Speculative execution is crucial in enhancing modern processor performance but inevitably introduces Spectre-type vulnerabilities that may leak sensitive information. Detecting Spectre gadgets from programs has been a research focus to enhance the analysis and understanding of Spectre attacks. However, one of the problems of existing approaches is that they rely on the presence of source code (or are impractical in terms of run-time performance and gadget detectability).

This paper presents Teapot, the first Spectre gadget scanner that works on COTS binaries with comparable performance to compiler-based alternatives. As its core principle, we introduce Speculation Shadows, a novel approach that separates the binary code for normal execution and speculation simulation in order to improve run-time efficiency.

Teapot is based on static binary rewriting. It instruments the program to simulate the effects of speculative execution and also adds integrity checks to detect Spectre gadgets at run time. By leveraging fuzzing, Teapot succeeds in efficiently detecting Spectre gadgets. Evaluations show that Teapot outperforms both performance (more than 20× performant) and gadget detectability than a previously proposed binary-based approach.

Tue 4 Mar

Displayed time zone: Pacific Time (US & Canada) change

15:20 - 17:00
Security, Fault Tolerance & CryptographyMain Conference at Casuarina Ballroom (Level 2)
Chair(s): Fernando Magno Quintão Pereira Federal University of Minas Gerais
15:20
20m
Talk
Qiwu: Exploiting Ciphertext-Level SIMD Parallelism in Homomorphic Encryption Programs
Main Conference
Zhang zhongcheng Institute of Computing Technology at Chinese Academy of Sciences; University of Chinese Academy of Sciences; Zhongguancun Laboratory, Ying Liu Institute of Computing Technology, Chinese Academy of Sciences, Yuyang Zhang Institute of Computing Technology at Chinese Academy of Sciences; University of Chinese Academy of Sciences;, Zhenchuan Chen Institute of Computing Technology, Chinese Academy of Sciences, Jiacheng Zhao Institute of Computing Technology at Chinese Academy of Sciences; University of Chinese Academy of Sciences; Zhongguancun Laboratory, Xiaobing Feng ICT CAS, Huimin Cui Institute of Computing Technology, Chinese Academy of Sciences, Jingling Xue UNSW Sydney
15:40
20m
Talk
Cage: Hardware-Accelerated Safe WebAssembly
Main Conference
Martin Fink Technical University of Munich, Dimitrios Stavrakakis TU Munich and University of Edinburgh, Dennis Sprokholt TU Delft, Soham Chakraborty TU Delft, Jan-Erik Ekberg Huawei Technologies LLC, Pramod Bhatotia TU Munich, Germany
16:00
20m
Talk
Teapot: Efficiently Uncovering Spectre Gadgets in COTS Binaries
Main Conference
Fangzheng Lin Institute of Science Tokyo, Zhongfa Wang Institute of Science Tokyo, Hiroshi Sasaki Institute of Science Tokyo
16:20
20m
Talk
Janitizer: Rethinking Binary Tools for Practical and Comprehensive Security
Main Conference
Mahwish Arif University of Cambridge, Sam Ainsworth University of Edinburgh, Timothy M. Jones University of Cambridge
Pre-print
16:40
20m
Talk
Parallaft: Runtime-based CPU Fault Tolerance via Heterogeneous Parallelism
Main Conference
Boyue Zhang University of Cambridge, Sam Ainsworth University of Edinburgh, Lev Mukhanov Queen Mary University London, Timothy M. Jones University of Cambridge
Pre-print