WIP side channels {meltdown, spectre}

This is WIP write-up.


§ praise LLM!

While playing with the Spectre V2 side channel, I found an issue, and an LLM helped me solve it in no time; it would otherwise have cost me a lot of sanity.

Shared memory between the victim and attacker processes is used as the probe array for the Flush+Reload cache timing side channel.

I tried two different methods of creating it:

  1. a file-backed shared memory:

    #include <fcntl.h>
    #include <sys/mman.h>
    int fd = open("shared_file", O_RDWR);   // file must already exist and be at least `size` bytes
    void *shared_mem = mmap(addr, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    
  2. Sys V SHM

    #include <sys/ipc.h>
    #include <sys/shm.h>
    key_t key = ftok("keyfile", 'A');        // keyfile must exist
    int shmid = shmget(key, size, IPC_CREAT | 0666);
    void *shared_mem = shmat(shmid, addr, 0); // addr may be NULL to let the kernel pick
    

The Spectre V2 attack with method 1 is consistently better than with method 2.

Here is the takeaway:

  • Swap and reclaim behaviour (seemingly the prominent factor). Pin the probe array so the kernel cannot page it out or reclaim it between flush and reload:

    #include <sys/mman.h>
    mlock(addr, len); // after attaching
    
  • Sys V shm defaults to THP (transparent huge pages): the kernel may promote 4K pages to 2MB huge pages, while file-backed shared memory is not subject to THP unless specified. To toggle this behaviour:
    System wide:

    echo never | sudo tee /sys/kernel/mm/transparent_hugepage/shmem_enabled
    

    Per process:

    #include <sys/prctl.h>
    prctl(PR_SET_THP_DISABLE, 1, 0, 0, 0);
    

    Per allocation (call after shmat):

    #include <sys/mman.h>
    madvise(addr, length, MADV_NOHUGEPAGE);
    
