Specognitor: Identifying Spectre Vulnerabilities via Prediction-Aware Symbolic Execution
Ali Sahraee

TL;DR
Specognitor is a prediction-aware symbolic execution tool that detects Spectre vulnerabilities by modelling the branch prediction mechanism rather than assuming branches resolve architecturally; it outperforms previous static and prediction-agnostic approaches.
Contribution
It introduces a prediction-aware symbolic execution engine, combined with dynamic (rather than fixed, pre-defined) pattern detection, for analysing Spectre variant 1 and variant 2 vulnerabilities.
Findings
Effectively detects Spectre variants 1 and 2.
Outperforms existing static detectors in real-world cryptographic programs.
Efficiently analyzes multiple processor architectures.
Abstract
Spectre attacks exploit speculative execution to leak sensitive information. In the last few years, a number of static side-channel detectors have been proposed to detect cache leakage in the presence of speculative execution. However, these techniques either ignore the branch prediction mechanism, detect only static, pre-defined patterns (which cannot capture new gadget shapes), or produce false negatives. In this paper, we illustrate the weakness of prediction-agnostic state-of-the-art approaches. We propose Specognitor, a novel prediction-aware symbolic execution engine that soundly explores program paths and detects subtle Spectre variant 1 and variant 2 vulnerabilities. We propose a dynamic pattern detection mechanism to account for both existing and future vulnerabilities. Our experimental results show the effectiveness and efficiency of Specognitor in analyzing real-world…
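The abstract's central point, that a detector which only follows architecturally feasible paths misses a variant 1 gadget while one that also follows the mispredicted path finds it, can be shown on a toy. The block below is an added illustration and is not Specognitor's engine or any code from the paper: it is a small taint-based path explorer over a constructed five-instruction IR (the instruction names, the program, the `fence`/`mask` mitigation semantics and the speculation window are all assumptions made here). With `speculate=False` the bounds check is honoured on every path and nothing is reported; with `speculate=True` the explorer forks a path that falls through the check although the index is out of bounds, and flags the second load whose address depends on the out-of-bounds value.

```python
"""Toy prediction-aware path exploration for a Spectre v1 gadget.

Added illustration, not the paper's engine: a taint-based sketch of why a
detector that follows branch *predictions* finds the leak while one that
only follows architectural paths does not. IR, program and labels are
constructed here.
"""
from collections import deque

ATTACKER, SECRET = "attacker", "secret"   # taint labels carried by values

# Constructed example program: the classic v1 gadget
#   if (x < len) { s = a[x]; y = b[s * 512]; }
GADGET = [
    ("branch_ge", "x", "len", 4),  # 0: if x >= len goto 4 (bounds check)
    ("load", "s", "a", "x"),       # 1: s = a[x]
    ("mul", "t", "s", 512),        # 2: t = s * 512
    ("load", "y", "b", "t"),       # 3: y = b[t]; address depends on s
    ("ret",),                      # 4
]
# Two textbook mitigations with assumed semantics: "fence" squashes any
# speculative path, "mask" clamps the index so it is in bounds on every path.
FENCED = [
    ("branch_ge", "x", "len", 5), ("fence",),
    ("load", "s", "a", "x"), ("mul", "t", "s", 512),
    ("load", "y", "b", "t"), ("ret",),
]
MASKED = [
    ("branch_ge", "x", "len", 5), ("mask", "x", "len"),
    ("load", "s", "a", "x"), ("mul", "t", "s", 512),
    ("load", "y", "b", "t"), ("ret",),
]


def analyze(program, speculate, window=8):
    """Return sorted [(pc, mode)] for loads whose address carries SECRET taint.

    speculate=False: prediction-agnostic; only architectural paths, each
    respecting its own branch condition.
    speculate=True: additionally fork, at each branch, a mispredicted path
    that runs up to `window` instructions under the *negated* condition.
    """
    # State: (pc, taint, bounded, spec); spec is None on architectural
    # paths, otherwise the remaining speculation budget.
    init_taint = {"x": frozenset({ATTACKER}), "len": frozenset()}
    work = deque([(0, init_taint, frozenset(), None)])
    findings, seen = set(), set()
    while work:
        pc, taint, bounded, spec = work.popleft()
        key = (pc, tuple(sorted(taint.items())), bounded, spec)
        if key in seen or pc >= len(program) or spec == 0:
            continue                      # visited, fell off the end, or squashed
        seen.add(key)
        nxt = None if spec is None else spec - 1
        ins, op = program[pc], program[pc][0]
        if op == "ret":
            continue
        if op == "fence":
            if spec is not None:
                continue                  # speculative state is squashed here
            work.append((pc + 1, taint, bounded, nxt))
        elif op == "mask":
            work.append((pc + 1, taint, bounded | {ins[1]}, nxt))
        elif op == "mul":
            _, dst, src, _k = ins
            t = dict(taint)
            t[dst] = taint.get(src, frozenset())
            work.append((pc + 1, t, bounded, nxt))
        elif op == "load":
            _, dst, _base, idx = ins
            addr = taint.get(idx, frozenset())
            if SECRET in addr:            # cache-observable, secret-dependent address
                findings.add((pc, "architectural" if spec is None else "speculative"))
            t = dict(taint)
            # An attacker-controlled index that is not proven in bounds on this
            # path can read arbitrary memory, so the loaded value is secret.
            t[dst] = (addr | {SECRET}) if ATTACKER in addr and idx not in bounded else addr
            work.append((pc + 1, t, bounded, nxt))
        elif op == "branch_ge":
            _, var, _limit, target = ins
            work.append((target, taint, bounded, nxt))          # var >= limit
            work.append((pc + 1, taint, bounded | {var}, nxt))  # var <  limit
            if speculate and spec is None:
                # Misprediction: fall through although var >= limit actually holds.
                work.append((pc + 1, taint, bounded, window))
    return sorted(findings)


if __name__ == "__main__":
    for name, prog in [("gadget", GADGET), ("fenced", FENCED), ("masked", MASKED)]:
        print(name, "agnostic:", analyze(prog, False), "aware:", analyze(prog, True))
```

The prediction-agnostic run returns nothing for the plain gadget, which is exactly the false negative the abstract describes; the prediction-aware run reports the load at pc 3 on the speculative path. Both mitigated variants stay clean because the speculative state either dies at the fence or has its index proven in bounds before the first load. A real engine would carry symbolic path constraints instead of a `bounded` set and a concrete window, but the forking discipline is the same.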
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Parallel Computing and Optimization Techniques
