
Detect Potentially Vulnerable Code Snippets Of Spectre Attacks Via LLVM Analysis

Posted on: 2021-08-30
Degree: Master
Type: Thesis
Country: China
Candidate: D Z Chen
Full Text: PDF
GTID: 2518306503474024
Subject: Software engineering

Abstract/Summary:
Spectre vulnerabilities were discovered in 2017 and publicly disclosed in 2018. They have a wide impact on modern microprocessors that perform branch prediction, including those from Intel, AMD and ARM. There are many variants of the Spectre vulnerabilities, mainly divided into two categories: Spectre variant 1 and Spectre variant 2. Potential solutions exist for Spectre variant 2. Due to the complexity of Spectre variant 1, it still poses a serious threat to system security. Existing research on Spectre variant 1 has significant deficiencies, and further research on it is needed. Therefore, the main purpose of this thesis is to find vulnerable code snippets in a program. The main contributions of this thesis are as follows:

1. Design of detection patterns for Spectre variant 1. This thesis found that current Spectre mitigation approaches have many false negatives and false positives. The main challenge is that Spectre variant 1 itself has many sub-variants, and reasonable detection rules must be written to cover them. This thesis therefore analyzes how Spectre attacks work and designs the corresponding vulnerability detection patterns, which cover more security vulnerabilities and have a lower false positive rate.

2. Design and implementation of a static analysis tool that detects potentially vulnerable code snippets. The solution is based on LLVM IR analysis; LLVM IR is platform-independent, language-agnostic and in static single assignment (SSA) form. The tool uses taint analysis to track tainted values and find Spectre-vulnerable code patterns.

3. A bottom-up analysis method. To support the analysis of large programs, this thesis proposes and implements optimizations that improve analysis performance: it builds the call graph of the kernel to extract the functions to be analyzed, and uses a bottom-up analysis order to improve performance.

Evaluation shows that this work detects all 15 purpose-built Spectre-vulnerable code patterns, whereas the Microsoft compiler with its Spectre mitigation mechanism detects only 4 of them. It is also compared with existing tools such as Smatch, and the comparison shows that this design is more accurate. The tool was also applied to the Linux kernel, where it discovered 20 Spectre-vulnerable code snippets, 7 of which were confirmed. Two of the 7 confirmed security vulnerabilities are newly found by this design. Corresponding patches have been submitted to the developers, contributing to the Linux kernel.
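As an added illustration (not the thesis's tool, which works on real LLVM IR), the following toy taint analysis in Python runs over a constructed LLVM-like SSA IR and flags the classic variant 1 gadget: a comparison on attacker-controlled data guards a block in which an attacker-indexed load feeds the address of a second load. The IR encoding, the opcode subset and the guard rule are assumptions made for this example.

```python
"""Toy taint analysis for the Spectre variant 1 (bounds-check bypass) pattern
over a constructed, LLVM-like SSA IR. Added example, not the thesis's tool."""

# Constructed IR: basic block -> list of (opcode, result, *operands).
# Assumptions: blocks are listed in topological order and contain no loops;
# %x names SSA registers, @x names globals, bare digits are constants.
GADGET_IR = {
    "entry": [
        ("icmp", "%cmp", "%idx", "%size"),   # bounds check on untrusted %idx
        ("br", None, "%cmp", "in_bounds", "exit"),
    ],
    "in_bounds": [                           # architecturally: %idx < %size
        ("gep", "%p1", "@array1", "%idx"),   # address derived from %idx
        ("load", "%v1", "%p1"),              # may read out of bounds speculatively
        ("shl", "%off", "%v1", "9"),         # %v1 * 512: one cache line per value
        ("gep", "%p2", "@array2", "%off"),
        ("load", "%v2", "%p2"),              # address depends on the first load
        ("br", None, "exit"),
    ],
    "exit": [],
}

def find_spectre_v1(ir, untrusted):
    """Return (first_load, second_load, block) triples for the pattern:
    inside a block guarded by a branch on attacker-controlled data, a load
    whose address derives from an earlier attacker-indexed load."""
    tainted = set(untrusted)   # values an attacker can control
    from_load = {}             # tainted value -> load results it derives from
    guarded = set()            # successors of a conditional branch on taint
    findings = []
    for block, insts in ir.items():
        for op, dst, *ops in insts:
            if op == "br":
                if len(ops) == 3 and ops[0] in tainted:  # conditional, tainted
                    guarded.update(ops[1:])              # both arms are guarded
                continue
            if not any(o in tainted for o in ops):
                continue                                 # taint does not flow
            tainted.add(dst)
            deps = set().union(*(from_load.get(o, set()) for o in ops))
            if op == "load":
                if deps and block in guarded:            # second, dependent load
                    findings.extend((first, dst, block) for first in sorted(deps))
                deps = deps | {dst}                      # this load now taints
            from_load[dst] = deps
    return findings

if __name__ == "__main__":
    print(find_spectre_v1(GADGET_IR, {"%idx"}))  # [('%v1', '%v2', 'in_bounds')]
```

A real implementation would replace the ordered-block assumption with proper control-dependence information and would, as the thesis does, drive the analysis bottom-up over the call graph so that taint from user-controlled arguments reaches callees.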
Keywords/Search Tags: Speculative Execution, Spectre attacks, Vulnerability Detection