Meltdown PoC Detailed Code Review [closed] - c

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
I read all weekend about Meltdown and Spectre.
I have also already read the PDFs for Spectre and Meltdown,
which are must-reads for anyone seeking more knowledge about these exploits, but unfortunately they don't provide detailed explanations of the code.
I found various PoCs on GitHub, which were very interesting, but I lack the knowledge to fully understand them. I would be thankful for more explanation of specific parts:
In this link https://github.com/dendisuhubdy/meltdown/blob/master/src/poc.c , and in other git repositories as well, there are many interesting parts in the design of this exploit.
Time reads
/* Time reads. Order is lightly mixed up to prevent stride prediction */
for (i = 0; i < 256; i++) {
    mix_i = ((i * 167) + 13) & 255;
    addr = &array2[mix_i * 512];
    time1 = __rdtscp(&junk);           /* READ TIMER */
    junk = *addr;                      /* MEMORY ACCESS TO TIME */
    time2 = __rdtscp(&junk) - time1;   /* READ TIMER & COMPUTE ELAPSED TIME */
    if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
        results[mix_i]++;              /* cache hit - add +1 to score for this value */
}
Why do we use the prime numbers 167 and 13?
/* Locate highest & second-highest results results tallies in j/k */
Why do we care about getting the max value?
Explanations of other parts are very welcome as well!
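The two questions above can be answered by exercising the index-mixing formula and the tally logic in isolation. This is an added example, not code from the linked PoC; the function names, the "2x + 5" confidence margin and the NLINES constant are assumptions made here. Because 167 is odd (coprime to 256), i*167+13 mod 256 is a bijection on 0..255, so every probe line is visited exactly once in a non-sequential order; the top-two search then tells whether one byte value clearly leads the others or whether the tally is just noise.

```c
#include <stdint.h>

#define NLINES 256   /* one probe line per possible byte value */

/* The PoC's mixing: i -> (i*167 + 13) & 255. */
int mix_index(int i)
{
    return ((i * 167) + 13) & 255;
}

/* Returns 1 if (i*mult + add) & 255 visits every value 0..255 exactly
 * once. This holds exactly when mult is odd (coprime to 256); 167 is odd
 * and 13 merely rotates the start, so no probe line is skipped or read
 * twice while the visiting order still breaks the sequential stride. */
int index_order_is_permutation(int mult, int add)
{
    uint8_t seen[NLINES] = {0};
    for (int i = 0; i < NLINES; i++) {
        int m = ((i * mult) + add) & 255;
        if (seen[m])
            return 0;          /* two i map to the same line */
        seen[m] = 1;
    }
    return 1;
}

/* Locate the highest and second-highest tallies: *best is the byte value
 * whose probe line scored the most cache hits, *second the runner-up. */
void top_two(const int results[NLINES], int *best, int *second)
{
    int j = -1, k = -1;
    for (int i = 0; i < NLINES; i++) {
        if (j < 0 || results[i] >= results[j]) { k = j; j = i; }
        else if (k < 0 || results[i] >= results[k]) { k = i; }
    }
    *best = j;
    *second = k;
}

/* Why the max matters: a single hit can come from timing noise or the
 * prefetcher, so the leader is accepted only when it clearly beats the
 * runner-up. The "2x + 5" margin is an assumed rule, not from the page. */
int tally_is_confident(const int results[NLINES])
{
    int j, k;
    top_two(results, &j, &k);
    return results[j] >= 2 * results[k] + 5;
}
```

Try index_order_is_permutation(166, 13): an even multiplier makes i=0 and i=128 land on the same line, which is why the PoC needs an odd constant rather than specifically a prime one.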

Related

Recursive values in 4th order RK method for projectile (quadratic drag) in C [closed]

Closed. This question needs debugging details. It is not currently accepting answers.
Closed 4 years ago.
I am trying to code projectile motion of a shell using 4th order RK method. I am facing a problem in the following code.
for (i=1; i<=n; i=i+1)
{
    ax[i]= (-kk[i]*v[i]*vx[i])/m;
    ay[i]= ((-kk[i]*v[i]*vy[i])-(m*g))/m;
    k1= ax[i];
    m1= ay[i];
    k2= (-kk[i]*v[i]*(vx[i]+(k1*delt/2)))/m;
    m2= (-kk[i]*v[i]*(vy[i]+(m1*delt/2)))/m;
    k3= (-kk[i]*v[i]*(vx[i]+(k2*delt/2)))/m;
    m3= (-kk[i]*v[i]*(vy[i]+(m2*delt/2)))/m;
    k4= (-kk[i]*v[i]*(vx[i]+(k3*delt)))/m;
    m4= (-kk[i]*v[i]*(vy[i]+(m3*delt)))/m;
    vx[i+1]= vx[i]+((1/6)*(k1+2*k2+2*k3+k4)*delt);
    vy[i+1]= vy[i]+((1/6)*(m1+2*m2+2*m3+m4)*delt);
    x[i+1]= vx[i+1]*delt;
    y[i+1]= vy[i+1]*delt;
    xx[i+1]= x[i+1] + xx[i];
    yy[i+1]= y[i+1] + yy[i];
    t[i+1]= t[i]+delt;
    v[i+1]= sqrt((vx[i+1]*vx[i+1])+(vy[i+1]*vy[i+1]));
    if ((yy[i+1]<0)&&(i!=1))
    //if (i==100)
    {
        nn=i;
        i=n;
    }
    printf ("%f\t%f\t%f\t%f\t%f\t%f\t\n", t[i], vx[i], vy[i], v[i], xx[i], yy[i]);
}
In the above code ax, ay, vx and vy are the accelerations and velocities in the x and y directions, and delt represents the time step. xx and yy are the positions at the corresponding time steps.
After applying the fourth-order RK method I try to find the velocities in the next time step, to obtain the corresponding values in the loop until the projectile hits the ground. But I only get the same values as vx[1] and vy[1] for every iteration, and it repeats. I am a beginner in C programming and still at an initial stage of using loops.
The problem is here:
vx[i+1]= vx[i]+((1/6)*(k1+2*k2+2*k3+k4)*delt);
vy[i+1]= vy[i]+((1/6)*(m1+2*m2+2*m3+m4)*delt);
1/6: both numbers are integers, so this evaluates to 0, making your statements:
vx[i+1]= vx[i];
vy[i+1]= vy[i];
Make them floating point. And since you calculate it often, make it a constant.
const double one_sixth = 1.0 / 6.0;
Then
vx[i+1]= vx[i]+(one_sixth * (k1+2*k2+2*k3+k4)*delt);
vy[i+1]= vy[i]+(one_sixth * (m1+2*m2+2*m3+m4)*delt);

Exploiting strcpy() in C with Buffer overflow, [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 5 years ago.
I'm new to the subject of computer security, and I came across this table
char *
isdn_net_newslave(char *parm)
{
    char *p = strchr(parm, ',');
    isdn_net_dev *n;
    char newname[10];

    if (p) {
        /* Slave-Name MUST not be empty */
        if (!strlen(p + 1))
            return NULL;
        strcpy(newname, p + 1);
        *p = 0;
        /* Master must already exist */
        if (!(n = isdn_net_findif(parm)))
            return NULL;
        /* Master must be a real interface, not a slave */
        if (n->local->master)
            return NULL;
        /* Master must not be started yet */
        if (isdn_net_device_started(n))
            return NULL;
        return (isdn_net_new(newname, n->dev));
    }
    return NULL;
}
I want to get a root shell by exploiting strcpy() or strchr().
I'm having some trouble exploiting this in C, even though it has strcpy() and strchr() inside it, because this is my first buffer overflow exploitation.
My questions:
I don't know ASLR well. How does it interfere with the buffer overflow from a C script? I don't want to disable it; I'm looking at practical exploitation.
How do I manipulate the variable newname?
And how do I target this exact piece of code? Actually, this code starts at line 2639 in the original code.
Please help me with this! Thank you!
Original Code:
https://kernel.googlesource.com/pub/scm/linux/kernel/git/ralf/linux/+/linux-3.18.19/drivers/isdn/i4l/isdn_net.c
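The defect in the code above is that strcpy(newname, p + 1) copies strlen(p + 1) + 1 bytes into the 10-byte stack array newname with no check against its size. The following is an added example, not the kernel's code or its fix: a user-space model of the same "master,slave" parsing in which the copy is bounded by the destination size, so an over-long slave name is rejected instead of overrunning the buffer. split_slave_spec and NAME_LEN are names chosen here.

```c
#include <string.h>

#define NAME_LEN 10   /* same capacity as newname[10] in the original */

/* Splits "master,slave" into two NAME_LEN buffers. Returns 0 on success and
 * -1 when there is no comma, the slave name is empty (the original's check),
 * or either part would not fit together with its NUL terminator (the check
 * the original's strcpy() lacks). The input string is left unmodified. */
int split_slave_spec(const char *parm, char master[NAME_LEN], char slave[NAME_LEN])
{
    const char *p = strchr(parm, ',');
    if (!p)
        return -1;

    size_t mlen = (size_t)(p - parm);      /* bytes before the comma */
    size_t slen = strlen(p + 1);           /* bytes after the comma */

    if (slen == 0)                         /* Slave-Name MUST not be empty */
        return -1;
    if (mlen >= NAME_LEN || slen >= NAME_LEN)
        return -1;                         /* reject instead of overflowing */

    memcpy(master, parm, mlen);
    master[mlen] = '\0';
    memcpy(slave, p + 1, slen);
    slave[slen] = '\0';
    return 0;
}
```

The rule that generalises from this case: whenever a copy goes into a fixed-size buffer, compare the source length against sizeof the destination before copying, and treat "does not fit" as an input error rather than truncating silently.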
Any overflow (buffer, stack, heap, ...) requires shellcode to lead to an exploit.
ASLR and DEP randomize the location of specific modules (like, e.g., the stack, heap, libc) in memory by a random offset, cf. https://security.stackexchange.com/questions/18556/how-do-aslr-and-dep-work
On Linux you can see how ASLR works with cat /proc/self/maps (With ASLR turned on, are all sections of an image get loaded at the same offsets relative to the image base address every time?)
If this were not done and the modules were at static positions in memory (like it was back in the old days), one would have a static address where specific functions are located, and these addresses could be used as an entry point for the shellcode execution, because any overflow exploit has the goal of placing shellcode in memory and executing this shellcode via a pointer to its specific position in memory.
I will not tell you more about grey techniques here, but maybe have a look at return-oriented programming, which is a variant of the overflow technique that is still efficient
(Exploiting a string-based overflow on x86-64 with NX (DEP) and ASLR enabled)

Why does this if statement not run? [closed]

Closed. This question needs debugging details. It is not currently accepting answers.
Closed 6 years ago.
I have this C code, and neither the if nor the else block is running when I step through it with the debugger.
Here is the code:
if(P2IN & BIT4 == BIT4 ){
    car_lock ^= BIT0;
    is_pressed = 1;
}else{
    is_pressed = 0;
}
At this point in the code, P2IN = 00010000
It seems like neither the if nor the else block is running; what am I missing?
The problem is in your if statement. The == operator takes higher precedence than the &, so what's really being evaluated is:
(P2IN & (BIT4 == BIT4))
You need to change your code to:
if ((P2IN & BIT4) == BIT4)
There's a useful webpage about operator precedence here.

What is the C way to report progress of computation? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
This is a follow-up question to Using a thread in C++ to report progress of computations.
Suppose that I have a for loop which executes run_difficult_task() many times, and I would like to infer how far the loop has advanced. I used to write:
int i;
for (i=0; i < 10000; ++i) {
    run_difficult_task(i);
    if (i % 100 == 0) {
        printf("i = %d\n", i);
    }
}
but the main problem with such approach is that executing run_difficult_task() might literally take forever (by being stuck in an infinite loop, etc.), so I would like to get a progress report in every k seconds by means of printing out the value of the loop variable i.
I found quite a rich literature on this site regarding object-oriented multithreading (which I am not really familiar with) in various programming languages, but the questions I found about doing this C-style seem quite outdated. Is there a platform-independent, C11 way to do what I want? If there is not, then I would be interested in methods working on Unix and with gcc.
Note: I do not wish to run various instances of run_difficult_task in parallel (with, for example, OpenMP), but I want to run the for loop and the reporting mechanism in parallel.
Related: How to "multithread" C code and How do I start threads in plain C?
Linux (and also POSIX systems) provides the alarm library call. This allows you to do something after an interval of seconds without interrupting your main thread, and without bothering with multi-threading when you don't really need it. It was very much created for use cases like yours.
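An added example of the alarm() approach described above (not code from the answer): the loop only stores its index in a sig_atomic_t, and the SIGALRM handler prints it every REPORT_SEC seconds and re-arms itself. The handler deliberately avoids printf(), which is not async-signal-safe and can deadlock or corrupt stdio state when it interrupts the main thread mid-call; it formats by hand and uses write(). REPORT_SEC, progress_i, format_progress and start_progress_reports are names chosen here; run_difficult_task is the question's.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <unistd.h>
#define REPORT_SEC 2                               /* the "k seconds" */
static volatile sig_atomic_t progress_i = 0;       /* set to i by the loop */

/* Formats "i = <n>\n" into buf without stdio (printf is not async-signal-
 * safe). Returns the byte count, or 0 if n < 0 or buf is too small. */
size_t format_progress(char *buf, size_t cap, long n)
{
    static const char prefix[] = "i = ";
    char digits[24];
    size_t nd = 0, pos = 0;
    if (n < 0)
        return 0;
    do { digits[nd++] = (char)('0' + n % 10); n /= 10; } while (n > 0);
    if (sizeof prefix - 1 + nd + 1 > cap)
        return 0;
    memcpy(buf, prefix, sizeof prefix - 1);
    pos = sizeof prefix - 1;
    while (nd > 0)
        buf[pos++] = digits[--nd];                 /* digits were built reversed */
    buf[pos++] = '\n';
    return pos;
}

static void on_alarm(int sig)
{
    char buf[40];
    size_t len = format_progress(buf, sizeof buf, (long)progress_i);
    (void)sig;
    if (len > 0)
        (void)write(STDERR_FILENO, buf, len);      /* write() is signal-safe */
    alarm(REPORT_SEC);                             /* re-arm for the next report */
}

/* Installs the SIGALRM handler and arms the first alarm. Returns 0 or -1. */
int start_progress_reports(void)
{
    struct sigaction sa;
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;   /* blocking calls in the loop keep working */
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return -1;
    alarm(REPORT_SEC);
    return 0;
}
```

In the loop, call start_progress_reports() once before it, assign progress_i = i at the top of each iteration before run_difficult_task(i), and call alarm(0) after the loop to cancel the pending report.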
You can try using one thread (the worker thread) or possibly two (one that does computations and one that displays output while main is doing something else or just waiting) and some global variables (ugh).
The first thread will be your workhorse doing computations and updating some global variable. The second one (maybe simply the main thread) will then check whether this variable has changed or not and then print the stats (perhaps, that variable will hold the stats, for example, percentage).
What you can try:
int ping = 0, working = 0, data;

// in main thread
for (/* something */){
    // spawn worker thread
    while (working) {
        if (ping) printf("%d\n", data), ping = 0;
    }
}

// in worker thread
working = 1;
while (/* something */) {
    // do a lot of computations
    if (/* some condition */) {
        if (! ping) {
            data = /* data */
            ping = 1;
        }
    }
}
working = 0;
Here's a simple time based progress indicator that I've often used:
#include <stdio.h>
#include <time.h>

void
progress(int i)
{
    time_t tvnow;
    static time_t tvlast;
    static time_t tvbeg;

    /* first call: record the start time and force an immediate report */
    if (tvbeg == 0) {
        tvbeg = time(NULL);
        tvlast = tvbeg - 2;
    }

    tvnow = time(NULL);
    /* report at most once per second: elapsed seconds and current i */
    if ((tvnow - tvlast) >= 1) {
        printf("\r%ld: i = %d", (long)(tvnow - tvbeg), i);
        fflush(stdout);
        tvlast = tvnow;
    }
}

int i;
for (i=0; i < 10000; ++i) {
    run_difficult_task(i);
    progress(i);
}
UPDATE:
Does this update if run_difficult_task(i) runs for longer than 2 seconds?
No, but I've updated the example to put the progress code in a separate function, which is what I normally do in my own code.
You'll have to add calls to the progress function within run_difficult_task to get finer-grained progress; this is something I also do in my own code.
But, notice that I added an elapsed time [in seconds] to the progress.
If you didn't care about that, if run_difficult_task takes longer than 2 seconds to run, there is no progress until it returns as you define it because progress is defined by incrementing i which is done by the outer loop.
For my own stuff, the progress function can handle an arbitrary number of progress indicators from an arbitrary number of worker threads.
So, if that would be of interest to you, and [say] run_difficult_task has some inner loop variables like j, k, l, these could be added to the progress. Or, whatever you wish to report on.

MATLAB loop-index issue [closed]

Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
Closed 6 years ago.
Context: I must create a program that describes the motion of a car being tested for a quarter-mile time as part of a performance analysis. This involves time, distance, velocity, acceleration, forces, torque, and rotational speed.
In the last for loop I get the following error with whatever line of code is at the top (in this example the engine torque):
"Attempted to access RPM(2); index out of bounds because numel(RPM)=1."
clear all
close all
clc

time(1) = 0; %[seconds]
dist(1) = 0;
vel(1) = 0;
accel(1) = 0;
RPMmin = 1200;
RPM(1) = RPMmin;
r = 19; %[inches]
wt = 3760; %[pounds]
Ng = [3.253, 2.233, 1.611, 1.243, 1, 0.629]; %{Gear Ratio}
Nd = [3.73]; %differential ratio
dt = 0.1; %time increment

for k = 1:1:6
    xntt(k) = Ng(k) * Nd;
    xmf(k) = 1 + (0.04 * xntt(k)) + (0.0025 * xntt(k)^2);
    gst = 0.25; %gear shift time
end

for i = 1:1:1000
    Te(i) = 18.154 + (.1571 * RPM(i)) - (0.0000147 * (RPM(i))^2);
    fx(i) = Te(i) * xntt(k)/(r/12);
    dV(i + 1) = (32.2/(wt * xmf(k)))*fx(i);
    accel(i + 1) = dV(i)/dt;
    vel(i + 1) = vel(i) + (dV(i) * dt);
    dist(i + 1) = dist(i) + vel(i + 1)*dt;
    time(i + 1) = time(i) + dt;
    RPM(i) = (vel(i + 1)*60*xntt(k))/((2*pi*r)/12);
end
This happens when i=2 inside the for loop (second iteration). Depending on RPM, you basically have two choices:
Let Te(i) depend on RPM(i-1), so Te(2) will depend on RPM(1) and so on. This will, however, throw an error when i=1, because then i-1=0 and MATLAB allows only positive indices, so you need to place an if check inside the loop.
Let RPM grow just like Te, so if at iteration i you're writing to Te(i+1), write to RPM(i+1) as well.
Both of these approaches lead to code with no errors (i.e. syntactically correct), but then you must choose the correct approach depending on what your problem is and how such vectors are "linked" together (i.e. your code must be semantically correct as well).
