DEFENSE AGAINST MICRO-ARCHITECTURE LEVEL TRANSIENT EXECUTION BASED ATTACKS VIA PROGRAM ANALYSIS

Abstract

Modern processors rely on micro-architectural optimizations predicting or re-ordering the instruction stream to improve performance. These optimizations may introduce security issues in the intermediate state of the execution (transient execution). A key insight into these vulnerabilities is that transient execution in processors can be misused to access secrets. Theoretically, program analysis can verify whether a program is vulnerable to transient execution-based attacks. However, the traditional program analysis does not consider this hardware mechanism. To address this issue, in this dissertation, we focus on novel program analysis methods to explore the potential vulnerabilities related to transient execution. First, we propose a static analysis to check whether a given program binary is vulnerable to Spectre attack. Then, to engage the speculative execution and cache modelling into the traditional symbolic execution, we propose KLEESpectre. Finally, we present a tool called Efuzz to prevent the timing-driven cache side-channel attacks.