Added scripts to test DDP

brianfu · Aug 6, 2024 · 1ebc90b · 1ebc90b
1 parent ae98891
commit 1ebc90b
Show file tree

Hide file tree

Showing 9 changed files with 205 additions and 114 deletions.
diff --git a/debug/config/ddp_check.asm b/debug/config/ddp_check.asm
@@ -0,0 +1,28 @@
+.intel_syntax noprefix
+.test_case_enter:
+.section .data.main
+.function_main_0:
+
+mov rcx, 0x00000048
+rdmsr
+mov dword ptr [r14], eax
+mov dword ptr [r14 + 4], edx
+
+mov edx, 0
+mov eax, 1
+shl eax, 16
+wrmsr
+
+# Procs 16th cache line
+mov rax, qword ptr [r14 + 0x400]
+
+.macro.fault_handler:
+mov eax, dword ptr [r14]
+mov edx, dword ptr [r14 + 4]
+mov rcx, 0x00000048
+wrmsr
+
+# Procs 8th cache line
+mov rax, qword ptr [r14 + 0x200]
+
+.test_case_exit:
diff --git a/debug/config/ddp_check.yaml b/debug/config/ddp_check.yaml
@@ -0,0 +1,17 @@
+executor_mode: P+P
+
+color: true
+logging_modes:
+  - info
+  # - stat
+  # - dbg_generator
+  # - dbg_timestamp
+  # - dbg_violation
+  # - dbg_dump_htraces
+  # - dbg_dump_ctraces
+  # - dbg_dump_traces_unlimited
+  # - dbg_model  # uncomment to debug execution on the model
+  # - dbg_coverage
+  # - dbg_isa_loader
+  # - dbg_priming
+  - dbg_executor_raw
diff --git a/debug/config/nontemplate.yaml b/debug/config/nontemplate.yaml
@@ -7,17 +7,6 @@ contract_execution_clause:
   - seq  # uncomment for non-interference contract
   # - noninterference
 
-# Actor configuration: A host and a user process
-# Observer actor is the attacker for noninterference
-actors:
-  - main:
-    - mode: "host"
-    - privilege_level: "kernel"
-    # - observer: true  # uncomment for non-interference contract
-  - actor2:
-    - mode: "host"
-    - privilege_level: "kernel"
-
 # Detect violations via Chi2-test with a threshold of 0.05
 # At the cost of false negatives; Closer to 1, less tolerance to noise
 analyser: chi2
@@ -62,7 +51,7 @@ instruction_categories:
   - LONGMODE-SEMAPHORE
 
 # Output
-color: true
+# color: true
 logging_modes:
   - info
   - stat

diff --git a/debug/config/template.yaml b/debug/config/template.yaml
@@ -4,24 +4,17 @@ contract_observation_clause: ct
 contract_execution_clause:
   - seq
 
-# Actor configuration: A host and a user process
-# Isolate actors when possible
-actors:
-  - main:
-    - mode: "host"
-    - privilege_level: "kernel"
-  - actor2:
-    - mode: "host"
-    - privilege_level: "kernel"
+# No actors
 
 # Detect violations via Chi2-test with a threshold of 0.05
 # At the cost of false negatives; Closer to 1, less tolerance to noise
 analyser: chi2
-analyser_stat_threshold: 0.2
+analyser_stat_threshold: 0.2 # Default: 0.2
 
 # Executor
-executor_mode: PP+P
-x86_executor_enable_ssbp_patch: true
+executor_mode: P+P
+x86_executor_enable_ssbp_patch: false
+x86_executor_disable_ddp_prefetcher: false
 x86_executor_enable_prefetcher: true
 
 # Misc. configuration
@@ -30,13 +23,17 @@ executor_sample_sizes: # Run every test N times and compare distributions, each
   - 15 # Used for early priming
   - 40
   - 160
-  - 320
+  - 320 # Could be not large enough to deal with uarch noise
 
 # Fuzzer
-enable_observation_filter: true
+# fuzzer: architectural
+enable_speculation_filter: false # PFs vios do not necessarily require execution of transient insts.
+enable_observation_filter: false # PFs vios do not necessarily cause speculative cache evictions
 enable_fast_path_model: true
 coverage_type: model_instructions
 
+executor_taskset: 1 # Use isolated core
+
 instruction_categories:
   - BASE-BINARY
   - BASE-BITBYTE
@@ -58,17 +55,19 @@ instruction_categories:
   - LONGMODE-SEMAPHORE
 
 # Output
-color: true
+# color: true
 logging_modes:
   - info
   - stat
   - dbg_coverage
   - dbg_violation
   - dbg_timestamp
-  - dbg_generator
+  # - dbg_generator
   # - dbg_priming
   # - dbg_model
   # - dbg_executor_raw
   # - dbg_dump_htraces
   # - dbg_dump_ctraces
   # - dbg_dump_traces_unlimited
+
+# program_generator_seed: 12345
diff --git a/debug/config/template_AV.asm b/debug/config/template_AV.asm
@@ -11,8 +11,8 @@
 
 # Prefetching phase
 .function_main_1:
-    # 64 random instructions, 32 mem. accesses
-    .macro.random_instructions.64.32: 
+    # X random instructions, Y mem. accesses
+    .macro.random_instructions.48.24:
 
     # Handoff back to end measurement in attacker
     .macro.switch.actor2.function_actor2_1:
@@ -44,8 +44,7 @@
     lfence          # noremove
 
     # Attacker trains PFs
-    # 64 random instructions, 32 mem. accesses
-    .macro.random_instructions.64.32:
+    .macro.random_instructions.40.20:
     
     # Handoff to victim, see if it can learn from training (would break noninterference)
     .macro.switch.main.function_main_1:

diff --git a/debug/config/template_noactors.asm b/debug/config/template_noactors.asm
@@ -0,0 +1,64 @@
+# Macros are at src/x86/x86_model.py::interpret()
+.intel_syntax noprefix
+.test_case_enter:
+
+.section .data.main
+.function_main_0:
+    # Disable PFs; edx:eax; store edx:eax, id ecx
+    mov ecx, 0x1a4  # noremove
+    mov edx, 0      # noremove
+    mov eax, 0b101111 # noremove
+    wrmsr           # noremove
+    # # Disable DDP
+    # mov ecx, 0x48  # noremove
+    # rdmsr          # noremove
+    # and eax, 0xFFFFFFFB # noremove; Disable SSBD
+    # or eax, 0x100       # noremove; Disable DDP
+    # wrmsr           # noremove
+    # mfence          # noremove
+    # lfence          # noremove
+    .macro.measurement_start:
+    # Enable PFs; edx:eax; store edx:eax, id ecx
+    mov ecx, 0x1a4  # noremove
+    mov edx, 0      # noremove
+    mov eax, 0b000000 # noremove
+    # # Enable DDP
+    # mov ecx, 0x48  # noremove
+    # rdmsr          # noremove
+    # and eax, 0xFFFFFFFB # noremove; Disable SSBD
+    # and eax, 0xFFFFFEFF # noremove; Enable DDP
+    # wrmsr           # noremove
+    # mfence          # noremove
+    # lfence          # noremove
+
+    # 64 random instructions, 32 mem. accesses
+    .macro.random_instructions.64.32: 
+
+    # Disable PFs; edx:eax; store edx:eax, id ecx
+    mov ecx, 0x1a4  # noremove
+    mov edx, 0      # noremove
+    mov eax, 0b101111 # noremove
+    wrmsr           # noremove
+    # # Disable DDP
+    # mov ecx, 0x48  # noremove
+    # rdmsr          # noremove
+    # and eax, 0xFFFFFFFB # noremove; Disable SSBD
+    # or eax, 0x100       # noremove; Disable DDP
+    # wrmsr           # noremove
+    # mfence          # noremove
+    # lfence          # noremove
+    .macro.measurement_end:
+    # Enable PFs; edx:eax; store edx:eax, id ecx
+    mov ecx, 0x1a4  # noremove
+    mov edx, 0      # noremove
+    mov eax, 0b000000 # noremove
+    # # Enable DDP
+    # mov ecx, 0x48  # noremove
+    # rdmsr          # noremove
+    # and eax, 0xFFFFFFFB # noremove; Disable SSBD
+    # and eax, 0xFFFFFEFF # noremove; Enable DDP
+    # wrmsr           # noremove
+    # mfence          # noremove
+    # lfence          # noremove
+.section .data.main
+.test_case_exit:
diff --git a/debug/config/template_nonif.yaml b/debug/config/template_nonif.yaml
@@ -22,8 +22,9 @@ analyser_stat_threshold: 0.2 # Default: 0.2
 
 # Executor
 executor_mode: F+R
-x86_executor_enable_ssbp_patch: true
-x86_executor_enable_prefetcher: true # Test: Only true within measurement area!
+x86_executor_enable_ssbp_patch: false
+x86_executor_disable_ddp_prefetcher: false
+x86_executor_enable_prefetcher: true
 
 # Misc. configuration
 inputs_per_class: 2