`nukemod` is a kernel module that can be used to perform controlled-channel attacks and to halt / resume user-space threads from the operating system. It is used in the paper:
- "Game of Threads: Enabling Asynchronous Poisoning Attacks" (ASPLOS 2020)
In particular, this repository contains the kernel code used in the evaluation of the attack against our SGX proof-of-concept (cf. Section 6 in the paper). The full code artifact of the paper is available at:
We tested this code on a bare-metal machine with an Intel i7-6700K CPU @ 4.00GHz. We cannot guarantee that it works on other CPUs or in virtualized environments.
- Ubuntu 16.04 LTS
To monitor page faults, `nukemod` hooks the page fault handler of the Linux kernel. However, this is not allowed by default in the Linux kernel. To circumvent this limitation, we minimally modified kernel 4.4.0-101.124 so that it allows hooking the page fault handler. Here are the instructions to patch and install this kernel.
- Install the required packages by running `sudo apt install -y build-essential ocaml automake autoconf libtool wget python libssl-dev bc`.
- Download Ubuntu kernel 4.4.0-101.124 from here:
- Extract the downloaded kernel into a directory `linux-4.4`.
- Patch the extracted kernel using our provided kernel patch `4.4.0-101.124.patch`. To do this, `cd` into the directory `linux-4.4` and run `patch -p1 < ../4.4.0-101.124.patch`.
- Compile and install the patched kernel. Instructions for this step are available in the README of the kernel itself. In short, you can run:

  ```
  cp /boot/config-`uname -r` .config
  make -j `nproc` && sudo make modules_install && sudo make install
  ```
- After installing the custom kernel, make sure to add the kernel boot parameters `nosmap` and `transparent_hugepage=never` to grub. This can be done by modifying a line in the file `/etc/default/grub`:

  ```
  GRUB_CMDLINE_LINUX_DEFAULT="nosmap transparent_hugepage=never"
  ```
- Run `sudo update-grub` to apply the edits to the configuration.
- Reboot your machine into the custom kernel with the custom configuration.
- Compile the `nukemod` module by running `make`.
- (optional) Clear the message buffer of the kernel using `sudo dmesg --clear`.
- Create a device file for `nukemod` using `sudo mknod /dev/nuke_channel c 1315 0`.
- Load `nukemod` using `sudo insmod nuke.ko`. You can check if it loaded correctly by running `dmesg`.
- Now you can launch the user-space APA attack from this repo: https://github.com/jose-sv/sgx_scheduling. The user-space attack code will invoke the functions that are in this module.
- (optional) You can see what the kernel module was doing during the attack using `dmesg`.
- When you are done with the attack, unload the kernel module using `sudo rmmod nuke`.
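The steps above leave three observable traces on a host: the `nosmap` boot parameter, a loaded module named `nuke`, and the `/dev/nuke_channel` character device. The script below checks for them; it is an added example, not part of the nukemod repository, and its function names and sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of nukemod): report whether a host shows the
# setup this README describes. File arguments default to the live system.

# Exact-token match, so "nosmap" does not match e.g. "xnosmap=1".
has_boot_param() {  # $1 = parameter, $2 = kernel command line file
    tr -s ' \t' '\n\n' < "${2:-/proc/cmdline}" | grep -Fxq -- "$1"
}

# /proc/modules lists one module per line, name in the first column.
module_loaded() {   # $1 = module name, $2 = modules file
    awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' "${2:-/proc/modules}"
}

# Returns 1 if any indicator is present, 0 if none.
audit_host() {      # $1 = cmdline file, $2 = modules file, $3 = device path
    cmdline=${1:-/proc/cmdline}; modules=${2:-/proc/modules}
    dev=${3:-/dev/nuke_channel}; hit=0
    if has_boot_param nosmap "$cmdline"; then
        echo "FINDING: booted with nosmap (SMAP disabled)"; hit=1
    fi
    # THP is often disabled for unrelated reasons, so this is context only.
    if has_boot_param transparent_hugepage=never "$cmdline"; then
        echo "NOTE: booted with transparent_hugepage=never"
    fi
    if module_loaded nuke "$modules"; then
        echo "FINDING: module 'nuke' is loaded"; hit=1
    fi
    if [ -c "$dev" ]; then
        echo "FINDING: character device $dev exists"; hit=1
    fi
    return "$hit"
}

# Constructed sample data (not captured from a real machine).
demo() {
    d=$(mktemp -d) || return 2
    echo 'BOOT_IMAGE=/vmlinuz-4.4.0 root=/dev/sda1 ro nosmap transparent_hugepage=never' > "$d/cmdline"
    printf 'nuke 16384 0 - Live 0x0000000000000000 (OE)\next4 585728 1 - Live 0x0000000000000000\n' > "$d/modules"
    rc=0; audit_host "$d/cmdline" "$d/modules" "$d/no_such_device" || rc=$?
    rm -rf "$d"; return "$rc"
}

case "${1:-}" in
    --demo) demo ;;
    --live) audit_host ;;
esac
```

Run it with `--demo` to see the output on the constructed sample, or with `--live` to check the current machine.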
Some of this code is inspired by other repositories: