Spectre attacks exploit speculative execution to leak sensitive information.
In the last few years, a number of static side-channel detectors have been
proposed to detect cache leakage in the presence of speculative execution.
However, these techniques either ignore the branch prediction mechanism, detect
only static pre-defined patterns (which is unsuitable for discovering new
patterns), or lead to false negatives.
In this paper, we illustrate the weakness of prediction-agnostic
state-of-the-art approaches. We propose Specognitor, a novel prediction-aware
symbolic execution engine to soundly explore program paths and detect subtle
Spectre variant 1 and variant 2 vulnerabilities. We propose a dynamic pattern
detection mechanism that accounts for both existing and future vulnerabilities.
Our experimental results show the effectiveness and efficiency of Specognitor
in analyzing real-world cryptographic programs with respect to different
processor families.
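The Spectre variant 1 code shape that static and symbolic detectors such as the one described above search for (a bounds check followed by a load whose address depends on the checked data), shown beside the branchless index-masking mitigation. This is an added example in C, not code from the paper or from the Specognitor tool; the arrays, their lengths, the table contents and the clamp_index helper are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data (not from the paper). */
#define PUBLIC_LEN 16
uint8_t public_data[PUBLIC_LEN] = {
    7, 3, 9, 1, 12, 5, 0, 8, 14, 2, 11, 6, 13, 4, 10, 15
};

/* Lookup table with one entry per 64-byte cache line, so that the second
 * load's address selects a cache line determined by the first load's value. */
#define LINE 64
uint8_t lookup_table[256 * LINE];

/* Fills the table deterministically; entry i lives at offset i * LINE. */
void init_table(void) {
    for (size_t i = 0; i < 256; i++)
        lookup_table[i * LINE] = (uint8_t)(i ^ 0xA5);
}

/* Unhardened variant 1 pattern. Architecturally the bounds check protects
 * the access, but if the branch predictor guesses "taken" the two loads can
 * execute speculatively with an out-of-bounds idx, and the cache line
 * touched by the second load is determined by whatever byte sits past the
 * end of public_data. A prediction-aware detector must model that path
 * even though it is never architecturally reachable. */
uint8_t victim_unhardened(size_t idx) {
    if (idx < PUBLIC_LEN) {
        return lookup_table[public_data[idx] * LINE];
    }
    return 0;
}

/* Index masking: the mask is derived from the comparison result with plain
 * arithmetic, so the clamped index is a data dependency rather than a
 * control dependency and stays in range even under misprediction.
 * Compilers usually emit a conditional-set for (idx < len); production code
 * such as the Linux kernel's array_index_mask_nospec() pins this down with
 * inline assembly so the comparison can never become a branch. */
static inline size_t clamp_index(size_t idx, size_t len) {
    size_t mask = (size_t)0 - (size_t)(idx < len);   /* all ones or all zeros */
    return idx & mask;
}

/* Hardened form: same check, but the load index is clamped first. */
uint8_t victim_hardened(size_t idx) {
    if (idx < PUBLIC_LEN) {
        size_t safe_idx = clamp_index(idx, PUBLIC_LEN);
        return lookup_table[public_data[safe_idx] * LINE];
    }
    return 0;
}

int main(void) {
    init_table();
    printf("in-bounds  idx=3   -> %u\n", victim_hardened(3));
    printf("clamped    idx=200 -> %zu\n", clamp_index(200, PUBLIC_LEN));
    return 0;
}
```

Both functions return the same architectural result; the difference is only visible on the speculative path, which is exactly why a pattern detector that reasons about the branch predictor, rather than about architectural control flow alone, is needed to tell them apart.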