search

defuse / flush-reload-attacks

182 stars 78 forks source link

how the address values in flush-reload/original-from-authors/gpg.probe are determined. #72

Open pengxinjun-stu opened 6 months ago

pengxinjun-stu commented 6 months ago

Recently, I've been attempting to reproduce the Flush+Reload attack. While I've managed to understand most parts of the code, I'm still struggling to comprehend how the address values in flush-reload/original-from-authors/gpg.probe are determined. I've tried performing static analysis on GPG using the radare2 framework, but I found that the function addresses I obtained don't seem to match those in the file.

The addresses I obtained for three functions are as follows:

- 0x0009f630   dbg.mpih_sqr_n
- 0x0009e450   dbg.mpihelp_divrem
- 0x0009f0a0   dbg.mul_n

I'm unsure of the relationship between these values and the ones in your file, and I've been unsuccessful in determining how these values are determined. Could you please provide any helpful suggestions or insights?

pengxinjun-stu commented 6 months ago

Has anyone successfully reproduced the paper? Or someone is trying to replicate the work in the paper.

defuse commented 6 months ago

This repo is a replication of the original work, you'll find the replication in myversion/.

The addresses you've found are the offset of the code into the binary file itself; the tool expects the virtual address of the code once it's loaded into memory. The first step is to disable ASLR on your system so that the binary gets loaded into the same place every time. Then you can either find the addresses by debugging a running program using gdb, or use this Ruby script I wrote to find the addresses of functions:

https://github.com/defuse/flush-reload-attacks/blob/master/flush-reload/myversion/ruby/FindProbeAddresses.rb

An example how it's used to find the addresses of functions in links:

https://github.com/defuse/flush-reload-attacks/blob/6560f7ff713e123e312c11f1b265e5a26ad698f6/experiments/links/find_probe_addresses.sh#L3-L8

defuse commented 6 months ago

There are some instructions on replicating it here: https://github.com/defuse/flush-reload-attacks/blob/master/GettingStarted.md

But keep in mind, I haven't run any of this code in years, so I'm not sure if it will still work.

pengxinjun-stu commented 6 months ago

@defuse Firstly, thank you for your response. After utilizing the methods you mentioned, I indeed obtained some addresses, with the values as follows: My version: ruby FindProbeAddresses.rb -n mul_n -n mpih_sqr_n -n mpihelp_divrem -b /usr/local/bin/gpg mul_n: 0xa0390 mpih_sqr_n: 0xa0920 mpihelp_divrem: 0x9f740

Author's version: base = 0x8048000 0x0810090d S #mpih-mul.c:270 (First cache line in mpih_sqr_n()) 0x080ffdc3 r #mpih-div.c:329 (Loop in default case in mpihelp_divrem()) 0x08100191 M #mpih-mul.c:121 (First cache line of mul_n()) mpih_sqr_n(): 0x0810090d - 0x8048000 = b890d mpihelp_divrem(): 0x080ffdc3 - 0x8048000 = b7dc3 mul_n(): 0x08100191 - 0x8048000 = B 8191

It may be due to the linux version, the addresses I obtained differ from those given in the author's original text.However, I can indeed use the above addresses to obtain the spy attack results. Although they do not completely match the results in the author's text, I am still able to achieve a similar structure. Whaterver, thank you for your response.