A group of researchers from the Vrije Universiteit Amsterdam has published Kasper, a toolkit designed to identify code fragments (gadgets) in the Linux kernel that can be used to exploit Spectre-class vulnerabilities caused by the processor's speculative execution of code. The toolkit's source code is distributed under the Apache 2.0 license.
Recall that attacks such as Spectre V1, which allow an attacker to determine the contents of memory, require the presence in privileged code of a specific instruction sequence (a gadget) that leads to speculative execution of instructions. As an optimization, the processor begins executing such a gadget speculatively, then determines that the branch prediction was wrong and rolls the operations back to the initial state; however, the data processed during speculative execution remain in the cache and in microarchitectural buffers, from which they can be extracted using various side-channel methods for recovering residual data.
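As an added illustration (not code from the Kasper project or the original article), the following shows the classic Spectre V1 gadget shape described above next to a hardened form that clamps the index with a branch-free mask modelled on the generic C fallback of the Linux kernel's `array_index_mask_nospec()`; the table contents, the probe array and the `index_nospec` name are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define TABLE_SIZE 16
#define CACHE_LINE 64

/* Constructed sample data: a small table the code may legitimately read,
 * and a probe array whose cache state a side channel could later inspect. */
static const uint8_t table[TABLE_SIZE] = {
    3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3 };
static uint8_t probe[256 * CACHE_LINE];

/* Classic Spectre V1 gadget shape. The bounds check is architecturally
 * correct, but if the branch is mispredicted the CPU speculatively runs both
 * dependent loads with an out-of-bounds idx: table[idx] reads a byte beyond
 * the table, and that byte selects which probe line is pulled into the cache.
 * Returns the probe offset that would be touched, or -1 when rejected. */
int gadget_vulnerable(size_t idx)
{
    if (idx < TABLE_SIZE) {
        uint8_t secret = table[idx];
        int off = (int)secret * CACHE_LINE;
        volatile uint8_t sink = probe[off]; (void)sink;
        return off;
    }
    return -1;
}

/* Branch-free index clamp: yields idx when idx < size, otherwise 0. Because
 * the result is data-dependent rather than control-dependent, a mispredicted
 * bounds check cannot turn idx into an out-of-bounds load.
 * (Assumes an LP64 target, i.e. 64-bit long, and size below 2^63.) */
size_t index_nospec(size_t idx, size_t size)
{
    long mask = ~(long)(idx | (size - idx - 1)) >> (sizeof(long) * 8 - 1);
    return idx & (size_t)mask;
}

/* Hardened form: same logic, but the index used for the loads is masked,
 * which is how the kernel applies array_index_nospec() inside the check. */
int gadget_hardened(size_t idx)
{
    if (idx < TABLE_SIZE) {
        uint8_t secret = table[index_nospec(idx, TABLE_SIZE)];
        int off = (int)secret * CACHE_LINE;
        volatile uint8_t sink = probe[off]; (void)sink;
        return off;
    }
    return -1;
}
```

Architecturally both functions behave identically; the difference is only visible under misprediction, which is exactly why pattern-based scanners and Kasper's speculative emulation are needed to tell the two apart.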
Previously available tools for scanning for Spectre gadgets, which rely on searching for typical code patterns, showed a very high rate of false positives while at the same time missing many real gadgets (experiments showed that 99% of the gadgets identified by such tools could not be used for attacks, while 33% of the exploitable gadgets that could lead to an attack went undetected).
To improve the accuracy of detecting problematic gadgets, Kasper models the vulnerabilities an attacker can use at each stage of a Spectre-class attack: problems that allow the attacker to control data (for example, injecting attacker-controlled data into microarchitectural structures to influence subsequent speculative execution, as in LVI-class attacks), to access confidential information (for example, via out-of-bounds buffer access or use of memory after it has been freed), and to organize the leakage of that information (for example, by analyzing the state of the processor cache or by using the MDS method).
During testing, the kernel is linked with the Kasper runtime libraries and with checks that operate at the LLVM level. The check emulates speculative execution of the code using a checkpoint-restore mechanism that executes the incorrectly predicted branch and then rolls back to the state before the branch. Kasper also attempts to simulate various software and hardware vulnerabilities, analyzes architectural and microarchitectural effects, and performs fuzz testing of possible attack paths. To analyze data flows, a port of DataFlowSanitizer for the Linux kernel is used, and for fuzz testing a modified version