oo7: A binary analysis framework to check and fix code snippets against potential vulnerability to Spectre attacks

  • Our solution employs control flow extraction, taint analysis and address analysis to detect conditional branches whose condition is tainted by untrusted input, and to determine whether those branches can influence subsequent memory accesses. Fixing is achieved by selectively inserting a small number of fences only at those branches, instead of inserting a fence after every conditional branch.
  • oo7 therefore inserts fewer fences than a fence-after-every-branch scheme, and is shown experimentally to impose acceptably low performance overhead: less than 2% in our experiments on the GNU Core utilities.
  • Spectre affects most modern processors employing speculative execution: innocuous code can speculatively access secrets, which then linger in the cache and can be recovered through a cache side channel. The classic gadget:
    input x;                              /* x is attacker-controlled */
    if (x < array_size) {                 /* tainted conditional branch */
      y = array2[array[x] * 256];         /* array[x] is read speculatively even when x is out of bounds; */
    }                                     /* the dependent array2 access leaves a cache footprint indexed by that byte */
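The analysis described in the first two bullets, as an added example written for this page (it is not oo7's own code, which works on binaries): a toy taint and address analysis over a hand-written three-address IR that stands in for a disassembled instruction sequence. The IR, the opcode and register names, the `input` taint source and the speculation-window length are all assumptions made for illustration. It flags the gadget pattern the page describes (a tainted conditional branch, followed by a load whose address is tainted and then a load whose address depends on the value that load returned) and compares the branches it would fence with a fence-after-every-branch scheme.

```python
# Added example (not oo7's own code): toy taint + address analysis over a
# constructed IR. Opcode names, register names and SPEC_WINDOW are assumptions.
from dataclasses import dataclass

INPUT_TAINT = "input"   # label for attacker-controlled data
SPEC_WINDOW = 200       # assumed bound on how far execution can run past a branch


@dataclass(frozen=True)
class Insn:
    op: str               # "input", "cmp", "br", "load", "mul", "add", "mov"
    dst: str = ""         # destination register ("" for br)
    srcs: tuple = ()      # source registers; for "load": base and index registers


def analyze(prog, window=SPEC_WINDOW):
    """Return (branch, rs_load, ls_load) index triples for Spectre v1 gadgets.

    A gadget is a branch whose condition is tainted (CB), followed within the
    window by a load whose address is tainted (RS, reads the secret) and then a
    load whose address depends on the value RS returned (LS, leaks the secret).
    """
    taint = {}              # register -> set of taint labels
    tainted_branches = []   # indices of branches whose condition is tainted
    rs_loads = {}           # RS load index -> nearest preceding tainted branch
    gadgets = []
    for i, ins in enumerate(prog):
        src_taint = set().union(*(taint.get(r, set()) for r in ins.srcs))
        if ins.op == "input":
            taint[ins.dst] = {INPUT_TAINT}
        elif ins.op == "br":
            if src_taint:
                tainted_branches.append(i)
        elif ins.op == "load":
            # The loaded value inherits the address taint and gets a label
            # naming this load, so later addresses derived from it are traceable.
            taint[ins.dst] = src_taint | {f"load@{i}"}
            in_window = [b for b in tainted_branches if i - b <= window]
            if INPUT_TAINT in src_taint and in_window:
                rs_loads[i] = in_window[-1]
            for rs, br in list(rs_loads.items()):
                if f"load@{rs}" in src_taint and i - br <= window:
                    gadgets.append((br, rs, i))
        else:
            # arithmetic / mov: plain data-flow propagation
            taint[ins.dst] = src_taint
    return gadgets


def branch_indices(prog):
    """Every conditional branch: where a fence-after-every-branch scheme fences."""
    return [i for i, ins in enumerate(prog) if ins.op == "br"]


def fence_plan(prog, window=SPEC_WINDOW):
    """Branches that actually guard a gadget: where the selective scheme fences."""
    return sorted({br for br, _, _ in analyze(prog, window)})


# Constructed IR for the snippet above, preceded by an unrelated loop-counter
# check so that the two fencing strategies differ.
SPECTRE_V1 = [
    Insn("input", "x"),                          # 0: x comes from the attacker
    Insn("cmp", "c0", ("i", "n")),               # 1: loop counter vs bound (untainted)
    Insn("br", srcs=("c0",)),                    # 2: untainted branch: no fence needed
    Insn("cmp", "c1", ("x", "array_size")),      # 3: x < array_size
    Insn("br", srcs=("c1",)),                    # 4: tainted branch (CB)
    Insn("load", "t", ("array", "x")),           # 5: t = array[x]        (RS)
    Insn("mul", "o", ("t", "k256")),             # 6: o = t * 256
    Insn("load", "y", ("array2", "o")),          # 7: y = array2[o]       (LS)
]

if __name__ == "__main__":
    print("gadgets:", analyze(SPECTRE_V1))
    print("fence after every branch:", branch_indices(SPECTRE_V1))
    print("selective fences:", fence_plan(SPECTRE_V1))
```

On the constructed program the selective plan fences only branch 4, while the naive scheme also fences the loop check at branch 2. The toy is deliberately straight-line and path-insensitive: it ignores the control-flow graph, stores and the actual instruction encoding, and the window value is an assumption, so it illustrates the detection criterion rather than reproducing oo7's precision on real binaries.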