DetectRop: add support that detect jalr in 1/2 + 1/2 slow cycles

3c23055f · Yuxiao Mao · 6e34cc77 · 3c23055f · 3c23055f
Commit 3c23055f authored Sep 01, 2021 by Yuxiao Mao
--- a/src/main/scala/DetectPatternRop.scala
+++ b/src/main/scala/DetectPatternRop.scala
@@ -14,7 +14,7 @@ class DetectPatternRopIn()(implicit val mp: MatanaParams) extends Bundle {
  val isMonitoring = Bool()
  val pack_has_valid = Bool()
  val pack_has_jalr = Bool()
-  val pack_has_jump = Bool()
+  val pack_jalr = Vec(mp.clockDiv, Bool())
  //val pack_has_mispredict = Bool() //TODO
 }

@@ -27,27 +27,50 @@ class DetectPatternRopInternal(params: DetectPatternRopParams)(implicit mp: Mata

  // Attack Pattern
  //   Description: Jalr chained short instruction sequence.
-  //     1) jalr + jalr = c+1, other jump = c-2 (window size 1) (thresh proably 10 as in mispredict1) (window size 2 has high false positive rate)
+  //     1) jalr + jalr = c+1, other jalr = c-2 (window size 1+1) (thresh proably 10 as in mispredict1) (window size 2+1 has high false positive rate)
+  //     2) jalr + jalr = c+1, other jalr = c-2 (window size 1+1, step 1/2)
  //   Note:
  //     1) clockDiv will impact the pattern on window size, smaller clockDiv is perhaps more accurate.
  //     2) ROP gadget destination is likely not in cache, so jalr will take longer and will probably be visible in different clockDiv pack. But this property may increase false positive as legal chain will now seems to be shorter.

  val npackSizeMax = 2
-
  val npack_jalr = RegInit(0.U(npackSizeMax.W)).suggestName("npack_jalr")
  when (in.pack_has_valid) {
    npack_jalr := Cat(npack_jalr(npackSizeMax - 2, 0), in.pack_has_jalr)
  }

+  val nstepNum = 2 // step 1/2 of slow cycle
+  require(mp.clockDiv % nstepNum == 0)
+  require(nstepNum == 2) // Only support value 2 for now, else needs modify the use of dpack_jalr in when
+  val nstepSize: Int = mp.clockDiv / nstepNum
+  val dpack_jalr = Wire(Vec(nstepNum, Bool())).suggestName("dpack_jalr")
+  for (i <- 0 until nstepNum) {
+    dpack_jalr(i) := in.pack_jalr.zipWithIndex.filter{ case (data, index) =>
+        ((index <= nstepSize*(i+1)-1) && (index >= nstepSize*i))
+      }.map(_._1).reduce(_||_)
+  }
+
  val countjalr1 = RegInit(0.U(mp.counterWidth.W)).suggestName("dprop_countjalr1")
+  val countjalr2 = RegInit(0.U(mp.counterWidth.W)).suggestName("dprop_countjalr2")

  when (in.resetCounters) {
    countjalr1 := 0.U
+    countjalr2 := 0.U
  }.otherwise {
-    when (in.isMonitoring && in.pack_has_jump) { // evaluate counter when jump (include pack_has_valid)
-      countjalr1 := Mux(in.pack_has_jalr && npack_jalr(0),
-                        countjalr1 + 1.U,
-                        Mux(countjalr1 >= 2.U, countjalr1 - 2.U, 0.U))
+    when (in.isMonitoring && in.pack_has_jalr) { // evaluate counter when jalr (include pack_has_valid)
+      when (npack_jalr(0)) { // has jalr adjacent
+        countjalr1 := countjalr1 + 1.U
+      }.otherwise { // no jalr adjacent
+        countjalr1 := Mux(countjalr1 >= 2.U, countjalr1 - 2.U, 0.U)
+      }
+      when (npack_jalr(0) && dpack_jalr.reduce(_&&_)) { // has jalr in adjacent window and step
+        countjalr2 := countjalr2 + 2.U
+      }.elsewhen (npack_jalr(0) || dpack_jalr.reduce(_&&_)) { // has jalr in adjacent window or step
+        countjalr2 := countjalr2 + 1.U
+      }.otherwise { // no jalr adjacent
+        countjalr2 := Mux(countjalr2 >= 2.U, countjalr2 - 2.U, 0.U)
+      }
+
    }
  }

@@ -65,6 +88,7 @@ class DetectPatternRopInternal(params: DetectPatternRopParams)(implicit mp: Mata

  override def regmap(offset: Int) =
    RegmapUtil.readValueMax(countjalr1, in.resetCounters, mp.counterWidth, offset, "CountRopJalr1") ++
+    RegmapUtil.readValueMax(countjalr2, in.resetCounters, mp.counterWidth, offset + 0x10, "CountRopJalr2") ++
    Nil
 }


--- a/src/main/scala/MatanaSlowDetection.scala
+++ b/src/main/scala/MatanaSlowDetection.scala
@@ -141,7 +141,7 @@ class MatanaSlowDetectionImp(outer: MatanaSlowDetection, params: MatanaParams)
  detectPatternRop.in.isMonitoring := isMonitoring
  detectPatternRop.in.pack_has_valid := pack_has_valid
  detectPatternRop.in.pack_has_jalr := pack_has_jalr
-  detectPatternRop.in.pack_has_jump := pack_has_jump
+  detectPatternRop.in.pack_jalr := pack_analysis.map(_(4))

  val detectPatternCacheEvent = DetectPatternCacheEvent()
  detectPatternCacheEvent.in.resetCounters := resetCounters