Teapot: Efficiently Uncovering Spectre Gadgets in COTS Binaries
Speculative execution is crucial in enhancing modern processor performance but inevitably introduces Spectre-type vulnerabilities that may leak sensitive information. Detecting Spectre gadgets from programs has been a research focus to enhance the analysis and understanding of Spectre attacks. However, one of the problems of existing approaches is that they rely on the presence of source code (or are impractical in terms of run-time performance and gadget detectability).
This paper presents Teapot, the first Spectre gadget scanner that works on COTS binaries with comparable performance to compiler-based alternatives. As its core principle, we introduce Speculation Shadows, a novel approach that separates the binary code for normal execution and speculation simulation in order to improve run-time efficiency.
Teapot is based on static binary rewriting. It instruments the program to simulate the effects of speculative execution and also adds integrity checks to detect Spectre gadgets at run time. By leveraging fuzzing, Teapot succeeds in efficiently detecting Spectre gadgets. Evaluations show that Teapot outperforms a previously proposed binary-based approach in both performance (more than 20× faster) and gadget detectability.
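The abstract describes the detection principle at a high level: keep normal execution separate from a simulated speculative path, run the mispredicted side of each branch for a bounded window, and check at run time whether a speculatively loaded value ends up steering a later memory access. The following toy interpreter is an added illustration of that principle, not Teapot's code and not its instrumentation: it works on a constructed mini instruction set rather than on binaries, uses a hypothetical `SPEC_WINDOW` bound, and tracks taint instead of real cache effects. The register names, the two sample programs and the input values are all constructed for the example.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SPEC_WINDOW = 8  # assumed bound on how far the shadow runs past a branch

# Constructed mini ISA (not Teapot's):
#   ("load", dst, base, idx, scale)  dst = mem[reg[base] + reg[idx] * scale]
#   ("shl",  dst, src, imm)          dst = reg[src] << imm
#   ("blt",  lhs, rhs_imm, skip)     if not reg[lhs] < rhs: pc += skip  (a bounds check)
#   ("halt",)


@dataclass
class State:
    regs: Dict[str, int]
    taint: Dict[str, Set[str]] = field(default_factory=dict)  # "attacker" / "secret"
    mem: Dict[int, int] = field(default_factory=dict)


def taint_of(st: State, reg: str) -> Set[str]:
    return st.taint.get(reg, set())


def execute(st: State, pc: int, instr: Tuple, shadow: bool) -> Tuple[Optional[int], Optional[int]]:
    """Run one instruction; return (next_pc, pc_of_finding_or_None).

    Only in the speculation shadow: a load whose address is attacker-controlled
    may be an out-of-bounds read (the bounds check was bypassed), so its result
    is marked "secret"; a load whose address carries "secret" taint is a
    cache-observable, secret-dependent access and is reported as a gadget."""
    op = instr[0]
    if op == "load":
        _, dst, base, idx, scale = instr
        addr = st.regs[base] + st.regs[idx] * scale
        addr_taint = taint_of(st, base) | taint_of(st, idx)
        finding = pc if shadow and "secret" in addr_taint else None
        st.regs[dst] = st.mem.get(addr, 0)
        st.taint[dst] = set(addr_taint)
        if shadow and "attacker" in addr_taint:
            st.taint[dst].add("secret")
        return pc + 1, finding
    if op == "shl":
        _, dst, src, imm = instr
        st.regs[dst] = st.regs[src] << imm
        st.taint[dst] = set(taint_of(st, src))
        return pc + 1, None
    if op == "blt":
        _, lhs, rhs, skip = instr
        taken = st.regs[lhs] < rhs
        return (pc + 1 if taken else pc + 1 + skip), None
    if op == "halt":
        return None, None
    raise ValueError(f"unknown op {op}")


def run_shadow(st: State, pc: int, prog: List[Tuple]) -> List[Tuple[int, int]]:
    """Speculation shadow: from a copy of the architectural state, follow the
    side of the branch that was NOT taken, for at most SPEC_WINDOW steps."""
    sh = deepcopy(st)                      # normal state is never disturbed
    _, lhs, rhs, skip = prog[pc]
    cur: Optional[int] = pc + 1 + skip if sh.regs[lhs] < rhs else pc + 1
    findings = []
    for _ in range(SPEC_WINDOW):
        if cur is None or cur >= len(prog) or prog[cur][0] == "halt":
            break
        cur, f = execute(sh, cur, prog[cur], shadow=True)
        if f is not None:
            findings.append((pc, f))       # (branch pc, leaking load pc)
    return findings


def scan(prog: List[Tuple], st: State) -> List[Tuple[int, int]]:
    """Normal execution; at every conditional branch also run the shadow."""
    findings: List[Tuple[int, int]] = []
    pc: Optional[int] = 0
    while pc is not None and pc < len(prog):
        if prog[pc][0] == "blt":
            findings += run_shadow(st, pc, prog)
        pc, _ = execute(st, pc, prog[pc], shadow=False)
    return findings


# Constructed sample: classic bounds-check-bypass shape,
#   if (x < 16) y = array2[array1[x] * 512];
GADGET = [
    ("blt", "x", 16, 3),               # bounds check; skip body on failure
    ("load", "t", "array1", "x", 1),   # t = array1[x]  (out of bounds in the shadow)
    ("shl", "t", "t", 9),              # t *= 512
    ("load", "y", "array2", "t", 1),   # y = array2[t]  <- address depends on loaded data
    ("halt",),
]

# Constructed sample: second access depends only on x, not on loaded data.
SAFE = [
    ("blt", "x", 16, 2),
    ("load", "t", "array1", "x", 1),
    ("load", "y", "array2", "x", 1),
    ("halt",),
]


def make_state(x: int) -> State:
    """Attacker-controlled index x; array base addresses are constructed values."""
    return State(regs={"x": x, "array1": 0x1000, "array2": 0x2000, "t": 0, "y": 0},
                 taint={"x": {"attacker"}})


if __name__ == "__main__":
    print("gadget, x=100:", scan(GADGET, make_state(100)))  # [(0, 3)]
    print("safe,   x=100:", scan(SAFE, make_state(100)))    # []
    print("gadget, x=3:  ", scan(GADGET, make_state(3)))    # []
```

Two things the toy makes visible that the abstract only states. First, the shadow runs on a copy of the state, so normal execution and speculation simulation never interfere, which is the separation the abstract attributes to Speculation Shadows. Second, the gadget is only reported for the input `x = 100`: with `x = 3` the branch is architecturally taken, the mispredicted side is the `halt`, and nothing is flagged. Which side of a branch gets simulated depends on the concrete input, which is why the abstract pairs the instrumentation with fuzzing rather than a single run.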
Tue 4 Mar (times shown in Pacific Time, US & Canada)

15:20 - 17:00 | Security, Fault Tolerance & Cryptography (Main Conference) at Casuarina Ballroom (Level 2). Chair: Fernando Magno Quintão Pereira (Federal University of Minas Gerais)

- 15:20 (20 min, talk): Qiwu: Exploiting Ciphertext-Level SIMD Parallelism in Homomorphic Encryption Programs. Zhang Zhongcheng (Institute of Computing Technology at Chinese Academy of Sciences; University of Chinese Academy of Sciences; Zhongguancun Laboratory), Ying Liu (Institute of Computing Technology, Chinese Academy of Sciences), Yuyang Zhang (Institute of Computing Technology at Chinese Academy of Sciences; University of Chinese Academy of Sciences), Zhenchuan Chen (Institute of Computing Technology, Chinese Academy of Sciences), Jiacheng Zhao (Institute of Computing Technology at Chinese Academy of Sciences; University of Chinese Academy of Sciences; Zhongguancun Laboratory), Xiaobing Feng (ICT CAS), Huimin Cui (Institute of Computing Technology, Chinese Academy of Sciences), Jingling Xue (UNSW Sydney)
- 15:40 (20 min, talk): Cage: Hardware-Accelerated Safe WebAssembly. Martin Fink (Technical University of Munich), Dimitrios Stavrakakis (TU Munich and University of Edinburgh), Dennis Sprokholt (TU Delft), Soham Chakraborty (TU Delft), Jan-Erik Ekberg (Huawei Technologies LLC), Pramod Bhatotia (TU Munich, Germany)
- 16:00 (20 min, talk): Teapot: Efficiently Uncovering Spectre Gadgets in COTS Binaries. Fangzheng Lin (Institute of Science Tokyo), Zhongfa Wang (Institute of Science Tokyo), Hiroshi Sasaki (Institute of Science Tokyo)
- 16:20 (20 min, talk): Janitizer: Rethinking Binary Tools for Practical and Comprehensive Security. Mahwish Arif (University of Cambridge), Sam Ainsworth (University of Edinburgh), Timothy M. Jones (University of Cambridge). Pre-print available.
- 16:40 (20 min, talk): Parallaft: Runtime-based CPU Fault Tolerance via Heterogeneous Parallelism. Boyue Zhang (University of Cambridge), Sam Ainsworth (University of Edinburgh), Lev Mukhanov (Queen Mary University London), Timothy M. Jones (University of Cambridge). Pre-print available.