grg/checkm8_tool
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

some bugfixes and changes for a longer term experiment

Browse Source
This commit is contained in:
Gregor Haas
2020-02-24 16:17:01 -05:00
parent 6ec02145b3
commit df40cc6970
2 changed files with 50 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
c8_remote/lib/payload/src/aes_sw.c
View File

@@ -173,6 +173,7 @@ void entry_async(uint64_t *base)
expand_key(key, key_sched, 11, sbox, rc_lookup); expand_key(key, key_sched, 11, sbox, rc_lookup);
// initialize events and buffers
struct aes_sw_bernstein_data *data = (struct aes_sw_bernstein_data *) base; struct aes_sw_bernstein_data *data = (struct aes_sw_bernstein_data *) base;
event_new(&data->ev_data, 1, 0); event_new(&data->ev_data, 1, 0);
event_new(&data->ev_done, 1, 0); event_new(&data->ev_done, 1, 0);
@@ -180,7 +181,7 @@ void entry_async(uint64_t *base)
data->count = 0; data->count = 0;
for(i = 0; i < 16; i++) for(i = 0; i < 16; i++)
{ {
for(j = 0; j < 16; j++) for(j = 0; j < 256; j++)
{ {
data->t[i][j] = 0; data->t[i][j] = 0;
data->tsq[i][j] = 0; data->tsq[i][j] = 0;
@@ -190,17 +191,16 @@ void entry_async(uint64_t *base)
while(1) while(1)
{ {
// randomly generate a new msg based on the old one
for(i = 0; i < 16; i++) for(i = 0; i < 16; i++)
msg_old[i] = msg[i]; msg_old[i] = msg[i];
for(addr = sbox; addr < sbox + 256; addr += 64) // encrypt it and measure time
inv_va(addr);
start = get_ticks(); start = get_ticks();
aes128_encrypt_ecb(msg, msg_len, key, sbox, key_sched, mul2, mul3); aes128_encrypt_ecb(msg, msg_len, key, sbox, key_sched, mul2, mul3);
timing = (double) (get_ticks() - start); timing = (double) (get_ticks() - start);
// update counters
for(i = 0; i < 16; i++) for(i = 0; i < 16; i++)
{ {
data->t[i][msg_old[i]] += timing; data->t[i][msg_old[i]] += timing;
@@ -211,6 +211,7 @@ void entry_async(uint64_t *base)
data->ttotal += timing; data->ttotal += timing;
} }
// check if host has requested data
iter_count++; iter_count++;
if(iter_count % 100000 == 0) if(iter_count % 100000 == 0)
{ {

73
c8_remote/main.c
View File

@@ -490,7 +490,7 @@ void usb_task_exit(struct pwned_device *dev)
int main() int main()
{ {
struct dev_cmd_resp *resp; struct dev_cmd_resp *resp;
struct aes_sw_bernstein_data *data; struct aes_sw_bernstein_data data;
struct pwned_device *dev = exploit_device(); struct pwned_device *dev = exploit_device();
DEV_PTR_T addr_async_buf; DEV_PTR_T addr_async_buf;
@@ -499,6 +499,9 @@ int main()
double udev[16][256]; double udev[16][256];
double taverage; double taverage;
FILE *outfile;
char linebuf[256];
if(dev == NULL || dev->status == DEV_NORMAL) if(dev == NULL || dev->status == DEV_NORMAL)
{ {
printf("Failed to exploit device\n"); printf("Failed to exploit device\n");
@@ -517,7 +520,7 @@ int main()
while(1) while(1)
{ {
sleep(15); sleep(60);
if(IS_CHECKM8_FAIL(open_device_session(dev))) if(IS_CHECKM8_FAIL(open_device_session(dev)))
{ {
printf("failed to open device session"); printf("failed to open device session");
@@ -542,34 +545,9 @@ int main()
return -1; return -1;
} }
data = (struct aes_sw_bernstein_data *) resp->data; memcpy(&data, resp->data, sizeof(struct aes_sw_bernstein_data));
printf("have count %lli\n", data->count);
taverage = data->ttotal / (double) data->count;
for(j = 0; j < 16; j++)
{
for(b = 0; b < 256; b++)
{
u[j][b] = data->t[j][b] / data->tnum[j][b];
udev[j][b] = data->tsq[j][b] / data->tnum[j][b];
udev[j][b] -= u[j][b] * u[j][b];
udev[j][b] = sqrt(udev[j][b]);
}
}
for(j = 0; j < 16; j++)
{
for(b = 0; b < 256; b++)
{
printf("%2d %3d %lli %.3f %.3f %.3f %.3f\n",
j, b, (long long) data->tnum[j][b],
u[j][b], udev[j][b],
u[j][b] - taverage, udev[j][b] / sqrt(data->tnum[j][b])
);
}
}
free_dev_cmd_resp(resp); free_dev_cmd_resp(resp);
resp = execute_gadget(dev, ADDR_EVENT_NOTIFY, 0, 1, resp = execute_gadget(dev, ADDR_EVENT_NOTIFY, 0, 1,
addr_async_buf + offsetof(struct aes_sw_bernstein_data, ev_done)); addr_async_buf + offsetof(struct aes_sw_bernstein_data, ev_done));
if(IS_CHECKM8_FAIL(resp->ret)) if(IS_CHECKM8_FAIL(resp->ret))
@@ -585,6 +563,43 @@ int main()
printf("failed to close device session\n"); printf("failed to close device session\n");
return -1; return -1;
} }
printf("have count %lli\n", data.count);
taverage = data.ttotal / (double) data.count;
for(j = 0; j < 16; j++)
{
for(b = 0; b < 256; b++)
{
u[j][b] = data.t[j][b] / data.tnum[j][b];
udev[j][b] = data.tsq[j][b] / data.tnum[j][b];
udev[j][b] -= u[j][b] * u[j][b];
udev[j][b] = sqrt(udev[j][b]);
}
}
sprintf(linebuf, "dat_%lli.dat", data.count);
outfile = fopen(linebuf, "w+");
if(outfile == NULL)
{
printf("failed to open data file\n");
return -1;
}
for(j = 0; j < 16; j++)
{
for(b = 0; b < 256; b++)
{
sprintf(linebuf,
"%2d %3d %lli %f %f %f %f\n",
j, b, (long long) data.tnum[j][b],
u[j][b], udev[j][b],
u[j][b] - taverage, udev[j][b] / sqrt(data.tnum[j][b]));
fputs(linebuf, outfile);
}
}
fclose(outfile);
} }
free_device(dev); free_device(dev);