scieee Science in your language
[en] (orig)

InSpectre Gadget: Inspecting the residual attack surface of cross-privilege Spectre v2

Author: Sander Wiebing; Alvise de Faveri Tron; Herbert Bos; Cristiano Giuffrida
Publisher: Zenodo
DOI: 10.5281/zenodo.13771606
Source: https://zenodo.org/records/13771606/files/usenixsecurity24-wiebing.pdf
This pape is included in he P oceedings o he
33 d USENIX Secu i y Symposium.
Augus 14–16, 2024 • Philadelphia, PA, USA
978-1-939133-44-1
Open access o he P oceedings o he
33 d USENIX Secu i y Symposium
is sponso ed by USENIX.
InSpec e Gadge : Inspec ing he Residual A ack
Su ace o C oss-p i ilege Spec e 2
Sande Wiebing, Al ise de Fa e i T on, He be Bos,
and C is iano Giu ida, V ije Uni e si ei Ams e dam
h ps://www.usenix.o g/con e ence/usenixsecu i y24/p esen a ion/wiebing
InSpec e Gadge : Inspec ing he Residual A ack Su ace
o C oss-p i ilege Spec e 2
Sande Wiebing∗Al ise de Fa e i T on∗He be Bos C is iano Giu ida
V ije Uni e si ei Ams e dam
∗Equal con ibu ion join i s au ho s
Abs ac
Spec e 2 is one o he mos se e e ansien execu ion ul-
ne abili ies, as i allows an unp i ileged a acke o lu e a
p i ileged (e.g., ke nel) ic im in o specula i ely jumping o
a chosen gadge , which hen leaks da a back o he a acke .
Spec e 2 is ha d o e adica e. E en on las -gene a ion In el
CPUs, secu i y hinges on he una ailabili y o exploi able
gadge s. None heless, wi h (i) deployed mi iga ions—eIBRS,
no-eBPF, (Fine)IBT—all aimed a hinde ing many usable gad-
ge s, (ii) exis ing exploi s elying on now-p i ileged ea u es
(eBPF), and (iii) ecen Linux ke nel gadge analysis s udies
epo ing no exploi able gadge s, he common belie is ha
he e is no esidual a ack su ace o p ac ical conce n.
In his pape , we challenge his belie and unco e a signi -
ican esidual a ack su ace o c oss-p i ilege Spec e- 2 a -
acks. To his end, we p esen InSpec e Gadge , a new gadge
analysis ool o in-dep h inspec ion o Spec e gadge s. Un-
like exis ing ools, ou s pe o ms gene ic cons ain analysis
and models knowledge o ad anced exploi a ion echniques o
accu a ely eason o e gadge exploi abili y in an au oma ed
ashion. We show ha ou ool can no only unco e new (un-
con en ionally) exploi able gadge s in he Linux ke nel, bu
ha hose gadge s a e su icien o bypass all deployed In el
mi iga ions. As a demons a ion, we p esen he i s na i e
Spec e- 2 exploi agains he Linux ke nel on las -gene a ion
In el CPUs, based on he ecen BHI a ian and able o leak
a bi a y ke nel memo y a 3.5 kB/sec. We also p esen a
numbe o gadge s and exploi a ion echniques o bypass he
ecen FineIBT mi iga ion, along wi h a case s udy on a 13 h
Gen In el CPU ha can leak ke nel memo y a 18 by es/sec.
1 In oduc ion
As he communi y slowly comes o g ips wi h a ious o ms
o ansien execu ion a acks [16,32,34,35,38,54], Spec e
2 o B anch Ta ge Injec ion (BTI) [2] emains one o he
mos se e e ones, able o ansien ly di e he con ol low o
a p og am. I a acke s can ind a snippe o code ha encodes
sec e da a in o he mic oa chi ec u al s a e, i.e., a (disclosu e)
gadge , hey can o ce a ic im p og am, e.g., he ke nel, o
ansien ly jump o i . E en in he ace o ha dwa e mi iga-
ions such as eIBRS, esea che s ha e shown ha Spec e
2 can s ill leak sec e da a ac oss p i ilege le els on In el
sys ems h ough wha is known as B anch His o y Injec ion
(BHI) [16].
Howe e , nei he academia [16] no indus y [8] e e ound
an exploi able “na i e” gadge and he only exis ing exploi
elies on a gadge injec ed by he au ho s hemsel es using
eBPF. Since hen, new ad anced mi iga ions such as Indi ec
B anch T acking (IBT) and i s ecen ine-g ained coun e pa
FineIBT, ha e educed he se o usable gadge s e en (much)
u he . As a esul , i is a common belie ha deployed mi i-
ga ions such as eIBRS and p i ileged eBPF (now de aul in
all popula Linux dis ibu ions) a e su icien o elimina e he
c oss-p i ilege Spec e- 2 a ack su ace—and e en mo e so
in combina ion wi h he op -in (Fine)IBT mi iga ions.
To challenge his belie , ou key obse a ion is ha cu en
echniques o iden i y such gadge s ei he o e i “s anda d”
pa e ns—iden i ying only gadge s ha look like a hand ul
o known Spec e examples and igno ing less con en ional
pa e ns—o g ossly o e app oxima e—iden i ying many po-
en ial gadge s o which exploi abili y is highly unce ain.
Examples o he la e a e app oaches ha iden i y gadge s
based on hei high-le el da a low, lea ing exploi abili y o
manual analysis [16,24,31]. Examples o he o me include
all pa e n-based gadge scanne s [40,42,43], bu also all
simpli ying and sel -limi ing gadge de ini ions [8]. O e ly
cons aining he de ini ion o a gadge is dange ous, because
e en snippe s ha do no mee all he p econdi ions o a s an-
da d gadge can s ill leak da a wi h ad anced exploi a ion
echniques [24,31,54]—lea ing a gap be ween wha a ack-
e s need o exploi a ion and wha endo s and de elope s
conside o mi iga ion.
In his pape , we p esen InSpec e Gadge , an in-dep h
Spec e gadge inspec o ha uses symbolic execu ion o ac-
cu a ely eason abou exploi abili y o usable gadge s. To his
end, ou ool explici ly models da a cons ain s and knowl-
USENIX Associa ion 33 d USENIX Secu i y Symposium 577
edge o ad anced exploi a ion echniques. This s a egy e-
laxes he common p econdi ions o s anda d gadge s, while
s ill a oiding he common o e app oxima ions ha would
o he wise epo many unexploi able gadge s. Mo eo e , i
p o ides he analys wi h insigh s in o exploi abili y cha -
ac e is ics, such as he exploi a ion echniques equi ed, he
cons ain s o be me , he alues ha can be leaked, e c.
Scanning he Linux Ke nel, InSpec e Gadge inds 1,565
gadge s leading o sec e ansmission, a signi ican esid-
ual a ack su ace. Fu he mo e, i unco e s hund eds dis-
pa ch gadge s, i.e., gadge s con aining an indi ec b anch o
an a acke -con olled a ge and, as we will show, p o id-
ing he a acke wi h a a ie y o in e es ing capabili ies o
exploi a ion in ace o deployed mi iga ions. Examples in-
clude inc easing con ol o e egis e s, expanding he se o
eachable gadge s, o c a ing disclosu e gadge s by chaining
mul iple loads. To demons a e he p ac icali y o ou ind-
ings, we use he epo ed gadge s o implemen he i s na i e
Spec e- 2 exploi agains he Linux ke nel on las -gene a ion
In el CPUs. Ou exploi is based on he BHI a ian and is
able o leak ke nel memo y a 3.5 kB/sec wi hou eBPF.
Fu he mo e, in con as o p e ious indings, we show he
ecen (Fine)IBT mi iga ions s ill allow ansien execu ion o
be ween 4 and 6 (unchecked) dependen loads. To exploi he
esul ing a ack su ace, we showcase a numbe o gadge s
and exploi a ion echniques, along wi h a case s udy on a 13 h
Gen In el CPU, leaking ke nel memo y a 18 by es/sec.
Con ibu ions. To summa ize ou con ibu ions:
1.
We build InSpec e Gadge , a gadge inspec o ha
e alua es exploi abili y o po en ial gadge s, inco po-
a ing da a cons ain s and knowledge o ad anced ex-
ploi a ion echniques. InSpec e Gadge is a ailable a
h ps://gi hub.com/ usec/inspec e-gadge , along wi h a
da abase o gadge s ound o Linux ke nel 6.6- c4.
2.
We p esen he i s na i e (no-eBPF) BHI exploi on
he la es Linux ke nel and las -gene a ion In el CPUs
(CVE-2024-2201).
3.
We analyze he e ec i eness o bo h he IBT and
FineIBT mi iga ions and demons a e hey a e insu i-
cien o hinde na i e BHI exploi a ion.
4.
We unco e a la ge p esence o dispa ch gadge s in he
ke nel, showing how an a acke can abuse hem o u -
he he a ack su ace and bypass deployed mi iga ions.
2 Backg ound
2.1 T ansien Execu ion A acks
Mode n CPUs ely on a mul i ude o specula ion mechanisms
o achie e be e pe o mance. Fo example, whene e a CPU
encoun e s a con ol low ins uc ion like a condi ional b anch
HA
HV
Specula e
Ke nelUse
3
4
HA
HV
call [ ax]
BTB
Collision
legi
a ge
eBPF
gadge
1 2
call [ ax]
CA
CV
TA
TV
eBPF
ic im
Figu e 1: The BHI a ack. The a acke i s igge s he
b anch
CA
wi h his o y
HA1

, which inse s he a ge
TA
in o
he BTB
2

, hen igge s he ic im b anch
CV
wi h his o y
HV3

. The his o ies a e c a ed so ha
CA
and
CV
sha e he
same BTB en y, so om CV he CPU specula es o TA4
.
o an indi ec b anch, he co ec a ge migh no be known
ye . To a oid s alling, he CPU uses a se o in e nal s uc-
u es, called p edic o s, o de e mine he nex ins uc ion o
e ch, and s a s specula i ely execu ing ins uc ions. I he
specula ion is la e e ealed o be inco ec , he CPU will
undo he e ec s o he ansien execu ion and es a om
he co ec jump a ge . Howe e , aces o he ansien com-
pu a ion can s ill be obse ed in he sha ed mic oa chi ec u al
s a e, e.g. in he cache. An a acke can hen measu e hese
aces wi h echniques such as FLUSH+RELOAD [55] and
PRIME+PROBE [36] and eco e he alues o egis e s and
memo y used du ing he ansien compu a ion.
2.2 Spec e 2
In 2018, he disclosu e o Spec e [32] amously demons a ed
how specula ion can be used o leak da a ac oss secu i y do-
mains. One a ian p esen ed in he pape , o iginally known as
Spec e 2 o B anch Ta ge Injec ion (BTI), shows how spec-
ula ion o indi ec b anches can be used o ansien ly di e
he con ol low o a p og am and edi ec i o an a acke -
chosen loca ion. The a ack wo ks by poisoning one o he
CPU p edic o s, he B anch Ta ge Bu e (BTB), which is
used o decide whe e o jump on indi ec b anch specula-
ion. Ini ially, mi iga ions we e p oposed a he so wa e le el
and, la e , in-silicon mi iga ions such as In el eIBRS [6] an
ARM CSV2 [14] we e added o newe gene a ions o CPUs
o isola e p edic ions ac oss p i ilege le els.
2.3 B anch His o y Injec ion
In 2022, B anch His o y Injec ion (BHI) [16] showed ha ,
despi e mi iga ions, c oss-p i ilege Spec e 2 is s ill possible
on la es In el CPUs by poisoning he B anch His o y Bu e
(BHB). Figu e 1p o ides a high-le el o e iew o he a ack.
578 33 d USENIX Secu i y Symposium USENIX Associa ion
In summa y, by execu ing a sequence o condi ional
b anches (HAand HV) igh be o e pe o ming a sys em call,
an unp i ileged a acke can cause he CPU o ansien ly
jump o a chosen a ge (
TA
) when specula ing o e an indi-
ec call in he ke nel (
CV
). This happens because he CPU
picks he specula i e a ge o
CV
om a sha ed s uc u e, he
BTB, ha is indexed using bo h he add ess o he ins uc ion
and he his o y o p e ious condi ional b anches, which is
s o ed in he B anch His o y Bu e (BHB). Finding he igh
combina ion o his o ies ha will esul in a collision can be
done wi h b u e- o cing.
To ensu e he injec ed a ge ,
TA
, con ains a disclosu e gad-
ge , he o iginal BHI a ack elied on he p esence o he
ex ended Be keley Packe Fil e (eBPF), h ough which an
unp i ileged use can c a code ha li es in he ke nel.
2.4 De enses
As a ecommended mi iga ion o BHI, In el has ad ised o
disable unp i ileged eBPF, which is now disabled by de aul in
he Linux ke nel, and o mi iga e po en ial disclosu e gadge s
by p epending a LFENCE ins uc ion o hem [1].
A ack Su ace Analysis. The o iginal BHI pape p e-
sen ed an ini ial es ima e o he BHI a ack su ace beyond
eBPF using simple da a- low analysis and a loose de ini ion
o disclosu e gadge [16]. The analysis pinpoin ed 1,177 po-
en ial gadge s in he Linux ke nel, bu wi h no insigh s in o
hei exploi abili y. La e , In el esea che s s a ically analyzed
he Linux ke nel [8], adop ing a mo e e ined da a- low-based
app oach and inding an o de o magni ude mo e po en ial
gadge s. Again, wi h he analysis unable o au oma ically ea-
son o e exploi abili y, In el esea che s eso ed o manually
assessing exploi abili y o he 8 simples (linea ) gadge s. No
gadge s we e deemed exploi able (6 due o eachabili y issues,
2 due o leakage cons ain s). Ul ima ely, wi h many po en ial
gadge s unco e ed by bo h scanne s bu no e idence o p ac-
ical exploi abili y, no addi ional mi iga ions we e deployed.
Ha dwa e mi iga ions. On he ha dwa e on , In el has
p oposed a ha dwa e mi iga ion, he
BHI_DIS_S
indi ec p e-
dic o con ol, which p e en s he CPU om selec ing BTB
en ies based on his o y coming om lowe secu i y domains.
As he pe o mance o e head is non i ial, u u e CPUs migh
come wi h an op imized e sion, namely
BHI_NO
. A he ime
o w i ing, while Alde Lake and Rap o Lake In el CPUs
suppo
BHI_DIS_S
a e applying a mic ocode upda e, he
Linux Ke nel does no ha e suppo o enable his ea u e.
Ad anced so wa e mi iga ions. Addi ional so wa e mi -
iga ions, like Re poline [10] o a so wa e BHB-clea ing se-
quence [1], ha e been p oposed as spo ixes. Howe e , hey
come wi h a p ohibi i e pe o mance cos , discou aging p ac-
ical deploymen . Fo Linux, in pa icula , he so wa e BHB-
clea ing sequence ecommended by In el has no been imple-
men ed a all, as de elope s ely on unp i ileged eBPF being
“ he only known eal-wo ld BHB a ack ec o ” [11].
IBT. Indi ec B anch T acking (IBT) [48] is a de ense o
code- euse a acks, such as e u n-o ien ed p og amming [46]
and jump-o ien ed p og amming [19], which ensu es ha
indi ec b anches always jump o an in ended a ge . In el
CPUs implemen a coa se-g ained e sion o IBT in ha d-
wa e, which ensu es ha e e y indi ec b anch lands on a
special ins uc ion (
endb 32
o
endb 64
), which has o be
inse ed by he compile . While IBT was o iginally designed
o add ess a chi ec u al con ol- low hijacking, i is also pa
o In el’s mi iga ion guidance o BHI [1]. This is o p o ide
de ense-in-dep h agains specula i e con ol- low hijacking,
limi ing—somewha simila ly o he exis ing eIBRS— he pos-
sible Spec e- 2 disclosu e gadge loca ions o he beginning
o any indi ec b anch a ge in he ke nel. Suppo o IBT
was added o In el p ocesso s wi h he Tige Lake se ies [7]
and is enabled by de aul om Linux ke nel 6.2 [4].
FineIBT. Resea che s ha e ecen ly p oposed a ine -
g ained IBT a ian in so wa e, called FineIBT [23]. The
idea is o ins umen he calle o each IBT-gua ded indi ec
call o load a unique alue in o a egis e as well as he callee
o check said alue. I he alue is di e en om he expec ed
one, he execu ion pa h is di ec ed o an illegal ins uc ion o
abo execu ion.
This u he es ic s indi ec calls o (a chi ec u ally o
specula i ely) a ge only complian callees. Suppo o
FineIBT was ecen ly in oduced in Linux ke nel 6.2 [5].
Since FineIBT elies on Clang-ins umen ed ke nels [23], o
ou knowledge, i is no ye enabled by de aul in any Linux
dis ibu ion (unlike i s IBT building block).
3 Th ea Model
We conside a adi ional c oss-p i ilege Spec e- 2 h ea
model, wi h a local unp i ileged a acke seeking o disclose
in o ma ion om a p i ileged ic im, such as he ope a ing
sys em ke nel o he hype iso . We speci ically ocus on
a ic im Linux ke nel, unning wi h all de aul Spec e- 2
mi iga ions on las -gene a ion In el CPUs such as eIBRS [6]
and p i ileged eBPF. Finally, we assume o he classes o
ulne abili ies (e.g., memo y e o s) a e subjec o o hogonal
mi iga ions and no pa o he a ack su ace unde s udy.
4 O e iew
To pe o m a Spec e- 2 a ack agains he ke nel on las -
gene a ion In el sys ems, one mus a ge an indi ec b anch
in he ke nel ha jumps o a disclosu e gadge . Using BHI,
one can hen specula i ely hijack a ic im b anch o he cho-
sen gadge . InSpec e Gadge aids he analys in choosing a
sui able gadge , ollowing he wo k low depic ed in Figu e 2.
As shown in he igu e, he analys p o ides InSpec e Gad-
ge wi h a ke nel image and a lis o candida e gadge s in
inpu . Ou ool inspec s each candida e o a ixed numbe
USENIX Associa ion 33 d USENIX Secu i y Symposium 579
Exploi able
Gadge s
Fil e ed
Gadge s
1
2
3
Con ol
De enses

C a
Exploi
call [ ax]
call [ ax]
InSpec e
Gadge
Chosen
gadge
+
Ke nel Ta ge s
Figu e 2: InSpec e gadge wo k low. The analys p o ides
a ke nel image and a lis o a ge add esses o InSpec e
Gadge
1

, which pe o ms in-dep h inspec ion o ind gadge s
ha can leak sec e s and ou pu hei cha ac e is ics. The
gadge s can be il e ed
2

based on he a ailable a acke -
con olled egis e s and he mi iga ions enabled, and used o
c a Spec e- 2 exploi s agains he ke nel 3
.
o basic blocks wi h symbolic execu ion and e u ns a lis
o gadge s ha lead o he ansmission o a sec e . Along
wi h he gadge s, ou ool ou pu s a numbe o gadge cha -
ac e is ics: he ad anced exploi a ion echniques equi ed (i
any), he cons ain s ha ha e o be me , he egis e s ha
ha e o be con olled, and he alues ha can be leaked. Such
cha ac e is ics a e s o ed in o a da abase, which he analys
can la e il e acco ding o wha a ge s a e eachable, wha
egis e s a e con olled when he specula i e hijack happens,
and wha mi iga ions a e enabled o a gi en a ge . Addi ion-
ally, an anno a ed assembly ile is gene a ed o each gadge
o gi e he analys a quick o e iew o he gadge , as shown
in Appendix C. The esul ing gadge s can hen be exploi ed
o moun end- o-end Spec e- 2 ke nel a acks.
In he nex sec ions, we i s elabo a e on how InSpec e
Gadge models gadge s (cons ain s, exploi abili y, e c.) and
how i hen pe o ms exploi a ion-awa e gadge inspec ion.
Nex , we demons a e how an a acke can use i s ou pu o
moun an end- o-end BHI a ack agains he Linux ke nel.
5 InSpec e Gadge
A ecu ing p oblem in ansien execu ion a acks is e al-
ua ing i a gi en ins uc ion sequence can leak a sec e ia
a— ypically cache [27,33,36,41,47,55]—co e channel. To
leak a sec e h ough he cache, an a acke needs o open a
specula ion window and accommoda e a disclosu e gadge .
In his sec ion, we explain ha p ac ical disclosu e gadge s
ex end well beyond hose ha i exis ing na ow de ini ions.
Nex ,we show how InSpec e Gadge uses symbolic execu ion
o analyze he candida e gadge s o Spec e- 2 exploi abili y.
Lis ing 1: S anda d Spec e disclosu e gadge .
1// Load om a acke -con olled add ess
2uin 64_ sec e = *a acke ;
3// Mask he loaded alue
4uin 8_ sec e By e =(sec e & 0xFF);
5// Shi he esul
6uin 32_ sec e =sec e By e << 9;
7// Use ansmission sec e as index.
8uin 64_ ansmission = *( base + sec e );
5.1 S anda d Gadge s
Today’s ools ypically concen a e on inding specula ion
windows and o e app oxima ing exploi abili y—lea ing he
analysis o disclosu e gadge s o he human analys . Un o u-
na ely, he complexi y o such exploi abili y analysis is daun -
ing and, unsu p isingly, analys s gene ally look o s anda d
Spec e disclosu e gadge s, such as he one in Lis ing 1.
In a s anda d (o “pe ec ”) gadge , he CPU loads a sec e
om an a acke -con olled add ess. The loaded sec e mus
be su icien ly small, ei he by na u e, o as he esul o a
bi mask (Line 4), o se e as an index in o a second bu e —
ideally sha ed wi h he a acke . This second bu e is known
as he eload bu e . Mo eo e , o ensu e ha each alue o
he sec e co esponds o a di e en cache line, he gadge
should shi he alue le by some s ide (Line 6). The esul is
known as he ansmi ed sec e . As he gadge subsequen ly
adds i o a second a acke -con olled alue which we e e o
as he ansmission base and de e e ences he esul ing alue,
i inad e en ly es ablishes a ansmission h ough a cache
co e channel. Speci ically, by i e a ing o e he eload bu e
wi h he same s ide while iming he accesses, a acke s can
in e ha he sec e alue is he index o he bu e elemen
o which he access is as (because i is in he cache).
5.2 Exploi a ion-Awa e Gadge Analysis
S anda d gadge s a e he mos in ui i e o unde s and and he
mos s aigh o wa d o exploi , bu hey a e by no means
he only exploi able ones. While limi ing he analysis o
s anda d gadge s educes he complexi y, a acke s a e unde
no obliga ion o espec such es ic ions. BLINDSIDE [24],
KASPER [31], PACMAN [44], and RETBLEED [54], o ex-
ample, all exploi gadge s ha de ia e om such na ow de i-
ni ions. Mo eo e , besides leaking in o ma ion h ough he
cache, a acke s may a ail hemsel es o a my iad o o he
co e channels [18,22,25,45,52]. In his sec ion, we elax
he assump ions o s anda d gadge s, desc ibe he addi ional
challenge posed by each elaxa ion, and whe e app op ia e,
explain how we can mee he challenge and s ill leak sec e s.
C1. Base no con olled. To pe o m FLUSH+RELOAD an
a acke needs o be in con ol no only o he sec e add ess,
bu also o he ansmission base, so ha he ansmission load
alls inside o he eload bu e . Howe e , i he base is no
580 33 d USENIX Secu i y Symposium USENIX Associa ion

bu - 0xdeadbe00 + 0xdeadbee
T ansmission
Base Known P e ix
00 00 00 00 de ?
00 00 00 00 de ad be ?
00 00 00 00 ?
1
2
3
Sec e
Figu e 3: Known-p e ix echnique. The a acke i s poin s
he sec e add ess o some known da a
1

. Then, by shi ing
he add ess
2

, small po ions o he sec e a e e ealed. Wi h
ha , one can adjus he base o subsequen ansmissions
3

.
con olled, a acke s can s ill pe o m PRIME+PROBE [36].
C2. Sec e en opy oo big. I he code does no mask
he sec e p io o i s ansmission, he en opy impedes i s
eco e y by he a acke who would ha e o p obe oo many
memo y loca ions. Howe e , i he a acke s con ol he ans-
mission base, hey can s ill exploi such gadge s by epu -
posing a echnique pionee ed in ea lie a acks [24,52,54],
which we call he known-p e ix echnique. Fi s , he a acke
chooses a loca ion in memo y nea he sec e ha con ains a
small known alue, and uses ha as he sec e add ess. Then,
by inc easingly shi ing he add ess, he a acke makes su e
ha only a ew by es o he sec e a e unknown a any gi en
ansmission, and adjus s he ansmission base acco ding o
he by es ha a e al eady known (see Figu e 3).
C3. Max sec e oo high. Ano he p oblem ha may oc-
cu when leaking a la ge sec e alue is ha he ansmission
add ess migh end up ou side he alid add ess space. How-
e e , i enough bi s o he ansmission base a e unde a acke
con ol, one can adjus he base o o e low he sec e alue,
ensu ing ha he ansmission always occu s in he alid ad-
d ess space. We call his echnique base adjus ing and i is
o en used in conjunc ion wi h he known-p e ix echnique.
C4. Sec e oo small. I he gadge does no shi he sec e
alue p io o ansmission, he lowe bi s canno be eco e ed
h ough cache co e channels, since nea by add esses belong
o he same cache line. Howe e , i a leas one by e o he
sec e is abo e cache-line g anula i y, we can use he known-
p e ix echnique o leak he uppe mos by e in each i e a ion.
O he wise, an a acke may use he sliding echnique o RET-
BLEED [54], which exploi s he ac ha p e e che s gene ally
do no p e e ch cache lines ac oss pages [49]. An a acke
may now adjus he base add ess o be nea a page bounda y,
so ha e en a one-bi di e ence in he sec e alue will e-
sul in he ansmission being obse ed on ano he memo y
page. Doing so elimina es any cache and p e e che noise ha
would o he wise make wo di e en alues indis inguishable.
C5. Base aliasing. In some cases, e en i he ansmission
base is a acke -con olled, he base canno be chosen wi hou
in luencing he sec e add ess—a phenomenon we e e o
as aliasing. This may occu , o ins ance, i he base is com-
pu ed om a alue ha is also used o compu e he sec e
add ess. In his case, an a acke can s ill leak alues using
PRIME+PROBE. Howe e , no all sec e add esses may be a -
ge ed as he p obe egion mus eside wi hin mapped memo y.
Speci ically, since he p obe egion ypically ollows he se-
c e add ess, he inal sec e add esses esul in a non-mapped
p obe egion. O he , mo e complex dependencies be ween he
base and he sec e add ess ou o scope. InSpec e Gadge
ma ks hese cases as no (easily) exploi able.
C6. Non-linea gadge s. An implici assump ion o mos
s a ic analysis echniques o gadge scanning is ha all he
ins uc ions ha e o be in he same basic block. Since mode n
CPUs all suppo nes ed specula ion, his is no a limi a ion
in p ac ice. The a acke can ei he ain b anches o simply
use s a ic p edic ion o ensu e ha he ansmission gadge is
eached du ing specula i e execu ion. An a acke can also
use SMT con en ion, as demons a ed by p io wo k [39], o
delay b anch esolu ion and c ea e la ge specula ion windows
ha can accommoda e mul iple basic blocks.
C7. O he ansmi e s. Finally, a ple ho a o co e
channels exis in mode n CPUs ou side o caches (e.g., he
TLB [37]) and one should lexibly suppo di e en ans-
mi e s. Fo b e i y, we ocus ou main analysis on classic
sec e -dependen da a load/s o e ansmi e s and la e show
ou ool can be easily ex ended o suppo o he ec o s such
as he ecen SLAM co e channel [29].
5.3 Design
While ad anced exploi a ion echniques elax he assump-
ions o s anda d gadge s, each has i s own equi emen s and
cons ain s o applicabili y. To eason o e he cons ain s
and o assess i he code sa is ies hem, InSpec e Gadge em-
ploys symbolic execu ion—exp essing a iables as symbols,
and explo ing all he possible di ec ions o a p og am’s con-
ol low a he same ime, while eco ding he co esponding
symbolic cons ain s. To his end, we build ou ool on op o
ANGR [50], a symbolic execu ion engine widely used in he
ield o so wa e secu i y and e e se enginee ing.
Al hough symbolic execu ion quickly leads o s a e explo-
sion in he gene al case, InSpec e Gadge explo es only a
small ac ion o he p og am’s con ol low. In pa icula ,
since he numbe o ins uc ions execu ed du ing a specula-
ion window is limi ed, symbolic execu ion can easily explo e
mul iple pa hs, while keeping he numbe o explo ed s a es
small. All he s eps desc ibed below a e pe o med au oma i-
cally by InSpec e Gadge .
T acking a acke con ol. We s a ou analysis by subs i-
u ing all he alues s o ed in egis e s and on he s ack wi h
USENIX Associa ion 33 d USENIX Secu i y Symposium 581
T ansmission
Base
Sec e
T ansmi ed Sec e
LOAD[ LOAD[ ax] + (( LOAD[ bx] & 0x ) * 8) ]
Figu e 4: Ana omy o a ansmission. Once a po en ial ans-
mission is iden i ied h ough symbolic execu ion, InSpec e
Gadge dissec s i s symbolic exp ession in o componen s,
which a e hen analyzed o eason abou exploi abili y.
symbolic a iables, which o now we assume a e a acke -
con olled, and ma ked as such. Nex , we symbolically exe-
cu e code s a ing om a gi en loca ion. On each load, we
p oduce a new symbolic alue wi h a label a ached o i . I he
load comes om an a acke -con olled symbol, i is ma ked
as a po en ial sec e . I he add ess comes om a po en ial
sec e , i is ma ked as a po en ial ansmission. No e ha po-
en ial sec e implies a acke -con olled, since i is any alue
loaded om an a acke -chosen loca ion. Simila ly, po en ial
ansmission implies po en ial sec e . This s a egy allows us
o ack o a acke con ol h ough complex chains o loads.
S o e- o-Load Fo wa ding (STL). We model S o e-To-
Load Fo wa ding by keeping a lis o all he symbolic s o es,
and checking his lis o each o he loads encoun e ed by he
symbolic execu ion engine. I he symbolic exp ession o he
load add ess aliases wi h ha o a p e ious s o e, we o wa d
he s o ed alue o he load. S o e- o-Load o wa ding can be
enabled o disabled wi h a un ime lag.
Po en ial ansmissions. We le he symbolic execu ion en-
gine un o a con igu able numbe o basic blocks, eco ding
all he cons ain s ha migh be added, o ins ance by
cmo e
o b anch ins uc ions. We also eco d he symbolic exp es-
sion o each load. Finally, a e he scanning phase is inished,
he scanne epo s a lis o po en ial ansmissions, i.e., loads
whose symbolic add ess has been ma ked as a po en ial sec e .
In a second phase, we inspec he AST o he symbolic ex-
p ession o each po en ial ansmission, iden i ying he ans-
mission base, ansmi ed sec e , and sec e add ess. A high-
le el example is shown in Figu e 4. Finally, we check i he
base depends on any alue used o cons uc he sec e add ess,
pe o m a ange analysis o in e he minimum, maximum
and s ide o all he ansmission componen s, and pe o m an
in e able-bi s analysis o in e which bi s o he sec e end up
in he ansmission and a which posi ion. This comp ehen-
si e analysis is c ucial o accu a e exploi abili y easoning.
Fo ins ance, da a- low in o ma ion alone is insu icien o
de e mine he con ollabili y equi emen s o be me .
Gadge easoning. Wi h his in o ma ion, we can inally
eason abou each gadge . All he p ope ies ound du ing he
analysis, along wi h a lis o egis e s ha he a acke needs
o con ol o each gadge , a e sa ed in a da abase. We now
use a easone o model exploi a ion echniques wi h da abase
que ies. The easone inse s columns indica ing which gad-
ge s can leak a sec e , and, i needed, which echniques a e
equi ed. Fo ins ance, i a gadge has a high sec e en opy
(i.e., numbe o ansmi ed bi s > 16), he easone checks
i we can pe o m he known-p e ix echnique (i.e., sec e
add ess is a acke -con olled wi h g anula i y <= 16 bi s).
5.4 E alua ion
To e alua e he abili y o InSpec e Gadge o unco e a new
a ack su ace, we analyzed he Linux ke nel e sion 6.6- c4
(la es a ime o w i ing) wi h he de aul con igu a ion. By
lis ing all he code loca ions ha con ain an
endb
ins uc ion
and looking a he symbol able, we ound a o al o 35,212
indi ec call a ge s (ha e a symbol), and 7,562 indi ec jump
a ge s (ha e no associa ed symbol). InSpec e Gadge ook
app oxima ely 14 hou s o analyze all indi ec b anch a ge s,
unning on he i9-13900K In el CPU wi h 20 co es. We coun
each unique ansmission add ess as a gadge , so mul iple
pa hs leading o he same ansmission coun as 1 gadge .
Addi ionally, while InSpec e Gadge does no di ec ly ou -
pu in o ma ion abou eachable gadge s (i.e., hose ha can
be use - igge ed h ough a syscall), we es ima e eachabil-
i y o call a ge s by c oss- e e encing he labels wi h he
co e age epo gene a ed by Syzkalle [13], a s a e-o - he-
a ke nel uzze . We use he openly-a ailable esul s om
he Syzbo p ojec [12], which uns Syzkalle o 24 hou s,
inding a o al o 14,391 eachable a ge s. This app oach
unde app oxima es he numbe o eachable gadge s, as he
comple eness is subjec o uzzing co e age, bu i is use ul
o p o ide an es ima e.
Table 1summa izes he gadge s we unco e ed. We ound
a o al o 955 and 610 gadge s in ke nel indi ec call and
jump a ge s ( espec i ely). We manually analyzed 40 an-
domly sampled gadge s om he lis by manually inspec ing
he assembly code (in app oxima ely 3 hou s). A e manual
analysis, we conside ed 35 o be exploi able. This shows In-
Spec e Gadge p o ides good accu acy, wi h he ew misses
caused by imp ecise con ollabili y modeling o ou cu en
p o o ype (Sec ion 5.5).
Figu e 5shows s a is ics ha we can use o es ima e he
size o he equi ed specula ion window, e.g., he numbe o
ins uc ions and b anches p esen in he gadge , o how many
dependen loads ha e o i in he window o leak a sec e .
Finally, Table 2p esen s he numbe o po en ial gadge s
ha we e no deemed exploi able by ou ool. Gadge s wi h
an in alid base a e gadge s whe e he a acke does no com-
ple ely con ol he ansmission base, and in pa icula , o
some alues o he sec e , he ansmission add ess would
be in alid, wi hou he a acke being able o compensa e by
adjus ing he ansmission base. Gadge s classi ied as ha ing
an in alid sec e add ess do no allow he a acke o choose
an a bi a y memo y loca ion o leak, and gadge s whe e no
582 33 d USENIX Secu i y Symposium USENIX Associa ion
Table 1: The numbe o exploi able gadge s ound by InSpec-
e Gadge in indi ec call a ge s and indi ec jump a ge s o
he ke nel, g ouped by echnique needed o exploi a ion.
Technique Call Ta ge s Reachable Jump Ta ge s
Load S o e Load S o e Load S o e
None 14 2 1 1 0 0
P ime+P obe 199 126 64 51 126 17
Sliding 69 30 34 7 208 50
Known P e ix 399 121 107 19 135 110
Base Adjus 7 1 4 1 0 0
(Base Adjus +
Known P e ix)
(79) (30) (28) (9) (88) (43)
T ain In-Place 467 210 174 68 153 52
T ain OOP 53 10 25 2 130 77
To al 738 288 230 78 471 179
bi s o he sec e su i e be o e being ansmi ed, e.g., i he
sec e is XOR-ed wi h i sel , a e classi ied as No In e able.
Finally, he labels Sec e Too Big,Sec e Too Small and Base
Alias e e o he p oblems men ioned in Sec ion 5.2.
As men ioned ea lie , InSpec e Gadge can be easily ex-
ended o suppo new co e channels. As a demons a ion,
we added suppo o bo h he ecen SLAM co e chan-
nel [29] and he code-load (i.e., sec e -dependen unc ion
poin e de e e ence) co e channel [45]. Wi h ou ool, we
ound ~4x mo e exploi able gadge s han SLAM’s simple
scanne , p ima ily due o ou abili y o eason abou he ex-
ploi abili y o complex gadge s. The code-load co e channel
u he e ealed o e 2,000 SLAM gadge s, al hough no new
adi ional gadge s we e ound. Fo a mo e de ailed analysis,
we e e he eade o Appendix A.
5.5 Limi a ions
As opposed o ools like KASPER [31], InSpec e Gadge is
designed o analyze only he con en o specula ion windows
(e.g., call and jump a ge s o Spec e- 2), whose en y poin s
ha e o be p o ided by he analys . O he aspec s needed o
end- o-end exploi a ion, such as he eachabili y o he a ge
and he p esence o a sui able ic im b anch, a e no pa
o he ool’s ou pu . None heless, in Sec ion 6.1, we show
how o cons uc an end- o-end a ack based on he esul s o
ou analysis. Mo eo e , InSpec e Gadge canno comple ely
p o e he absence o gadge s in a gi en snippe o code.
Rega ding exploi abili y esul s, ou cu en p o o ype has
a numbe o limi a ions po en ially impac ing accu acy. Fi s ,
ou ool is based on ANGR and elies on bo h i s disassemble
(CAPSTONE) and cons ain sol e (Z3). Whene e an e o
occu s in one o hese componen s, e.g., on unsuppo ed in-
s uc ions, we ha e o bail ou om he analysis, lea ing some
symbolic s a es unexplo ed. Second, ansmissions ha con-
Table 2: The numbe o po en ial gadge s ma ked as “no
exploi able” by InSpec e Gadge , b oken down by he eason
o which hey we e deemed unexploi able.
P oblem # o Gadge s # Reachable
Load S o e Load S o e
Base Alias 1322 730 502 151
In alid Base 32651 5619 9270 1391
In alid Sec e Add ess 412 78 104 11
CMOVE Alias 773 171 246 50
Sec e No In e able 114 5 59 1
In alid T ansmission 268 56 51 9
Sec e Too Big 2045 439 282 159
Sec e Too Small 561 67 198 28
To al 34825 6035 9609 1530
ain a complex symbolic exp ession, e.g., wo independen ly-
con olled loads used in a XOR ope a ion, canno be easily
unpacked in o a base and a ansmi ed sec e , bu migh s ill
leak a alue. We ma k hese cases as complex and app oxi-
ma e hei anges by que ying he SAT sol e o he minimum
and maximum alues o he whole exp ession and o each
sub-exp ession. We also use his app oach when pe o ming
ange analysis on exp essions wi h complex (symbolic) con-
s ain s, whose alues canno be easily educed o an in e al
o a small se . Fo hese cases, besides epo ing he minimum
and he maximum alues, we also check i ce ain bi s a e
always 0 o 1 o app oxima e he s ide.
Finally, a he momen ou ool models he a acke ’s con-
ol o e complex chains o loads as a bina y condi ion (con-
olled o no con olled), as opposed o epo ing he deg ee
o con ol as done o ansmission componen s. Fo complex
aliasing cases, his can in oduce imp ecision (e.g., inaccu a e
classi ica ion o he equi ed exploi a ion echniques).
6 Na i e BHI
In he p e ious sec ion, we saw ha InSpec e Gadge was
able o unco e in he Linux ke nel many gadge s ha can lead
o he ansmission o a sec e . In his sec ion, we demons a e
how an a acke can use such gadge s o moun an end- o-end
Spec e- 2 exploi agains he ke nel, by p esen ing he i s
na i e BHI a ack (wi hou he need o unp i ileged eBPF).
6.1 P elimina ies
To pe o m na i e BHI, an a acke mus i s igge he gad-
ge ia a syscall o inse i s en y in he BTB. As discussed in
Sec ion 5.4, we use he epo s om Syzkalle o de e mine
which a ge can be igge ed, and how. No e ha , since we use
alid indi ec call a ge s, he a ack is comple ely una ec ed
by he eIBRS and IBT mi iga ions.
USENIX Associa ion 33 d USENIX Secu i y Symposium 583
0 20 40 60
Numbe o Ins uc ions
0
200
400
600
800
Cumula i e # o Gadge s
Call
Jump
Reachable
0123456
Numbe o B anches
0
200
400
600
800
Cumula i e # o Gagde s
Call
Jump
Reachable
012345
Numbe o Loads
0
200
400
600
800
Cumula i e # o Gadge s
Call
Jump
Reachable
Figu e 5: Cumula i e dis ibu ions o he numbe o ins uc ions, b anches and dependen loads ound in disclosu e gadge s.
In addi ion, we mus choose a ic im indi ec b anch. A -
acke s need o ensu e hey con ol he egis e s and memo y
equi ed by he gadge , when he ic im call is igge ed. To
ind po en ial ic ims, we use ANGR o sea ch o indi ec
b anches om he syscall en y poin . Upon de ec ing an indi-
ec b anch, we pe o m ange analysis on a acke -con olled
egis e s. To ind a acke -con olled alues ha equi e an
ex a de e e ence wi h a small o se , we i s que y he sol e
o de e mine i he exp ession s o ed in a egis e has a single
solu ion. I so, we examine he memo y a his add ess and he
adjacen 256 by es o a acke -con olled alues and pe o m
ange analysis on hem i ound.
We iden i ied 21 indi ec b anches ac oss 11 syscalls, each
wi h a leas one egis e unde su icien a acke con ol o
pass a ke nel poin e .
6.2 End-To-End Exploi
In his sec ion, we show how we c a an end- o-end exploi
agains he Linux ke nel o leak he con en o
/e c/shadow
on he la es In el CPUs in unde wo minu es. Figu e 6shows
a gene al o e iew o he a ack.
Disclosu e gadge and ic im b anch. As a i s s ep, we
sea ch o a FLUSH+RELOAD gadge o p o ide an e icien
co e channel, by il e ing he da abase gene a ed by InSpec-
e Gadge . In pa icula , we selec
cg oup_seq ile_show
,
shown in Lis ing 2, as ou gadge . The co esponding an-
no a ed assembly ile, gene a ed by InSpec e Gadge , is in-
cluded in Appendix C.
As ou ic im b anch, we choose he ke nel syscall handle .
When execu ing his b anch, all o he (a acke -con olled)
syscall a gumen s ha e al eady been pushed on he s ack,
while
di
poin s o he loca ion o hese a gumen s. Since
cg oup_seq ile_show
loads a alue om
di + 0x70
and uses i o compu e all o he alues, a acke s need o
con ol jus he i s syscall a gumen when he misp edic ion
occu s.
Inse ing he BTB en y. To ensu e ha he CPU misp e-
dic s o ou gadge , i s add ess mus be injec ed in o he BTB
be o e calling he ic im. To his end, we igge he gadge
om use space exac ly once. Manual analysis shows ha we
call [ ax]
call [ ax]
Collision
legi
a ge
Specula e
Leak
Ke nelUse
12
34
<cg oup_seq ile_show>
ax = load[ di+0x70]
ax = load[ ax]

ansmi [ di+ ax*8]
[ di+0x70]
con olled
ead ile
syscall
Figu e 6: Wo k low o he na i e BHI exploi . The a acke
i s igge s an indi ec call in ke nel
1

, which jumps o
cg oup_seq ile_show 2

. Then, a colliding his o y is exe-
cu ed, and he syscall dispa che is in oked
3

, which expec s
he use -p o ided syscall a gumen a add ess
di+0x70
.
Be o e execu ing he in ended a ge , he CPU ansien ly
jumps o
cg oup_seq ile_show 4

, which de e e ences
di+0x70 and uses i s alue o cons uc a ansmission.
can igge
cg oup_seq ile_show
by eading a ile in he
cg oup di ec o y (/sys/ s/cg oup) om use space.
Inc easing he ansien window size. The induced an-
sien window mus be su icien ly la ge o i ou ansmission.
The e a e a ious ways o achie e his. In ou case, we op ed
o e ic ing om he cache he syscall able en y ha con-
ains he legi ima e a ge o ou ic im, making he ic im
call slow. Ou expe imen s show ha e ic ing he en y om
he L2 da a cache p o ides a window ha is la ge enough.
Finding he eload bu e . To use FLUSH+RELOAD, he e
needs o be a sha ed bu e be ween he a acke and he ic im.
We can ob ain such a eload bu e by alloca ing a use page
and iden i ying i s co esponding add ess in he ke nel’s di ec
map o physical memo y. Howe e , he map add ess is no
known in ad ance, and mus be leaked.
In p inciple, an a acke can b u e- o ce his add ess by
exploi ing BHI o ansien ly jump o an a acke -con olled
load, and check i he load b ough he use page in o he
cache. Howe e , wo signi ican sou ces o en opy s and in
584 33 d USENIX Secu i y Symposium USENIX Associa ion
Re e ences
[1]
BHI and in a-mode BTI. h ps://www.in el.com/
con en /www/us/en/de elope /a icles/ echnical/
so wa e-secu i y-guidance/ echnical-documen a ion/
b anch-his o y-injec ion.h ml.
[2]
B anch a ge injec ion. h ps://www.in el.com/con en /
www/us/en/de elope /a icles/ echnical/so wa e-
secu i y-guidance/ad iso y-guidance/b anch- a ge -
injec ion.h ml.
[3]
Don’ o ce use o indi ec calls o sys-
em calls. h ps://gi .ke nel.o g/pub/scm/
linux/ke nel/gi / o alds/linux.gi /commi /?id=
1e3ad78334a69b36e107232e337 9d693dcc9d 2.
[4]
Enable ke nel IBT by de aul . h ps://lo e.ke nel.o g/
lkml/166764458451.4906.10224019690835731804.
ip-bo 2@ ip-bo 2/T/.
[5]
Implemen FineIBT. h ps://gi .ke nel.o g/pub/
scm/linux/ke nel/gi / o alds/linux.gi /commi /?id=
931ab63664 0.
[6]
Indi ec b anch es ic ed specula ion. h ps://www.in el.
com/con en /www/us/en/de elope /a icles/ echnical/
so wa e-secu i y-guidance/ echnical-documen a ion/
indi ec -b anch- es ic ed-specula ion.h ml.
[7]
Indi ec b anch acking o In el CPUs. h ps://lwn.ne /
A icles/889475.
[8]
In el esea ch on disclosu e gadge s a indi ec b anch
a ge s in he Linux ke nel. h ps://www.in el.com/
con en /www/us/en/de elope /a icles/news/upda e- o-
esea ch-on-disclosu e-gadge s-in-linux.h ml.
[9]
Me ge ag ’na i ebhi’. h ps://gi .ke nel.o g/pub/
scm/linux/ke nel/gi / o alds/linux.gi /commi /?id=
2bb69 5 c72183e1c62547d900 560d0e9334925.
[10]
Re poline: A b anch a ge injec ion mi iga ion.
h ps://www.in el.com/con en /www/us/en/de elope /
a icles/ echnical/so wa e-secu i y-guidance/
echnical-documen a ion/ e poline-b anch- a ge -
injec ion-mi iga ion.h ml.
[11]
Spec e side channels. h ps://docs.ke nel.o g/admin-
guide/hw- uln/spec e.h ml#spec e- a ian -2-b anch-
a ge -injec ion.
[12] Syzbo . h ps://syzkalle .appspo .com/.
[13] Syzkalle . h ps://gi hub.com/google/syzkalle .
[14]
Vulne abili y o specula i e p ocesso s. h ps:
//de elope .a m.com/suppo /a m-secu i y-upda es/
specula i e-p ocesso - ulne abili y.
[15]
Nada Ami , F ed Jacobs, and Michael Wei. Jump-
Swi ches: Res o ing he pe o mance o indi ec
b anches in he e a o Spec e. In USENIX ATC, 2019.
[16]
En ico Ba be is, Pie o F igo, Ma ius Muench, He be
Bos, and C is iano Giu ida. B anch his o y injec ion:
On he e ec i eness o ha dwa e mi iga ions agains
C oss-P i ilege Spec e- 2 a acks. In USENIX Secu i y,
2022.
[17]
A i Bha acha yya, And és Sánchez, Esmaeil M Ko-
uyeh, Nael Abu-Ghazaleh, Chengyu Song, and Ma h-
ias Paye . SpecROP: Specula i e exploi a ion o ROP
chains. In RAID, 2020.
[18]
A i Bha acha yya, Alexand a Sandulescu, Ma hias
Neugschwand ne , Alessand o So nio i, Babak Falsa i,
Ma hias Paye , and Anil Ku mus. SMoThe Spec e: Ex-
ploi ing specula i e execu ion h ough po con en ion.
In CCS, 2019.
[19]
Tyle Ble sch, Xuxian Jiang, Vince W. F eeh, and
Zhenkai Liang. Jump-o ien ed p og amming: A new
class o code- euse a ack. In ASIACCS, 2011.
[20]
Sunjay Cauligi, C aig Disselkoen, Klaus Gleissen hall,
Dean Tullsen, Deian S e an, Tama a Rezk, and Gilles
Ba he. Cons an - ime ounda ions o he new Spec e
e a. In PLDI, 2020.
[21]
Lesly-Ann Daniel, Sébas ien Ba din, and Tama a Rezk.
Hun ing he haun e -e icien ela ional symbolic execu-
ion o Spec e wi h haun ed else. In NDSS, 2021.
[22]
Dmi y E yushkin, Ryan Riley, Nael CSE Abu-
Ghazaleh, ECE, and Dmi y Ponoma e . B anchScope:
A new side-channel a ack on di ec ional b anch p edic-
o . In ASPLOS, 2018.
[23]
Alexande J Gaidis, Joao Mo ei a, Ke Sun, Alyssa
Milbu n, Vaggelis A lidakis, and Vasileios P Keme lis.
FineIBT: Fine-g ain con ol- low en o cemen wi h in-
di ec b anch acking. ACM 2023, 2023.
[24]
Enes Gök as, Ka eh Raza i, Geo gios Po okalidis, He -
be Bos, and C is iano Giu ida. Specula i e p obing:
Hacking blind in he Spec e e a. In CCS, 2020.
[25]
Ben G as, Ka eh Raza i, He be Bos, C is iano Giu -
ida, e al. T ansla ion leak-aside bu e : De ea ing
cache side-channel p o ec ions wi h TLB a acks. In
USENIX Secu i y, 2018.
[26]
Daniel G uss, Clémen ine Mau ice, Ande s Fogh,
Mo i z Lipp, and S e an Manga d. P e e ch side-channel
a acks: Bypassing SMAP and ke nel ASLR. In CCS,
2016.
USENIX Associa ion 33 d USENIX Secu i y Symposium 591

[27]
Daniel G uss, Clémen ine Mau ice, Klaus Wagne , and
S e an Manga d. Flush+Flush: A as and s eal hy cache
a ack, 2016.
[28]
Ma co Gua nie i, Bo is Köp , José F Mo ales, Jan
Reineke, and And és Sánchez. Spec ec o : P incipled
de ec ion o specula i e in o ma ion lows. In IEEE
S&P, 2020.
[29]
Ma hé He ogh, Sande Wiebing, and C is iano Giu -
ida. Leaky add ess masking: Exploi ing unmasked
Spec e gadge s wi h noncanonical add ess ansla ion.
In IEEE S&P, 2024.
[30]
In el. In el 64 and IA-32 a chi ec u es so wa e de el-
ope ’s manual combined olumes. 2019.
[31]
B ian Johannesmeye , Jakob Koschel, Ka eh Raza i,
He be Bos, and C is iano Giu ida. Kaspe : scanning
o gene alized ansien execu ion gadge s in he Linux
ke nel. In NDSS, 2022.
[32]
Paul Koche , Jann Ho n, Ande s Fogh, Daniel Genkin,
Daniel G uss, We ne Haas, Mike Hambu g, Mo i z
Lipp, S e an Manga d, Thomas P esche , Michael
Schwa z, and Yu al Ya om. Spec e a acks: Exploi ing
specula i e execu ion. In IEEE S&P, 2019.
[33]
Paul C. Koche . Timing a acks on implemen a ions
o Di ie-Hellman, RSA, DSS, and o he sys ems. In
CRYPTO, 1996.
[34]
Esmaeil Mohammadian Ko uyeh, Khaled N. Kha-
sawneh, Chengyu Song, and Nael Abu-Ghazaleh. Spec-
e e u ns! specula ion a acks using he e u n s ack
bu e . In WOOT, 2018.
[35]
Mo i z Lipp, Michael Schwa z, Daniel G uss, Thomas
P esche , We ne Haas, Ande s Fogh, Jann Ho n, S e an
Manga d, Paul Koche , Daniel Genkin, e al. Mel down:
eading ke nel memo y om use space. In USENIX
Secu i y, 2018.
[36]
Fang ei Liu, Yu al Ya om, Qian Ge, Ge no Heise , and
Ruby B. Lee. Las -le el cache side-channel a acks a e
p ac ical. In IEEE S&P, 2015.
[37]
Ke in Loughlin, Ian Neal, Jiacheng Ma, Elisa Tsai,
O i Weisse, Sa ish Na ayanasamy, and Ba is Kasikci.
DOLMA: Secu ing specula ion wi h he p inciple o
ansien non-obse abili y. In USENIX Secu i y, 2021.
[38]
Gio gi Maisu adze and Ch is ian Rossow. e 2spec:
Specula i e execu ion using e u n s ack bu e s. In
CCS, 2018.
[39]
Alyssa Milbu n, Ke Sun, and Hen ique Kawakami. You
canno always win he ace: Analyzing mi iga ions o
b anch a ge p edic ion a acks. In IEEE Eu oS&P,
2023.
[40]
Oleksii Oleksenko, Bohdan T ach, Ma k Silbe s ein, and
Ch is o Fe ze . SpecFuzz: B inging Spec e- ype ul-
ne abili ies o he su ace. In USENIX Secu i y, 2020.
[41]
Colin Pe ci al. Cache missing o un and p o i . 2005.
[42]
Zhenxiao Qi, Qian Feng, Yueqiang Cheng, Mengjia Yan,
Peng Li, Heng Yin, and Tao Wei. SpecTain : Specula i e
ain analysis o disco e ing Spec e gadge s. In NDSS,
2021.
[43]
Hany Ragab, And ea Mamb e i, Anil Ku mus, and C is-
iano Giu ida. Ghos Race: Exploi ing and mi iga ing
specula i e ace condi ions. In USENIX Secu i y, 2024.
[44]
Joseph Ra ichand an, Weon Taek Na, Jay Lang, and
Mengjia Yan. PACMAN: A acking ARM poin e au-
hen ica ion wi h specula i e execu ion. In ISCA, 2022.
[45]
Xida Ren, Logan Moody, Mohammadkazem Ta am,
Ma hew Jo dan, Dean M. Tullsen, and Ashish Venka . I
see dead µops: Leaking sec e s ia In el/AMD mic o-op
caches. In ISCA, 2021.
[46]
Ho a Shacham. The geome y o innocen lesh on
he bone: Re u n-in o-libc wi hou unc ion calls (on he
x86). In CCS, 2007.
[47]
Dag A ne Os ik Shami , Adi and E an T ome . Cache
a acks and coun e measu es: he case o AES, 2005.
[48]
Ved yas Shanbhogue, Deepak Gup a, and Ra i Sahi a.
Secu i y analysis o p ocesso ins uc ion se a chi ec-
u e o en o cing con ol- low in eg i y. In S&P, 2019.
[49]
Youngjoo Shin, Hyung Chan Kim, Dokeun Kwon,
Ji Hoon Jeong, and Junbeom Hu . Un eiling ha dwa e-
based da a p e e che , a hidden sou ce o in o ma ion
leakage. In ACM CCS, 2018.
[50]
Yan Shoshi aish ili, Ruoyu Wang, Ch is ophe Salls,
Nick S ephens, Ma io Polino, And ew Du che , John
G osen, Siji Feng, Ch is ophe Hause , Ch is ophe
K uegel, and Gio anni Vigna. (S a e o ) he a o wa :
O ensi e echniques in bina y analysis. In IEEE S&P,
2016.
[51]
Daniël T ujillo, Johannes Wikne , and Ka eh Raza i.
Incep ion: Exposing new a ack su aces wi h aining
in ansien execu ion. In USENIX Secu i y, 2023.
[52]
S ephan Van Schaik, Alyssa Milbu n, Sebas ian Ös e -
lund, Pie o F igo, Gio gi Maisu adze, Ka eh Raza i,
He be Bos, and C is iano Giu ida. RIDL: Rogue
in- ligh da a load. In IEEE S&P, 2019.
592 33 d USENIX Secu i y Symposium USENIX Associa ion
[53]
Guanhua Wang, Sudip a Cha opadhyay, A nab Ku-
ma Biswas, Tulika Mi a, and Abhik Roychoud-
hu y. KLEESPECTRE: De ec ing in o ma ion leakage
h ough specula i e cache a acks ia symbolic execu-
ion. ACM TOSEM, 2020.
[54]
Johannes Wikne and Ka eh Raza i. RETBLEED: A bi-
a y specula i e code execu ion wi h e u n ins uc ions.
In USENIX Secu i y, 2022.
[55]
Yu al Ya om and Ka ina Falkne . FLUSH+RELOAD:
A high esolu ion, low noise, L3 cache side-channel
a ack. In USENIX Secu i y, 2014.
[56]
Hosein Ya a zadeh, Mohammadkazem Ta am, Sh a an
Na ayan, Deian S e an, and Dean Tullsen. Hal &Hal :
Demys i ying In el’s di ec ional b anch p edic o s o
as , secu e pa i ioned execu ion. In IEEE S&P, 2023.
A Ex a Co e Channels
To demons a e he lexibili y o InSpec e Gadge , we ex-
ended he ool o include wo ex a co e channels, namely
he code-load co e channel [45], which equi es a sec e -
dependen unc ion poin e , and he ecen SLAM co e chan-
nel [29]. SLAM le e ages In el’s ecen ly announced Linea
Add ess Masking (LAM) ea u e, as well as mic oa chi ec-
u al ace condi ions p esen on some exis ing AMD CPUs.
Via SLAM, an a acke can leak da a ia a s aigh o wa d
de e e ence o a 64-bi sec e , ypically a noncanonical ad-
d ess, by ansien ly bypassing canonicali y checks.
Suppo ing SLAM equi ed modi ica ions only in he ea-
sone , wi h 83 line changes. The code-load co e channel
equi ed e en ewe modi ica ions, wi h only 7 line changes in
he scanne . We an he ex ended implemen a ion o InSpec e
Gadge wi h he same se up desc ibed in Sec ion 5.4. Table 5
p esen s ou esul s. We coun each en y poin as a single
gadge , in line wi h SLAM’s de ini ion.
The SLAM pape epo s a la ge po en ial a ack su ace
when scanning he Linux ke nel’s indi ec call a ge s (16,046
po en ial gadge s), bu p ac ical exploi abili y is app oxi-
ma ed by pa e n-ma ching simple cases, esul ing in 4,194
exploi able gadge s. In con as , by easoning on complex
gadge s as well, InSpec e Gadge is able o unco e 13,648
SLAM gadge s ha pass all exploi abili y es s in indi ec
call a ge s, and a o al o 16,287 exploi able SLAM gadge s
when conside ing also indi ec jump a ge s and code-loads.
While we did no unco e any new adi ional gadge s ia he
code-load co e channel, we iden i ied 2,856 SLAM gadge s
ha a e exploi able ia he code-load co e channel.
B FineIBT Case S udy Gadge
Lis ing 6p esen s he assembly code o he unix_poll_gadge ,
he gadge used in he FineIBT bypass case s udy. The gadge
Table 5: The numbe o exploi able SLAM gadge s ound by
InSpec e Gadge in indi ec call a ge s and indi ec jump
a ge s o he ke nel, g ouped by echnique needed o ex-
ploi a ion. Coun ed by he numbe o indi ec en y poin s
wi h a leas one gadge .
Technique Call Ta ge s Jump Ta ge s
Code- Code-
Load S o e load Load S o e load
Known P e ix 14,840 3,470 2,440 1,981 831 474
T ain In-Place 5,285 1,796 1,230 531 308 49
T ain OOP 363 174 75 1,132 430 424
To al 14,847 3,485 2,440 1,987 832 474
loads a sec e om memo y wi h a acke -con olled egis e
si
as add ess. Nex , he gadge loads he call a ge om he
a acke -con olled add ess in
dx
and calls i subsequen ly.
The sec e is ansmi ed by he ins uc ion a he call a ge ,
selec ed by he a acke , ha pe o ms a load wi h he sec e as
an a gumen and an a acke -con olled alue as he base. We
selec ed he ins uc ion
mo zx ebx, BYTE PTR[ 8+ bx]
ound in he uuid_s ing unc ion.
Lis ing 6: Assembly o he
unix_poll
gadge . Linux ke nel
6.6- c4, FineIBT enabled.
1__c i_unix_poll:
2endb 64
3sub 10d,0x1eb58ddc
4je <unix_poll>
5ud2
6nop
7unix_poll:
8nop WORD PTR [ ax]
9push bp
10 push 14
11 push bx
12 mo bx,QWORD PTR [ si+0x18]; load sec e
13 es dx, dx
14 je <unix_poll+55>
15 mo 11,QWORD PTR [ dx]; load call a ge
16 es 11, 11
17 je <unix_poll+55>
18 add si,0x40
19 mo 10d,0xd0 acb91
20 sub 11,0x10
21 nop DWORD PTR [ ax+0x0]
22 call 11; call a acke chosen a ge
C Anno a ed Assembly Ou pu
Figu e 10 shows he anno a ed assembly ou pu o he
(cg oup_seq ile_show) gadge used in ou exploi .
USENIX Associa ion 33 d USENIX Secu i y Symposium 593
----------------- TRANSMISSION -----------------
cg oup_seq ile_show:
8114 30 endb 64
8114 34 push bp
8114 35 mo ax,qwo d p [ di+0x70] ; {A acke @ di} -> {A acke @0x 8114 35}
8114 39 mo 8, si
8114 3c mo bp, di
8114 3 mo ax,qwo d p [ ax] ; {A acke @0x 8114 35} -> {A acke @0x 8114 3 }
8114 42 mo si,qwo d p [ ax+0x60] ; {A acke @0x 8114 3 } -> {A acke @0x 8114 42}
8114 46 mo dx,qwo d p [ ax+0x8] ; {A acke @0x 8114 3 } -> {A acke @0x 8114 46}
8114 4a mo ax,qwo d p [ si+0x58] ; {A acke @0x 8114 42} -> {A acke @0x 8114 4a}
8114 4e mo di,qwo d p [ dx+0x60] ; {A acke @0x 8114 46} -> {A acke @0x 8114 4e}
8114 52 es ax, ax
8114 55 je 0x 8114 67 ; No Taken <Bool LOAD_64[<BV64 LOAD_64[<BV64 LOAD_64[<BV64 LOAD_64[<BV64 di + 0x70>]_21>]_22
+ 0x60>]_23 + 0x58>]_25 != 0x0>
8114 57 mo sxd ax,dwo d p [ ax+0x9c] ; {A acke @0x 8114 4a} -> {Sec e @0x 8114 57}
8114 62 mo di,qwo d p [ di+ ax*0x8+0x8] ; {A acke @0x 8114 4e, Sec e @0x 8114 57} -> TRANSMISSION
8114 67 mo ax,qwo d p [ si+0x98]
8114 6e es ax, ax
8114 71 je 0x 8114 7

------------------------------------------------
uuid: 5bb996d2-d414-4452-a858-c2d306eedb9a
ansmi e : T ansmi e Type.LOAD
Sec e Add ess:
- Exp : LOAD_64[ LOAD_64[ LOAD_64[ LOAD_64[ di + 0x70]_21]_22 + 0x60]_23 + 0x58]_25 + 0x9c
- Range: (0x0,0x ,0x1) Exac : T ue
T ansmi ed Sec e :
- Exp : (0#32 .. LOAD_32[ LOAD_64[ LOAD_64[ LOAD_64[ LOAD_64[ di + 0x70]_21]_22 + 0x60]_23 + 0x58]_25 + 0x9c]_27) << 0x3
- Range: (0x0,0x3 8,0x8) Exac : T ue
- Sp ead: 3 - 34
- Numbe o Bi s In e able: 32
Base:
- Exp : LOAD_64[ LOAD_64[ LOAD_64[ LOAD_64[ di + 0x70]_21]_22 + 0x8]_24 + 0x60]_26 + 0x178
- Range: (0x0,0x ,0x1) Exac : T ue
- Independen Exp : LOAD_64[ LOAD_64[ LOAD_64[ LOAD_64[ di + 0x70]_21]_22 + 0x8]_24 + 0x60]_26 + 0x178
- Independen Range: (0x0,0x ,0x1) Exac : T ue
T ansmission:
- Exp : 0x8 + LOAD_64[ LOAD_64[ LOAD_64[ LOAD_64[ di + 0x70]_21]_22 + 0x8]_24 + 0x60]_26 + (0x170 + ((0#32 .. LOAD_32[ LOAD_64[ LOAD_64[
LOAD_64[ LOAD_64[ di + 0x70]_21]_22 + 0x60]_23 + 0x58]_25 + 0x9c]_27) << 0x3))
- Range: (0x0,0x ,0x1) Exac : False
Regis e Requi emen s: { di }
Cons ain s: [('0x 8114 57', <Bool LOAD_32[<BV64 LOAD_64[<BV64 LOAD_64[<BV64 LOAD_64[<BV64 LOAD_64[<BV64 di + 0x70]_21]_22 + 0x60]_23
+ 0x58]_25 + 0x9c]_27[31:31] == 0, 'Condi ionType.SIGN_EXT')]
B anches: [('0x 8114 55', <Bool LOAD_64[<BV64 LOAD_64[<BV64 LOAD_64[<BV64 LOAD_64[<BV64 di + 0x70]_21]_22 + 0x60]_23 + 0x58]_25 != 0x0
, 'No Taken')]
------------------------------------------------
1
2
3
4
5
6
6
7
6
8
6
9
Figu e 10: Anno a ed assembly ile gene a ed by InSpec e Gadge . Righ o he assembly ins uc ions, we ou pu he
anno a ions a ached o he sou ce and des ina ion ope ands (sou ce
→
des ina ion). The anno a ions include he o igin o he
alue, which is ei he he ins uc ion poin e o he sou ce load o a egis e (e.g.,
@ di
). As we gene a e o each de ec ed gadge
an anno a ed assembly ile, we do no p in anno a ions ha a e i ele an o he gadge low and we eplace all sec e anno a ions
wi h an a acke anno a ion ha a e, o his speci ic gadge , no used as a sec e bu as an a acke -con olled alue. In he case o
a b anch ins uc ion, we show he b anch condi ion o hold ins ead.
As shown by he anno a ions, he a acke -con olled alue
di
is used in he i s load
1

, ollowed by a se ies o loads whose
con ollabili y is acked
2

. The encoun e ed b anch condi ion is eco ded
3

. Subsequen ly, he sec e alue is loaded om an
a acke -con olled alue
4

and ansmi ed using an a acke -con olled alue as he base
5

. We ou pu key de ails a e he
assembly code, including he symbolic exp ession and he ange—i.e., (min, max, s ide)— o each ansmission componen
6

,
insigh s abou he ansmi ed sec e bi s 7
, de ails abou which egis e s an a acke should con ol o exploi he gadge 8
as
well as he cons ain s and b anches encoun e ed 9
.
594 33 d USENIX Secu i y Symposium USENIX Associa ion