SpecFuzz: Bringing Spectre-type vulnerabilities to the surface


Oleksii Oleksenko and Bohdan Trach, TU Dresden; Mark Silberstein, Technion; Christof Fetzer, TU Dresden


SpecFuzz is the first tool that enables dynamic testing for speculative execution vulnerabilities (e.g., Spectre). The key is a novel concept of speculation exposure: The program is instrumented to simulate speculative execution in software by forcefully executing the code paths that could be triggered due to mispredictions, thereby making the speculative memory accesses visible to integrity checkers (e.g., AddressSanitizer). Combined with the conventional fuzzing techniques, speculation exposure enables more precise identification of potential vulnerabilities compared to state-of-the-art static analyzers.

Our prototype for detecting Spectre V1 vulnerabilities successfully identifies all known variations of Spectre V1 and decreases the mitigation overheads across the evaluated applications, reducing the amount of instrumented branches by up to 77% given a sufficient test coverage.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {251530,
author = {Oleksii Oleksenko and Bohdan Trach and Mark Silberstein and Christof Fetzer},
title = {SpecFuzz: Bringing Spectre-type vulnerabilities to the surface},
booktitle = {29th {USENIX} Security Symposium ({USENIX} Security 20)},
year = {2020},
isbn = {978-1-939133-17-5},
pages = {1481--1498},
url = {https://www.usenix.org/conference/usenixsecurity20/presentation/oleksenko},
publisher = {{USENIX} Association},
month = aug,

Presentation Video