oo7
1.0.0
A binary analysis framework for defending against potential vulnerabilities to Spectre attacks. Our key contribution is balancing the concerns of effectiveness, analysis time, and runtime overhead. It employs control-flow extraction, taint analysis, and address analysis to detect tainted conditional branches and speculative memory accesses.
Guanhua Wang, Sudipta Chattopadhyay, Ivan Gotovchits, Tulika Mitra, Abhik Roychoudhury. OO7: Low-overhead Defense against Spectre Attacks via Program Analysis. IEEE Transactions on Software Engineering (2020).
Paper link: OO7TSE
@article{guanhua2020oo7,
title={{oo7}: Low-overhead Defense against Spectre Attacks via Program Analysis},
author={Guanhua Wang and Sudipta Chattopadhyay and Ivan Gotovchits and Tulika Mitra and Abhik Roychoudhury},
journal={IEEE Transactions on Software Engineering},
year={2020},
publisher={IEEE}
}
Note: you must agree to the license agreement (license.pdf) before using the tool.
./check # the lisp files for ddtbd (core engine of oo7)
./ddtbd # the source code for spectre detection
./toy # a toy example from Spectre paper: https://spectreattack.com/spectre.pdf
./tool # a tool to profile the output (incidents) of the detection
./patch # patch code for bab
./testcases # simple test cases
- Kocher_tests/ # the examples from Paul Kocher's post: https://www.paulkocher.com/doc/MicrosoftCompilerSpectreMitigation.html
Please follow the instructions on the following page to install opam and bap:
A. Install opam-1.2.2 or later.
$ sudo add-apt-repository --yes ppa:avsm/ppa
$ sudo apt-get update
$ sudo apt-get --yes install opam
B. Initialize opam and install the OCaml compiler.
$ opam init --comp=4.05.0
$ eval `opam config env`
C. Install bap and its system dependencies
$ opam depext --install bap
*Reference: https://github.com/BinaryAnalysisPlatform/bap/wiki/Build-tips-and-tricks
Clone the bap project and check out the 1.5.0 tag:
$ git clone https://github.com/BinaryAnalysisPlatform/bap
$ cd bap
$ git checkout tags/v1.5.0
Pin the development version of bap in opam:
$ opam pin add bap to/your/bap/project/path
opam will automatically compile the latest bap.
Update your PATH:
$ eval `opam config env`
Make sure bap is version 1.5.0:
$ bap --version
1.5.0-dev
Copy the ddtbd recipe files and the patched posix.h into the bap share directories:
$ cp -r check ~/.opam/4.05.0/share/bap/
$ cp patch/posix.h ~/.opam/4.05.0/share/bap-api/c/
NOTE: This path may differ according to your opam installation and opam switch.
Build:
$ cd ddtbd/
$ bapbuild -clean
$ bapbuild ddtbd.plugin -pkgs bap-taint,bap-primus
Install plugin:
$ bapbundle install ddtbd.plugin
Run the detection on the toy example and profile its incidents:
$ cd toy/
$ bap ./test --recipe=check
$ objdump -S test > test.asm
$ ./tool/incidents_profile.py incidents test.asm
You can find a profile file named "incidents_profile.txt" in your directory.
The content of incidents_profile.txt:
====================================
@branches: 12 # all condition branches
@S1: 1 (8.333%) # tainted branches <CB>
@S2: 1 (8.333%) # tainted branches with IM1 <CB, IM1>
@S2_avg_dis: 10 # average distance between CB and IM1
@S3: 1 (8.333%) # tainted branches with IM1, IM2 <CB, IM1, IM2>
@S3_avg_dis: 7 # average distance between CB and IM2
S1#4005c8 # address of CB
S2#4005c8#4005cf#3 # address of CB and IM1 along with the distance of CB and IM1
S2#4005c8#4005de#7
S3#4005c8#4005cf#4005de#7 # address of CB, IM1, IM2 along with the distance of CB and IM2
taint#400648 # tainted addresses.
taint#4005d9
taint#4005cf
taint#4005bd
taint#400642
taint#4005d6
...
===================================
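To make the profile format above usable from scripts, here is an added example that is not part of oo7's own tool/ code: a small Python parser for incidents_profile.txt that re-derives the header statistics from the S1/S2/S3 records, checks them against the "@" header lines, and groups the full CB, IM1, IM2 chains per tainted branch. The sample text is the README's own output shown above. One assumption is baked in: the average distance is taken as the summed distance divided by the number of distinct tainted branches, which is the only reading that reproduces the sample's figures (10 from the two S2 records with distances 3 and 7 on a single branch).

```python
"""Parse and re-check an oo7 incidents_profile.txt (added example, not oo7's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Sample profile copied from the README's example output (the trailing "..." omitted).
SAMPLE_PROFILE = """\
@branches: 12 # all condition branches
@S1: 1 (8.333%) # tainted branches <CB>
@S2: 1 (8.333%) # tainted branches with IM1 <CB, IM1>
@S2_avg_dis: 10 # average distance between CB and IM1
@S3: 1 (8.333%) # tainted branches with IM1, IM2 <CB, IM1, IM2>
@S3_avg_dis: 7 # average distance between CB and IM2
S1#4005c8
S2#4005c8#4005cf#3
S2#4005c8#4005de#7
S3#4005c8#4005cf#4005de#7
taint#400648
taint#4005d9
taint#4005cf
taint#4005bd
taint#400642
taint#4005d6
"""


@dataclass
class Profile:
    branches: int = 0                                      # @branches
    header: Dict[str, str] = field(default_factory=dict)   # raw "@key: value" pairs
    s1: Set[str] = field(default_factory=set)              # CB addresses
    s2: List[Tuple[str, str, int]] = field(default_factory=list)       # (CB, IM1, dist)
    s3: List[Tuple[str, str, str, int]] = field(default_factory=list)  # (CB, IM1, IM2, dist)
    taint: Set[str] = field(default_factory=set)           # tainted instruction addresses


def parse_profile(text: str) -> Profile:
    """Parse the "@key: value # comment" header and the '#'-separated records."""
    p = Profile()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=") or line == "...":
            continue                                   # separators and truncation marker
        if line.startswith("@"):
            body = line[1:].split(" #", 1)[0]          # drop the trailing comment
            key, _, value = body.partition(":")
            p.header[key.strip()] = value.strip()
            if key.strip() == "branches":
                p.branches = int(value.strip())
            continue
        fields = line.split("#")                       # records use '#' as the separator
        tag, args = fields[0], fields[1:]
        if tag == "S1" and len(args) == 1:
            p.s1.add(args[0])
        elif tag == "S2" and len(args) == 3:
            p.s2.append((args[0], args[1], int(args[2])))
        elif tag == "S3" and len(args) == 4:
            p.s3.append((args[0], args[1], args[2], int(args[3])))
        elif tag == "taint" and len(args) == 1:
            p.taint.add(args[0])
        else:
            raise ValueError(f"unrecognised record: {raw!r}")
    return p


def summarize(p: Profile) -> Dict[str, float]:
    """Recompute the header figures from the records (avg = total distance / distinct CBs)."""
    s2_cbs = {cb for cb, _, _ in p.s2}
    s3_cbs = {cb for cb, _, _, _ in p.s3}

    def pct(n: int) -> float:
        return round(100.0 * n / p.branches, 3) if p.branches else 0.0

    def avg(total: int, n: int) -> float:
        return total / n if n else 0.0

    return {
        "branches": p.branches,
        "S1": len(p.s1), "S1_pct": pct(len(p.s1)),
        "S2": len(s2_cbs), "S2_pct": pct(len(s2_cbs)),
        "S2_avg_dis": avg(sum(d for *_, d in p.s2), len(s2_cbs)),
        "S3": len(s3_cbs), "S3_pct": pct(len(s3_cbs)),
        "S3_avg_dis": avg(sum(d for *_, d in p.s3), len(s3_cbs)),
    }


def check_header(p: Profile) -> List[str]:
    """Return a description of every header figure that disagrees with the records."""
    s = summarize(p)
    problems = []
    for key in ("S1", "S2", "S3", "S2_avg_dis", "S3_avg_dis"):
        if key not in p.header:
            continue
        stated = float(p.header[key].split()[0])       # "1 (8.333%)" -> 1.0, "10" -> 10.0
        if abs(stated - s[key]) > 1e-9:
            problems.append(f"{key}: header says {stated:g}, records give {s[key]:g}")
    return problems


def gadget_chains(p: Profile) -> Dict[str, List[Tuple[str, str, int]]]:
    """Group S3 records by branch: each entry is a complete CB -> IM1 -> IM2 chain."""
    chains: Dict[str, List[Tuple[str, str, int]]] = {}
    for cb, im1, im2, dist in p.s3:
        chains.setdefault(cb, []).append((im1, im2, dist))
    return chains


if __name__ == "__main__":
    prof = parse_profile(SAMPLE_PROFILE)
    print(summarize(prof))
    print("header mismatches:", check_header(prof) or "none")
    for cb, chain in gadget_chains(prof).items():
        print(f"CB {cb}: {chain}")
```

The S3 chains are the records worth looking at first when triaging: they are the branches for which the tool found both a taint-dependent load and a second load whose address depends on it, which is the full pattern oo7 reports. The S1-only branches are the weakest signal.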
Run one of Paul Kocher's test cases the same way (compile it with debug info first):
$ cd Kocher_tests/v01
$ gcc test.c -g -o test
$ bap ./test --recipe=check
$ objdump -S test > test.asm
$ ../../tool/incidents_profile.py incidents test.asm
Use "bap --ddtbd-help" for more options.
Note:
A. Using the '--ddtbd-ignore-program-dependencies' option, or '--ddtbd-ignore-program-dependencies --ddtbd-ignore-control-dependencies' together, will give you fewer detection results, but it may miss some true positives.
B. You can edit "recipe.scm" to enable or disable these options.