The Spectre vulnerability in modern processors has been widely reported. The key insight in this vulnerability is that speculative execution in processors can be misused to access secrets speculatively. Subsequently even though the speculatively executed instructions are squashed, the secret may linger in micro-architectural states such as cache, and can potentially be accessed by an attacker via side channels. We propose oo7, a static analysis approach that can mitigate Spectre attacks by detecting potentially vulnerable code snippets in program binaries and protecting them against the attack. We employ control flow extraction, taint analysis and address analysis to detect tainted conditional branches and speculative memory accesses. oo7 can detect all fifteen purpose-built Spectre-vulnerable code patterns [1], whereas Microsoft compiler with Spectre mitigation option can only detect two of them. We also report the results of a large-scale study on applying oo7 to over 500 program binaries (average binary size 261 KB) from different real-world projects. We protect programs against Spectre attack by selectively inserting fences only at vulnerable conditional branches to prevent speculative execution. Our approach is experimentally observed to incur around 4% performance overheads on SPECint 2006 benchmarks. Finally, we demonstrate that our approach is flexible and can be tuned to detect many other emerging Spectre variants, as well as Meltdown and Foreshadow attacks.
We present Saluki, a new tool for checking taintstyle (data dependence) security properties in binary code. Saluki provides a domain specific language for expressing taint-based policies. Saluki can find vulnerabilities in real programs for a number of CWE types, including those for command injection, weak PRNG seeds, and missing sanitization checks such as SQL escape routines or checks on buffer lengths. Saluki includes two new ideas in binary program analysis. First, Saluki uses µflux, a new static analysis technique for path-sensitive, contextsensitive recovery of data dependence facts in binaries. Second, Saluki introduces a sound logic system for reasoning over data dependence facts. We develop a domain-specific language on top of our logic system to express security properties as formal specifications. Saluki includes a decidable solver procedure to prove (based on the underlying logic) whether a set of data dependence facts satisfy a security property. Our evaluation shows that Saluki is capable of finding vulnerabilities in COTS x86, x86-64, and ARM software, including 0-days
No abstract
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.