
[Simulavr-devel] modification of AVR simulator for SCA


From: Nikita
Subject: [Simulavr-devel] modification of AVR simulator for SCA
Date: Wed, 10 Feb 2016 11:49:58 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1

Hello,

My name is Nikita, I am a researcher at a university in Brussels and I
am currently trying to modify simulavr
to produce data for side-channel analysis (SCA) for security &
cryptography research purposes.
I am very happy with the way this simulator works and I figured out how
to modify it in order to
make something that I need for my research.
However I have a small problem that I cannot figure out and I hope that
you can help me with it.

I took the latest version of your code on the official website (1.0.0).
I am modifying avrdevice.cpp in the following way:
there are several Get and Set reg methods in the class AvrDevice.
What I need is to output the value being read and/or written at each
memory access, so for example:

unsigned char AvrDevice::GetCoreReg(unsigned addr) {
    assert(addr < registerSpaceSize);
    return *(rw[addr]);
}

Became:
unsigned char AvrDevice::GetCoreReg(unsigned addr) {
    assert(addr < registerSpaceSize);
    // function that actually appends the value into a file "trace.txt"
    leakValue( *(rw[addr]) );
    return *(rw[addr]);
}

These modifications work ok on all these Get and Set functions except
the ones that work with IOReg:
 - AvrDevice::GetIOReg
 - AvrDevice::SetIOReg
 - AvrDevice::SetIORegBit

If I do something like that on AvrDevice::GetIOReg it changes the
behaviour of the program when I test it:
only every 2nd character entered by the user is actually handled by the
program
(I am testing it on examples/simple_ex1 that is also on the website).
I found a hack to make it work for AvrDevice::GetIOReg by just reading the
value once into a tmp variable and then using it
in my leakValue function and in the return, like that:

unsigned char AvrDevice::GetIOReg(unsigned addr) {
    assert(addr < ioSpaceSize);  // callers do use 0x00 base, not 0x20
    unsigned char tmp = *(rw[addr + registerSpaceSize]);
    leakOnRead( tmp );
    return tmp;
}

However as soon as I try to do something similar on AvrDevice::SetIOReg
I get the following error during the execution:

simulavr: hwstack.cpp:282: void ThreadList::OnSPRead(int): Assertion `0
!= SP_value' failed.
Aborted (core dumped)

This is the command that I am using:
./simulavr -d atmega128 -f ../examples/simple_ex1/simple_atmega128.elf
-W 0x20,- -R 0x22,- -T exit

For the Set command what I would like to have is the previous value
stored in
the memory and the new one being written, something like that (which
works perfectly for CoreReg):

bool AvrDevice::SetCoreReg(unsigned addr, unsigned char val) {
    assert(addr < registerSpaceSize);
    // this is my only addition to the original code
    leakOnWrite(*(rw[addr]), val);
    *(rw[addr]) = val;
    return true;
}

And here is the gdb execution trace:

_______________________________________________________________________________________
simulavr: hwstack.cpp:282: void ThreadList::OnSPRead(int): Assertion `0
!= SP_value' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff720ecc9 in __GI_raise (address@hidden)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56    ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff720ecc9 in __GI_raise (address@hidden)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff72120d8 in __GI_abort () at abort.c:89
#2  0x00007ffff7207b86 in __assert_fail_base (
    fmt=0x7ffff7358830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
    address@hidden "0 != SP_value",
    address@hidden "hwstack.cpp", address@hidden,
    address@hidden
<ThreadList::OnSPRead(int)::__PRETTY_FUNCTION__> "void
ThreadList::OnSPRead(int)") at assert.c:92
#3  0x00007ffff7207c32 in __GI___assert_fail (
    assertion=0x47d28c "0 != SP_value", file=0x47d24a "hwstack.cpp",
line=282,
    function=0x47d3a0 <ThreadList::OnSPRead(int)::__PRETTY_FUNCTION__>
"void ThreadList::OnSPRead(int)") at assert.c:101
#4  0x000000000044a30d in ThreadList::OnSPRead (address@hidden,
    SP_value=<optimised out>) at hwstack.cpp:282
#5  0x000000000044a31c in HWStackSram::OnSPReadByTarget (
    address@hidden) at hwstack.cpp:182
#6  0x000000000044a329 in HWStackSram::GetSph (this=0x15aa3d0)
    at hwstack.cpp:173
#7  0x000000000044ba88 in IOReg<HWStackSram>::get (this=<optimised out>)
    at rwmem.h:199
#8  0x000000000042b016 in AvrDevice::SetIOReg (this=0x6a43c0,
    addr=<optimised out>, val=<optimised out>) at avrdevice.cpp:636
---Type <return> to continue, or q <return> to quit---
#9  0x00000000004328b1 in avr_op_OUT::operator() (this=0x6a5d30)
    at decoder.cpp:1183
#10 0x000000000042ca4e in AvrDevice::Step (this=0x6a43c0,
    address@hidden: false,
nextStepIn_ns=0x7fffffffd8e8)
    at avrdevice.cpp:512
#11 0x000000000046f59a in SystemClock::Step (
    address@hidden <SystemClock::Instance()::obj>,
    address@hidden: false) at systemclock.cpp:157
#12 0x000000000046f778 in SystemClock::Endless (
    this=0x6a2240 <SystemClock::Instance()::obj>) at systemclock.cpp:222
#13 0x0000000000406772 in main (argc=<optimised out>, argv=<optimised out>)
    at cmd/main.cpp:410
(gdb) quit
A debugging session is active.

    Inferior 1 [process 20712] will be killed.

_______________________________________________________________________________________

This is, basically, the only modification that I am trying to do.
I've looked through the IOReg, RWMem and some other classes that are
involved in this memory access,
but I cannot figure out what exactly is the problem there.

Is there any way of getting the old value that was in the IOReg just
before writing into it?

I would really appreciate if you can help me with this task.

Best regards,

-- 
Nikita
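The two failure modes in the message above (a read hook that calls the register getter twice, and a write hook that fetches the old value through a getter with a precondition) reproduced in a small constructed model. This is added example code, not simulavr's own IOReg; SideEffectReg, its rx FIFO and its readable flag are assumptions standing in for I/O registers whose getters have side effects.

```cpp
#include <cassert>
#include <deque>
#include <stdexcept>
#include <vector>

// Constructed model (not simulavr's IOReg): a memory-mapped register whose
// getter has side effects. Each read pops a byte from an rx FIFO, and the
// getter refuses to run while the register is "unset", like an SP read check.
struct SideEffectReg {
    std::deque<unsigned char> rxFifo;   // constructed input queue
    unsigned char storage = 0;          // backing byte, safe to inspect
    bool readable = true;
    unsigned char get() {
        if (!readable) throw std::logic_error("getter precondition failed");
        if (!rxFifo.empty()) { storage = rxFifo.front(); rxFifo.pop_front(); }
        return storage;
    }
    void set(unsigned char v) { storage = v; readable = true; }
};

std::vector<unsigned char> trace;   // leaked values, kept in memory here
void leakOnRead(unsigned char v) { trace.push_back(v); }
void leakOnWrite(unsigned char o, unsigned char n) { trace.push_back(o); trace.push_back(n); }

// Naive read hook: two getter calls per access, so every other byte is lost.
unsigned char getIORegNaive(SideEffectReg& r) { leakOnRead(r.get()); return r.get(); }
// Fixed read hook: one getter call, leak and return the same value.
unsigned char getIORegOnce(SideEffectReg& r) { unsigned char t = r.get(); leakOnRead(t); return t; }

// Naive write hook: fetches the old value through the getter, whose
// precondition the write path never had to satisfy.
bool setIORegNaive(SideEffectReg& r, unsigned char v) { leakOnWrite(r.get(), v); r.set(v); return true; }
// Safer write hook: take the old value from the backing storage, not the getter.
bool setIORegRaw(SideEffectReg& r, unsigned char v) { leakOnWrite(r.storage, v); r.set(v); return true; }

// Feed a register loaded with constructed input through a read hook and
// collect what the simulated program would observe.
std::vector<unsigned char> drain(unsigned char (*hook)(SideEffectReg&)) {
    SideEffectReg r; r.rxFifo = {'a', 'b', 'c', 'd'};
    std::vector<unsigned char> seen;
    for (int i = 0; i < 2; ++i) seen.push_back(hook(r));
    return seen;
}
// True if the write hook completes on a register whose getter rejects reads.
bool writeSucceeds(bool (*hook)(SideEffectReg&, unsigned char)) {
    SideEffectReg r; r.readable = false;
    try { return hook(r, 0x5a); } catch (const std::logic_error&) { return false; }
}
```

With the naive read hook the program sees 'b','d' instead of 'a','b', matching the "every 2nd character" symptom, and the naive write hook aborts where the storage-based one completes.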
