Teapot: Efficiently Uncovering Spectre Gadgets in COTS Binaries
Fangzheng Lin, Zhongfa Wang, Hiroshi Sasaki

TL;DR
Teapot is a novel static binary rewriting tool that efficiently detects Spectre gadgets in COTS binaries by simulating speculative execution, outperforming previous methods in speed and detection accuracy.
Contribution
It introduces Speculation Shadows and a static binary rewriting approach to detect Spectre gadgets efficiently without source code.
Findings
Teapot achieves over 20x performance improvement.
It outperforms previous binary-based approaches in gadget detection.
Successfully detects Spectre gadgets in real-world binaries.
Abstract
Speculative execution is crucial in enhancing modern processor performance but can introduce Spectre-type vulnerabilities that may leak sensitive information. Detecting Spectre gadgets from programs has been a research focus to enhance the analysis and understanding of Spectre attacks. However, one of the problems of existing approaches is that they rely on the presence of source code (or are impractical in terms of run-time performance and gadget detection ability). This paper presents Teapot, the first Spectre gadget scanner that works on COTS binaries with comparable performance to compiler-based alternatives. As its core principle, we introduce Speculation Shadows, a novel approach that separates the binary code for normal execution and speculation simulation in order to improve run-time efficiency. Teapot is based on static binary rewriting. It instruments the program to…
Taxonomy
Topics: Advanced Data Compression Techniques
