Phantom Trails Components
April 3, 2025 ยท View on GitHub
In this repo you will find:
- Our custom setup for the BOOM core (
BOOM/folder) - Our fork of the Spike architectural simulator (
ArchSim/folder) - Our instrumentation infrastructure, based on LLVM (
llvmfolder) - Our fuzzing infrastructure, including of our fork of AFL++ (
AFL/folder ) and LibAFL (Fuzzer/LibAFLfolder), and our LibAFL fuzzing driver (Fuzzer) - A collection of RISC-V PoCs for the BOOM core (
Samples/)
BOOM
The BOOM setup consists of:
- A simulation harness used for detection (
BOOM/boom-wrapper/src)src/main/resources/csrccontains themainentrypoint for the verilated sinmulationsrc/main/resources/vsrccontains the Black-Box simulated DRAMsrc/main/scalacontains all the Configurations we use for evaluation
- The bootrom code (
BOOM/boom-wrapper/boot) - The initialization code (
BOOM/boom-wrapper/init) - A patch to add MDS-Store Buffer to BOOM (
BOOM/patches/boom-mds.patch) - A
Dockerfilefor building and running the instrumented simulation with all dependencies (seeBOOM/README.md)
ArchSim
To automatically infer secrets, the BOOM wrapper uses a custom
library that wraps the Spike architectural simulation.
In the ArchSim/ folder you can find:
- The
processor.patchapplied to Spike (adds logging and early exit) - The
ArchSim.hfile containing code to run Spike - The
SpikeWrapperAPI used to run Spike from the fuzzer code
LLVM Instrumentation
Our bit-precise taint tracking sanitizer (BFSAN) is implemented as a patch to MSAN (llvm/ folder) and applied when compiling the Verilated
simulation into a binary.
Check the LLVM fork commits to see how MSAN was modified.
Fuzzer
Our fuzzing infrastructure consists of:
- AFL++ fork that adds taint coverage (
AFL/)- this commit contains the relevant diff
- Fuzzing driver (
Fuzzer/)LibAFL/: Our fork of LibAFL with minor patches to avoid crashes/timeoutsopcodes/: Our fork of riscv-opcodes that adds C++ and Rust headers generation- Instruction generator and mutator (inside
Fuzzer/src)
Samples
We provide the PoC testsuite we used to evaluate our detector on different transient execution vulnerabilities (Samples/), including:
- different versions of our newly found vulnerability Spectre-LoopPredictor (
Sample/src/spectre-lp) - PoCs of known vulnerabilities (
Samples/src/pocs)