* Side channel attack
@ 2016-04-15  7:49 Zakirasafi
  2016-04-15  9:39 ` Wei Liu
  2016-04-15 13:00 ` Mihai Donțu
  0 siblings, 2 replies; 4+ messages in thread
From: Zakirasafi @ 2016-04-15  7:49 UTC (permalink / raw)
  To: xen-devel



Dear All,
The following code is for a side channel attack on the Xen hypervisor. In this
code I am having a problem understanding the line highlighted in red. In that
line, what does ".byte 15, byte 49" do???

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>    /* inet_aton() */
#include <unistd.h>       /* read() */
#include <openssl/aes.h>

unsigned int timestamp(void)
{
  unsigned int bottom;
  unsigned int top;
  /* this is the line that was highlighted in the HTML mail */
  asm volatile(".byte 15;.byte 49" : "=a"(bottom),"=d"(top));
  return bottom;
}

unsigned char key[16];
AES_KEY expanded;
unsigned char zero[16];
unsigned char scrambledzero[16];

void handle(char out[40],char in[],int len)
{
  unsigned char workarea[len * 3];
  int i;

  for (i = 0;i < 40;++i) out[i] = 0;
  *(unsigned int *) (out + 32) = timestamp();   /* timestamp before the AES call */
  if (len < 16) return;
  for (i = 0;i < 16;++i) out[i] = in[i];
  for (i = 16;i < len;++i) workarea[i] = in[i];

  AES_encrypt((unsigned char *) in,workarea,&expanded);

  /* a real server would now check AES-based authenticator, */
  /* process legitimate packets, and generate useful output */
  for (i = 0;i < 16;++i) out[16 + i] = scrambledzero[i];
  *(unsigned int *) (out + 36) = timestamp();   /* timestamp after the AES call */
}

struct sockaddr_in server;
struct sockaddr_in client;
socklen_t clientlen;
int s;
char in[1537];
int r;
char out[40];

int main(int argc,char **argv)
{
  /* the 16-byte AES key is read from standard input; a failed or */
  /* short read must not be mistaken for success */
  if (read(0,key,sizeof key) != (ssize_t) sizeof key) return 111;
  AES_set_encrypt_key(key,128,&expanded);
  AES_encrypt(zero,scrambledzero,&expanded);
  if (!argv[1]) return 100;
  if (!inet_aton(argv[1],&server.sin_addr)) return 100;
  server.sin_family = AF_INET;
  server.sin_port = htons(10000);
  s = socket(AF_INET,SOCK_DGRAM,0);
  if (s == -1) return 111;
  if (bind(s,(struct sockaddr *) &server,sizeof server) == -1) return 111;
  for (;;) {
    clientlen = sizeof client;
    r = recvfrom(s,in,sizeof in,0
        ,(struct sockaddr *) &client,&clientlen);
    if (r < 16) continue;
    if (r >= sizeof in) continue;
    handle(out,in,r);
    sendto(s,out,40,0,(struct sockaddr *) &client,clientlen);
  }
}




Thanks and Regards,
Zakira Inayat
Ph.D Scholar in University of Malaya, Malaysia


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel


* Re: Side channel attack
  2016-04-15  7:49 Side channel attack Zakirasafi
@ 2016-04-15  9:39 ` Wei Liu
  2016-04-15 13:00 ` Mihai Donțu
  1 sibling, 0 replies; 4+ messages in thread
From: Wei Liu @ 2016-04-15  9:39 UTC (permalink / raw)
  To: Zakirasafi; +Cc: xen-devel, Wei Liu

Hello

Please don't post HTML mails.

On Fri, Apr 15, 2016 at 03:49:20PM +0800, Zakirasafi wrote:
> Dear All,
> The following code is for a side channel attack on the Xen hypervisor. In this
> code I am having a problem understanding the line highlighted in red. In that
> line, what does ".byte 15, byte 49" do???
> 

I don't have an HTML-capable mail reader, so I can't see the "highlighted red
line", but I get your idea.

> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <openssl/aes.h>
> unsigned int timestamp(void)
> {
>   unsigned int bottom;
>   unsigned int top;
>   asm volatile(".byte 15;.byte 49" : "=a"(bottom),"=d"(top));
>   return bottom;
> }

This is probably some sort of opcode. You can probably find out what
it means in the Intel or AMD software developer manual.

Other than that, I don't think we can help you much regarding this
program. You will have better luck contacting the researchers (?) who
wrote this code.

And, if you do find it a security issue in real life, we have a process
of dealing with that, too.

http://www.xenproject.org/security-policy.html


Thanks
Wei.


* Re: Side channel attack
  2016-04-15  7:49 Side channel attack Zakirasafi
  2016-04-15  9:39 ` Wei Liu
@ 2016-04-15 13:00 ` Mihai Donțu
  1 sibling, 0 replies; 4+ messages in thread
From: Mihai Donțu @ 2016-04-15 13:00 UTC (permalink / raw)
  To: Zakirasafi; +Cc: xen-devel

On Fri, 15 Apr 2016 15:49:20 +0800 Zakirasafi wrote:
> The following code is for a side channel attack on the Xen hypervisor. In this
> code I am having a problem understanding the line highlighted in red. In that
> line, what does ".byte 15, byte 49" do???

You can use this trick in the future:

$ printf "\xf\x31" | ndisasm -b 64 -
00000000  0F31              rdtsc

-- 
Mihai Donțu
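
The decode that the ndisasm command in the reply above performs, written out in C as an added example (not code from the thread or from its participants): it turns the `.byte 15;.byte 49` directive string into the bytes 0F 31 and reads the full 64-bit counter, where the posted timestamp() keeps only the low 32 bits. The names parse_byte_directives, is_rdtsc, read_tsc and low32_delta are made up for this example, and the non-x86 fallback is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse GNU as ".byte N;.byte M" text into bytes; returns count or -1 on error. */
int parse_byte_directives(const char *s, uint8_t *out, int cap)
{
    int n = 0;
    for (;;) {
        while (*s == ' ' || *s == ';') s++;        /* skip separators */
        if (!*s) return n;
        if (strncmp(s, ".byte", 5) != 0) return -1;
        s += 5;
        char *end;
        long v = strtol(s, &end, 0);               /* accepts 15, 0xf, 017 */
        if (end == s || v < 0 || v > 255 || n == cap) return -1;
        out[n++] = (uint8_t)v;
        s = end;
    }
}

/* RDTSC is the two-byte opcode 0F 31 (decimal 15, 49). */
int is_rdtsc(const uint8_t *b, int n)
{
    return n == 2 && b[0] == 0x0F && b[1] == 0x31;
}

/* RDTSC puts the low half of the counter in EAX and the high half in EDX.
 * The posted timestamp() returns only EAX; this returns all 64 bits. */
uint64_t read_tsc(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    struct timespec ts;                            /* assumed non-x86 fallback */
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* Elapsed ticks from two 32-bit readings; unsigned subtraction survives one wrap. */
uint32_t low32_delta(uint32_t start, uint32_t end)
{
    return end - start;
}
```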


* Re: Side channel attack
@ 2016-04-15 12:35 liuweijie
  0 siblings, 0 replies; 4+ messages in thread
From: liuweijie @ 2016-04-15 12:35 UTC (permalink / raw)
  To: zakirasafi; +Cc: xen-devel

Hi Zakirasafi,

> unsigned int timestamp(void)
> {
>   unsigned int bottom;
>   unsigned int top;
>   asm volatile(".byte 15;.byte 49" : "=a"(bottom),"=d"(top));
>   return bottom;
> }

It is the ‘RDTSC’ instruction.

Besides, I am happy that someone is also working on side channel attacks on Xen. Maybe we can get in contact in private.

Weijie.



