Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Teapot: Efficiently Uncovering Spectre Gadgets in COTS Binaries

Fangzheng Lin, Zhongfa Wang, Hiroshi Sasaki

TL;DR

Teapot addresses the challenge of detecting Spectre gadgets in COTS binaries without source code by introducing Speculation Shadows, a two-copy Real/Shadow execution model implemented via static binary rewriting. It combines Binary ASan and Binary DIFT for precise tainting and gadget reporting, enabling fuzzing-driven discovery that achieves orders-of-magnitude runtime improvements over binary-based predecessors and competitive performance with compiler-based tools. The approach delivers robust gadget detection across real-world binaries and demonstrates practical viability for analyzing deployed software. This work advances binary-level security analysis for speculative execution, with potential extensions to additional gadget variants and architectures.

Abstract

Speculative execution is crucial in enhancing modern processor performance but can introduce Spectre-type vulnerabilities that may leak sensitive information. Detecting Spectre gadgets from programs has been a research focus to enhance the analysis and understanding of Spectre attacks. However, one of the problems of existing approaches is that they rely on the presence of source code (or are impractical in terms of run-time performance and gadget detection ability). This paper presents Teapot, the first Spectre gadget scanner that works on COTS binaries with comparable performance to compiler-based alternatives. As its core principle, we introduce Speculation Shadows, a novel approach that separates the binary code for normal execution and speculation simulation in order to improve run-time efficiency. Teapot is based on static binary rewriting. It instruments the program to simulate the effects of speculative execution and also adds integrity checks to detect Spectre gadgets at run time. By leveraging fuzzing, Teapot succeeds in efficiently detecting Spectre gadgets. Evaluations show that Teapot outperforms both performance (more than 20x performant) and gadget detection ability than a previously proposed binary-based approach.

Teapot: Efficiently Uncovering Spectre Gadgets in COTS Binaries

TL;DR

Teapot addresses the challenge of detecting Spectre gadgets in COTS binaries without source code by introducing Speculation Shadows, a two-copy Real/Shadow execution model implemented via static binary rewriting. It combines Binary ASan and Binary DIFT for precise tainting and gadget reporting, enabling fuzzing-driven discovery that achieves orders-of-magnitude runtime improvements over binary-based predecessors and competitive performance with compiler-based tools. The approach delivers robust gadget detection across real-world binaries and demonstrates practical viability for analyzing deployed software. This work advances binary-level security analysis for speculative execution, with potential extensions to additional gadget variants and architectures.

Abstract

Speculative execution is crucial in enhancing modern processor performance but can introduce Spectre-type vulnerabilities that may leak sensitive information. Detecting Spectre gadgets from programs has been a research focus to enhance the analysis and understanding of Spectre attacks. However, one of the problems of existing approaches is that they rely on the presence of source code (or are impractical in terms of run-time performance and gadget detection ability). This paper presents Teapot, the first Spectre gadget scanner that works on COTS binaries with comparable performance to compiler-based alternatives. As its core principle, we introduce Speculation Shadows, a novel approach that separates the binary code for normal execution and speculation simulation in order to improve run-time efficiency. Teapot is based on static binary rewriting. It instruments the program to simulate the effects of speculative execution and also adds integrity checks to detect Spectre gadgets at run time. By leveraging fuzzing, Teapot succeeds in efficiently detecting Spectre gadgets. Evaluations show that Teapot outperforms both performance (more than 20x performant) and gadget detection ability than a previously proposed binary-based approach.

Paper Structure

This paper contains 54 sections, 9 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Spectre attacks
  4. Dynamic detection of Spectre gadgets
  5. SpecFuzz
  6. SpecTaint
  7. Kasper
  8. Threat Model
  9. Motivation
  10. Inefficiencies of full-system emulation
  11. Pitfalls of compiler-based approaches
  12. Teapot: Overview
  13. Speculation Shadows
  14. Problem analysis
  15. Illustrative demonstration
  16. ...and 39 more sections

Figures (9)

  • Figure 1: Comparison of the execution time of two programs instrumented with SpecTaint and SpecFuzz, with large crafted inputs, normalized to the execution time of the native versions. Shorter is better. Averaged over 10 runs.
  • Figure 2: Assembly instructions of a switch statement compiled with GCC and Clang, respectively, with -O2 optimization. The different structures of the generated code affect the existence of Spectre-V1 gadgets.
  • Figure 3: Workflow of detecting Spectre gadgets in binaries with Teapot.
  • Figure 4: Flow of program execution and misspeculation simulation with Speculation Shadows.
  • Figure 5: Examples of control flow escaping into Real Copy.
  • ...and 4 more figures