FastSpec: Scalable Generation and Detection of Spectre Gadgets Using Neural Embeddings

  title={FastSpec: Scalable Generation and Detection of Spectre Gadgets Using Neural Embeddings},
  author={M. Caner Tol and Koray Yurtseven and Berk G{\"u}lmezoglu and Berk Sunar},
  journal={2021 IEEE European Symposium on Security and Privacy (EuroS\&P)},
Several techniques have been proposed to detect vulnerable Spectre gadgets in widely deployed commercial software. Unfortunately, detection techniques proposed so far rely on hand-written rules which fall short in covering subtle variations of known Spectre gadgets as well as demand a huge amount of time to analyze each conditional branch in software. Moreover, detection tool evaluations are based only on a handful of these gadgets, as it requires arduous effort to craft new gadgets manually… 

Figures and Tables from this paper

Dynamic Process Isolation
It is shown that it is possible to mount a Spectre attack on such a restricted environment, leaking secrets from co-located tenants, and Dynamic Process Isolation statistically provides the same security guarantees as strict process isolation, fully mitigating Spectre attacks between multiple tenants.
Leaking Control Flow Information via the Hardware Prefetcher
This work presents AfterImage, a new side-channel that exploits the Intel Instruction Pointer-based stride prefetcher, and is the first to publicly demonstrate a methodology that is both algorithm-agnostic and also able to leak kernel data into userspace.
Leaking Secrets through Modern Branch Predictor in the Speculative World
This work demonstrates a new class of speculation-based attacks that targets the branch prediction unit (BPU) and builds a novel attack framework, BranchSpectre, that enables exfiltration of unintended secrets through observing speculative PHT updates (in the form of covert and side channels).
Osiris: Automated Discovery of Microarchitectural Side Channels
This paper presents Osiris, a fuzzing-based framework to automatically discover microarchitectural side channels on CPUs, based on a machine-readable specification of a CPU’s ISA, which generates instruction-sequence triples and automatically tests whether they form a timing-based side channel.
Revisiting Binary Code Similarity Analysis using Interpretable Feature Engineering and Lessons Learned
This is the first systematic study on the basic features used in BCSA by leveraging interpretable feature engineering on a large-scale benchmark and shows that a simple interpretable model with a few basic features can achieve a comparable result to that of recent deep learning-based approaches.


SAFE: Self-Attentive Function Embeddings for Binary Similarity
This paper proposes SAFE, a novel architecture for the embedding of functions based on a self-attentive neural network that works directly on disassembled binary functions, does not require manual feature extraction, is computationally more efficient than existing solutions, and is more general as it works on stripped binaries and on multiple architectures.
Asm2Vec: Boosting Static Representation Robustness for Binary Clone Search against Code Obfuscation and Compiler Optimization
An assembly code representation learning model that can find and incorporate rich semantic relationships among tokens appearing in assembly code and significantly outperforms existing methods against changes introduced by obfuscation and optimizations is developed.
MaskGAN: Better Text Generation via Filling in the ______
This work introduces an actor-critic conditional GAN that fills in missing text conditioned on the surrounding context and shows qualitatively and quantitatively, evidence that this produces more realistic conditional and unconditional text samples compared to a maximum likelihood trained model.
oo7: Low-overhead Defense against Spectre Attacks via Binary Analysis
The Spectre vulnerability in modern processors has been widely reported. The key insight in this vulnerability is that speculative execution in processors can be misused to access secrets
SpecCFI: Mitigating Spectre Attacks using CFI Informed Speculation
This paper proposes to use Control-Flow Integrity (CFI), a security technique used to stop control-flow hijacking attacks, on the committed path, to prevent speculative control- flow from being hijacked to launch the most dangerous variants of the Spectre attacks.
A Cross-Architecture Instruction Embedding Model for Natural Language Processing-Inspired Binary Code Analysis
This work regards instructions as words in NLP-inspired binary code analysis, and proposes a joint learning approach to generating instruction embeddings that capture not only the semantics of instructions within an architecture, but also their semantic relationships across architectures.
SMoTherSpectre: Exploiting Speculative Execution through Port Contention
SmoTherSpectre is introduced, a speculative code-reuse attack that leverages port-contention in simultaneously multi-threaded processors (SMoTher) as a side channel to leak information from a victim process.
Valgrind: a framework for heavyweight dynamic binary instrumentation
Valgrind is described, a DBI framework designed for building heavyweight DBA tools that can be used to build more interesting, heavyweight tools that are difficult or impossible to build with other DBI frameworks such as Pin and DynamoRIO.
oo7: Low-Overhead Defense Against Spectre Attacks via Program Analysis
The Spectre vulnerability in modern processors has been widely reported. The key insight in this vulnerability is that speculative execution in processors can be misused to access the secrets.
SentiGAN: Generating Sentimental Texts via Mixture Adversarial Networks
This paper proposes a novel framework - SentiGAN, which has multiple generators and one multi-class discriminator, which consistently outperforms several state-of-the-art text generation methods in the sentiment accuracy and quality of generated texts.