Add LLC shared kernel data channel

Signed-off-by: Nils Wistoff <[email protected]>
SEL4PROJ · Apr 14, 2023 · 3dbfba8 · 3dbfba8
1 parent 09963ee
commit 3dbfba8
Show file tree

Hide file tree

Showing 6 changed files with 162 additions and 2 deletions.
diff --git a/apps/side-bench/CMakeLists.txt b/apps/side-bench/CMakeLists.txt
@@ -136,6 +136,7 @@ config_choice(
 	"timer;BenchCovertTimer;BENCH_COVERT_TIMER;BenchCovert"
 	"llc kernel;BenchCovertLLCKernel;BENCH_COVERT_LLC_KERNEL;BenchCovert"
 	"cs;BenchCovertCS;BENCH_COVERT_CS;BenchCovert"
+	"llc shared kernel data;BenchCovertLLCSKD;BENCH_COVERT_LLC_SKD;BenchCovert"
 )
 
 config_string(

diff --git a/apps/side-bench/src/bench.c b/apps/side-bench/src/bench.c
@@ -41,6 +41,7 @@ static int (*covert_bench_fun[BENCH_COVERT_FUNS])(bench_env_t *) = {NULL,
     l3_trojan, l3_spy,
     timer_high, timer_low,
     cs_trojan, cs_spy,
+    llc_skd_trojan, llc_skd_spy,
 };
 
 static int (*flush_bench_fun[BENCH_CACHE_FLUSH_FUNS])(bench_env_t *) = 

diff --git a/apps/side-bench/src/bench.h b/apps/side-bench/src/bench.h
@@ -58,6 +58,8 @@ int timer_high(bench_env_t *env);
 int timer_low(bench_env_t *env); 
 int cs_trojan(bench_env_t *env);
 int cs_spy(bench_env_t *env);
+int llc_skd_trojan(bench_env_t *env);
+int llc_skd_spy(bench_env_t *env);
 
 int l1_cache_nothing(bench_env_t *env);
 int l1_cache_flush(bench_env_t *env);

diff --git a/apps/side-bench/src/mastik_common/low.h b/apps/side-bench/src/mastik_common/low.h
@@ -242,8 +242,9 @@
 
 #define L3_THRESHOLD       100
 #define L3_ASSOCIATIVITY   8
-#define L3_SIZE            (512 * 1024) /* 512KiB */
+#define L3_SETS            1024
 #define L3_CACHELINE       64
+#define L3_SIZE            (L3_CACHELINE * L3_SETS * L3_ASSOCIATIVITY) /* 512KiB */
 // The number of cache sets in each slice.
 #define L3_SETS_PER_SLICE  64
 

diff --git a/apps/side-bench/src/mastik_riscv/llc_skd_spy.c b/apps/side-bench/src/mastik_riscv/llc_skd_spy.c
@@ -0,0 +1,148 @@
+#include <autoconf.h>
+#include <manager/gen_config.h>
+#include <side-bench/gen_config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <sel4/sel4.h>
+
+#include "../mastik_common/low.h"
+#include "../mastik_common/l1.h"
+#include <channel-bench/bench_common.h>
+#include <channel-bench/bench_types.h>
+#include <channel-bench/bench_helper.h>
+
+/* LLC Shared Kernel Data Channel */
+
+int llc_skd_trojan(bench_env_t *env) {
+
+
+    seL4_MessageInfo_t info;
+
+    int secret = 0;
+
+    bench_args_t *args = env->args;
+
+    /*buffer size 512K LLC size */
+    char *data = malloc(L3_SIZE);
+    assert(data);
+    data = (char*)ALIGN_PAGE_SIZE(data);
+
+    uint32_t *share_vaddr = (uint32_t*)args->shared_vaddr;
+
+    /*manager: trojan is ready*/
+    info = seL4_MessageInfo_new(seL4_Fault_NullFault, 0, 0, 1);
+    seL4_SetMR(0, 0);
+    seL4_Send(args->r_ep, info);
+
+    /*syn with spy*/
+    seL4_Send(args->ep, info);
+
+
+    for (int i = 0; i < CONFIG_BENCH_DATA_POINTS; i++) {
+        if (i % 1000 == 0 || (i - 1) % 1000 == 0 || i == (CONFIG_BENCH_DATA_POINTS - 1)) printf("TROJAN: Data point %d\n", i);
+
+        /*waiting for a system tick*/
+        newTimeSlice();
+
+        /*evict llc*/
+        for (unsigned int s = 0; s < L3_SETS; s++) {
+            for (unsigned int i = 0; i < 8; i++) {
+                void *v = data + s * 64 + i * 64 * 1024;
+                volatile unsigned int rv;
+                asm volatile("lw %0, 0(%1)": "=r" (rv): "r" (v):);
+            }
+        }
+
+        secret = random() % (L3_SETS + 1);
+
+        /*encode secret by accessing secret number of LLC lines in shared kernel gadget*/
+        riscv_sys_access_shared_gadget(secret);
+
+        /*update the secret read by low*/
+        *share_vaddr = secret;
+
+    }
+    while (1);
+
+    return 0;
+}
+
+int llc_skd_spy(bench_env_t *env) {
+    seL4_Word badge;
+    seL4_MessageInfo_t info;
+
+    uint64_t monitored_mask[MONITOR_MASK];
+
+    for (int m = 0; m < MONITOR_MASK; m++)
+        monitored_mask[m] = ~0LLU;
+
+
+    ccnt_t UNUSED pmu_start[BENCH_PMU_COUNTERS];
+    ccnt_t UNUSED pmu_end[BENCH_PMU_COUNTERS];
+
+    bench_args_t *args = env->args;
+
+    char *data = malloc(L3_SIZE);
+
+    l1info_t l1_1 = l1_prepare(monitored_mask);
+    uint16_t *results = malloc(l1_nsets(l1_1)*sizeof(uint16_t));
+
+    printf("SPY: Probe buffer base: 0x%lx\n", l1_1->memory);
+    printf("SPY: l1_nsets: %d\n", l1_1->nsets);
+
+    /*the record address*/
+    struct bench_l1 *r_addr = (struct bench_l1 *)args->record_vaddr;
+    /*the shared address*/
+    uint32_t volatile *secret = (uint32_t *)args->shared_vaddr;
+
+    /*syn with trojan*/
+    info = seL4_Recv(args->ep, &badge);
+    assert(seL4_MessageInfo_get_label(info) == seL4_Fault_NullFault);
+
+
+    for (int i = 0; i < CONFIG_BENCH_DATA_POINTS; i++) {
+        if (i % 1000 == 0 || (i - 1) % 1000 == 0 || i == (CONFIG_BENCH_DATA_POINTS - 1)) printf("SPY: Data point %d\n", i);
+
+        /*wait for new time slice*/
+        newTimeSlice();
+
+#ifdef CONFIG_MANAGER_PMU_COUNTER
+        sel4bench_get_counters(BENCH_PMU_BITS, pmu_start);
+#endif
+        /*probe by accessing entire shared kernel gadget*/
+        uint32_t before = rdtime();
+        riscv_sys_access_shared_gadget(L3_SETS);
+        r_addr->result[i] = rdtime() - before;
+
+#ifdef CONFIG_MANAGER_PMU_COUNTER
+        sel4bench_get_counters(BENCH_PMU_BITS, pmu_end);
+        /*loading the pmu counter value */
+        for (int counter = 0; counter < BENCH_PMU_COUNTERS; counter++ )
+            r_addr->pmu[i][counter] = pmu_end[counter] - pmu_start[counter];
+
+#endif
+        /*secret is updated by trojan in the previous system tick*/
+        r_addr->sec[i] = *secret;
+
+        /*evict LLC*/
+        for (unsigned int s = 0; s < L3_SETS; s++) {
+            for (unsigned int i = 0; i < 8; i++) {
+                void *v = data + s * 64 + i * 64 * 1024;
+                volatile unsigned int rv;
+                asm volatile("lw %0, 0(%1)": "=r" (rv): "r" (v):);
+            }
+        }
+    }
+
+    /*send result to manager, spy is done*/
+    info = seL4_MessageInfo_new(seL4_Fault_NullFault, 0, 0, 1);
+    seL4_SetMR(0, 0);
+    seL4_Send(args->r_ep, info);
+
+    while (1);
+
+    return 0;
+}
+
+
diff --git a/include/channel-bench/bench_common.h b/include/channel-bench/bench_common.h
@@ -226,8 +226,10 @@ enum ipc_funs{
 #define BENCH_COVERT_TIMER_LOW           24
 #define BENCH_COVERT_CS_TROJAN    25 
 #define BENCH_COVERT_CS_SPY       26
+#define BENCH_COVERT_LLC_SKD_TROJAN    27
+#define BENCH_COVERT_LLC_SKD_SPY       28
 
-#define BENCH_COVERT_FUNS                27
+#define BENCH_COVERT_FUNS                29
 
 
 
@@ -369,6 +371,11 @@ enum ipc_funs{
 #define BENCH_COVERT_SPY       BENCH_COVERT_CS_SPY 
 #endif 
 
+#ifdef CONFIG_BENCH_COVERT_LLC_SKD
+#define BENCH_COVERT_TROJAN    BENCH_COVERT_LLC_SKD_TROJAN
+#define BENCH_COVERT_SPY       BENCH_COVERT_LLC_SKD_SPY
+#endif
+
 
 /*used by kernel determinsitic scheduling benchmark*/
 #ifdef CONFIG_LIB_SEL4_CACHECOLOURING