SMaCk is a comprehensive toolkit for executing efficient instruction cache attacks via self-modifying code (SMC) conflicts on x86 processors. We leverage the L1 instruction cache by inducing SMC conflicts, which create measurable timing discrepancies that can be exploited for covert channel attacks and sensitive information leakage. Our toolkit demonstrates that SMC mechanisms in modern Intel and AMD microarchitectures can be utilized to enhance traditional Prime+Probe and Spectre attacks on the L1 instruction cache, enabling the extraction of cryptographic keys and the establishment of high-bandwidth covert channels. To validate our approach, we assume that the attacker has injected malicious code into a user-space application running on the victim's device; this code monitors instruction cache timings to infer sensitive operations performed by the victim. We collect extensive cache timing traces from 10 distinct x86 microarchitectures, including Intel Cascade Lake, Comet Lake, and AMD Ryzen 5, across multiple cryptographic libraries.
- The experiment can be conducted on 10 different (Intel and AMD) microarchitectures (Table 3 in the paper).
- Example Intel microarchitecture setup:
  - CPU model: Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz (microcode: 0x5003707)
  - OS: Ubuntu 20.04.6 LTS
  - Linux kernel: 5.15.0-119-generic
  - Software: MATLAB R2021
This process can be run on any of the 10 microarchitectures listed in Table 3 of the paper.

Data collection for the target microarchitecture:

```sh
cd SMaCk/SMaCk_cachetime
make
taskset -c <core#> ./smack_cachetime > {name}.csv
```

Data collection with the Mastik toolkit for baseline comparison:

```sh
cd SMaCk/Mastik_cachetime
make
taskset -c <core#> ./mastik_cachetime > {name}.csv
```

Draw the plot for analysis (MATLAB): edit the script to use the file name produced above, then run

```
Draw_cachetime/cache_draw.m
```

Datasets:

```sh
cd SMaCk/Data
```

One-click script for demonstration:

```sh
cd SMaCk/Mastik_cachetime
./auto_cachetime.sh
```

Note that the timing differences may vary with the microarchitecture, as described in Table 3 of our paper.
The timing difference identified on the target microarchitecture, read from the figure drawn by Draw_cachetime/cache_draw.m, is what the following attacks rely on.
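An added analysis helper, not part of the SMaCk toolkit, that reads the timing difference directly off a collected trace instead of the MATLAB plot: it assumes each line of the `{name}.csv` written by `smack_cachetime` holds one integer cycle count, splits the samples into a fast and a slow latency cluster with Otsu's method, and reports the separating cycle count (the kind of value the later `<Anomaly>` argument expects) together with the gap between the cluster means. The sample trace below is constructed, not measured data.

```python
# Added analysis helper, not part of the SMaCk toolkit.
# ASSUMPTION: each line of the {name}.csv written by smack_cachetime holds one
# integer cycle count in its first comma-separated field; adjust parse_trace()
# if the real file is laid out differently.
from collections import Counter

def parse_trace(lines) -> list[int]:
    """Return one integer cycle count per data line; headers and blanks are skipped."""
    samples = []
    for line in lines:
        field = line.strip().split(",")[0]
        if field.isdigit():
            samples.append(int(field))
    return samples

def otsu_threshold(samples: list[int]) -> int:
    """Cycle count t that best splits the histogram into fast (<= t) and slow (> t)."""
    hist = Counter(samples)
    total = len(samples)
    sum_all = sum(v * c for v, c in hist.items())
    w0 = s0 = 0                       # count and sum of the fast class so far
    best_t, best_var = min(hist), -1.0
    for t in sorted(hist):
        w0 += hist[t]
        s0 += t * hist[t]
        w1 = total - w0
        if w1 == 0:
            break                     # everything is in the fast class
        m0, m1 = s0 / w0, (sum_all - s0) / w1
        var = w0 * w1 * (m0 - m1) ** 2   # between-class variance (scaled)
        if var > best_var:
            best_var, best_t = var, t
    return best_t

def analyze(lines) -> dict:
    """Split a trace into its two latency populations and report their gap in cycles."""
    samples = parse_trace(lines)
    t = otsu_threshold(samples)
    fast = [s for s in samples if s <= t]
    slow = [s for s in samples if s > t]
    return {"threshold": t, "n_fast": len(fast), "n_slow": len(slow),
            "fast_mean": sum(fast) / len(fast), "slow_mean": sum(slow) / len(slow),
            "delta_cycles": sum(slow) / len(slow) - sum(fast) / len(fast)}

# Constructed sample trace (illustrative, not real measurements): most probes near 190 cycles, a minority near 540.
SAMPLE_TRACE = ["180", "185", "190", "190", "195", "200", "185", "190"] * 5 \
             + ["520", "530", "540", "540", "550", "560"] * 3
if __name__ == "__main__":
    print(analyze(SAMPLE_TRACE))
```

Point `analyze()` at `open("{name}.csv")` to run it on a real trace; if the two clusters are not well separated, the reported gap will be small and the threshold should not be trusted.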
Performing the Prime and IProbe attack:

```sh
cd SMaCk/SMaCk_PNP
python prime_probe_gen.py {function name} i
make
taskset -c <core#> ./pnp_attack <target_set> <delay_cycle> <nsamples>
```

Performing the Mastik Prime and Probe attack for baseline:

```sh
cd SMaCk/Mastik_PNP
make
taskset -c <core#> ./mastik_pnp <target_set> <delay_cycle> <nsamples>
```

Binary datasets:

```sh
cd SMaCk/SMaCk_PNP_variants
```

One-click scripts for demonstration:

```sh
cd SMaCk/SMaCk_PNP
# attack without victim access
./auto_pnp.sh
# attack with victim access
./auto_pnp_victim.sh
```
Performing the Spectre attack utilizing SMC behavior on the L1i cache:

- Function_name: one of load, flush, flushopt, store, lock, prefetch, prefetchnta, execute, clwb
- Iteration: number of iterations for the attack
- Anomaly: value read off the smack_cachetime figure (e.g., 500 or 600)

```sh
cd SMaCk/SMaCk_ISpectre
make
taskset -c <core#> ./smack_ispectre <Function_name> <Iteration> <Anomaly>
```

One-click script for demonstration:

```sh
cd SMaCk/SMaCk_ISpectre
./auto_spectre.sh
```