SpeechMiner is an open-source framework for analyzing Meltdown-like speculative execution side-channel vulnerabilities. Refer to our NDSS'20 paper for more details.

The framework contains a few page table manipulation components from SGX-STEP.

To build the tool framework, part of the SGX-STEP toolset needs to be built. The related code is extracted to libsgxstep directory and kernel_sgxstep directory. kernel_sgxstep includes the kernel module used by libsgxstep. Due to extra dependency over linux-sgx-driver, please download and build the Linux SGX Driver.

git clone https://github.com/intel/linux-sgx-driver.git
cd linux-sgx-driver
sudo apt-get install linux-headers-$(uname -r)
make
sudo mkdir -p "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"    
sudo cp isgx.ko "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"    
sudo sh -c "cat /etc/modules | grep -Fxq isgx || echo isgx >> /etc/modules"    
sudo /sbin/depmod
sudo /sbin/modprobe isgx

Afterwards, build kernel_sgxstep.

cd kernel_sgxstep
make

To build libsgxstep, perform

cd libsgxstep
make

and check for the appearance of libsgxstep.a.

Then build the second kernel module.

cd kernel_setexec
make

If you are using a new linux version, the page table structure variables may be renamed to a 5-layer one. A quick fix is to rename them accordingly. (The fix is under development.) In case of a definition error (typically caused by linux kernel updates, as the current version is written for linux 4.10.3), try replacing the relevant function names to the correct ones. For example, native_read_cr3() is not available in linux 5.8. Replace it with __native_read_cr3() instead.

After the two kernel modules are compiled, load them with

sudo insmod kernel_sgxstep/sgx-step.ko
sudo insmod kernel_setexec/setexec.ko

In the root directory, execute

make

to build everything. If you are using a new linux version, you may encounter error: conflicting types for ‘pkey_set’. In such cases, simply rename the function (as well as its references) to pkey_set_.

There is also a 32-bit library and test suites located in directory 32-bit to test segmentation-related vulnerabilities.

cd 32-bit
make

To perform tests, simply execute the generated executables. For example, to test SMAP-related vulnerability, run

sudo ./new_physical_reader_test_smap

SPEECHMINER: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

Yuan Xiao, Yinqian Zhang, Mircea-Radu Teodorescu, Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, Feb. 2020.