Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2017-5753 PoC — Intel和ARM CPU芯片信息泄露漏洞

Source
https://github.com/pedrolucasoliva/spectre-attack-demo
Associated Vulnerability
Title:Intel和ARM CPU芯片信息泄露漏洞 (CVE-2017-5753)
Description:Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
Description
Example of using revealed "Spectre" exploit (CVE-2017-5753 and CVE-2017-5715)
Readme
# Spectre Attack Example
Example of using revealed "Spectre" exploit from 2 Jan 2018 (CVE-2017-5753 and CVE-2017-5715)

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

* [Spectre paper] - Spectre paper and source of code

## Language
C, uses libs:
* stdio.h
* stdlib.h
* stdint.h
* intrin.h - for rdtscp and clflush

## What's example do?
We're putting text "The Magic Words are Squeamish Ossifrage." in memory and then we're trying to read it using exploit. If system is vulnerable, you'll see same text in output, read from memory.
***
In this code, if the compiled instructions in `victim_function()` were executed in strict program order, the function would only read from `array1[0..15]` since array1 size = 16. However, when executed speculatively, out-of-bounds reads are possible. The `readMemoryByte()` function makes several training calls to `victim_function()` to make the branch predictor expect valid values for x, then calls with an out-of-bounds x. The conditional branch mispredicts, and the ensuing speculative execution reads a secret byte using the out-of-bounds x. The speculative code then reads from `array2[array1[x] * 512]`, leaking the value of `array1[x]` into the cache state. To complete the attack, a simple flush+probe is used to identify which cache line in `array2` was loaded, revealing the memory contents. The attack is repeated several times, so even if the target byte was initially uncached, the first iteration will bring it into the cache.

The unoptimized code reads approximately 10KB/second on an i7 Surface Pro 3.

## Sources
* [Spectre exploits info]
* [CVE-2017-5753] - Variant 1: bounds check bypass
* [CVE-2017-5715] - Variant 2: branch target injection
* [Intel affected CPUs list]

[Spectre paper]: <https://spectreattack.com/spectre.pdf>
[Spectre exploits info]: <https://spectreattack.com>
[CVE-2017-5753]: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753>
[CVE-2017-5715]: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715>
[Intel affected CPUs list]: <https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr>
File Snapshot

 [4.0K]  /data/pocs/eddbb840e132d7cd95f01d516f04046fe8eba24c
├── [ 183]  Makefile
├── [2.3K]  README.md
└── [4.4K]  souce.C

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →