We present Kasper, a speculative execution gadget scanner for the Linux kernel. Kasper uses taint analysis policies to model an attacker capable of exploiting arbitrary software/hardware vulnerabilities on a transient path to control data (e.g., through memory massaging or LVI), access secrets (e.g., through out-of-bounds or use-after-free accesses), and leak these secrets (e.g., through cache-based, MDS-based, or port contention-based covert channels). Even though the kernel is heavily hardened against transient execution attacks, Kasper finds hundreds of gadgets that are not yet mitigated. You can find the full paper here.
Install dependencies, including go-task as a task-runner:
sudo apt install build-essential clang-11 lld-11 libelf-dev qemu-system-x86 bison flex golang libssl-dev cmake debootstrap python3-pexpect socat ninja-build ccache
sudo sh -c "$(curl -ssL https://taskfile.dev/install.sh)" -- -d -b /usr/local/bin
Initialize/update git submodules (this will take awhile the first time it's run):
task update
Create an initramfs and a disk image to be used with syzkaller:
task initramfs:create
task syzkaller:create-image
Configure and build LLVM with Kasper support:
task llvm:config llvm:build
Build syzkaller with Kasper support:
WARNING: the version of syzkaller we use only works with golang 1.15 (we are using golang 1.15.15)!
task syzkaller:build
Configure and build a Kasper-instrumented Linux kernel:
task kernel:config build kernel:bzImage
Test that the instrumented kernel runs correctly:
task qemu:test
Fuzz the instrumented kernel:
task syzkaller:run-nobench
To aggregate gadgets and run the evaluation please check out kasper-results.