Merge pull request #334 from NotRequiem/dev

improved timing attacks

Author: NotRequiem

src/vmaware.hpp

@@ -27,14 +27,14 @@
  *
  *
  * ============================== SECTIONS ==================================
- * - enums for publicly accessible techniques  => line 556
- * - struct for internal cpu operations        => line 749
- * - struct for internal memoization           => line 1220
- * - struct for internal utility functions     => line 1344
- * - struct for internal core components       => line 10066
- * - start of VM detection technique list      => line 2345
- * - start of public VM detection functions    => line 10730
- * - start of externally defined variables     => line 11679
+ * - enums for publicly accessible techniques  => line 551
+ * - struct for internal cpu operations        => line 742
+ * - struct for internal memoization           => line 1213
+ * - struct for internal utility functions     => line 1337
+ * - struct for internal core components       => line 10026
+ * - start of VM detection technique list      => line 2338
+ * - start of public VM detection functions    => line 10690
+ * - start of externally defined variables     => line 11638
  *
  *
  * ============================== EXAMPLE ===================================
@@ -1563,7 +1563,7 @@ struct VM {
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wignored-attributes"
 #endif
-            std::unique_ptr<FILE, decltype(&pclose)> pipe(popen(cmd, "r"), pclose);
+            std::unique_ptr<FILE, int(*)(FILE*)> pipe(popen(cmd, "r"), pclose);
 
 #if (ARM)
 #pragma GCC diagnostic pop
@@ -7831,41 +7831,53 @@ struct VM {
      * @author Requiem (https://github.com/NotRequiem)
      * @implements VM::TIMER
      */
+#if defined(MSVC)
+#pragma optimize("", off)
+#elif defined(__GNUC__)
+#pragma GCC push_options
+#pragma GCC optimize("O0")
+#endif
     [[nodiscard]]
 #if (LINUX)
-    // Disable specific sanitizers for more accurate timing measurements.
     __attribute__((no_sanitize("address", "leak", "thread", "undefined")))
 #endif
     static bool timer() {
 #if (ARM || !x86)
         return false;
 #else
-        constexpr i32 classicIterations = 10;           // Number of iterations for the classic RDTSC check
-        constexpr u32 classicThreshold = 20000u;          // Cycle threshold per iteration for classic RDTSC check
-        constexpr i32 requiredClassicSpikes = classicIterations / 2; // At least 50% of iterations must spike
+        constexpr u8 classicIterations = 10;           // Number of iterations for the classic RDTSC check
+        constexpr u16 classicThreshold = 20000u;          // Cycle threshold per iteration for classic RDTSC check
+        constexpr u8 requiredClassicSpikes = classicIterations / 2; // At least 50% of iterations must spike
 
-        constexpr i32 spammerIterations = 1000;           // Iterations for the multi-CPU/spammer check
-        constexpr u32 spammerAvgThreshold = 55000u;         // Average cycle threshold for the spammer check
+        constexpr u16 spammerIterations = 1000;           // Iterations for the multi-CPU/spammer check
+        constexpr u16 spammerAvgThreshold = 20000u;         // Average cycle threshold for the spammer check
 
 #if (WINDOWS)
-        constexpr int qpcRatioThreshold = 3000;           // QPC ratio threshold
+        constexpr u16 qpcRatioThreshold = 3000;           // QPC ratio threshold
+        constexpr u8 tscIterations = 10;                 // Number of iterations for the TSC synchronization check
+        constexpr u16 tscSyncDiffThreshold = 500;  // TSC difference threshold
 #endif
 
-        constexpr i32 tscIterations = 10;                 // Number of iterations for the TSC synchronization check
-        constexpr u64 tscSyncDiffThreshold = 1000000000LL;  // TSC difference threshold
-
         // to minimize context switching/scheduling
 #if (WINDOWS)
-        HANDLE hThread = GetCurrentThread();
-        int oldPriority = GetThreadPriority(hThread);
+        const HANDLE hThread = GetCurrentThread();
+        const int oldPriority = GetThreadPriority(hThread);
         SetThreadPriority(hThread, THREAD_PRIORITY_TIME_CRITICAL);
 #else
-        int oldPolicy = sched_getscheduler(0);
-        sched_param oldParam;
-        sched_getparam(0, &oldParam);
-        sched_param newParam{};
-        newParam.sched_priority = sched_get_priority_max(SCHED_FIFO);
-        sched_setscheduler(0, SCHED_FIFO, &newParam);
+        bool hasSchedPriority = (geteuid() == 0);
+        int oldPolicy = SCHED_OTHER;
+        sched_param oldParam{};
+
+        if (hasSchedPriority) {
+            oldPolicy = sched_getscheduler(0);
+            sched_getparam(0, &oldParam);
+            sched_param newParam{};
+            newParam.sched_priority = sched_get_priority_max(SCHED_FIFO);
+
+            if (sched_setscheduler(0, SCHED_FIFO, &newParam) == -1) {
+                hasSchedPriority = false;  
+            }
+        }
 #endif
 
         auto restoreThreadPriority = [&]() {
@@ -7877,7 +7889,9 @@ struct VM {
             };
 
         // --- 1. Classic Timing Check (rdtsc + cpuid + rdtsc) ---
+#ifdef __VMAWARE_DEBUG__
         u64 totalCycles = 0;
+#endif
         int spikeCount = 0;
         for (int i = 0; i < classicIterations; i++) {
             u64 start = __rdtsc();
@@ -7892,12 +7906,26 @@ struct VM {
 #endif
             u64 end = __rdtsc();
             u64 cycles = end - start;
+#ifdef __VMAWARE_DEBUG__
             totalCycles += cycles;
+#endif
             if (cycles >= classicThreshold) {
                 spikeCount++;
             }
-            // Sleep to induce cache flushing
-            std::this_thread::sleep_for(std::chrono::microseconds(500));
+            // to induce cache flushing
+            constexpr size_t bufferSize = static_cast<size_t>(64 * 1024) * 1024;
+            volatile char* flushBuffer = new volatile char[bufferSize];
+
+            // better than thread sleeps
+            for (size_t j = 0; j < bufferSize; j += 64) {
+                flushBuffer[j] = static_cast<char>(j);
+#if (x86 && (GCC || CLANG || MSVC))
+                _mm_clflush(const_cast<const void*>(
+                    reinterpret_cast<const volatile void*>(&flushBuffer[j])));
+#endif
+            }
+
+            delete[] flushBuffer;
         }
 
 #ifdef __VMAWARE_DEBUG__
@@ -8014,9 +8042,15 @@ struct VM {
         QueryPerformanceCounter(&startQPC);
         volatile int dummy = 0;
         for (int i = 0; i < 100000; i++) {
-            dummy ^= i; // to prevent optimization
+            dummy ^= i;
+#if (GCC || CLANG)
+            asm volatile("" ::: "memory");  // memory clobber
+#elif (MSVC)
             _ReadWriteBarrier();
+            _mm_mfence();
+#endif
         }
+
         QueryPerformanceCounter(&endQPC);
         LONGLONG dummyTime = endQPC.QuadPart - startQPC.QuadPart;
 
@@ -8038,33 +8072,57 @@ struct VM {
         // Try reading the invariant TSC on two different cores to attempt to detect vCPU timers being shared
         const bool tscSyncDetected = [&]() noexcept -> bool {
             int tscIssueCount = 0;
-            unsigned long long tscCore1 = 0, tscCore2 = 0;
+            u64 tscCore1 = 0, tscCore2 = 0;
             for (int i = 0; i < tscIterations; i++) {
-                __try {
-                    unsigned int aux = 0;
+                unsigned int aux = 0;
+
+                try {
+#if (WINDOWS)
                     DWORD_PTR oldAffinity = SetThreadAffinityMask(GetCurrentThread(), 1);
-                    tscCore1 = __rdtscp(&aux); // the use of a serializing variant for the instruction stream is done on purpose
+                    tscCore1 = __rdtscp(&aux);
                     SetThreadAffinityMask(GetCurrentThread(), 2);
                     tscCore2 = __rdtscp(&aux);
                     SetThreadAffinityMask(GetCurrentThread(), oldAffinity);
+#elif (LINUX)
+                    cpu_set_t origSet;
+                    pthread_getaffinity_np(pthread_self(), sizeof(cpu_set_t), &origSet);
+
+                    // Core 0
+                    cpu_set_t set;
+                    CPU_ZERO(&set);
+                    CPU_SET(0, &set);
+                    pthread_setaffinity_np(pthread_self(), sizeof(cpu_set_t), &set);
+                    tscCore1 = __rdtscp(&aux);
+
+                    // Core 1
+                    CPU_ZERO(&set);
+                    CPU_SET(1, &set);
+                    pthread_setaffinity_np(pthread_self(), sizeof(cpu_set_t), &set);
+                    tscCore2 = __rdtscp(&aux);
+
+                    pthread_setaffinity_np(pthread_self(), sizeof(cpu_set_t), &origSet);
+#endif
                 }
-                __except (GetExceptionCode() == EXCEPTION_ILLEGAL_INSTRUCTION
-                    ? EXCEPTION_EXECUTE_HANDLER
-                    : EXCEPTION_CONTINUE_SEARCH) {
-                    // RDTSCP is widely supported on real hardware, most likely VM
+                catch (...) {
                     tscIssueCount++;
                     continue;
                 }
-                if (std::llabs(static_cast<long long>(tscCore2 - tscCore1)) > tscSyncDiffThreshold) {
+
+                // hypervisors often have nearly identical TSCs across vCPUs
+                const u64 diff = (tscCore2 > tscCore1)
+                    ? (tscCore2 - tscCore1)
+                    : (tscCore1 - tscCore2);
+
+                if (diff < tscSyncDiffThreshold) { 
                     tscIssueCount++;
                 }
             }
 #ifdef __VMAWARE_DEBUG__
             debug("TIMER: TSC sync check",
                 " - Core1: ", tscCore1,
                 " Core2: ", tscCore2,
-                " Diff: ", tscCore2 - tscCore1,
-                " (Threshold: ", tscSyncDiffThreshold,
+                " Delta: ", tscCore2 - tscCore1,
+                " (Threshold: <", tscSyncDiffThreshold,
                 ')');
 #endif
             return (tscIssueCount >= tscIterations / 2);
@@ -8080,6 +8138,11 @@ struct VM {
         return false;
 #endif
     }
+#if defined(MSVC)
+#pragma optimize("", on)
+#elif defined(__GNUC__)
+#pragma GCC pop_options
+#endif
 
 
 	/**