InSpectre Gadget Results
analysis date: 26-03-2024
reasoner date: 26-03-2024
target: Linux Kernel 6.6-rc4
Run ./build-db.sh to create a querable gadgets.db (requires sqlite3).
These results were obtained by running experiments/scanner-eval/run.sh on Ubuntu 22.04.
General Stats
+--------------------------+--------------------+
| Stats | COUNT(DISTINCT pc) |
+--------------------------+--------------------+
| Exploitable Gadgets | 1565 |
| Reachable Targets | 14391 |
| Exploitable Call Gadgets | 955 |
| Exploitable Jump Gadgets | 610 |
+--------------------------+--------------------+
Stats for Exploitable Gadgets
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
| type | transmitter | total | no_techniques | requires_prime_and_probe | is_secret_below_cache_granularity | is_secret_entropy_high | is_max_secret_too_high | is_max_secret_too_high_incl_high_entropy | base_has_direct_secret_dependency | leak_secret_near_valid_base | non_linear | sliding_and_prefix | sliding_and_base_overflow | prefix_and_base_overflow | in_place_training | out_of_place_training |
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
| call targets | TransmitterType.LOAD | 738 | 14 | 199 | 69 | 399 | 7 | 79 | 54 | 0 | 592 | 0 | 1 | 96 | 467 | 53 |
| call targets | TransmitterType.STORE | 288 | 2 | 126 | 30 | 121 | 1 | 30 | 74 | 0 | 247 | 0 | 1 | 52 | 210 | 10 |
| reachable call targets | TransmitterType.LOAD | 230 | 1 | 64 | 34 | 107 | 4 | 28 | 29 | 0 | 216 | 0 | 2 | 25 | 174 | 25 |
| reachable call targets | TransmitterType.STORE | 78 | 1 | 51 | 7 | 19 | 1 | 9 | 46 | 0 | 75 | 0 | 2 | 15 | 68 | 2 |
| jump targets | TransmitterType.LOAD | 471 | 0 | 126 | 208 | 135 | 0 | 88 | 13 | 0 | 300 | 0 | 0 | 179 | 153 | 130 |
| jump targets | TransmitterType.STORE | 179 | 0 | 17 | 50 | 110 | 0 | 43 | 1 | 0 | 156 | 0 | 0 | 46 | 52 | 77 |
+------------------------+-----------------------+-------+---------------+--------------------------+-----------------------------------+------------------------+------------------------+------------------------------------------+-----------------------------------+-----------------------------+------------+--------------------+---------------------------+--------------------------+-------------------+-----------------------+
Stats for Non-Exploitable Gadgets
+-----------------------+-------------------------------------+--------------------+
| transmitter | problem | COUNT(DISTINCT pc) |
+-----------------------+-------------------------------------+--------------------+
| TransmitterType.LOAD | indirect base alias | 1322 |
| TransmitterType.STORE | indirect base alias | 730 |
| TransmitterType.LOAD | reachable indirect base alias | 502 |
| TransmitterType.STORE | reachable indirect base alias | 151 |
| TransmitterType.LOAD | invalid base | 32651 |
| TransmitterType.STORE | invalid base | 5619 |
| TransmitterType.LOAD | reachable invalid base | 9270 |
| TransmitterType.STORE | reachable invalid base | 1391 |
| TransmitterType.LOAD | invalid secret address | 412 |
| TransmitterType.STORE | invalid secret address | 78 |
| TransmitterType.LOAD | reachable invalid secret address | 104 |
| TransmitterType.STORE | reachable invalid secret address | 11 |
| TransmitterType.LOAD | CMOVE alias | 773 |
| TransmitterType.STORE | CMOVE alias | 171 |
| TransmitterType.LOAD | reachable CMOVE alias | 246 |
| TransmitterType.STORE | reachable CMOVE alias | 50 |
| TransmitterType.LOAD | secret not inferable | 114 |
| TransmitterType.STORE | secret not inferable | 5 |
| TransmitterType.LOAD | reachable secret not inferable | 59 |
| TransmitterType.STORE | reachable secret not inferable | 1 |
| TransmitterType.LOAD | secret entropy too high | 268 |
| TransmitterType.STORE | secret entropy too high | 56 |
| TransmitterType.LOAD | reachable secret entropy too high | 51 |
| TransmitterType.STORE | reachable secret entropy too high | 9 |
| TransmitterType.LOAD | secret too big | 2045 |
| TransmitterType.STORE | secret too big | 439 |
| TransmitterType.LOAD | reachable secret too big | 282 |
| TransmitterType.STORE | reachable secret too big | 159 |
| TransmitterType.LOAD | secret too small | 561 |
| TransmitterType.STORE | secret too small | 67 |
| TransmitterType.LOAD | reachable secret too small | 198 |
| TransmitterType.STORE | reachable secret too small | 28 |
| TransmitterType.LOAD | contains speculation stop | 34 |
| TransmitterType.STORE | contains speculation stop | 7 |
| TransmitterType.LOAD | reachable contains speculation stop | 6 |
| TransmitterType.STORE | reachable contains speculation stop | 3 |
| TransmitterType.LOAD | TOTAL | 34825 |
| TransmitterType.STORE | TOTAL | 6035 |
| TransmitterType.LOAD | TOTAL reachable | 9609 |
| TransmitterType.STORE | TOTAL reachable | 1530 |
+-----------------------+-------------------------------------+--------------------+
Stats for Fineibt Bypass Gadgets
+---------------------------------+--------------------+
| Fineibt Bypass Gadgets | COUNT(DISTINCT pc) |
+---------------------------------+--------------------+
| FineIBT reachable dispatchers | 88 |
| FineIBT reachable gadgets | 44 |
| FineIBT unreachable gadgets | 548 |
| FineIBT half-gadget dispatchers | 115 |
+---------------------------------+--------------------+
Stats for Dispatch Gadgets
+----------------------------+--------------------+
| Dispatchers | COUNT(DISTINCT pc) |
+----------------------------+--------------------+
| Call Dispatchers | 2039 |
| Reachable Call Dispatchers | 477 |
| Jump Dispatchers | 462 |
+----------------------------+--------------------+
Stats for Exploitable SLAM Gadgets
+-------------------------------------+---------------------------+--------------+-------------------+--------------------+-------+
| type | transmitter | known_prefix | in_place_training | out_place_training | total |
+-------------------------------------+---------------------------+--------------+-------------------+--------------------+-------+
| call targets | TransmitterType.CODE_LOAD | 2377 | 1208 | 87 | 2377 |
| call targets | TransmitterType.LOAD | 13333 | 4299 | 361 | 13339 |
| call targets | TransmitterType.STORE | 3401 | 1804 | 171 | 3414 |
| jump targets | TransmitterType.CODE_LOAD | 479 | 49 | 429 | 479 |
| jump targets | TransmitterType.LOAD | 2026 | 531 | 1177 | 2032 |
| jump targets | TransmitterType.STORE | 952 | 308 | 551 | 953 |
| total SLAM gadgets | - | - | - | - | 16287 |
| total SLAM gadgets, call load+store | - | - | - | - | 13648 |
| total SLAM gadgets, code-load | - | - | - | - | 2856 |
+-------------------------------------+---------------------------+--------------+-------------------+--------------------+-------+