Commit 6363fcc0 authored by Yuxiao Mao

ROP: add multiples packsize for 1 divClock detection

parent c37bffea
......@@ -27,29 +27,82 @@ class DetectPatternRopInternal(params: DetectPatternRopParams)(implicit mp: Mata
// Attack Pattern
// Description: Jalr chained short instruction sequence.
// 1) jalr + jalr = c+1, other jalr = c-2 (window size 1+1) (thresh proably 10 as in mispredict1) (window size 2+1 has high false positive rate)
// 2) jalr + jalr = c+1, other jalr = c-2 (window size 1+1, step 1/2)
// 1) jalr + jalr = c+1, other jalr = c-2 (window size N+1) (thresh proably 10 as in mispredict1)
// Note:
// 1) clockDiv will impact the pattern on window size, smaller clockDiv is perhaps more accurate.
// 2) ROP gadget destination is likely not in cache, so jalr will take longer and will probably be visible in different clockDiv pack. But this property may increase false positive as legal chain will now seems to be shorter.
val npackSizeMax = 2
val npackSizeMax = 16
val npackSize1 = 6
val npackSize2 = 8
val npackSize3 = 10
val npackSize4 = 12
val npackSize5 = 14
val npackSize6 = 16
val npack_jalr = RegInit(0.U(npackSizeMax.W)).suggestName("npack_jalr") // if last N valid cycles has jalr
val npack_jalr_orR1 = RegInit(false.B)
val npack_jalr_orR2 = RegInit(false.B)
val npack_jalr_orR3 = RegInit(false.B)
val npack_jalr_orR4 = RegInit(false.B)
val npack_jalr_orR5 = RegInit(false.B)
val npack_jalr_orR6 = RegInit(false.B)
when (in.pack_has_valid) {
npack_jalr := Cat(npack_jalr(npackSizeMax - 2, 0), in.pack_has_jalr)
npack_jalr := Cat(npack_jalr(npackSizeMax-2, 0), in.pack_has_jalr)
npack_jalr_orR1 := npack_jalr(npackSize1-2, 0).orR || in.pack_has_jalr
npack_jalr_orR2 := npack_jalr(npackSize2-2, 0).orR || in.pack_has_jalr
npack_jalr_orR3 := npack_jalr(npackSize3-2, 0).orR || in.pack_has_jalr
npack_jalr_orR4 := npack_jalr(npackSize4-2, 0).orR || in.pack_has_jalr
npack_jalr_orR5 := npack_jalr(npackSize5-2, 0).orR || in.pack_has_jalr
npack_jalr_orR6 := npack_jalr(npackSize6-2, 0).orR || in.pack_has_jalr
}
val countjalr1 = RegInit(0.U(mp.counterWidth.W)).suggestName("dprop_countjalr1")
val countjalr2 = RegInit(0.U(mp.counterWidth.W)).suggestName("dprop_countjalr2")
val countjalr3 = RegInit(0.U(mp.counterWidth.W)).suggestName("dprop_countjalr3")
val countjalr4 = RegInit(0.U(mp.counterWidth.W)).suggestName("dprop_countjalr4")
val countjalr5 = RegInit(0.U(mp.counterWidth.W)).suggestName("dprop_countjalr5")
val countjalr6 = RegInit(0.U(mp.counterWidth.W)).suggestName("dprop_countjalr6")
when (in.resetCounters) {
countjalr1 := 0.U
countjalr2 := 0.U
countjalr3 := 0.U
countjalr4 := 0.U
countjalr5 := 0.U
countjalr6 := 0.U
}.otherwise {
when (in.isMonitoring && in.pack_has_jalr) { // evaluate counter when jalr (include pack_has_valid)
when (npack_jalr(0)) { // has jalr adjacent
when (npack_jalr_orR1) { // has jalr adjacent
countjalr1 := countjalr1 + 1.U
}.otherwise { // no jalr adjacent
countjalr1 := Mux(countjalr1 >= 2.U, countjalr1 - 2.U, 0.U)
}
when (npack_jalr_orR2) { // has jalr adjacent
countjalr2 := countjalr2 + 1.U
}.otherwise { // no jalr adjacent
countjalr2 := Mux(countjalr2 >= 2.U, countjalr2 - 2.U, 0.U)
}
when (npack_jalr_orR3) { // has jalr adjacent
countjalr3 := countjalr3 + 1.U
}.otherwise { // no jalr adjacent
countjalr3 := Mux(countjalr3 >= 2.U, countjalr3 - 2.U, 0.U)
}
when (npack_jalr_orR4) { // has jalr adjacent
countjalr4 := countjalr4 + 1.U
}.otherwise { // no jalr adjacent
countjalr4 := Mux(countjalr4 >= 2.U, countjalr4 - 2.U, 0.U)
}
when (npack_jalr_orR5) { // has jalr adjacent
countjalr5 := countjalr5 + 1.U
}.otherwise { // no jalr adjacent
countjalr5 := Mux(countjalr5 >= 2.U, countjalr5 - 2.U, 0.U)
}
when (npack_jalr_orR6) { // has jalr adjacent
countjalr6 := countjalr6 + 1.U
}.otherwise { // no jalr adjacent
countjalr6 := Mux(countjalr6 >= 2.U, countjalr6 - 2.U, 0.U)
}
}
}
......@@ -67,6 +120,11 @@ class DetectPatternRopInternal(params: DetectPatternRopParams)(implicit mp: Mata
override def regmap(offset: Int) =
RegmapUtil.readValueMax(countjalr1, in.resetCounters, mp.counterWidth, offset, "CountRopJalr1") ++
RegmapUtil.readValueMax(countjalr2, in.resetCounters, mp.counterWidth, offset + 0x8, "CountRopJalr2") ++
RegmapUtil.readValueMax(countjalr3, in.resetCounters, mp.counterWidth, offset + 0x10, "CountRopJalr3") ++
RegmapUtil.readValueMax(countjalr4, in.resetCounters, mp.counterWidth, offset + 0x18, "CountRopJalr4") ++
RegmapUtil.readValueMax(countjalr5, in.resetCounters, mp.counterWidth, offset + 0x20, "CountRopJalr5") ++
RegmapUtil.readValueMax(countjalr6, in.resetCounters, mp.counterWidth, offset + 0x28, "CountRopJalr6") ++
Nil
}
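Review bot: The jalr history in `npack_jalr` and the new `npack_jalr_orR1` to `npack_jalr_orR6` flags shifts on every `in.pack_has_valid`, and neither `in.resetCounters` nor `in.isMonitoring` touches it, so a jalr seen before a reset or outside monitoring can make the first monitored jalr count as adjacent (+1 instead of the -2 decay). The old check read only `npack_jalr(0)`, the single previous pack, so the carry-over now reaches up to 16 packs back and may add false positives near the threshold. Consider clearing the history with the counters, e.g. `when (in.resetCounters) { npack_jalr := 0.U }` plus `false.B` for the six flags, and add a comment that each flag is registered and so describes the packs before the current one. The hand-written copies also leave `npackSizeMax` to be kept in sync manually; `val npackSizes = Seq(6, 8, 10, 12, 14, 16)` with `val npackSizeMax = npackSizes.max` would avoid that. The class body starts and ends outside the visible hunks.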
......