Name and title of the project proposer: 
sb_p_2621456
Year: 
2021
Abstract: 

Spectre is a class of attacks that puts a wide range of systems at risk, from personal computers to servers [2]. It is a micro-architectural attack that exploits characteristics of modern processors to extract information the attacker should not be allowed to access. In most cases an attack of this class consists of four phases:
- Identification of a vulnerable point in the victim executable from which to launch the attack.
- Creation of an initial setup known to the attacker.
- Waiting for the execution of the victim program.
- Checking the setup for changes made during the victim's execution.
The aim of this project is to simplify and automate the first two phases. To do this I will use a technique called fuzzing [1], in which a large number of random inputs are automatically passed to the program in order to explore all possible paths and detect possible bugs, combined with the Performance Monitoring Unit (PMU), a hardware component present in most machines that allows the user to analyse performance at the architectural and microarchitectural level, for example by obtaining information about core cycles, the number of branches taken, etc. With this methodology we reduce the effort that the attacker must make to carry out the attack, thus making this class of attacks more harmful and more accessible to less experienced attackers.

[1] Li, Jun, Bodong Zhao, and Chao Zhang. "Fuzzing: a survey." Cybersecurity 1, no. 1 (2018): 1-13

[2] Xiong, Wenjie, and Jakub Szefer. "Survey of transient execution attacks." arXiv preprint arXiv:2005.13435 (2020).

ERC: 
PE6_12
PE6_3
Research group members: 
sb_cp_is_3331152
Innovativeness: 

The innovativeness of this project lies both in the final tool, which will be developed and released to the community for possible future developments, and in the research perspective through which the behaviour of processor components will be analysed.

The tool will combine existing techniques such as fuzzing [2][3] with analysis of the machine's microarchitectural state. In particular, fuzzing is a closed loop: in order to generate a new input to be passed to the program, the feedback returned by the program is analysed, i.e. whether there have been any crashes, whether new paths have been explored, etc. Until now, only information coming from software analysis has been used as feedback, while in this project the information will come from several sources, both from the software and from the micro-architectural state, with the aim of directing the fuzzer toward the parts of the code that are interesting for the predetermined purpose and of improving performance by excluding uninteresting paths.

As far as research is concerned, we will study the functioning of some parts of the processor, in particular the branch predictor, which are not documented in the various manuals and differ from machine to machine [1]. The analysis will be carried out on different hardware, on which I will run the same code and study the performance of the individual components of the processor while varying the operating system and the kernel. In the case of the branch predictor, in recent software the number of erroneous predictions increases abnormally, and since these erroneous predictions are the basis of Spectre attacks, this puts the system at risk. My aim is therefore to exploit this condition to build an attack, but also to understand why this degradation occurs and to see whether there is an applicable solution.
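As an added illustration of the PMU signal relied on above (the microarchitectural feedback for fuzzing in the previous section and the branch-predictor measurements here), the following C program is not part of this proposal's tool: it uses the Linux perf_event_open(2) interface to count branches and branch misses around a small input-dependent code region and reports misses per branch for a regular and a random input. It assumes Linux with access to perf events; region() and both inputs are constructed for the example.

```c
/* Added measurement harness (not the proposal's tool): reads the PMU through
 * perf_event_open(2) on Linux to count branches and branch misses around an
 * input-dependent code region. Needs perf-event access (kernel.perf_event_paranoid). */
#include <linux/perf_event.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
long syscall(long, ...);   /* explicit prototype in case a strict -std hides it */
struct pmu_sample { uint64_t branches, misses, result; };
static int open_hw_counter(uint64_t config) {
    struct perf_event_attr pe;
    memset(&pe, 0, sizeof pe);
    pe.type = PERF_TYPE_HARDWARE; pe.size = sizeof pe; pe.config = config;
    pe.disabled = 1; pe.exclude_kernel = 1; pe.exclude_hv = 1; /* start stopped, user mode only */
    return (int)syscall(SYS_perf_event_open, &pe, 0, -1, -1, 0);
}
/* Constructed code region: each branch outcome depends on one input byte. */
uint64_t region(const uint8_t *in, size_t n) {
    uint64_t acc = 0;
    for (size_t i = 0; i < n; i++) { if (in[i] & 1) acc += in[i]; else acc ^= in[i]; }
    return acc;
}
/* Runs region() with both counters enabled; 0 on success, -1 if the PMU is unavailable. */
int measure_region(const uint8_t *in, size_t n, struct pmu_sample *s) {
    int fb = open_hw_counter(PERF_COUNT_HW_BRANCH_INSTRUCTIONS);
    int fm = open_hw_counter(PERF_COUNT_HW_BRANCH_MISSES);
    if (fb < 0 || fm < 0) { if (fb >= 0) close(fb); if (fm >= 0) close(fm); return -1; }
    ioctl(fb, PERF_EVENT_IOC_RESET, 0);  ioctl(fm, PERF_EVENT_IOC_RESET, 0);
    ioctl(fb, PERF_EVENT_IOC_ENABLE, 0); ioctl(fm, PERF_EVENT_IOC_ENABLE, 0);
    s->result = region(in, n);
    ioctl(fm, PERF_EVENT_IOC_DISABLE, 0); ioctl(fb, PERF_EVENT_IOC_DISABLE, 0);
    int ok = read(fb, &s->branches, 8) == 8 && read(fm, &s->misses, 8) == 8;
    close(fb); close(fm);
    return ok ? 0 : -1;
}
/* Misses per branch: the signal compared across inputs and machines; 0 if nothing was counted. */
double mispredict_ratio(const struct pmu_sample *s) {
    return s->branches ? (double)s->misses / (double)s->branches : 0.0;
}
int main(void) {
    uint8_t alt[4096], rnd[4096]; srand(1); /* constructed inputs: alternating vs random parity */
    for (size_t i = 0; i < 4096; i++) { alt[i] = (uint8_t)(i & 1); rnd[i] = (uint8_t)rand(); }
    struct pmu_sample a, b;
    if (measure_region(alt, 4096, &a) || measure_region(rnd, 4096, &b)) { fputs("PMU unavailable\n", stderr); return 1; }
    printf("alternating %.4f  random %.4f misses/branch\n", mispredict_ratio(&a), mispredict_ratio(&b));
}
```

Running the same binary on different processors, kernels and operating systems gives the per-machine comparison of predictor behaviour described above; the same ratio, taken per input, is the kind of microarchitectural feedback a fuzzer can use alongside software coverage.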

[1] Fog, A. The microarchitecture of Intel, AMD, and VIA CPUs - An optimization guide for assembly programmers and compiler makers (2021).

[2] Oleksenko, Oleksii, Bohdan Trach, Mark Silberstein, and Christof Fetzer. "SpecFuzz: Bringing Spectre-type vulnerabilities to the surface." In 29th USENIX Security Symposium (USENIX Security 20), pp. 1481-1498. 2020.

[3] Oleksenko, Oleksii, Christof Fetzer, Boris Köpf, and Mark Silberstein. "Revizor: Fuzzing for Leaks in Black-box CPUs." arXiv preprint arXiv:2105.06872 (2021).

Call code: 
2621456

© Università degli Studi di Roma "La Sapienza" - Piazzale Aldo Moro 5, 00185 Roma