* Side channel attack
@ 2016-04-15 7:49 Zakirasafi
2016-04-15 9:39 ` Wei Liu
2016-04-15 13:00 ` Mihai Donțu
0 siblings, 2 replies; 4+ messages in thread
From: Zakirasafi @ 2016-04-15 7:49 UTC (permalink / raw)
To: xen-devel
Dear All
The following code is for a side channel attack on the Xen hypervisor. In this
code I am having a problem understanding the highlighted red line. In that
line, what does ".byte 15, byte 49" do???
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_aton */
#include <unistd.h>      /* read */
#include <openssl/aes.h>

unsigned int timestamp(void)
{
  unsigned int bottom;
  unsigned int top;
  /* the highlighted line the question is about */
  asm volatile(".byte 15;.byte 49" : "=a"(bottom),"=d"(top));
  return bottom;
}

unsigned char key[16];
AES_KEY expanded;
unsigned char zero[16];
unsigned char scrambledzero[16];

/* out[0..15] echoes the input block, out[16..31] is scrambledzero, */
/* out[32..35] and out[36..39] hold the two timestamps */
void handle(char out[40],char in[],int len)
{
  unsigned char workarea[len * 3];
  int i;

  for (i = 0;i < 40;++i) out[i] = 0;
  *(unsigned int *) (out + 32) = timestamp();
  if (len < 16) return;
  for (i = 0;i < 16;++i) out[i] = in[i];
  for (i = 16;i < len;++i) workarea[i] = in[i];
  AES_encrypt((unsigned char *) in,workarea,&expanded);
  /* a real server would now check AES-based authenticator, */
  /* process legitimate packets, and generate useful output */
  for (i = 0;i < 16;++i) out[16 + i] = scrambledzero[i];
  *(unsigned int *) (out + 36) = timestamp();
}

struct sockaddr_in server;
struct sockaddr_in client;
socklen_t clientlen;
int s;
char in[1537];
int r;
char out[40];

int main(int argc,char **argv)
{
  /* a failed or short read of the key is an error */
  if (read(0,key,sizeof key) < (ssize_t) sizeof key) return 111;
  AES_set_encrypt_key(key,128,&expanded);
  AES_encrypt(zero,scrambledzero,&expanded);
  if (!argv[1]) return 100;
  if (!inet_aton(argv[1],&server.sin_addr)) return 100;
  server.sin_family = AF_INET;
  server.sin_port = htons(10000);
  s = socket(AF_INET,SOCK_DGRAM,0);
  if (s == -1) return 111;
  if (bind(s,(struct sockaddr *) &server,sizeof server) == -1) return 111;
  for (;;)
  {
    clientlen = sizeof client;
    r = recvfrom(s,in,sizeof in,0
                ,(struct sockaddr *) &client,&clientlen);
    if (r < 16) continue;
    if (r >= sizeof in) continue;
    handle(out,in,r);
    sendto(s,out,40,0,(struct sockaddr *) &client,clientlen);
  }
}
Thanks and Regards,
Zakira Inayat
Ph.D Scholar in University of Malaya, Malaysia
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
* Re: Side channel attack
From: Wei Liu @ 2016-04-15 9:39 UTC (permalink / raw)
To: Zakirasafi; +Cc: xen-devel, Wei Liu
Hello
Please don't post HTML mails.
On Fri, Apr 15, 2016 at 03:49:20PM +0800, Zakirasafi wrote:
> Dear All
> The following code is for a side channel attack on the Xen hypervisor. In this
> code I am having a problem understanding the highlighted red line. In that
> line, what does ".byte 15, byte 49" do???
>
I don't have an HTML-capable mail reader, so I can't see the "highlighted red
line", but I get your idea.
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <openssl/aes.h>
> unsigned int timestamp(void)
> {
> unsigned int bottom;
> unsigned int top;
> *asm volatile(".byte 15;.byte 49" : "=a"(bottom),"=d"(top)); return bottom;*
> }
This is probably some sort of opcode. You can probably find out what
they mean in the Intel or AMD software developer manuals.
Other than that, I don't think we can help you much regarding this
program. You will have better luck contacting the researchers (?) who
wrote this code.
And, if you do find it a security issue in real life, we have a process
of dealing with that, too.
http://www.xenproject.org/security-policy.html
Thanks
Wei.
* Re: Side channel attack
From: Mihai Donțu @ 2016-04-15 13:00 UTC (permalink / raw)
To: Zakirasafi; +Cc: xen-devel
On Fri, 15 Apr 2016 15:49:20 +0800 Zakirasafi wrote:
> The following code is for a side channel attack on the Xen hypervisor. In this
> code I am having a problem understanding the highlighted red line. In that
> line, what does ".byte 15, byte 49" do???
You can use this trick in the future:
$ printf "\xf\x31" | ndisasm -b 64 -
00000000 0F31 rdtsc
--
Mihai Donțu
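Added example (not part of the original thread or of the posted program): the same decoding as the ndisasm trick above, done in C. It parses the operands of GNU as ".byte" directives and matches them against a small constructed table of x86 timing-related opcodes; the function names are illustrative.

```c
/* Added example: name the x86 instruction spelled by ".byte" directives. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Collect the operands of every ".byte" directive in src. Operands may be
 * decimal, 0x-hex or 0-octal. Returns the byte count, or -1 if an operand
 * does not fit in one byte or more than max bytes are present. */
int parse_byte_directives(const char *src, unsigned char *out, int max)
{
    int n = 0;
    const char *p = src;
    while ((p = strstr(p, ".byte")) != NULL) {
        p += 5;
        for (;;) {
            char *end;
            unsigned long v = strtoul(p, &end, 0);
            if (end == p) break;              /* no operand here */
            if (v > 0xFF || n >= max) return -1;
            out[n++] = (unsigned char)v;
            p = end;
            while (isspace((unsigned char)*p)) p++;
            if (*p != ',') break;             /* ',' continues the list */
            p++;
        }
    }
    return n;
}

/* Constructed subset of opcodes, not a full disassembler table. */
static const struct { unsigned char b[3]; int len; const char *name; } known[] = {
    { {0x0F, 0x31, 0x00}, 2, "rdtsc"  },  /* EDX:EAX = time-stamp counter */
    { {0x0F, 0x01, 0xF9}, 3, "rdtscp" },
    { {0x0F, 0x33, 0x00}, 2, "rdpmc"  },
    { {0x0F, 0xA2, 0x00}, 2, "cpuid"  },
};

/* Name the instruction at the start of the decoded bytes, or "unknown". */
const char *identify_asm(const char *src)
{
    unsigned char code[16];
    int n = parse_byte_directives(src, code, (int)sizeof code);
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (n >= known[i].len && memcmp(code, known[i].b, (size_t)known[i].len) == 0)
            return known[i].name;
    return "unknown";
}

int main(void) { puts(identify_asm(".byte 15;.byte 49")); return 0; }
```

In the posted timestamp(), the "=a" and "=d" constraints bind EAX and EDX, and only the low 32 bits (bottom) are returned.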
* Re: Side channel attack
From: liuweijie @ 2016-04-15 12:35 UTC (permalink / raw)
To: zakirasafi; +Cc: xen-devel
Hi Zakirasafi,
> unsigned int timestamp(void)
> {
> unsigned int bottom;
> unsigned int top;
> *asm volatile(".byte 15;.byte 49" : "=a"(bottom),"=d"(top)); return bottom;*
> }
It is the ‘RDTSC’ instruction.
Besides, I am happy that someone is also working on side channel attacks on Xen. Maybe we can get in contact in private.
Weijie.