oo7, a binary analysis tool to defend against Spectre vulnerabilities

oo7: Detecting and Patching Spectre Vulnerabilities on Binary.

A binary analysis framework to defend against potential vulnerability to Spectre attacks. Our key contribution is to balance the concerns of effectiveness, analysis time and run-time overheads. We employ control flow extraction, taint analysis, and address analysis to detect tainted conditional branches and speculative memory accesses.


Guanhua Wang, Sudipta Chattopadhyay, Ivan Gotovchits, Tulika Mitra, and Abhik Roychoudhury. oo7: Low-overhead Defense against Spectre Attacks via Program Analysis. IEEE Transactions on Software Engineering (2020).

Paper link: oo7TSE


BibTeX (the citation key is a placeholder; the original entry did not survive extraction):

    @article{<citation-key>,
      title={{oo7}: Low-overhead Defense against Spectre Attacks via Program Analysis},
      author={Guanhua Wang and Sudipta Chattopadhyay and Ivan Gotovchits and Tulika Mitra and Abhik Roychoudhury},
      journal={IEEE Transactions on Software Engineering},
      year={2020}
    }


NOTE: You should agree with the licensing agreement (LICENSE.pdf) before using the tool.

Directory organization:

./check                # the Lisp files for ddtbd (core engine of oo7)
./ddtbd                # the source code for Spectre detection
./toy                  # a toy example from the Spectre paper:
./tool                 # a tool to profile the output (incidents) of the detection
./patch                # patch code for bap
./testcases            # simple test cases
    - Kocher_tests/    # the examples from Paul Kocher's post:

How to install and run:

Install opam and Bap.

Please follow the instructions on the following page to install opam and bap:

A. Install opam-1.2.2 or later.
    $ sudo add-apt-repository --yes ppa:avsm/ppa
    $ sudo apt-get update
    $ sudo apt-get --yes install opam

B. Initialize opam and install the OCaml compiler.
    $ opam init --comp=4.05.0
    $ eval `opam config env`

C. Install bap and its system dependencies.
    $ opam depext --install bap


Install and compile the development version of Bap.

Clone the bap project and check out the v1.5.0 tag inside the cloned directory:
$ git clone
$ git checkout tags/v1.5.0

Pin the cloned bap to opam; opam will automatically compile it:
$ opam pin add bap to/your/bap/project/path

Update your environment (PATH and friends):
$ eval `opam config env`

Make sure bap is version 1.5.0:
$ bap --version

Copy the "check/" directory and the patch file to your opam share directories:

$ cp -r check ~/.opam/4.05.0/share/bap/
$ cp patch/posix.h ~/.opam/4.05.0/share/bap-api/c/

NOTE: These paths may differ according to your opam installation and opam switch; `opam config var share` prints the share directory of the active switch.

Build and install the ddtbd plugin.

$ cd ddtbd/
$ bapbuild -clean
$ bapbuild ddtbd.plugin -pkgs bap-taint,bap-primus

Install the plugin:
$ bapbundle install ddtbd.plugin

Run the toy example.

$ cd toy/
$ bap ./test --recipe=check

Profile the output of the detection.

$ objdump -S test > test.asm
$ ./tool/ incidents test.asm

You can find a profile file named "incidents_profile.txt" in your directory.

The content of incidents_profile.txt:
	@branches: 12                # all condition branches
	@S1: 1 (8.333%)              # tainted branches <CB>
	@S2: 1 (8.333%)              # tainted branches with IM1 <CB, IM1>
	@S2_avg_dis: 10              # average distance between CB and IM1
	@S3: 1 (8.333%)              # tainted branches with IM1, IM2 <CB, IM1, IM2>
	@S3_avg_dis: 7               # average distance between CB and IM2

	S1#4005c8                    # address of CB

	S2#4005c8#4005cf#3           # address of CB and IM1 along with the distance of CB and IM1

	S3#4005c8#4005cf#4005de#7    # address of CB, IM1, IM2 along with the distance of CB and IM2

	taint#400648                 # tainted addresses. 
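
The profile format above, parsed by an added example that is not code from the oo7 repository (the project's own profiler lives in ./tool and is not reproduced here). It assumes the file has exactly the layout listed: '@' header counters, optionally followed by a "(x%)" share, then '#'-separated S1/S2/S3/taint records; the annotations the README prints after each value are tolerated and ignored. The sample input embedded in the block is constructed from the README's listing. The parser cross-checks the header counts and percentages against the records and orders incidents for review, S3 (CB with both IM1 and IM2) first.

```python
"""Parser for oo7's incidents_profile.txt (added example, not repository code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input mirroring the layout shown in the README.
SAMPLE_PROFILE = """\
@branches: 12                # all condition branches
@S1: 1 (8.333%)              # tainted branches <CB>
@S2: 1 (8.333%)              # tainted branches with IM1 <CB, IM1>
@S2_avg_dis: 10
@S3: 1 (8.333%)
@S3_avg_dis: 7

S1#4005c8                    # address of CB
S2#4005c8#4005cf#3
S3#4005c8#4005cf#4005de#7
taint#400648
"""


@dataclass
class Incident:
    stage: str                       # "S1", "S2" or "S3"
    cb: int                          # address of the tainted conditional branch
    im1: Optional[int] = None        # first speculative memory access (S2, S3)
    im2: Optional[int] = None        # second memory access (S3 only)
    distance: Optional[int] = None   # distance the tool reports (CB->IM1 for S2, CB->IM2 for S3)


@dataclass
class Profile:
    stats: Dict[str, int] = field(default_factory=dict)     # "@key: value" counters
    shares: Dict[str, float] = field(default_factory=dict)  # "(x%)" shares of all branches
    incidents: List[Incident] = field(default_factory=list)
    tainted: List[int] = field(default_factory=list)        # addresses reported as tainted


HEADER_RE = re.compile(r"^@(\w+):\s*(\d+)(?:\s*\(([\d.]+)%\))?$")

# Number of '#'-separated fields that follow the record kind, per kind.
RECORD_ARITY = {"S1": 1, "S2": 3, "S3": 4}


def parse_profile(text: str) -> Profile:
    """Parse the profile text; raises ValueError on a line it does not understand."""
    prof = Profile()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("@"):
            # Header line; anything after '#' is an annotation, not data.
            m = HEADER_RE.match(line.split("#", 1)[0].strip())
            if not m:
                raise ValueError(f"line {lineno}: bad header {raw!r}")
            key, count, share = m.groups()
            prof.stats[key] = int(count)
            if share is not None:
                prof.shares[key] = float(share)
            continue
        # Record line: the record is the first whitespace-delimited token (so a
        # trailing annotation is ignored) and '#' separates its fields.
        kind, *fields = line.split()[0].split("#")
        if kind == "taint":
            prof.tainted.extend(int(a, 16) for a in fields)
            continue
        if kind not in RECORD_ARITY or len(fields) != RECORD_ARITY[kind]:
            raise ValueError(f"line {lineno}: unrecognised record {raw!r}")
        inc = Incident(kind, int(fields[0], 16))
        if kind in ("S2", "S3"):
            inc.im1 = int(fields[1], 16)
            inc.distance = int(fields[-1])      # last field is the distance
        if kind == "S3":
            inc.im2 = int(fields[2], 16)
        prof.incidents.append(inc)
    return prof


def check_consistency(prof: Profile, tol: float = 0.001) -> List[str]:
    """Cross-check the header counters against the records; returns the problems found."""
    problems = []
    branches = prof.stats.get("branches", 0)
    for stage in ("S1", "S2", "S3"):
        found = sum(1 for i in prof.incidents if i.stage == stage)
        if prof.stats.get(stage, 0) != found:
            problems.append(f"{stage}: header says {prof.stats.get(stage, 0)}, records show {found}")
        if branches and stage in prof.shares:
            expected = 100.0 * found / branches
            # The file prints three decimals, so compare at that precision.
            if abs(round(expected, 3) - prof.shares[stage]) > tol:
                problems.append(f"{stage}: share {prof.shares[stage]}% != {expected:.3f}%")
    return problems


def triage(prof: Profile) -> List[Incident]:
    """Order incidents for review: S3 (CB with IM1 and IM2) first, then S2, then S1."""
    rank = {"S3": 0, "S2": 1, "S1": 2}
    return sorted(prof.incidents, key=lambda i: (rank[i.stage], i.cb))


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    for problem in check_consistency(profile):
        print("inconsistent:", problem)
    for inc in triage(profile):
        print(inc)
```

Feed a real incidents_profile.txt to parse_profile() to get the same structures; a non-empty result from check_consistency() means the header and the record list disagree and the file deserves a closer look before the numbers are reported.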

Testing Paul Kocher's examples (from the repository root):

$ cd testcases/Kocher_tests/v01
$ gcc test.c -g -o test
$ bap ./test --recipe=check
$ objdump -S test > test.asm
$ ../../../tool/ incidents test.asm

Other options

Use $ bap --ddtbd-help to list more options.
A. Using '--ddtbd-ignore-program-dependencies', or '--ddtbd-ignore-program-dependencies --ddtbd-ignore-control-dependencies', reduces the number of detection results, but may miss some true positives.
B. You can edit "recipe.scm" to enable or disable the options.