Setup the lab: Download the SEEDUbuntu16.04 VM https://seedsecuritylabs.org/lab_env.html Download the instructions: https://seedsecuritylabs.org/Labs_16.04/PDF/Spectre_Attack.pdf

Setup the lab:
Download the SEEDUbuntu16.04 VM
https://seedsecuritylabs.org/lab_env.html
Download the instructions:
https://seedsecuritylabs.org/Labs_16.04/PDF/Spectre_Attack.pdf
Download the VirtualBox and install it:
https://www.virtualbox.org/
Launch the VirtualBox and run the SEED lab
Login using the password “dees.”
You will find the Lab setup files on this link:
https://seedsecuritylabs.org/Labs_16.04/System/Spectre_Attack/
3. Task 1 and 2: Side-Channel Attacks via CPU Caches
3.1 Task 1: Reading from Cache versus from Memory
First, we will read the Cache from memory by typing the following code on the CacheTime.c file that will printout the below result after trying more than ten times:
Add the flag,
gcc -march=native -o ct CacheTime.c
print the Cache
./ct
Figure 1. Reading from Cache versus from Memory.
As we can see above in Figure 1, the array [3*4096] and array [7*4096] are faster than the other elements, the most thresholds in CPU cycles in the arrays are demonstrated below:
Access time for array[0*4096]: 902 CPU cycles
Access time for array[1*4096]: 309 CPU cycles
Access time for array[2*4096]: 213 CPU cycles
Access time for array[3*4096]: 47 CPU cycles
Access time for array[4*4096]: 285 CPU cycles
Access time for array[5*4096]: 48 CPU cycles
Access time for array[6*4096]: 47 CPU cycles
Access time for array[7*4096]: 23 CPU cycles
Access time for array[8*4096]: 47 CPU cycles
Access time for array[9*4096]: 47 CPU cycles
Figure 2. arrays value.
Because of the arrays above in the code, it’s faster than others.
3.2 Task 2: Using Cache as a Side Channel
On this task, we are intended to figure out the Secret Value in the Flushreload.c file for the array[94*4096 + 1024]. Before that, we need to check the default value by typing the following codes
Adding the flag to the FlushReload file:
gcc -march=native -o FlushReload FlushReload.c
then, execute the below code to print the result:
./FlushReload
The result printed is:
array[94*4096 + 1024] is in cache.
The Secret = 94.
Figure 3. FlushReload file
So, now we will change the Secret Value for the same array by editing the file with the below code:
Vi FlushReload.c
Figure 4. FlushReload code.
Figure 5. change the secret value
Now, we will execute the flag code gcc -march=native -o FlushReload FlushReload.c to save the changes then, execute the code following ./FlushReload to see the result.
array[83*4096 + 1024] is in cache.
The Secret = 83.
Figure 6. the result of FlushReload after the change.
4 Task 3: Out-of-Order Execution and Branch Prediction
The objective of this task is to understand the out-of-order execution in CPUs. We will use an experiment to help students observe such kinds of performance.
4.1 Out-Of-Order Execution
At this point, we will check the more significant value in the SpectreExperiment.c and observe what would happen if we changed the value from the vi code. Can we change it correctly? Can we put another value in the arrays and work fine? Let us do that.
First, we will execute the command below to add the flag:
gcc -march=native -o se SpectreExperiment.c
Then, we will check the result by typing the code:
./se
Figure 7. The result of Spectre Experiment code.
Now, we will go to the file SpectreExperiment.c and change the victim value:
vi SpectreExperiment.c
Figure 8. Spectre Experiment code
After that, we will change the Victim value from (97) to (83), then again, we will execute the flag command to save the changes:
gcc -march=native -o se SpectreExperiment.c
Lastly, the result will print the below:
Figure 9. the result of this task
5 Task 4: The Spectre Attack
Here we will check the code value after adding the flag command gcc -march=native -o sa SpectreAttack.c and execute the code ./sa to check if it will start from the array Zero run it many times to find out the result.
Figure 10. The secret value of the array each time.
As we can see above, the result would change every time we execute the command, first it is showing the result below “we can get the secret value”:
array[0*4096 + 1024] is in cache.
The Secret = 0.
Then it will show another result, it will be applying the code on the SpectreAttack.c file starting from the score Zero that came fast from the code, and this will happen again with different results till 1000 times that condition inside the code and get which one is the most:
Figure 11. The spectre attack code
Figure 12. the secret value in the code.
6 Task 5: Improve the Attack Accuracy
In this task, we will do the same scenario to check the secret value and the number of hits after adding the flag:
gcc -march=native -o sai SpectreAttackImproved.c
and execute the command to display the result:
./sai
Figure 13. The result of this code file.
The secret value = 0
The number of hits = 1000
And every time I will do this it will shows the same value,
We will try to debug this by modify the code in SpectreAttackImproved.c file and add for statement:
For(a=0;a