-
Notifications
You must be signed in to change notification settings - Fork 8
/
README
26 lines (18 loc) · 1.7 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Copyright (C) 2018 Assured Information Security, Inc
See our whitepaper here: https://dfrws.org/sites/default/files/session-files/paper_who_watches_the_watcher_detecting_hypervisor_introspection_from_unprivileged_guests.pdf
# ** Build/run from domU **
# Build the ECR package.
make
# Run the module without any options to obtain timing for each instruction, sans the non-temporal move operations.
sudo ./ecr.sh ecr.ko
# To test the non-temporal instructions, enable kernel memory allocation. See README.libvmi in the ecr_hypervisor Github repository to use xen-emulate-response to cause variations in move instruction timing:
sudo ./ecr.sh ecr.ko -k
# For memory timing introspection:
sudo ./ecr.sh ecr.ko -m
# Memory will be allocated. If using the the AIS modified hypervisor (see Note 3), use the address above for the xen-emulate-response address to emulate. Once it is running, press enter to obtain timing metrics. Repeat as necessary for different address offsets to observe variations across pages.
# For cache timing introspection:
sudo ./ecr.sh ecr.ko -l
# Memory will be allocated. If using the the AIS modified hypervisor (see Note 3), use the address above for the map-addr address to map. Once it is running, press enter to obtain timing metrics. Repeat as necessary for different address offsets to observe variations and/or ensure granularity.
# Note 1: Kernel memory allocation may fail. In this case, simply rerun the module.
# Note 2: To obtain output in a CSV file, run with -c
# Note 3: To obtain the AIS modified hypervisor: git clone --recurse-submodules https://github.com/ainfosec/ecr_hypervisor.git