Skip to content

necst/aca25-xiangshan-spectre

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
cachehitmisstime
cachehitmisstime
 
 
deliverables
deliverables
 
 
spectre-v1
spectre-v1
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

Spectre on XiangShan

This repository contains the code for the project of Advanced Computer Architectures (A.Y. 2025@Politecnico di Milano).

Intro

The scope of the project is to verify whether XiangShan (an open source RISC-V processor) was vulnerable to speculative attacks such as Spectre. In the results contained in the report, we found out that both XiangShan V2 (Nanhu) and XiangShan V3 (Kunmighu) are vulnerable. We tested Spectre-v1 attack with a Flush+Reload cache side channel on the following commits of the XiangShan repository:

  • Nanhu: nanhu/0a68ebc.
  • Kunmingu: master/167da6a.

Using the following xs-env commit: d857953

The folder deliverables contains the final presentation for the project and the report, where further details on the attack can be found.

Replicating the attack

In the following we explain how to replicate the attack:

  1. Setup the XiangShan simulation environment documented here XiangShan Front-end Development Environment
    1. Make sure the XiangShan folder is at either of the commits specified above (167da6a for V3 or 0a68ebc for V2).
    2. When performing the make emu command use:
      • CONFIG=MinimalConfig for V2
      • CONFIG=MinimalConfig (or CONFIG=KunminghuV2Config to use CMOs) for V3

    Note: to improve simulation performance you can set EMU_THREADS=num to make the simulator run on num threads.

    1. Navigate to the nexus-am folder, edit the Makefile.compile file and remove:
      • CC_OPT ?= -O2
      • in CFLAGS remove -Wall and -Werror
    2. Only if you want to use the version with CMO instructions: navigate to nexus-am/am/arch and edit the riscv64-xs.mk file adding _zicbom_zicboz at the end of the MARCH list.
  2. Navigate to the xs-env/nexus-am/apps/ folder.
  3. Clone this repository.
  4. Enter the cloned folder and go to the spectre-v1 directory.
  5. Run make ARCH=riscv64-xs to compile the workload.
  6. To run the workload use path_to_xs-env/XiangShan/build/emu --no-diff -i ./build/spectre-v1-riscv64-xs.bin.

Note that if you want to use a different eviction function you need to comment out flushCache() and uncomment the for loop and the function you want to use inside it.

Credits

About

Research project about Spectre attack on XiangShan open-source RISC-V processor

Topics

spectre hardware-security side-channel-attacks speculative-execution xiangshan

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

4 watching

Forks

0 forks
Report repository

Contributors 3

  •  
  •  
  •  

Languages