
Walkthrough of the Klocwork Spectre checker

on Jun 18, 18 • by Roy Sarkar

A walkthrough of a real example of the detection and remediation of the Spectre vulnerability using Klocwork static code analysis...


In our previous blog on Spectre variant 1, we explained the vulnerability and discussed how the Klocwork SPECTRE.VARIANT1 checker works. Now, we’ll walk through a real example of the detection and remediation of the vulnerability in Klocwork.

For those who prefer something visual, we’ve included a video of this walkthrough below, which includes a detailed technical explanation of the vulnerability by one of our Klocwork developers.

The code sample presented here was originally published by Erik August Johnson; we encourage you to download it and try our Spectre checker for yourself. This walkthrough uses the Klocwork Desktop Plugin for Visual Studio, but similar steps can be applied to any flavor of Klocwork.

Configuring the Spectre checker

To enable the Klocwork Spectre checker, open the Klocwork Solution Properties dialog (right-click a solution in the Solution Explorer and select Klocwork Solution Properties) and enable SPECTRE.VARIANT1.

[Screenshot: Klocwork Solution Properties dialog]

Finding the Spectre vulnerability

Once the analysis is complete, the following results are displayed in the desktop editor, highlighting two conditions that indicate the potential for the Spectre vulnerability to exist:

1. Potentially untrusted data x on line 42
2. Untrusted data x used in a branch that may be executed under speculative execution

[Screenshot: Spectre defect found]

For details on how the checker actually works, read our previous blog.

Fixing the found defects

As per Intel’s recommendation, the vulnerability can be remediated with the LFENCE instruction, which stops speculative execution locally, by inserting a call to _mm_lfence(), Intel’s compiler intrinsic for this instruction. Inserting it before the untrusted data is used to access the array on line 43 above, and re-running the Klocwork analysis, removes the reported defect:

[Screenshot: Spectre defect fixed]

Using your own Spectre mitigation function

If you have your own Spectre mitigation function, you can include a custom KB (knowledge base) in the Klocwork analysis, telling the checker which code is not vulnerable to the exploit. To illustrate this case, we will insert a fence-instruction intrinsic function, my_fence_intrinsic(), on line 45 and re-run the Klocwork analysis:

[Screenshot: Spectre defect with unknown fence intrinsic]

The same defect as before is reported because Klocwork doesn’t recognize my_fence_intrinsic() as a remediation for the exploit. Since we know that it is, we include a custom KB file in the project (instructions here) with the following KB record:

my_fence_intrinsic - FENCE

Running the analysis again removes the reported defect, as Klocwork recognizes the intrinsic function:
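To make the three situations above concrete (the unfenced bounds check the checker reports, the _mm_lfence() fix, and a project-specific fence wrapper that needs a KB record), here is an added C sample written for this walkthrough. It is not Erik August Johnson's code and not Klocwork's; the table contents, the function names read_unfenced / read_fenced / read_custom_fenced, and the non-x86 fallback for _mm_lfence() are assumptions made so the sample compiles and runs on its own. my_fence_intrinsic() is the hypothetical name the post uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* LFENCE intrinsic. On x86 this is Intel's _mm_lfence(); the non-x86 fallback
 * (an assumption added so the sample compiles anywhere) is only a compiler
 * barrier and is NOT a speculation barrier. */
#if defined(_MSC_VER)
#  include <intrin.h>
#elif defined(__x86_64__) || defined(__i386__)
#  include <emmintrin.h>
#else
#  define _mm_lfence() __asm__ __volatile__("" ::: "memory")
#endif

#define ARRAY1_SIZE 16

/* Constructed sample tables: array1 holds the values an index selects,
 * array2 is the large table whose cache lines a variant 1 gadget touches. */
static uint8_t array1[ARRAY1_SIZE] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * 512];

/* Fill array2 so that array2[v * 512] == v. This only makes the results
 * below easy to check; it has nothing to do with the mitigation. */
void init_tables(void) {
    for (int v = 0; v < 256; v++)
        array2[(size_t)v * 512] = (uint8_t)v;
}

/* The shape of code SPECTRE.VARIANT1 reports: x is untrusted, the bounds
 * check can be bypassed speculatively, and the dependent load
 * array2[array1[x] * 512] leaves a cache footprint keyed on array1[x]. */
uint8_t read_unfenced(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[(size_t)array1[x] * 512];
    return 0;
}

/* Intel's recommended fix: an LFENCE after the check and before the
 * untrusted index is used, so execution cannot run ahead past the check. */
uint8_t read_fenced(size_t x) {
    if (x < ARRAY1_SIZE) {
        _mm_lfence();
        return array2[(size_t)array1[x] * 512];
    }
    return 0;
}

/* A project's own wrapper around the fence (hypothetical name from the post).
 * Klocwork cannot know it is a fence unless the project supplies the KB record
 *     my_fence_intrinsic - FENCE
 * with the analysis; with that record, read_custom_fenced() is reported clean. */
static inline void my_fence_intrinsic(void) {
    _mm_lfence();
}

uint8_t read_custom_fenced(size_t x) {
    if (x < ARRAY1_SIZE) {
        my_fence_intrinsic();
        return array2[(size_t)array1[x] * 512];
    }
    return 0;
}

/* Architecturally all three variants agree; the fence changes only what the
 * CPU may do speculatively, which no functional test can observe. */
int variants_agree(size_t x) {
    uint8_t a = read_unfenced(x), b = read_fenced(x), c = read_custom_fenced(x);
    return a == b && b == c;
}

int main(void) {
    init_tables();
    printf("x=3 -> %u (fenced), x=1000 -> %u (out of bounds)\n",
           read_fenced(3), read_fenced(1000));
    return (variants_agree(3) && variants_agree(1000)) ? 0 : 1;
}
```

The point of variants_agree() is that a unit test cannot tell the vulnerable and remediated functions apart: both return the same values for every x. The difference lives in what the processor is allowed to do before the bounds check retires, which is exactly why the checker has to find the missing fence statically, and why it has to be told, via the KB record, that my_fence_intrinsic() is a fence.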

[Screenshot: Spectre defect with unknown fence intrinsic and custom KB]

You can view the complete documentation for the SPECTRE.VARIANT1 checker here.

For a detailed breakdown of the vulnerability and a demonstration of its discovery and remediation in Klocwork, watch this video:

The SPECTRE.VARIANT1 checker is available now for Klocwork 2018 and Klocwork 2017.3.

For those interested in detecting and mitigating the Spectre vulnerability as soon as possible, you can try a free trial of Klocwork now.

We also offer a Spectre audit of your code, where our professional services team analyzes your code base, identifies potential vulnerabilities, and provides remediation guidance tailored to your team.
