InSpectre Gadget: Inspecting the Residual Attack Surface of Cross-privilege Spectre v2
Sander Wiebing
33rd USENIX Security Symposium · Day 1 · USENIX Security '24
Speculative-execution vulnerabilities such as Spectre remain a significant threat to the security of modern CPUs. This talk, "InSpectre Gadget: Inspecting the Residual Attack Surface of Cross-privilege Spectre v2," presented by Sander Wiebing, addresses the persistent challenge of finding and exploiting **Spectre v2 gadgets** in privileged code, specifically the Linux kernel. The research introduces **InSpectre Gadget**, a tool that performs a precise, fine-grained exploitability analysis of these gadgets, going beyond prior detection methods that either approximate exploitability or over-constrain the gadget model and so miss real cases.
AI review
This research delivers InSpectre Gadget, a symbolic-execution tool for precise Spectre v2 gadget analysis, which uncovers over 1,500 Spectre v2 gadgets in the Linux kernel. The demonstrated native BHI attack, built on one of the discovered gadgets, bypasses the currently deployed mitigations on 13th Gen Intel CPUs and leaks arbitrary kernel memory. This shows that the cross-privilege Spectre v2 attack surface has not been closed.