In our previous blog on Spectre variant 1, we explained the vulnerability and discussed how the Klocwork SPECTRE.VARIANT1 checker works. Now, we’ll walk through a real example of the detection and remediation of the vulnerability in Klocwork.
For those who prefer something visual, we’ve included a video of this walkthrough below, which includes a detailed technical explanation of the vulnerability by one of our Klocwork developers.
The code sample presented here was originally published by Erik August Johnson; we encourage you to download it and try our Spectre checker for yourself. This walkthrough uses the Klocwork Desktop Plugin for Visual Studio, but similar steps can be applied to any flavor of Klocwork.
Configuring the Spectre checker
To enable the Klocwork Spectre checker, open the Klocwork Solution Properties dialog (right-click a solution in the Solution Explorer and select Klocwork Solution Properties) and enable SPECTRE.VARIANT1.
Finding the Spectre vulnerability
Once the analysis is complete, the following results are displayed in the desktop editor, highlighting two conditions that indicate the potential for the Spectre vulnerability to exist:
1. Potentially untrusted data x on line 42
2. Untrusted data x used in a branch that may be executed under speculative execution
For details on how the checker actually works, read our previous blog.
Fixing the found defects
As per Intel’s recommendation, the vulnerability can be remediated with the LFENCE instruction, which stops speculative execution locally, by calling _mm_lfence(), Intel’s compiler intrinsic for this instruction. Inserting it before the untrusted data is used to index the array on line 43 above, and re-running the Klocwork analysis, removes the reported defect:
Using your own Spectre mitigation function
If you have your own Spectre mitigation function, you can include a custom KB in the Klocwork analysis, identifying areas of code to the checker that aren’t vulnerable to the exploit. To illustrate this case, we will insert a fence instruction intrinsic function, my_fence_intrinsic() on line 45 and re-run Klocwork analysis:
The same defect as before is reported because Klocwork doesn’t recognize my_fence_intrinsic() as a remediation to the exploit. Since we know that it is, we include a custom KB file into the project (instructions here) with the following KB record:
my_fence_intrinsic - FENCE
Running the analysis again removes the reported defect, as Klocwork recognizes the intrinsic function:
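The pattern the checker reports, beside its fenced form, as an added C example (not code from the post or from the original sample); the table contents and the my_fence_intrinsic() wrapper are assumptions, standing in for a project's own fence function that a custom KB record would declare as FENCE:

```c
#include <stddef.h>
#include <stdint.h>

#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
#include <emmintrin.h>                      /* _mm_lfence() for x86 targets */
#define SPECULATION_BARRIER() _mm_lfence()
#else
/* Non-x86 GCC/Clang build: compiler-only barrier so the file still builds;
   it is NOT a speculation barrier on those targets. */
#define SPECULATION_BARRIER() __asm__ volatile("" ::: "memory")
#endif

/* Hypothetical project wrapper (assumption). Without a KB record
   "my_fence_intrinsic - FENCE", the checker does not know it is a fence. */
static inline void my_fence_intrinsic(void) { SPECULATION_BARRIER(); }

/* Constructed sample tables: array1 is the bounds-checked table, array2 the
   second table whose access depends on the value read from array1. */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                       9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * 512];

/* Fill array2 so each reachable slot holds a recognisable value. Returns 1. */
int init_tables(void) {
    for (unsigned k = 0; k < 256; k++)
        array2[k * 512] = (uint8_t)(k + 100);
    return 1;
}

/* Before: the variant-1 pattern the checker flags. x is untrusted; the bounds
   check is architecturally correct, but the CPU may speculate past it and use
   an out-of-range x to index array1, then array2, before the branch resolves. */
uint8_t victim_unfenced(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 512];
    return 0;
}

/* After: the remediation the post describes. The fence sits between the check
   and the first use of x as an index, so the loads cannot run ahead of it. */
uint8_t victim_fenced(size_t x) {
    if (x < ARRAY1_SIZE) {
        my_fence_intrinsic();
        return array2[array1[x] * 512];
    }
    return 0;
}
```

Both functions return identical results architecturally; the difference is only in what the processor may do speculatively, which is why a static checker, not a unit test, is what finds the missing fence.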
You can view the complete documentation for the SPECTRE.VARIANT1 checker here.
For a detailed breakdown of the vulnerability and a demonstration of its discovery and remediation in Klocwork, watch this video:
The SPECTRE.VARIANT1 checker is available now for Klocwork 2018 and Klocwork 2017.3.
For those interested in detecting and mitigating the Spectre vulnerability as soon as possible, you can try a free trial of Klocwork now.
We also offer a Spectre audit of your code, where our professional services team analyzes your code base, identifies potential vulnerabilities, and provides remediation guidance tailored to your team.