SpecuSym: Speculative Symbolic Execution for Cache Timing Leak Detection

by   Shengjian Guo, et al.

CPU cache is limited but crucial storage on modern processor whereas the cache timing side-channel could indirectly leak data through the measurable timing variance. Speculative execution, a reason for the variance and a vital optimization in modern CPUs, can engender severe detriment to deliberate branch mispredictions. Though static analysis can qualitatively verify the timing-leakage-free property under speculative execution, it is incapable of producing endorsements including inputs and speculated flows to diagnose leaks in depth. This work proposes a new approach, Speculative symbolic Execution, for precisely validating cache timing leaks introduced by speculative execution. Generally, given a program with sensitive inputs (leakage-free in non-speculative execution), our method systematically explores the program state space. Meanwhile, it models speculative behavior at conditional branches and accumulates the cache side effects along with subsequent execution. Based on the dynamic exploration and a specified cache model, we construct leak conditions for memory accesses and conduct a constraint-solving based cache behavior analysis to generate leak witnesses. We have implemented our method in a tool named SpecuSym on KLEE, and evaluated it against 14 open-source benchmarks. Experiments show that SpecuSym successfully identified leaks in 6 programs on four different caches and eliminated false positives in 2 programs reported by recent work.



page 1

page 2

page 3

page 4


Adversarial Symbolic Execution for Detecting Concurrency-Related Cache Timing Leaks

The timing characteristics of cache, a high-speed storage between the fa...

On the Incomparability of Cache Algorithms in Terms of Timing Leakage

Modern computer architectures rely on caches to reduce the latency gap b...

ETAP: Energy-aware Timing Analysis of Intermittent Programs

Energy harvesting battery-free embedded devices rely only on ambient ene...

Validation of Abstract Side-Channel Models for Computer Architectures

Observational models make tractable the analysis of information flow pro...

MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols

The recent Meltdown and Spectre attacks highlight the importance of auto...

Automated Side Channel Analysis of Media Software with Manifold Learning

The prosperous development of cloud computing and machine learning as a ...

CANAL: A Cache Timing Analysis Framework via LLVM Transformation

A unified modeling framework for non-functional properties of a program ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.