SpecFuzz: Bringing Spectre-type vulnerabilities to the surface
This addresses security vulnerabilities in computing systems for developers and users, representing a novel method rather than an incremental improvement.
The authors tackled the problem of detecting speculative execution vulnerabilities like Spectre by developing SpecFuzz, a tool that dynamically tests for these vulnerabilities through software simulation of speculative execution, resulting in identification of all known Spectre V1 variations and reducing mitigation overheads by up to 77% in instrumented branches.
SpecFuzz is the first tool that enables dynamic testing for speculative execution vulnerabilities (e.g., Spectre). The key is a novel concept of speculation exposure: The program is instrumented to simulate speculative execution in software by forcefully executing the code paths that could be triggered due to mispredictions, thereby making the speculative memory accesses visible to integrity checkers (e.g., AddressSanitizer). Combined with the conventional fuzzing techniques, speculation exposure enables more precise identification of potential vulnerabilities compared to state-of-the-art static analyzers. Our prototype for detecting Spectre V1 vulnerabilities successfully identifies all known variations of Spectre V1 and decreases the mitigation overheads across the evaluated applications, reducing the amount of instrumented branches by up to 77% given a sufficient test coverage.