KLEESpectre
ACM Transactions on Software Engineering and Methodology (IF 4.4), Pub Date: 2020-06-01, DOI: 10.1145/3385897
Guanhua Wang 1, Sudipta Chattopadhyay 2, Arnab Kumar Biswas 1, Tulika Mitra 1, Abhik Roychoudhury 1

Spectre-style attacks disclosed in early 2018 expose data leakage scenarios via cache side channels. Specifically, speculatively executed paths due to branch mis-prediction may bring secret data into the cache, which are then exposed via cache side channels even after the speculative execution is squashed. Symbolic execution is a well-known test generation method to cover program paths at the level of the application software. In this article, we extend symbolic execution with modeling of cache and speculative execution. Our tool KLEESpectre, built on top of the KLEE symbolic execution engine, can thus provide a testing engine to check for data leakage through the cache side channel as shown via Spectre attacks. Our symbolic cache model can verify whether the sensitive data leakage due to speculative execution can be observed by an attacker at a given program point. Our experiments show that KLEESpectre can effectively detect data leakage along speculatively executed paths and our cache model can make the leakage detection more precise.

Updated: 2020-06-01