Teapot: Efficiently Uncovering Spectre Gadgets in COTS Binaries

Fangzheng Lin, Zhongfa Wang, Hiroshi Sasaki
2024-11-18
Abstract: Speculative execution is crucial in enhancing modern processor performance but can introduce Spectre-type vulnerabilities that may leak sensitive information. Detecting Spectre gadgets in programs has been a research focus to enhance the analysis and understanding of Spectre attacks. However, one of the problems of existing approaches is that they rely on the presence of source code (or are impractical in terms of run-time performance and gadget detection ability). This paper presents Teapot, the first Spectre gadget scanner that works on COTS binaries with performance comparable to compiler-based alternatives. As its core principle, we introduce Speculation Shadows, a novel approach that separates the binary code for normal execution and for speculation simulation in order to improve run-time efficiency. Teapot is based on static binary rewriting. It instruments the program to simulate the effects of speculative execution and also adds integrity checks to detect Spectre gadgets at run time. By leveraging fuzzing, Teapot succeeds in efficiently detecting Spectre gadgets. Evaluations show that Teapot outperforms a previously proposed binary-based approach in both performance (more than 20x faster) and gadget detection ability.
Cryptography and Security, Hardware Architecture
What problem does this paper attempt to address?
The problem that this paper attempts to solve is: **how to efficiently detect Spectre gadgets in Commercial Off-The-Shelf (COTS) binaries without relying on the availability of source code**. Modern processors improve performance through speculative execution, but this can introduce Spectre-type vulnerabilities that leak sensitive information. Existing detection methods usually require source code, or fall short in run-time performance and gadget detection ability. This paper therefore proposes a new tool, Teapot, which detects Spectre gadgets directly in binaries, with no source code needed.

### Main Problems and Challenges

1. **Limitations of existing methods**:
   - Existing dynamic detection tools such as SpecFuzz and Kasper rely on source code: they instrument the program statically at compile time to simulate the effects of speculative execution.
   - SpecTaint is currently the only binary-based dynamic analysis tool, but it runs on a full-system emulator (such as QEMU), which makes it slow at run time and in turn limits its gadget detection ability.
2. **Unique challenges of binaries**:
   - For closed-source security-critical applications (banking applications, password managers, and so on) the source code is not available, so a method that analyses the binary directly is required.
   - Binary analysis not only handles closed-source programs but also checks the application as actually deployed, so that potential bugs in compilers and toolchains cannot distort the analysis result.

### Teapot's Solution

Teapot addresses these problems as follows:

- **Static binary rewriting**: Teapot rewrites the binary statically, instrumenting it to simulate the effects of speculative execution and adding integrity checks that detect Spectre gadgets at run time.
- **Speculation Shadows**: the core design principle of Teapot. The binary code is split into a "Real Copy" for normal execution and a "Shadow Copy" for speculation simulation, so that the normal-execution code and the speculation-simulation code are completely separated; this eliminates unnecessary conditional checks and reduces run-time overhead.
- **Fuzzing**: combined with fuzzing, Teapot explores inputs efficiently and finds Spectre gadgets.

With these techniques Teapot is not only substantially faster at run time than the existing binary-based tool (SpecTaint), more than 20x according to the evaluation, but also matches compiler-based tools in gadget detection ability.

### Summary

The main contribution of this paper is Teapot, an efficient Spectre gadget scanner for binaries. It removes both the dependence on source code and the low run-time efficiency of existing approaches, offering a new way to analyse the security of closed-source programs.
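To make the Real Copy / Shadow Copy idea concrete, here is an added illustrative model in C; it is not Teapot's code and it does not perform binary rewriting. Teapot derives the two copies from the machine code of a COTS binary, whereas here both are hand-written: `victim_real` is the classic Spectre v1 bounds-check gadget run as shipped, and `victim_shadow` is the same logic with the guard followed in the direction a mispredicting CPU would take, every load routed through an integrity check (`checked_load`), and the path squashed after a fixed speculation window. The function names, the `SPEC_WINDOW` value, the taint bookkeeping and the sample inputs are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model parameters: assumptions for this example, not Teapot's settings. */
#define ARRAY1_SIZE 16
#define CACHE_LINE  64
#define SPEC_WINDOW 2   /* loads the shadow may issue before the simulated squash */

/* Constructed sample data. */
static uint8_t array1[ARRAY1_SIZE] = { 0, 1, 2, 3, 4, 5, 6, 7,
                                       8, 9, 10, 11, 12, 13, 14, 15 };
static uint8_t array2[256 * CACHE_LINE];

struct shadow_report {
    int loads;              /* loads issued on the simulated mispredicted path */
    int oob_loads;          /* loads whose address left the object they target */
    int dependent_loads;    /* loads whose address depends on an OOB-loaded value */
    size_t first_oob_index; /* index of the first OOB load */
};

/* Real Copy: the program as shipped, the classic Spectre v1 bounds-check gadget. */
uint8_t victim_real(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * CACHE_LINE];
    return 0;
}

/* Integrity check for every load in the Shadow Copy. An OOB load is recorded
 * and never dereferenced; its result is marked tainted so that a later load
 * whose address uses it (the access that would leave a cache trace) is counted. */
static uint8_t checked_load(const uint8_t *obj, size_t size, size_t idx,
                            int addr_tainted, int *val_tainted,
                            struct shadow_report *rep)
{
    if (addr_tainted)
        rep->dependent_loads++;
    if (idx >= size) {
        if (rep->oob_loads == 0)
            rep->first_oob_index = idx;
        rep->oob_loads++;
        *val_tainted = 1;
        return 0;
    }
    *val_tainted = 0;
    return obj[idx];
}

/* Simulated speculation window: squash once SPEC_WINDOW loads were issued. */
#define SPEC_BUDGET(rep) \
    do { if ((rep)->loads >= SPEC_WINDOW) return (rep)->loads; (rep)->loads++; } while (0)

/* Shadow Copy: same logic as victim_real, but the guard is followed in the
 * direction the real program would NOT take and every load is checked.
 * Returns the number of loads issued before the squash. */
int victim_shadow(size_t x, struct shadow_report *rep)
{
    int t1, t2;
    *rep = (struct shadow_report){ 0 };

    /* Real path enters the body; mispredicting it skips the body: nothing to check. */
    if (x < ARRAY1_SIZE)
        return rep->loads;

    /* Real path skips the body; a mispredicting CPU enters it with x out of bounds. */
    SPEC_BUDGET(rep);
    uint8_t v = checked_load(array1, sizeof array1, x, 0, &t1, rep);
    SPEC_BUDGET(rep);
    (void)checked_load(array2, sizeof array2, (size_t)v * CACHE_LINE, t1, &t2, rep);
    return rep->loads;
}

/* Verdict: an OOB load on the speculative path whose value reaches a later
 * load address within the window is what the integrity check reports. */
int is_gadget_input(size_t x)
{
    struct shadow_report rep;
    victim_shadow(x, &rep);
    return rep.oob_loads > 0 && rep.dependent_loads > 0;
}

/* Fuzzing-style driver: run the shadow over candidate inputs, count the hits
 * and remember the first triggering input. */
int scan_inputs(const size_t *inputs, size_t n, size_t *first_hit)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_gadget_input(inputs[i])) {
            if (hits == 0 && first_hit)
                *first_hit = inputs[i];
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    const size_t inputs[] = { 0, 3, 15, 16, 1000, (size_t)-1 }; /* constructed */
    size_t n = sizeof inputs / sizeof inputs[0], first = 0;
    int hits = scan_inputs(inputs, n, &first);
    printf("%d of %zu inputs expose the gadget; first: %zu\n", hits, n, first);
    return 0;
}
```

Two points the model makes visible. First, the Real Copy carries no checks at all: the cost of simulation is paid only when control is in the Shadow Copy, which is the run-time argument behind separating the two. Second, the verdict depends on the window: with `SPEC_WINDOW` set to 1 the dependent load is never issued, `dependent_loads` stays 0 and the same input is no longer reported, so a scanner's window size directly trades false negatives against run time.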