not the one hit by victim_function. The threshold might lead to borderline results.

So the code runs the attack 999 times and increments results[mix_i] when it thinks there is a cache hit. It then selects the result with the highest result value (most expected cache hits) and assumes that is the correct value for the victim byte.

why mix_i hits the cache when it represents the byte at the address of the cache hit?

mix_i is just a way of shuffling i.

for (i = 0; i < 256; i++) {
    mix_i = ((i * 167) + 13) & 255;
    ...
}

The above results in mix_i being initialised as each value between 0-255 once only, but not in the order 0,1,2,3 (as i is). This is done for the reason stated in the comments - to prevent stride prediction.

Hector
  • So the offset of one byte in the cache is equivalent to the value of the byte in the cache, right? – user104787 Jan 11 '18 at 18:03
  • @user104787 - Yes - because the privileged byte was used to index into the array in the speculatively executed instructions. – Hector Jan 11 '18 at 19:30
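Added illustration of the two points in the answer above (this is example code written for this page, not Hector's code and not the Spectre PoC itself): mix_index() is the PoC's (i * 167 + 13) & 255 shuffle, and mix_is_permutation() checks that it visits every value 0..255 exactly once (167 is odd, so it is coprime with 256, which is why the map is a bijection). tally_best() reproduces the voting idea: each round that looks like a cache hit increments results[index], and the index with the highest count is taken as the recovered byte. The per-round "hit" indices in demo() are constructed data standing in for timing measurements, so nothing here touches the cache or a real victim.

```c
#include <stdio.h>
#include <string.h>

/* The PoC's shuffle of the probe-array index (quoted in the answer above). */
static int mix_index(int i) { return ((i * 167) + 13) & 255; }

/* Returns 1 if mix_index maps 0..255 onto 0..255 with no repeats, else 0. */
int mix_is_permutation(void) {
    int seen[256] = {0};
    for (int i = 0; i < 256; i++) {
        int m = mix_index(i);
        if (seen[m]) return 0;   /* a repeat means some value is never probed */
        seen[m] = 1;
    }
    return 1;
}

/* Voting step: hits_per_round[r] is the probe index that looked like a cache
   hit in round r (-1 for "no hit"). results[] accumulates the votes and the
   index with the most votes is returned, as the PoC does with results[mix_i]. */
int tally_best(const int *hits_per_round, int rounds, int results[256]) {
    memset(results, 0, 256 * sizeof(int));
    for (int r = 0; r < rounds; r++) {
        int idx = hits_per_round[r];
        if (idx >= 0 && idx < 256) results[idx]++;
    }
    int best = 0;
    for (int j = 1; j < 256; j++)
        if (results[j] > results[best]) best = j;
    return best;
}

/* Constructed sample (not real measurements): the "true" byte 0x53 ('S') shows
   up as a hit in 16 of 20 rounds; every fifth round reports a spurious index
   instead, modelling the borderline timings the answer mentions. */
int demo(void) {
    int rounds[20];
    for (int r = 0; r < 20; r++)
        rounds[r] = (r % 5 == 4) ? ((r * 37) & 255) : 0x53;
    int results[256];
    return tally_best(rounds, 20, results);   /* 0x53 wins despite the noise */
}

int main(void) {
    printf("mix_index is a permutation: %d\n", mix_is_permutation());
    printf("first few probe indices: %d %d %d %d\n",
           mix_index(0), mix_index(1), mix_index(2), mix_index(3));
    printf("recovered byte from constructed votes: 0x%02x\n", demo());
    return 0;
}
```

The majority vote is what makes the attack tolerate the noise described in the answer; the same property is why a defender cannot rely on a single misprediction being "lucky" for the attacker, and why mitigations target the speculative access itself rather than the timing read.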