Transient Execution Attack Pot
TEApot(Transient Execution Attack pot) is a project used to evaluate whether your system is affected by Meltdown and Spectre. My goal is to build a easy-to-use(hard to implement) and configurable transient attack test suite.
This project is mainly based on project Transient Fail developed by IAIK. More information will be found on their paper A Systematic Evaluation of Transient Execution Attacks and Defenses.
Features
Supported Platform
Operating System
Linux with gcc and other dependent libraries.
Developed on 5.4.0-47-generic #51~18.04.1-Ubuntu.
CPU
x86 and arm64 are supported.
Supported Vulnerablities
Meltdown-like and Spectre-like vulnerabilities, more information will be also found on paper A Systematic Evaluation of Transient Execution Attacks and Defenses.
This vulnerablities are supported:
| Systematic type name | CVE | Description |
|---|---|---|
| Meltdown_AC | - | - |
| Meltdown_BR | - | - |
| Meltdown_DE | - | - |
| Meltdown_GP | CVE-2018-3640 | Spectre V3a, rogue system register read |
| Meltdown_NM | CVE-2018-3665 | Lazy FP |
| Meltdown_P | CVE-2018-3615/CVE-2018-3620/CVE-2018-3646 | Foreshadow, L1 terminal fault |
| Meltdown_PK | - | - |
| Meltdown_RW | Spectre V1.2, write to page with read-only flag | |
| Meltdown_SS | - | - |
| Meltdown_UD | - | - |
| Meltdown_US | CVE-2017-5754 | Meltdown, rogue data cache load |
| Spectre_BTB | CVE-2017-5715 | Spectre V2, branch target injection |
| Spectre_PHT | CVE-2017-5753 | Spectre V1, bounds check bypass |
| Spectre_RSB | - | - |
| Spectre_STL | CVE-2018-3693/CVE-2018-3639 | Spectre V1.1, NG and V4, speculative store bypass |
Configurable features
Select vulnerbilities
This test suite allows you to select the vulnerabilities with option "-v".
Default option is "all" for testing all vulnerabilities.
Output valid PoCs
You can enable and specify a markdown file as output of valid PoCs with option "-o"
Show simple options
You can show simple supported vulnerablities options with option "-s"
Simple result output
You can use option "-m" in test mode, simple result output will be available.
0 means vulnerable, 1 means not vulnerable, other values mean error or not tested.
Other details
You can use option "-h" to show all help messages or read the last part of this document.
Repository Structure
lib: Global libraries;libcache: Cache operation libraries;libpte: PTEditor developed by Michael Schwarz that allows manipulation of paging structures via a Linux kernel module;meltdown: PoC of Meltdown-like vulnerabilities;spectre: PoC of Spectre-like vulnerabilities;Makefile: Makefile of this test suite;run.sh: Main entry of this test suite;README.md: The file you are reading!
Usage
- Some preparation
sudo apt-get install libelf-dev build-essential pkg-config bison flex libssl-dev libelf-dev bc
sudo apt-get purge libc6-dev
sudo apt-get install libc6-dev
sudo apt-get install libc6-dev-i386
sudo apt-get install build-essential
sudo apt-get install seccomp
sudo apt-get install libseccomp-dev
sudo apt-get install zsh- Clone this repository
git clone https://github.com/Mashiro1995/TEApot.git- Make
make- Grant execution permissions and run!
chmod +x run.sh
./run.sh
# notice that you need input your password for kernel operation during this test- Run options
Usage
Test mode : run.sh [-options]
Generation mode : run.sh [-options] -g [output-path]
Test all vulnerablities : run.sh [-o filename] [-m]
Test specific vulnerablities : run.sh [-v "list of vulnerablities"] [-o filename] [-m]
Show usage : run.sh -h
Show supported vulnerablities: run.sh -l [-m]
Modes
Auto mode will test all vulnerablities covered in this test suite.
In manual mode, you can specify vulnerablities to be tested with options -v and followed by a list of vulnerablities.
Options
-g generation mode, specific path to save specific PoCs
-o enable and specify a markdown file as output of valid PoCs
-v list of vulnerablities to be tested. If not specified, all vuls will be test
-h show usage
-l show supported vulnerablities
-s show simple supported vulnerablities options
-t specific timeout time, default 120s
-m used in test mode, simple result output will be available.
0 means vulnerable, 1 means not vulnerable, other values mean error or not tested.
Valid args of -v option
You can select combination of vulnerabilities with following inputs:
| Options | Vulnerabilities to be tested |
|---|---|
| all | All vulnerabilities |
| meltdown | All Meltdown vulnerabilities |
| spectre | All Spectre vulnerabilities |
| spectre_btb | All Spectre_BTB vulnerabilities |
| spectre_pht | All Spectre_PHT vulnerabilities |
| spectre_rsb | All Spectre_RSB vulnerabilities |
You can also use multi_parameters to select specific vulnerabilities and separate them with spaces:
| Options | Vulnerabilities to be tested | Options | Vulnerabilities to be tested |
|---|---|---|---|
| ac | Meltdown_AC | btb_sa_ip | Spectre_BTB_sa_ip |
| br | Meltdown_BR | btb_sa_oop | Spectre_BTB_sa_oop |
| de | Meltdown_DE | btb_ca_ip | Spectre_BTB_ca_ip |
| gp | Meltdown_GP | btb_ca_oop | Spectre_BTB_ca_oop |
| nm | Meltdown_NM | pht_sa_ip | Spectre_PHT_sa_ip |
| p | Meltdown_P | pht_sa_oop | Spectre_PHT_sa_oop |
| pk | Meltdown_PK | pht_ca_ip | Spectre_PHT_ca_ip |
| rw | Meltdown_RW | pht_ca_oop | Spectre_PHT_ca_oop |
| ss | Meltdown_SS | rsb_sa_ip | Spectre_RSB_sa_ip |
| ud | Meltdown_UD | rsb_sa_oop | Spectre_RSB_sa_oop |
| us | Meltdown_US | rsb_ca_ip | Spectre_RSB_ca_ip |
| rsb_ca_oop | Spectre_RSB_ca_oop | ||
| stl | Spectre_STL |
Examples:
# Examples:
run.sh
# Test all vulnerabilities.
run.sh -m
# Test all vulnerabilities and save simple result to result.txt.
run.sh -v "meltdown spectre_btb" -o codes
# Test all Meltdown and all Spectre_BTB type vulnerabilities, and save successful PoCs to path "codes".
run.sh -v "meltdown spectre_btb" -o codes -m
# Test all Meltdown and all Spectre_BTB type vulnerabilities, save simple result to result.txt, and successful PoCs to path "codes".
run.sh -v "meltdown spectre_btb" -g codes
# PoCs of Meltdown and all Spectre_BTB type vulnerabilities will be saved to path "codes" with out test.