Skip to content

ainfosec/ecr_toolkit

Repository files navigation

Copyright (C) 2018 Assured Information Security, Inc

See our whitepaper here: https://dfrws.org/sites/default/files/session-files/paper_who_watches_the_watcher_detecting_hypervisor_introspection_from_unprivileged_guests.pdf

# ** Build/run from domU **
 
# Build the ECR package.
    make

    # Run the module without any options to obtain timing for each instruction, sans the non-temporal move operations.
        sudo ./ecr.sh ecr.ko

        # To test the non-temporal instructions, enable kernel memory allocation. See README.libvmi in the ecr_hypervisor Github repository to use xen-emulate-response to cause variations in move instruction timing:
            sudo ./ecr.sh ecr.ko -k

    # For memory timing introspection:
        sudo ./ecr.sh ecr.ko -m
        # Memory will be allocated. If using the the AIS modified hypervisor (see Note 3), use the address above for the xen-emulate-response address to emulate. Once it is running, press enter to obtain timing metrics. Repeat as necessary for different address offsets to observe variations across pages.
                   
    # For cache timing introspection:
        sudo ./ecr.sh ecr.ko -l
        # Memory will be allocated. If using the the AIS modified hypervisor (see Note 3), use the address above for the map-addr address to map. Once it is running, press enter to obtain timing metrics. Repeat as necessary for different address offsets to observe variations and/or ensure granularity.

    # Note 1: Kernel memory allocation may fail. In this case, simply rerun the module.
    # Note 2: To obtain output in a CSV file, run with -c
    # Note 3: To obtain the AIS modified hypervisor: git clone --recurse-submodules https://github.com/ainfosec/ecr_hypervisor.git