SpecTaint: Speculative Taint Analysis for Discovering Spectre Gadgets
Zhenxiao Qi, Feng Qian, Yueqiang Cheng, Mengjia Yan, Peng Li, Heng Yin, Tao Wei
Abstract
Software patching is a crucial mitigation approach against Spectre-type attacks.It utilizes serialization instructions to disable speculative execution of potential Spectre gadgets in a program.Unfortunately, there are no effective solutions to detect gadgets for Spectre-type attacks.In this paper, we propose a novel Spectre gadget detection technique by enabling dynamic taint analysis on speculative execution paths.To this end, we simulate and explore speculative execution at system level (within a CPU emulator).We have implemented a prototype called SpecTaint to demonstrate the efficacy of our proposed approach.We evaluated SpecTaint on our Spectre Samples Dataset, and compared SpecTaint with existing state-of-the-art Spectre gadget detection approaches on real-world applications.Our experimental results demonstrate that SpecTaint outperforms existing methods with respect to detection precision and recall by large margins, and it also detects new Spectre gadgets in real-world applications such as Caffe and Brotli.Besides, SpecTaint significantly reduces the performance overhead after patching the detected gadgets, compared with other approaches.