Releases: vusec/inspectre-gadget
Releases · vusec/inspectre-gadget
Artifact Evaluation Final
InSpectre Gadget Results
analysis date: 26-03-2024
reasoner date: 26-03-2024
target: Linux Kernel 6.6-rc4
Run ./build-db.sh to create a querable gadgets.db (requires sqlite3).
These results were obtained by running experiments/scanner-eval/run.sh on Ubuntu 22.04.
General Stats
+--------------------------+--------------------+
| Stats | COUNT(DISTINCT pc) |
+--------------------------+--------------------+
| Exploitable Gadgets | 1565 |
| Reachable Targets | 14391 |
| Exploitable Call Gadgets | 955 |
| Exploitable Jump Gadgets | 610 |
+--------------------------+--------------------+
Stats for Exploitable Gadgets
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
| type | transmitter | total | no_techniques | requires_prime_and_probe | is_secret_below_cache_granularity | is_secret_entropy_high | is_max_secret_too_high | is_max_secret_too_high_incl_high_entropy | base_has_direct_secret_dependency | leak_secret_near_valid_base | non_linear | sliding_and_prefix | sliding_and_base_overflow | prefix_and_base_overflow | in_place_training | out_of_place_training |
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
| call targets | TransmitterType.LOAD | 738 | 14 | 199 | 69 | 399 | 7 | 79 | 54 | 0 | 592 | 0 | 1 | 96 | 467 | 53 |
| call targets | TransmitterType.STORE | 288 | 2 | 126 | 30 | 121 | 1 | 30 | 74 | 0 | 247 | 0 | 1 | 52 | 210 | 10 |
| reachable call targets | TransmitterType.LOAD | 230 | 1 | 64 | 34 | 107 | 4 | 28 | 29 | 0 | 216 | 0 | 2 | 25 | 174 | 25 |
| reachable call targets | TransmitterType.STORE | 78 | 1 | 51 | 7 | 19 | 1 | 9 | 46 | 0 | 75 | 0 | 2 | 15 | 68 | 2 |
| jump targets | TransmitterType.LOAD | 471 | 0 | 126 | 208 | 135 | 0 | 88 | 13 | 0 | 300 | 0 | 0 | 179 | 153 | 130 |
| jump targets | TransmitterType.STORE | 179 | 0 | 17 | 50 | 110 | 0 | 43 | 1 | 0 | 156 | 0 | 0 | 46 | 52 | 77 |
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
Stats for Non-Exploitable Gadgets
+-----------------------+-------------------------------------+--------------------+
| transmitter | problem | COUNT(DISTINCT pc) |
+-----------------------+-------------------------------------+--------------------+
| TransmitterType.LOAD | indirect base alias | 1322 |
| TransmitterType.STORE | indirect base alias | 730 |
| TransmitterType.LOAD | reachable indirect base alias | 502 |
| TransmitterType.STORE | reachable indirect base alias | 151 |
| TransmitterType.LOAD | invalid base | 32651 |
| TransmitterType.STORE | invalid base | 5619 |
| TransmitterType.LOAD | reachable invalid base | 9270 |
| TransmitterType.STORE | reachable invalid base | 1391 |
| TransmitterType.LOAD | invalid secret address | 412 |
| TransmitterType.STORE | invalid secret address | 78 |
| TransmitterType.LOAD | reachable invalid secret address | 104 |
| TransmitterType.STORE | reachable invalid secret address | 11 |
| TransmitterType.LOAD | CMOVE alias | 773 |
| TransmitterType.STORE | CMOVE alias | 171 |
| TransmitterType.LOAD | reachable CMOVE alias | 246 |
| TransmitterType.STORE | reachable CMOVE alias | 50 |
| TransmitterType.LOAD | secret not inferable | 114 |
| TransmitterType.STORE | secret not inferable | 5 |
| TransmitterType.LOAD | reachable secret not inferable | 59 |
| TransmitterType.STORE | reachable secret not inferable | 1 |
| TransmitterType.LOAD | secret entropy too high | 268 |
| TransmitterType.STORE | secret entropy too high | 56 |
| TransmitterType.LOAD | reachable secret entropy too high | 51 |
| TransmitterType.STORE | reachable secret entropy too high | 9 |
| TransmitterType.LOAD | secret too big | 2045 |
| TransmitterType.STORE | secret too big | 439 |
| TransmitterType.LOAD | reachable secret too big | 282 |
| TransmitterType.STORE | reachable secret too big | 159 |
| TransmitterType.LOAD | secret too small | 561 |
| TransmitterType.STORE | secret too small | 67 |
| TransmitterType.LOAD | reachable secret too small | 198 |
| TransmitterType.STORE | reachable secret too small | 28 |
| TransmitterType.LOAD | contains speculation stop | 34 |
| TransmitterType.STORE | contains speculation stop | 7 |
| TransmitterType.LOAD | reachable contains speculation stop | 6 |
| TransmitterType.STORE | reachable contains speculation stop | 3 |
| TransmitterType.LOAD | TOTAL | 34825 |
| TransmitterType.STORE | TOTAL | 6035 |
| TransmitterType.LOAD | TOTAL reachable | 9609 |
| TransmitterType.STORE | TOTAL reachable | 1530 |
+-----------------------+-------------------------------------+--------------------+
Stats for Fineibt Bypass Gadgets
+---------------------------------+--------------------+
| Fineibt Bypass Gadgets | COUNT(DISTINCT pc) |
+---------------------------------+--------------------+
| FineIBT reachable dispatchers | 88 |
| FineIBT reachable gadgets | 44 |
| FineIBT unreachable gadgets | 548 |
| FineIBT half-gadget dispatchers | 115 |
+---------------------------------+--------------------+
Stats for Dispatch Gadgets
+----------------------------+--------------------+
| Dispatchers | COUNT(DISTINCT pc) |
+----------------------------+--------------------+
| Call Dispatchers | 2039 |
| Reachable Call Dispatchers | 477 |
| Jump Dispatchers | 462 |
+----------------------------+--------------------+
Stats for Exploitable SLAM Gadgets
+-------------------------------------+---------------------------+--------------+...
camera-ready
InSpectre Gadget Results
analysis date: 20-02-2024
reasoner date: 26-02-2024
target: Linux Kernel 6.6-rc4
To reproduce, run scripts/run-queries.sh. This will create gadgets.db and print some stats.
General Stats
+--------------------------+--------------------+
| "Exploitable Gadgets" | COUNT(DISTINCT pc) |
+--------------------------+--------------------+
| Exploitable Gadgets | 1511 |
| Reachable Targets | 14015 |
| Exploitable Call Gadgets | 922 |
| Exploitable Jump Gadgets | 589 |
+--------------------------+--------------------+
Exploitable Gadgets
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
| type | transmitter | total | no_techniques | requires_prime_and_probe | is_secret_below_cache_granularity | is_secret_entropy_high | is_max_secret_too_high | is_max_secret_too_high_incl_high_entropy | base_has_direct_secret_dependency | leak_secret_near_valid_base | non_linear | sliding_and_prefix | sliding_and_base_overflow | prefix_and_base_overflow | in_place_training | out_of_place_training |
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
| call targets | TransmitterType.LOAD | 710 | 12 | 190 | 73 | 391 | 7 | 65 | 46 | 0 | 575 | 0 | 1 | 85 | 452 | 39 |
| call targets | TransmitterType.STORE | 283 | 4 | 118 | 30 | 123 | 0 | 27 | 63 | 0 | 245 | 0 | 1 | 61 | 204 | 10 |
| reachable call targets | TransmitterType.LOAD | 211 | 1 | 50 | 33 | 104 | 4 | 26 | 20 | 0 | 197 | 0 | 2 | 23 | 164 | 13 |
| reachable call targets | TransmitterType.STORE | 75 | 3 | 53 | 5 | 14 | 0 | 6 | 49 | 0 | 70 | 0 | 2 | 20 | 63 | 2 |
| jump targets | TransmitterType.LOAD | 469 | 0 | 126 | 221 | 120 | 0 | 75 | 13 | 0 | 298 | 0 | 0 | 166 | 166 | 115 |
| jump targets | TransmitterType.STORE | 160 | 0 | 13 | 51 | 94 | 0 | 43 | 1 | 0 | 137 | 0 | 0 | 46 | 53 | 57 |
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
rebuttal
InSpectre Gadget Results
date: 20-02-2024
target: Linux Kernel 6.6-rc4
To reproduce, run run-queries.sh. This will create gadgets.db and print some stats.
General Stats
+--------------------------+--------------------+
| "Exploitable Gadgets" | COUNT(DISTINCT pc) |
+--------------------------+--------------------+
| Exploitable Gadgets | 1515 |
| Reachable Targets | 14015 |
| Exploitable Call Gadgets | 926 |
| Exploitable Jump Gadgets | 589 |
+--------------------------+--------------------+
Exploitable Gadgets
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
| type | transmitter | total | no_techniques | requires_prime_and_probe | is_secret_below_cache_granularity | is_secret_entropy_high | is_max_secret_too_high | is_max_secret_too_high_incl_high_entropy | base_has_direct_secret_dependency | leak_secret_near_valid_base | non_linear | sliding_and_prefix | sliding_and_base_overflow | prefix_and_base_overflow | in_place_training | out_of_place_training |
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
| call targets | TransmitterType.LOAD | 714 | 12 | 194 | 73 | 391 | 6 | 58 | 50 | 0 | 579 | 0 | 0 | 78 | 456 | 39 |
| call targets | TransmitterType.STORE | 283 | 4 | 118 | 30 | 123 | 0 | 24 | 63 | 0 | 245 | 0 | 1 | 57 | 204 | 10 |
| reachable call targets | TransmitterType.LOAD | 211 | 1 | 50 | 33 | 104 | 3 | 23 | 20 | 0 | 197 | 0 | 1 | 21 | 164 | 13 |
| reachable call targets | TransmitterType.STORE | 75 | 3 | 53 | 5 | 14 | 0 | 5 | 49 | 0 | 70 | 0 | 2 | 19 | 63 | 2 |
| jump targets | TransmitterType.LOAD | 469 | 0 | 126 | 221 | 120 | 0 | 75 | 13 | 0 | 298 | 0 | 0 | 166 | 166 | 115 |
| jump targets | TransmitterType.STORE | 160 | 0 | 13 | 51 | 94 | 0 | 43 | 1 | 0 | 137 | 0 | 0 | 46 | 53 | 57 |
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
first release
InSpectre Gadget Results
date: 12-12-2023
target: Linux Kernel 6.6-rc4
To inspect the results, download the tarball and execute run-queries.sh (requires sqlite3). This will create gadgets.db and print
some stats of the gadgets found.
Exploitable Gadgets
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
| type | transmitter | total | no_techniques | requires_prime_and_probe | is_secret_below_cache_granularity | is_secret_entropy_high | is_max_secret_too_high | is_max_secret_too_high_incl_high_entropy | base_has_direct_secret_dependency | leak_secret_near_valid_base | non_linear | sliding_and_prefix | sliding_and_base_overflow | prefix_and_base_overflow | in_place_training | out_of_place_training |
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
| call targets | TransmitterType.LOAD | 771 | 14 | 191 | 71 | 446 | 7 | 131 | 63 | 0 | 626 | 0 | 0 | 134 | 510 | 38 |
| call targets | TransmitterType.STORE | 267 | 4 | 98 | 31 | 126 | 0 | 32 | 62 | 0 | 228 | 0 | 1 | 47 | 193 | 6 |
| reachable call targets | TransmitterType.LOAD | 239 | 1 | 58 | 25 | 133 | 3 | 42 | 22 | 0 | 226 | 0 | 1 | 43 | 190 | 15 |
| reachable call targets | TransmitterType.STORE | 80 | 3 | 51 | 5 | 21 | 0 | 8 | 45 | 0 | 75 | 0 | 2 | 23 | 65 | 3 |
| jump targets | TransmitterType.LOAD | 432 | 0 | 46 | 222 | 161 | 0 | 92 | 21 | 0 | 285 | 0 | 0 | 92 | 162 | 120 |
| jump targets | TransmitterType.STORE | 207 | 0 | 15 | 55 | 134 | 0 | 58 | 1 | 0 | 184 | 0 | 0 | 58 | 78 | 78 |
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
Non-Exploitable Gadgets
+-----------------------+---------------------------+--------------------+
| transmitter | problem | COUNT(DISTINCT pc) |
+-----------------------+---------------------------+--------------------+
| TransmitterType.LOAD | indirect base alias | 1228 |
| TransmitterType.STORE | indirect base alias | 450 |
| TransmitterType.LOAD | invalid base | 29762 |
| TransmitterType.STORE | invalid base | 4628 |
| TransmitterType.LOAD | invalid secret address | 1092 |
| TransmitterType.STORE | invalid secret address | 184 |
| TransmitterType.LOAD | secret not inferable | 96 |
| TransmitterType.STORE | secret not inferable | 6 |
| TransmitterType.LOAD | secret entropy too high | 944 |
| TransmitterType.STORE | secret entropy too high | 154 |
| TransmitterType.LOAD | secret too big | 1901 |
| TransmitterType.STORE | secret too big | 396 |
| TransmitterType.LOAD | secret too small | 460 |
| TransmitterType.STORE | secret too small | 63 |
| TransmitterType.LOAD | contains speculation stop | 25 |
| TransmitterType.STORE | contains speculation stop | 8 |
| TransmitterType.LOAD | TOTAL | 31690 |
| TransmitterType.STORE | TOTAL | 5019 |
+-----------------------+---------------------------+--------------------+