Transient Execution Attack Pot

TEApot (Transient Execution Attack pot) is a project for evaluating whether your system is affected by Meltdown-type and Spectre-type transient execution attacks. The goal is an easy-to-use (if hard to implement) and configurable test suite for transient execution attacks.

This project is mainly based on the Transient Fail project developed by IAIK. More information can be found in their paper, A Systematic Evaluation of Transient Execution Attacks and Defenses.

Features

Supported Platform

Operating System

Linux with gcc and the other dependencies listed under Usage.

Developed on kernel 5.4.0-47-generic #51~18.04.1-Ubuntu (Ubuntu 18.04).

CPU

x86 and arm64 are supported.

Supported Vulnerabilities

Meltdown-type and Spectre-type vulnerabilities, following the taxonomy of the paper A Systematic Evaluation of Transient Execution Attacks and Defenses: a Meltdown-type variant is named after the fault or exception that is transiently ignored (for example Meltdown_US for the user/supervisor page-table bit), and a Spectre-type variant after the prediction mechanism that is mistrained (PHT, BTB, RSB or store-to-load forwarding).

The following vulnerabilities are supported:

| Systematic type name | CVE | Description |
|---|---|---|
| Meltdown_AC | - | alignment check exception (#AC); no CVE assigned |
| Meltdown_BR | - | bound range exceeded exception (#BR, MPX); no CVE assigned |
| Meltdown_DE | - | divide error exception (#DE); no CVE assigned |
| Meltdown_GP | CVE-2018-3640 | Spectre V3a, rogue system register read |
| Meltdown_NM | CVE-2018-3665 | Lazy FP state restore |
| Meltdown_P | CVE-2018-3615 / CVE-2018-3620 / CVE-2018-3646 | Foreshadow, L1 terminal fault |
| Meltdown_PK | - | memory protection keys (PKU) bypass; no CVE assigned |
| Meltdown_RW | - | Spectre V1.2, write to a page marked read-only |
| Meltdown_SS | - | stack segment fault (#SS); no CVE assigned |
| Meltdown_UD | - | invalid opcode exception (#UD); no CVE assigned |
| Meltdown_US | CVE-2017-5754 | Meltdown, rogue data cache load |
| Spectre_BTB | CVE-2017-5715 | Spectre V2, branch target injection |
| Spectre_PHT | CVE-2017-5753 | Spectre V1, bounds check bypass |
| Spectre_RSB | - | return stack buffer misprediction (SpectreRSB / ret2spec); no CVE assigned |
| Spectre_STL | CVE-2018-3693 / CVE-2018-3639 | Spectre V1.1, Spectre-NG and V4, speculative store bypass |
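A check worth running next to the table above, as an added example that is not part of TEApot or its run.sh: the Linux kernel publishes its own view of the well-known variants in /sys/devices/system/cpu/vulnerabilities/ (files such as meltdown, spectre_v1, spectre_v2, spec_store_bypass and l1tf, each starting with "Not affected", "Mitigation:" or "Vulnerable"). Comparing that with the suite's verdict flags the two cases a practitioner most wants to see: a PoC that "succeeds" on a CPU the kernel reports as not affected (usually a cache-timing threshold or noise problem), and a PoC that fails on a CPU the kernel reports as unmitigated. The mapping from TEApot type names to sysfs files, the verdict labels and the compare helper are this example's own assumptions, as is reading the suite's -m result codes (0 vulnerable, 1 not vulnerable, anything else error or not tested) as its input.

```shell
#!/bin/sh
# Added example (not part of TEApot or run.sh): cross-check a TEApot verdict
# against the mitigation status the Linux kernel reports in
# /sys/devices/system/cpu/vulnerabilities/. The name mapping and the verdict
# labels below are this example's own assumptions.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map a TEApot type name to the kernel's sysfs file. Only types with a
# kernel-side counterpart are mapped; the rest print nothing.
teapot_to_sysfs() {
    case "$1" in
        Meltdown_US) echo meltdown ;;
        Meltdown_P)  echo l1tf ;;
        Spectre_PHT) echo spectre_v1 ;;
        Spectre_BTB) echo spectre_v2 ;;
        Spectre_STL) echo spec_store_bypass ;;
        *)           echo "" ;;
    esac
}

# Reduce the kernel's free-text status to one word. The kernel prefixes
# every status with "Not affected", "Mitigation:" or "Vulnerable".
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# kernel_status TYPE [DIR]: the kernel's view of a TEApot type. DIR defaults
# to the real sysfs directory; a test can point it at a constructed one.
kernel_status() {
    dir="${2:-$SYSFS_VULN_DIR}"
    f=$(teapot_to_sysfs "$1")
    if [ -z "$f" ] || [ ! -r "$dir/$f" ]; then
        echo unknown
        return 0
    fi
    classify_status "$(cat "$dir/$f")"
}

# compare TYPE CODE [DIR]: CODE is a run.sh -m result (0 vulnerable,
# 1 not vulnerable, anything else error / not tested). Verdicts:
#   agree                    suite and kernel tell the same story
#   suspicious_positive      PoC leaked on a CPU the kernel says is not
#                            affected; re-check the timing threshold first
#   mitigation_not_covering  PoC leaked although a mitigation is active; the
#                            spectre_v1 mitigation is kernel-only and the
#                            spec_store_bypass one is opt-in per process, so a
#                            user-space PoC is not covered by default
#   suspicious_negative      kernel says unmitigated but the PoC failed (noise,
#                            timeout, or a microarchitecture the PoC does not fit)
#   unknown                  no kernel counterpart, or the test did not run
compare() {
    k=$(kernel_status "$1" "$3")
    case "$2:$k" in
        0:vulnerable)               echo agree ;;
        0:not_affected)             echo suspicious_positive ;;
        0:mitigated)                echo mitigation_not_covering ;;
        1:vulnerable)               echo suspicious_negative ;;
        1:mitigated|1:not_affected) echo agree ;;
        *)                          echo unknown ;;
    esac
}

# Stand-alone use: print the kernel's view for every mapped type, so it can be
# read next to the suite's own output.
for t in Meltdown_US Meltdown_P Spectre_PHT Spectre_BTB Spectre_STL; do
    echo "$t kernel=$(kernel_status "$t")"
done
```

Run it on the machine under test after run.sh -m, then feed each suite code into compare (for example `compare Meltdown_US 0`). The sysfs files only exist for variants the kernel knows about, so everything else, including the whole Meltdown_AC/BR/DE/PK/SS/UD family and Spectre_RSB, stays "unknown" on purpose rather than being guessed.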

Configurable features

Select vulnerabilities

This test suite allows you to select the vulnerabilities to test with the option "-v".

The default is "all", which tests all vulnerabilities.

Output valid PoCs

You can enable and specify a markdown file as output of valid (successful) PoCs with the option "-o".

Show simple options

You can show the short option names of the supported vulnerabilities with the option "-s".

Simple result output

In test mode you can use the option "-m" to get a simple result output.

0 means vulnerable, 1 means not vulnerable, and any other value means an error or that the test was not run.

Other details

Use the option "-h" to show all help messages, or read the last part of this document.

Repository Structure

  • lib: Global libraries;
  • libcache: Cache operation libraries;
  • libpte: PTEditor developed by Michael Schwarz that allows manipulation of paging structures via a Linux kernel module;
  • meltdown: PoC of Meltdown-like vulnerabilities;
  • spectre: PoC of Spectre-like vulnerabilities;
  • Makefile: Makefile of this test suite;
  • run.sh: Main entry of this test suite;
  • README.md: The file you are reading!

Usage

  1. Some preparation
```sh
sudo apt-get install libelf-dev build-essential pkg-config bison flex libssl-dev libelf-dev bc
sudo apt-get purge libc6-dev
sudo apt-get install libc6-dev
sudo apt-get install libc6-dev-i386
sudo apt-get install build-essential
sudo apt-get install seccomp
sudo apt-get install libseccomp-dev
sudo apt-get install zsh
```
  2. Clone this repository
```sh
git clone https://github.com/Mashiro1995/TEApot.git
```
  3. Make
```sh
make
```
  4. Grant execution permissions and run!
```sh
chmod +x run.sh
./run.sh
# run.sh asks for your sudo password during the test: the PTEditor kernel module (libpte) has to be loaded.
```
  5. Run options
```
Usage
Test mode                     :  run.sh [-options]
Generation mode               :  run.sh [-options] -g [output-path]
Test all vulnerabilities      :  run.sh [-o filename] [-m]
Test specific vulnerabilities :  run.sh [-v "list of vulnerabilities"] [-o filename] [-m]
Show usage                    :  run.sh -h
Show supported vulnerabilities:  run.sh -l [-m]
Modes
Auto mode tests all vulnerabilities covered by this test suite.
In manual mode, you specify the vulnerabilities to be tested with the option -v followed by a list of vulnerabilities.
Options
-g              generation mode: specify a path to save the selected PoCs to
-o              enable and specify a markdown file as output of valid PoCs
-v              list of vulnerabilities to be tested; if not specified, all vulnerabilities will be tested
-h              show usage
-l              show supported vulnerabilities
-s              show simple supported vulnerability options
-t              specify the timeout, default 120s
-m              used in test mode: simple result output will be available.
                0 means vulnerable, 1 means not vulnerable, other values mean error or not tested.
```
Valid args of -v option

You can select a combination of vulnerabilities with the following inputs:

| Option | Vulnerabilities to be tested |
|---|---|
| all | All vulnerabilities |
| meltdown | All Meltdown vulnerabilities |
| spectre | All Spectre vulnerabilities |
| spectre_btb | All Spectre_BTB vulnerabilities |
| spectre_pht | All Spectre_PHT vulnerabilities |
| spectre_rsb | All Spectre_RSB vulnerabilities |

You can also pass several of the following short names, separated by spaces, to select specific vulnerabilities. The suffixes of the Spectre variants follow the Transient Fail naming: sa = same address space, ca = cross address space, ip = in-place (mistraining at the victim branch's own address), oop = out-of-place (mistraining at a congruent address):

| Option | Vulnerability to be tested |
|---|---|
| ac | Meltdown_AC |
| br | Meltdown_BR |
| de | Meltdown_DE |
| gp | Meltdown_GP |
| nm | Meltdown_NM |
| p | Meltdown_P |
| pk | Meltdown_PK |
| rw | Meltdown_RW |
| ss | Meltdown_SS |
| ud | Meltdown_UD |
| us | Meltdown_US |
| btb_sa_ip | Spectre_BTB_sa_ip |
| btb_sa_oop | Spectre_BTB_sa_oop |
| btb_ca_ip | Spectre_BTB_ca_ip |
| btb_ca_oop | Spectre_BTB_ca_oop |
| pht_sa_ip | Spectre_PHT_sa_ip |
| pht_sa_oop | Spectre_PHT_sa_oop |
| pht_ca_ip | Spectre_PHT_ca_ip |
| pht_ca_oop | Spectre_PHT_ca_oop |
| rsb_sa_ip | Spectre_RSB_sa_ip |
| rsb_sa_oop | Spectre_RSB_sa_oop |
| rsb_ca_ip | Spectre_RSB_ca_ip |
| rsb_ca_oop | Spectre_RSB_ca_oop |
| stl | Spectre_STL |

Examples:

```sh
run.sh
    # Test all vulnerabilities.
run.sh -m
    # Test all vulnerabilities and save the simple result to result.txt.
run.sh -v "meltdown spectre_btb" -o codes
    # Test all Meltdown and all Spectre_BTB type vulnerabilities, and save successful PoCs to path "codes".
run.sh -v "meltdown spectre_btb" -o codes -m
    # Test all Meltdown and all Spectre_BTB type vulnerabilities, save the simple result to result.txt, and successful PoCs to path "codes".
run.sh -v "meltdown spectre_btb" -g codes
    # Save the PoCs of all Meltdown and all Spectre_BTB type vulnerabilities to path "codes" without running the tests (generation mode).
```