oo7: Spectre Attack Defence

A binary analysis framework that checks compiled code for potential vulnerability to Spectre attacks and fixes the vulnerable locations by inserting fences.


Introduction


Our solution employs control flow extraction, taint analysis and address analysis to detect conditional branches whose condition depends on untrusted (tainted) input, and the memory accesses such branches can influence while the processor executes speculatively. Fixing is achieved by selectively inserting a small number of fences at the detected locations, instead of inserting a fence after every conditional branch.

Because oo7 inserts fewer fences, the performance overhead it imposes is shown experimentally to be acceptably low: less than 6% in our experiments on the GNU Core utilities.
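The detection step above (a tainted conditional branch followed, within the speculative window, by a load from a tainted address whose result then steers a further memory access) can be illustrated on a toy register-level IR. The following is an added example written for this page, not oo7's own code or its BAP-based IR; the instruction set, the 16-register file, the 8-instruction speculation window and the three constructed programs are all assumptions made here for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy straight-line IR: registers r0..r15, abstract memory. Constructed for
   this example; it is not the IR oo7 analyses. */
enum op { OP_INPUT, OP_CONST, OP_BR_LT, OP_LOAD, OP_MUL, OP_STORE };

struct insn {
    enum op op;
    int dst;    /* destination register (unused for BR_LT / STORE) */
    int a, b;   /* operands: for CONST, a is the immediate; for LOAD, a is the
                   address register; for STORE, a is the address, b the value */
};

#define NREGS 16
#define SPEC_WINDOW 8   /* assumed: instructions a mispredicted branch may run ahead */
#define LEN(p) ((int)(sizeof(p) / sizeof((p)[0])))

/* Mark the tainted branches after which a fence is needed.
   taint[r]: r carries attacker-controlled input.
   rs[r]:    r derives from a value loaded from a tainted address inside the
             speculative window of a tainted branch (a potential out-of-bounds
             secret). A later load/store in the same window whose address
             depends on such a value leaves a secret-dependent cache footprint,
             so the open branch gets a fence. Returns the number of fences. */
int find_fence_points(const struct insn *prog, int n, bool *fence_after)
{
    bool taint[NREGS] = {false}, rs[NREGS] = {false};
    int open_branch = -1, count = 0;

    for (int i = 0; i < n; i++) {
        const struct insn *in = &prog[i];
        bool in_window = open_branch >= 0 && i - open_branch <= SPEC_WINDOW;
        fence_after[i] = false;

        switch (in->op) {
        case OP_INPUT: taint[in->dst] = true;  rs[in->dst] = false; break;
        case OP_CONST: taint[in->dst] = false; rs[in->dst] = false; break;
        case OP_BR_LT:
            /* only a branch the attacker can steer opens a window */
            if (taint[in->a] || taint[in->b]) open_branch = i;
            break;
        case OP_MUL:
            taint[in->dst] = taint[in->a] || taint[in->b];
            rs[in->dst]    = rs[in->a]    || rs[in->b];
            break;
        case OP_LOAD:
            if (in_window && rs[in->a] && !fence_after[open_branch]) {
                fence_after[open_branch] = true; count++;
            }
            /* a load from a tainted address inside the window may read out of
               bounds: its result is treated as a potential secret */
            rs[in->dst]    = in_window && taint[in->a];
            taint[in->dst] = false;
            break;
        case OP_STORE:
            if (in_window && rs[in->a] && !fence_after[open_branch]) {
                fence_after[open_branch] = true; count++;
            }
            break;
        }
    }
    return count;
}

/* The page's snippet lowered by hand (constructed):
   r0 = x; r1 = array_size; if (r0 < r1) { r2 = array[r0]; r4 = r2*256; r5 = array2[r4]; } */
static const struct insn gadget[] = {
    { OP_INPUT, 0, 0, 0 }, { OP_CONST, 1, 16, 0 }, { OP_BR_LT, 0, 0, 1 },
    { OP_LOAD, 2, 0, 0 },  { OP_CONST, 3, 256, 0 }, { OP_MUL, 4, 2, 3 },
    { OP_LOAD, 5, 4, 0 },
};
/* Same tainted branch, but the guarded load uses a constant address. */
static const struct insn benign_branch[] = {
    { OP_INPUT, 0, 0, 0 }, { OP_CONST, 1, 16, 0 }, { OP_BR_LT, 0, 0, 1 },
    { OP_CONST, 2, 7, 0 }, { OP_LOAD, 3, 2, 0 },
};
/* The gadget guarded by a branch whose condition does not depend on input. */
static const struct insn untainted_branch[] = {
    { OP_INPUT, 0, 0, 0 }, { OP_CONST, 1, 3, 0 }, { OP_CONST, 6, 16, 0 },
    { OP_BR_LT, 0, 1, 6 }, { OP_LOAD, 2, 0, 0 },  { OP_CONST, 3, 256, 0 },
    { OP_MUL, 4, 2, 3 },   { OP_LOAD, 5, 4, 0 },
};

/* Index of the first branch that needs a fence, or -1 if none. */
int first_fence_point(const struct insn *prog, int n)
{
    bool fence_after[64];
    find_fence_points(prog, n, fence_after);
    for (int i = 0; i < n; i++) if (fence_after[i]) return i;
    return -1;
}

int gadget_fence_point(void)           { return first_fence_point(gadget, LEN(gadget)); }
int benign_branch_fence_point(void)    { return first_fence_point(benign_branch, LEN(benign_branch)); }
int untainted_branch_fence_point(void) { return first_fence_point(untainted_branch, LEN(untainted_branch)); }

int main(void)
{
    printf("gadget: fence after insn %d\n", gadget_fence_point());          /* 2 */
    printf("benign branch: %d, untainted branch: %d\n",
           benign_branch_fence_point(), untainted_branch_fence_point());   /* -1, -1 */
    return 0;
}
```

Only the first program gets a fence, and only after its one tainted branch; the second shows that a tainted branch alone is not enough, and the third that a secret-shaped access pattern behind an untainted branch is not counted either. A real implementation works on the recovered control flow graph rather than one straight-line sequence, and the window length is a processor-dependent parameter.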

Spectre affects most modern processors that employ speculative execution: innocuous code such as the snippet below can speculatively access secrets, which then linger in the cache where a side channel can recover them.

    input x;
    if (x < array_size) {
        y = array2[array[x] * 256];
    }
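The snippet above beside the form oo7's fix produces for it, as an added example for this page rather than oo7's own output: a single fence directly after the tainted branch, while a branch that does not depend on untrusted input (the loop in checksum) is left alone. The table contents, the function names and the fallback used on non-x86 targets are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>

#define ARRAY_SIZE 16
static uint8_t array[ARRAY_SIZE];
static uint8_t array2[256 * 256];

/* Constructed table contents so a valid lookup has a recognisable result:
   array[i] = i and array2[i * 256] = i, hence victim(i) == i for i in range. */
void init_tables(void)
{
    for (int i = 0; i < ARRAY_SIZE; i++) array[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) array2[i * 256] = (uint8_t)i;
}

/* Speculation barrier. On x86, lfence waits for prior instructions (including
   the branch) to complete before later loads issue. On other targets this
   example falls back to a plain compiler barrier, which does NOT stop
   speculation; it only keeps the code compiling. */
#if defined(__x86_64__) || defined(__i386__)
#define SPECULATION_FENCE() __asm__ __volatile__("lfence" : : : "memory")
#else
#define SPECULATION_FENCE() __asm__ __volatile__("" : : : "memory")
#endif

/* Vulnerable: x is untrusted, so the branch can be trained to mispredict.
   During the speculative window array[x] is read out of bounds and the
   byte read selects which line of array2 is pulled into the cache. */
uint8_t victim_vulnerable(size_t x)
{
    uint8_t y = 0;
    if (x < ARRAY_SIZE) {
        y = array2[array[x] * 256];
    }
    return y;
}

/* Fixed: one fence after the tainted conditional branch. The architectural
   result is unchanged; only the speculative loads are held back. */
uint8_t victim_fenced(size_t x)
{
    uint8_t y = 0;
    if (x < ARRAY_SIZE) {
        SPECULATION_FENCE();
        y = array2[array[x] * 256];
    }
    return y;
}

/* A branch that needs no fence: its condition is a fixed loop bound, so a
   misprediction cannot be steered by an attacker-chosen index. */
uint32_t checksum(void)
{
    uint32_t sum = 0;
    for (int i = 0; i < ARRAY_SIZE; i++) sum += array[i];
    return sum;
}

/* Both versions must agree architecturally on in-range and out-of-range
   inputs; returns the number of inputs on which they differ (expected 0). */
int count_mismatches(void)
{
    int mismatches = 0;
    init_tables();
    for (size_t x = 0; x < 2 * ARRAY_SIZE; x++) {
        if (victim_vulnerable(x) != victim_fenced(x)) mismatches++;
    }
    return mismatches;
}
```

The point of the selective placement is visible in the three functions: of the two conditional branches, only the one whose condition is attacker-controlled and whose body performs a dependent memory access receives a fence. Fencing is not the only mitigation (masking the index so it can never exceed the bound is another), but it is the one the page's approach applies.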


TSE paper

oo7 in the News