A Spectre Vulnerability Detection Method Integrating Fuzzing and #br#
Taint Analysis#br#

Journal of Information Security Reserach ›› 2025, Vol. 11 ›› Issue (9): 822-.

Previous Articles Next Articles

A Spectre Vulnerability Detection Method Integrating Fuzzing and #br# Taint Analysis#br#

Li Yang, Ma Ziqiang, Miao Li, and Yao Zihao

(School of Information Engineering, Ningxia University, Yinchuan 750021)
(Ningxia Key Laboratory of Artificial Intelligence and Information Security for Channeling Computing Resources from the East to the West(Ningxia University), Yinchuan 750021)
(Collaborative Innovation Center for Ningxia Big Data and Artificial Intelligence Cofounded by Ningxia Municipality and Ministry of Education(Ningxia University), Yinchuan 750021)

Online:2025-09-30 Published:2025-09-30

结合模糊测试和污点分析的幽灵漏洞检测

李扬马自强苗莉姚梓豪

(宁夏大学信息工程学院银川750021)
(宁夏“东数西算”人工智能与信息安全重点实验室(宁夏大学)银川750021)
(宁夏大数据与人工智能省部共建协同创新中心(宁夏大学)银川750021)

通讯作者: 马自强博士，副教授，硕士生导师.主要研究方向为系统安全、网络空间安全、信息安全. maziqiang@nxu.edu.cn
作者简介:李扬硕士研究生.主要研究方向为系统安全、网络空间安全. yangli@stu.nxu.edu.cn 马自强博士，副教授，硕士生导师.主要研究方向为系统安全、网络空间安全、信息安全. maziqiang@nxu.edu.cn 苗莉博士，副教授，硕士生导师.主要研究方向为网络空间安全. limiao_smile@nxu.edu.cn 姚梓豪硕士研究生.主要研究方向为系统安全. 12022131912@stu.nxu.edu.cn

Abstract

Abstract: Aiming at the problems of insufficient applicability of traditional vulnerability detection technology in Spectre V1 vulnerability detection, high false positive rate and false positive rate, a novel method TransFT integrating fuzz testing and taint analysis is proposed. First, program code is refactored to simulate the misprediction behavior of Spectre V1 vulnerabilities. Next, feedbackdriven fuzz testing is utilized to identify highrisk code segments and generate test cases capable of triggering vulnerabilities, thereby improving testing efficiency. Finally, static taint analysis is applied to validate potential vulnerabilities, effectively reducing FNR and FPR. Experimental results demonstrate that the proposed method significantly reduces FNR, FPR, and testing time compared to existing fuzzingbased approaches, showcasing superior detection capabilities.

Key words: Spectre vulnerability, transient execution attack, vulnerability detection, fuzzing testing, taint analysis

摘要： 针对传统漏洞检测技术在Spectre V1漏洞检测中适用性不足、漏报率和误报率较高等问题，提出了一种结合模糊测试与污点分析的Spectre V1漏洞检测方法TransFT.首先，通过对程序代码进行控制流重构，模拟Spectre V1漏洞的错误预测行为；其次，采用反馈驱动的模糊测试技术定位高风险代码片段，并保留和生成能够触发漏洞的测试用例，以提升测试效率；最后，基于静态污点分析对潜在漏洞进行验证，有效降低漏报率和误报率.实验结果表明，与传统方法相比，该方法在漏报率、误报率及测试时间方面均显著改善，展现出更优的漏洞检测能力.

关键词: 幽灵漏洞, 瞬态执行攻击, 漏洞检测, 模糊测试, 污点分析

CLC Number:

TP309

李扬, 马自强, 苗莉, 姚梓豪, . 结合模糊测试和污点分析的幽灵漏洞检测[J]. 信息安全研究, 2025, 11(9): 822-.

References

［1］吴晓慧, 贺也平, 马恒太, 等. 微架构瞬态执行攻击与防御方法［J］. 软件学报, 2020, 31(2): 544563［2］Xiong Wenjie, Szefer J. Survey of transient execution attacks and their mitigations［J］. ACM Computing Surveys, 2021, 54(3): 136［3］李扬, 高菲, 马自强, 等. 瞬态执行攻击防御方法研究进展［J］. 计算机工程与应用, 2025, 61(2): 3758［4］Lipp M, Schwarz M, Gruss D, et al. Meltdown: Reading kernel memory from user space［J］. Communications of the ACM, 2020, 63(6): 4656［5］Kocher P, Horn J, Fogh A, et al. Spectre attacks: Exploiting speculative execution［C］ Proc of the 2019 IEEE Symp on Security and Privacy. Piscataway, NJ: IEEE,2019: 119［6］Liu Fangfei, Yarom Y, Ge Qian, et al. Lastlevel cache sidechannel attacks are practical［C］ Proc of the 2015 IEEE Symp on Security and Privacy. Piscataway, NJ: IEEE, 2015: 605622［7］Kiriansky V, Waldspurger C. Speculative buffer overflows: Attacks and defenses［J］. arXiv preprint, arXiv:1807.03757, 2018［8］Sternberger M. Spectreng: An avalanche of attacks［COL］ Proc of the 4th Wiesbaden Workshop on Advanced Microkernel Operating Systems. 2018 ［20240223］. https:www.cs.hsrm.de~kaisereventswamos2018wamos18proceedings.pdf#page=23［9］RedHat Cor. Spectre variant 1 scanning tool［EBOL］. (20180821) ［20240715］. https:access.redhat.comblogs766093posts3510331［10］Wang G, Chattopadhyay S, Gotovchits I, et al. Oo7: Lowoverhead defense against spectre attacks via program analysis［J］. IEEE Trans on Software Engineering, 2019, 47(11): 25042519［11］Oleksenko O, Trach B, Silberstein M, et al. SpecFuzz: Bringing spectretype vulnerabilities to the surface［C］ Proc of the 29th USENIX Security Symposium. Berkeley, CA: USENIX Association, 2020: 14811498［12］汪美琴, 夏旸, 贾琼, 等. 模糊测试技术的研究进展与挑战［J］. 信息安全研究, 2024, 10(7): 668674［13］Qi Z, Feng Q, Cheng Y, et al. SpecTaint: Speculative taint analysis for discovering spectre gadgets［COL］ Proc of the Network and Distributed System Security Symposium. 2021: 841855 ［20250820］. https:dx.doi.org10.14722ndss.2021.23466［14］Yarom Y, Falkner K. Flush+ Reload: A high resolution, low noise, L3 cache sidechannel attack［C］ Proc of the 23rd USENIX Security Symposium. Berkeley, CA: USENIX Association, 2014: 719732［15］Microsoft Cor. Spectre mitigations inmsvc［EBOL］.(20180419) ［20240715］. https:devblogs.microsoft.comcppblogspectremitigationsinmsvc［16］Wang G, Chattopadhyay S, Biswas A K, et al. KLEESpectre: Detecting information leakage through speculative cache attacks via symbolic execution［J］. ACM Trans on Software Engineering and Methodology, 2020, 29(3): 131［17］Guarnieri M, Kpf B, Morales J F, et al. Spectector: Principled detection of speculative information flows［C］ Proc of the 2020 IEEE Symp on Security and Privacy. Piscataway, NJ: IEEE, 2020: 119［18］崔展齐, 张家铭, 郑丽伟, 等. 覆盖率制导的灰盒模糊测试研究综述［J］. 计算机学报, 2024, 47(7): 16651696［19］Kocher P. Spectremitigations in Microsoft’s CC++ compiler［EBOL］. (20180213)［20250226］. https:www.paulkocher.comdocMicrosoftCompilerSpectreMitigation.html［20］Nodejs. Httpparser: http requestresponse parser for c［EBOL］. (20190421) ［20240714］. https:github.comnodejshttpparser［21］Google. JSMN: A world fastest JSON parsertokenizer［EBOL］. (20190413) ［20240714］. https:github.comzsergejsmn［22］Google. Brotil: A genericpurpose lossless compression algorithm［EBOL］. (20181026) ［20240714］. https:github.comgooglebrotli［23］The YAML Project. LibYAML: A C library for parsing and emitting YAML［EBOL］. (20190521) ［20240714］. https:github.comyamllibyaml［24］OISF. Libhtp: A securityaware parser for the HTTP protocol and the related bits and pieces［EBOL］. (20190513) ［20240714］. https:github.comOISFlibhtp［25］OpenSSL. OpenSSL: TLSSSL and crypto library［EBOL］. (20210903) ［20240714］. https:github.comopensslopenssl

[1]	. A Web Vulnerability Detection Solution Integrating LSTM for Directory Acquisition [J]. Journal of Information Security Reserach, 2024, 10(9): 824-.
[2]	. Source Code Vulnerability Detection Based on Fewshot Learning#br# #br# [J]. Journal of Information Security Reserach, 2024, 10(5): 440-.
[3]	. Research on Source Code Vulnerability Detection Based on BERT Model [J]. Journal of Information Security Reserach, 2024, 10(4): 294-.
[4]	. Reentrancy Vulnerability Detection Method in Smart Contracts #br# Based on Hybrid Model and Attention Mechanism#br# [J]. Journal of Information Security Reserach, 2024, 10(11): 1056-.
[5]	. Machine Learning based Code Injection Attack Vulnerability Detection for Android Hybrid Applications [J]. Journal of Information Security Reserach, 2023, 9(10): 940-.
[6]	. A Vulnerability Detecting Approach Based on Sanitizer Identification for Embedded Devices [J]. Journal of Information Security Reserach, 2023, 9(10): 954-.
[7]	. The Detection Method for Token Trading Vulnerability and Authority Transfer Vulnerability Based on Symbolic Execution [J]. Journal of Information Security Reserach, 2022, 8(7): 632-.
[8]	. Apache Shiro Deserialization Attack Detection Model Based on Attack Characteristics [J]. Journal of Information Security Reserach, 2022, 8(7): 656-.
[9]	. Design and Implementation of Program Vulnerability Detection Tool Based on Dynamic Taint Analysis [J]. Journal of Information Security Reserach, 2022, 8(3): 301-.
[10]	. Vulnerability Detection System of Transformer Substation Host Based on Port Scanning [J]. Journal of Information Security Reserach, 2022, 8(2): 182-.
[11]	. A Survey of IoT Firmware Vulnerability Security Detection [J]. Journal of Information Security Reserach, 2022, 8(12): 1146-.
[12]	. Research and Implementation of Scalable Web Vulnerability Scanning Tool in Smart Microgrid [J]. Journal of Information Security Reserach, 2022, 8(12): 1198-.
[13]	. Research on Source Code Vulnerability Detection Based on Abstract Syntax Tree Compression Coding [J]. Journal of Information Security Reserach, 2022, 8(1): 35-.
[14]	. Advanced Threat Protection with Memory as the Target [J]. Journal of Information Security Reserach, 2021, 7(E1): 46-.
[15]	（国网湖南省电力有限公司信息通信分公司长沙）. Practical Research of IAST Technology under DevOps Development Model [J]. Journal of Information Security Reserach, 2021, 7(12): 1198-.

A Spectre Vulnerability Detection Method Integrating Fuzzing and #br# Taint Analysis#br#

结合模糊测试和污点分析的幽灵漏洞检测

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics