SpecFuzz is the first tool that enables dynamic testing for
speculative execution vulnerabilities (e.g., Spectre). The key
is a novel concept of speculation exposure: The program is
instrumented to simulate speculative execution in software by
forcefully executing the code paths that could be triggered due
to mispredictions, thereby making the speculative memory
accesses visible to integrity checkers (e.g., AddressSanitizer).
Combined with the conventional fuzzing techniques, specula-
tion exposure enables more precise identification of potential
vulnerabilities compared to state-of-the-art static analyzers.
Our prototype for detecting Spectre V1 vulnerabilities suc-
cessfully identifies all known variations of Spectre V1 and
decreases the mitigation overheads across the evaluated appli-
cations, reducing the amount of instrumented branches by up
to 77% given a sufficient test coverage.