oo7: Low-overhead Defense against Spectre Attacks

by Guanhua Wang, et al.

The Spectre vulnerability in modern processors was reported earlier this year (2018). The key insight in this vulnerability is that speculative execution in processors can be misused to access secrets speculatively. Subsequently, even though the speculatively executed states are squashed, the secret may linger in micro-architectural data structures such as the cache, and hence can potentially be accessed by an attacker via side channels. In this report, we propose oo7, a binary analysis framework to check and fix code snippets against potential vulnerability to Spectre attacks. Our solution employs control flow extraction, taint analysis and address analysis to detect tainted conditional branches and their ability to impact memory accesses. Fixing is achieved by selectively inserting a small number of fences, instead of inserting fences after every conditional branch. Due to the accuracy of our analysis, oo7 suggests inserting fewer fences, and is shown experimentally to impose acceptably low performance overheads; less than 2 is observed in our experiments on GNU Core utilities. Moreover, the accuracy of the analysis allows oo7 to effectively detect fourteen (14) out of the fifteen (15) Spectre vulnerable code patterns proposed by Paul Kocher, a feat that could not be achieved by the Spectre mitigation in the C/C++ compiler proposed by Microsoft. While oo7 is both low-overhead and effective, for large-scale deployment of our solution we need to investigate and optimize the time taken by our compile-time analysis. Finally, we show that similar binary analysis solutions are possible for detecting and fixing Meltdown.
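A simplified sketch of the check-and-fix idea the abstract describes, added here as an illustration and not oo7's own code: taint is propagated from untrusted input, a conditional branch is flagged only when a tainted-address load and a second load depending on its result follow within the speculation window, and a fence goes after flagged branches only. The toy instruction format, the `WINDOW` bound and all function names are assumptions.

```python
from dataclasses import dataclass

WINDOW = 8  # assumed bound on instructions executed speculatively past a branch
@dataclass(frozen=True)
class Ins:  # toy IR (an assumption): op is input | const | alu | load | br | fence
    op: str
    dst: str = ""
    src: tuple = ()

def tainted_before(prog):  # registers attacker-controlled just before each instruction
    state, out = set(), []
    for ins in prog:
        out.append(frozenset(state))
        if ins.op == "input" or any(s in state for s in ins.src):
            state.add(ins.dst)
        else:
            state.discard(ins.dst)
    return out

def branches_needing_fence(prog, window=WINDOW):
    """Tainted branches followed by load(tainted addr) then load(addr from that value)."""
    taint, flagged = tainted_before(prog), []
    for i, ins in enumerate(prog):
        if ins.op != "br" or not any(s in taint[i] for s in ins.src):
            continue  # branch outcome is not attacker-influenced
        secret = set()  # values read through an attacker-chosen address
        for j in range(i + 1, min(i + 1 + window, len(prog))):
            nxt = prog[j]
            if nxt.op == "fence":
                break  # speculation stops at the fence
            if nxt.op == "load" and nxt.src[0] in secret:
                flagged.append(i)  # second access would encode the value in the cache
                break
            if (nxt.op == "load" and nxt.src[0] in taint[j]) or any(s in secret for s in nxt.src):
                secret.add(nxt.dst)
            else:
                secret.discard(nxt.dst)
    return flagged

def harden(prog):  # insert a fence only after the flagged branches
    flagged = set(branches_needing_fence(prog))
    return [x for i, ins in enumerate(prog)
            for x in ([ins, Ins("fence")] if i in flagged else [ins])]

# Constructed sample: bounds check on x then arr2[arr1[x]]; an untainted branch;
# a tainted branch followed by a single load only.
PROG = [Ins("input", "x"), Ins("alu", "c1", ("x", "size")), Ins("br", "", ("c1",)),
        Ins("alu", "a", ("arr1", "x")), Ins("load", "s", ("a",)), Ins("alu", "t", ("arr2", "s")),
        Ins("load", "v", ("t",)), Ins("const", "n"), Ins("alu", "c2", ("n", "limit")),
        Ins("br", "", ("c2",)), Ins("load", "w", ("arr1",)), Ins("br", "", ("c1",)),
        Ins("alu", "b", ("arr1", "x")), Ins("load", "u", ("b",))]
```

On the constructed sample, `harden(PROG)` places one fence for three conditional branches, where a fence-after-every-branch policy would place three.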




