gem5-users@gem5.org

The gem5 Users mailing list


Spectre v2 / BTB

Hossam ElAtali
Fri, Mar 22, 2024 11:40 AM

Hi,

I was wondering if anyone was able to get a PoC for Spectre v2/BTB working on gem5. I was able to get Spectre v1 and ret2spec to work, but not Spectre v2. I tried multiple PoCs, cache thresholds, and gem5 configurations (both se and fs; with different branch predictors) but none seem to work. The problem is that the misspeculated gadget is not executed, not that the flush+reload channel does not work. This is supported by the fact that the other working variants use the same flush+reload code and parameters.

Here are the PoCs I tried, all on x86:

* Spectre v2/BTB (all not working):
  * https://github.com/Anton-Cao/spectrev2-poc
  * https://github.com/IAIK/transientfail/tree/master/pocs/spectre/BTB/sa_ip
  * https://github.com/google/safeside/blob/main/demos/spectre_v1_btb_sa.cc
* Spectre v1/PHT:
  * https://github.com/Eugnis/spectre-attack (working)
  * https://github.com/IAIK/transientfail/tree/master/pocs/spectre/PHT/sa_ip (working but fails with some branch predictors)
  * https://github.com/google/safeside/blob/main/demos/spectre_v1_pht_sa.cc (working)
* ret2spec:
  * https://github.com/google/safeside/blob/main/demos/ret2spec_sa.cc (working)

Any help would be appreciated. Thank you.

Best,
Hossam
