*.dSYM/

.tmp_versions/

build/

build*/

bin/

[submodule "extern/PTEditor"]

path = extern/PTEditor

url = https://github.com/misc0110/PTEditor.git

set(HAS_PTEDITOR FALSE)

function(check_pteditor HAS_PTEDITOR)

if(EXISTS "${CMAKE_EXTERNAL_LIB_DIR}/PTEditor")

message(STATUS "External library PTEditor detected")

set(${HAS_PTEDITOR} TRUE PARENT_SCOPE)

add_definitions(-DPTEDITOR)

# link the header

set(src_header "${CMAKE_EXTERNAL_LIB_DIR}/PTEditor/ptedit_header.h")

set(sym_header "${CMAKE_CURRENT_SOURCE_DIR}/include/ptedit_header.h")

if(NOT EXISTS ${sym_header})

execute_process(COMMAND ln -s ${src_header} ${sym_header})

endif()

endif()

endfunction()

function(check_external)

check_pteditor(HAS_PTEDITOR)

endfunction()

function(detect_arch)

execute_process(COMMAND bash -c "gcc -march=native -Q --help=target | grep march | \

OUTPUT_VARIABLE ARCH OUTPUT_STRIP_TRAILING_WHITESPACE)

message(STATUS "Native arch=${ARCH}")

if(ARCH MATCHES "^haswell.*")

message(STATUS "Haswell detected")

add_definitions(-DHASWELL)

set(UARCH_FOUND TRUE)

endif()

if(ARCH MATCHES "^broadwell.*")

message(STATUS "Broadwell detected")

add_definitions(-DHASWELL)

set(UARCH_FOUND TRUE)

endif()

if(ARCH MATCHES "^skylake.*")

message(STATUS "Skylake detected")

add_definitions(-DSKYLAKE)

set(UARCH_FOUND TRUE)

endif()

if(ARCH MATCHES "^cascadelake.*")

message(STATUS "Cascade Lake detected")

add_definitions(-DCASCADE)

set(UARCH_FOUND TRUE)

endif()

if(ARCH MATCHES "^icelake.*")

message(STATUS "Icelake detected")

add_definitions(-DICELAKE)

set(UARCH_FOUND TRUE)

endif()

if(ARCH MATCHES "^alderlake.*")

message(STATUS "Alderlake detected")

add_definitions(-DALDERLAKE)

set(UARCH_FOUND TRUE)

endif()

if(NOT DEFINED UARCH_FOUND)

message(FATAL_ERROR "Unsupported micro-architecture: ${ARCH}")

endif()

endfunction()

function(detect_pti)

execute_process(COMMAND cat /sys/devices/system/cpu/vulnerabilities/meltdown

OUTPUT_VARIABLE PTI OUTPUT_STRIP_TRAILING_WHITESPACE)

message(STATUS "Meltdown mitigation: ${PTI}")

if(PTI MATCHES ".*PTI")

message(STATUS "KPTI detected")

else()

message(STATUS "KPTI not detected")

add_definitions(-DNOPTI)

endif()

endfunction()

cmake_minimum_required(VERSION 3.0)

project(uarch-toolkit VERSION 2.0)

include("CMakeHelper.cmake")

include("CMakeExtern.cmake")

if(NOT ${CMAKE_BUILD_TYPE} STREQUAL "Debug")

message(FATAL_ERROR "Unsupportted build type ${CMAKE_BUILD_TYPE}, "

"only \"Debug\" is allowed")

endif()

if(NOT ${CMAKE_SYSTEM_NAME} STREQUAL "Linux")

message(FATAL_ERROR "Unsupported platform ${CMAKE_SYSTEM_NAME}, "

"only \"Linux\" is supported")

endif()

set(CMAKE_EXPORT_COMPILE_COMMANDS true) # always export compile db

set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR})

set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR})

set(CMAKE_EXTERNAL_LIB_DIR "${CMAKE_CURRENT_SOURCE_DIR}/extern")

set(CMAKE_C_FLAGS "-std=gnu99 -g -Wall -O1 -Wno-unknown-pragmas -Wno-unused-function")

add_definitions(-D_GNU_SOURCE) # make our life easier with Linux

detect_arch()

check_external()

include_directories(include)

add_subdirectory(libs)

add_subdirectory(src)

add_subdirectory(tests)

This repo contains implementations of the paper: **Last-Level Cache Side-Channel Attacks Are Feasible in the Modern Public Cloud**.

In this paper, we demonstrated various techniques to perform an end-to-end, cross-tenant LLC Prime+Probe attack on Google Cloud Run.

These techniques include:

- Faster and noise-resilient eviction-set construction algorithms

- A high-resolution primitive that monitors victim's memory accesses

- Detecting the target cache set of interest in the frequency domain

You can clone the repo by running:

git clone --recursive https://github.com/zzrcxb/LLCFeasible.git

This repo requires `CMake`, `gcc`, and `GNU make` or `ninja-build`.

Your system likely has them already.

We tested our implementations mostly on Intel Skylake-SP and Ice Lake-SP microarchitectures.

Therefore, we recommend trying our implementations on these two microarchitectures.

Porting our implementation to other microarchitectures may require

changing the source code.

Some programs depend on [PTEditor](https://github.com/misc0110/PTEditor),

which is a kernel module that helps page-table manipulation in user space.

Therefore, a kernel module build environment is required.

Note that those programs only use PTEditor to output debug information,

you don't need to install PTEditor for their core functionalities.

Under the project's root directory,

execute:

mkdir build && cd build && cmake ..

After that, under the build directory, execute command:

`make` or `ninja` depending on your build system.

Please refer to this [README](src/README.md) for more details

on each program.

Under the `extern/PTEditor` directory, execute

to build the kernel module.

Then load the module by executing:

sudo insmod module/pteditor.ko

#pragma once

#define UNUSED __attribute__((unused))

#ifdef __clang__

#define OPTNONE __attribute__((optnone))

#define OPTNONE __attribute__((optimize("O0")))

#define ALWAYS_INLINE inline __attribute__((__always_inline__))

#ifdef __KERNEL__

#define ALWAYS_INLINE_HEADER static ALWAYS_INLINE

#define ALWAYS_INLINE_HEADER ALWAYS_INLINE

#pragma once

#include "attribs.h"

#include "num_types.h"

#define _SET_BIT(data, bit) ((data) | (1ull << (bit)))

#define _CLEAR_BIT(data, bit) ((data) & ~(1ull << (bit)))

#define _TOGGLE_BIT(data, bit) ((data) ^ (1ull << (bit)))

#define _WRITE_BIT(data, bit, val) \

(((data) & (~(1ull << (bit)))) | ((!!(val)) << (bit)))

#define _TEST_BIT(data, bit) (!!((data) & (1ull << (bit))))

#define _SEL_NOSPEC(MASK, T, F) \

(((MASK) & (typeof((MASK)))(T)) | (~(MASK) & (typeof((MASK)))(F)))

#define _SHIFT_MASK(shift) ((1ull << shift) - 1)

#define _ALIGNED(data, shift) (!((u64)(data) & _SHIFT_MASK(shift)))

#define __ALIGN_UP(data, shift) ((((u64)(data) >> (shift)) + 1) << (shift))

#define _ALIGN_UP(data, shift) \

((typeof(data))(_ALIGNED(data, shift) ? (u64)(data) \

: __ALIGN_UP(data, shift)))

#define _ALIGN_DOWN(data, shift) \

((typeof(data))((u64)(data) & (~_SHIFT_MASK(shift))))

static __always_inline uint64_t _write_bit_range(uint64_t data, uint16_t end,

uint16_t start,

uint64_t new_val) {

uint16_t width = end - start;

uint64_t mask = (1ull << width) - 1;

if (end <= start)

return data; // invalid range

new_val = (new_val & mask) << start;

mask = ~(mask << start);

data = (data & mask) | new_val;

return data;

}

static __always_inline uint64_t _read_bit_range(uint64_t data, uint16_t end,

uint16_t start) {

// end is excluded

uint16_t width = end - start;

uint64_t mask = (1ull << width) - 1;

if (end <= start)

return 0;

else

return (data >> start) & mask;

}