‘007’ code helps stop Spectre exploits before they exist

At arXiv, Singaporean and US researchers have published work, appropriately dubbed “007”, which checks code to see if it’s trying to exploit Spectre; and at Virus Bulletin, Fortinet’s Axelle Apvrille takes a look at the bug from an Android point of view.

Apvrille’s work backs up what we’ve heard from other researchers: so far, Spectre exploitation is theoretical, with no exploits in the wild. She wrote that while there was a flurry of “Spectre exploit” stories based on AV-Test sample collection, it turned out that all of the reported samples were proofs-of-concept rather than genuine malware.

She adds: “there is a significant difference between a PoC of Spectre and a piece of malware using Spectre. Turning a PoC into a malicious executable is far from a trivial process.”

That doesn’t make this kind of work pointless, though, since it’s a good thing to stay ahead of whatever nasties black hats might devise.

In developing a detection technique, Apvrille’s second conclusion was also good news: an attack against Spectre, she found, seems relatively easy to detect.

She wrote that “we had expected several false positives with this signature, but that was not the case: this imperfect signature turns out to be quite good in practice.”

The signature Apvrille searched for (using the in-practice impracticably-slow technique of searching whole binaries) was to identify “Flush+Reload cache attacks in ELF x86-64 executables”.

Source: ‘007’ code helps stop Spectre exploits before they exist • The Register