Kasper, a speculative code execution problem scanner in the Linux kernel, is available

Researchers at the Vrije Universiteit Amsterdam have published Kasper, a toolkit for finding code fragments in the Linux kernel that could be used to exploit Spectre-class vulnerabilities, which stem from speculative execution of code by the processor. The toolkit's source code is distributed under the Apache 2.0 license.

Recall that attacks such as Spectre v1, which allow the contents of memory to be determined, require a particular instruction sequence (a gadget) in privileged code that leads to speculative execution of instructions. As an optimization, the processor begins executing such a gadget speculatively; when it later determines that the branch prediction was wrong, it rolls the operations back to their original state, but the data touched during speculative execution remains in the cache and microarchitectural buffers, from which it can be extracted through side channels using various techniques for recovering residual data.
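As an added illustration of the gadget shape described above (this is constructed example code, not Kasper's code or kernel code), the function below shows the classic bounds-check pattern next to a hardened version that clamps the index with a branch-free mask, the idiom behind the Linux kernel's array_index_nospec(). The table, its size and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table: 8 entries, the index comes from an untrusted caller. */
#define TABLE_SIZE 8UL
static const uint8_t table[TABLE_SIZE] = {10, 20, 30, 40, 50, 60, 70, 80};

/* Before: the classic Spectre v1 gadget shape. Architecturally correct, but if the
 * branch predictor guesses "in bounds" for an out-of-bounds idx, the CPU speculatively
 * loads table[idx], and anything dependent on that value can leave a cache footprint. */
int lookup_before(unsigned long idx)
{
    if (idx < TABLE_SIZE)
        return table[idx];
    return -1;
}

/* Branch-free mask: ~0UL when idx < size, 0 otherwise. This is the arithmetic used by
 * the Linux kernel's generic array_index_mask_nospec(); it assumes idx and size < 2^63
 * and an arithmetic right shift on signed long (true for gcc/clang). */
static unsigned long index_mask_nospec(unsigned long idx, unsigned long size)
{
    /* volatile keeps the compiler from folding the mask back into the branch. */
    volatile unsigned long hidden = idx;
    idx = hidden;
    return ~(long)(idx | (size - 1UL - idx)) >> (sizeof(long) * 8 - 1);
}

/* After: on the mispredicted path the index used by the load is forced to 0, so the
 * speculative access can never read outside the table. Architectural results are
 * identical to lookup_before(); only the speculative behaviour differs. */
int lookup_after(unsigned long idx)
{
    if (idx < TABLE_SIZE) {
        idx &= index_mask_nospec(idx, TABLE_SIZE);
        return table[idx];
    }
    return -1;
}

int main(void)
{
    unsigned long probes[] = {3, 7, 8, 1000};
    for (size_t i = 0; i < 4; i++)
        printf("idx=%lu before=%d after=%d mask=%lx\n", probes[i],
               lookup_before(probes[i]), lookup_after(probes[i]),
               index_mask_nospec(probes[i], TABLE_SIZE));
    return 0;
}
```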

Previously available pattern-based gadget scanners for the Spectre vulnerability showed a very high false-positive rate while also missing many real gadgets (experiments showed that 99% of the gadgets such tools reported could not be used for an attack, while 33% of the gadgets actually capable of enabling an attack went undetected).

To improve the quality of gadget identification, Kasper models the vulnerabilities an attacker can use at each step of a Spectre-class attack: those that allow control of data (for example, injecting attacker data into microarchitectural structures to influence subsequent speculative execution, as in LVI-class attacks), those that grant access to confidential information (for example, an out-of-bounds buffer access or a use-after-free), and those that leak confidential information (for example, by analyzing the state of the processor cache or using the MDS method).

During testing, the kernel is linked against Kasper's runtime libraries and instrumented with checks that operate at the LLVM level. Speculative execution is emulated with a checkpoint-restore mechanism that deliberately executes the mispredicted branch and then rolls back to the state before the branch began. Kasper also attempts to model various software and hardware vulnerabilities, analyzes the influence of architectural and microarchitectural effects, and fuzzes possible attacker actions. A port of DataFlowSanitizer to the Linux kernel is used to track data flows during execution, and a modified version of syzkaller is used for fuzzing.

Scanning the Linux kernel with Kasper identified 1379 previously unknown gadgets that could potentially lead to data leakage during speculative execution of instructions. It is noted that perhaps only some of them pose real problems, but to demonstrate that the danger is real and not merely theoretical, a working prototype exploit was developed for one of the problematic code fragments, leading to leakage of information from kernel memory.

Source: opennet.ru