SpecuSym: Speculative Symbolic Execution for Cache Timing Leak Detection by Guo, Shengjian et al.
SpecuSym: Speculative Symbolic Execution for Cache Timing
Leak Detection
Shengjian Guo
Baidu X-Lab
Yueqi Chen
Pennsylvania State University
Peng Li
Baidu X-Lab
Yueqiang Cheng
Baidu X-Lab
Huibo Wang
Baidu X-Lab
Meng Wu
Ant Financial
Zhiqiang Zuo
Nanjing University
ABSTRACT
CPU cache is limited but crucial storage on modern processor
whereas the cache timing side-channel could indirectly leak data
through the measurable timing variance. Speculative execution, a
reason for the variance and a vital optimization in modern CPUs,
can engender severe detriment to deliberate branch mispredictions.
Though static analysis can qualitatively verify the timing-leakage-
free property under speculative execution, it is incapable of produc-
ing endorsements including inputs and speculated flows to diagnose
leaks in depth. This work proposes a new approach, Speculative
symbolic Execution, for precisely validating cache timing leaks in-
troduced by speculative execution. Generally, given a program with
sensitive inputs (leakage-free in non-speculative execution), our
method systematically explores the program state space. Mean-
while, it models speculative behavior at conditional branches, and
accumulates the cache side effects along with subsequent execu-
tion. Based on the dynamic exploration and a specified cache model,
we construct leak conditions for memory accesses, and conduct
a constraint-solving based cache behavior analysis to generate
leak witnesses. We have implemented our method in a tool named
SpecuSym on KLEE, and evaluated it against 14 open-source bench-
marks. Experiments show that SpecuSym successfully identified
leaks in 6 programs on four different caches and eliminated false
positives in 2 programs reported by recent work.
1 INTRODUCTION
Computer cache is a limited but crucial storage area on processor
chips. It primarily relieves the speed gap between the rapid proces-
sors and the slow main memory, by buffering recently used data for
faster reuse. Cache timing side-channel attacks [22, 39] leverage
the distinguishable cache physical symptoms, i.e., the cache access
latency in software program executions, to penetrate the confiden-
tiality of the victim system. On exploiting the vulnerable software
implementations, adversaries can extract the application secrets
[13, 28, 48, 52], infer the neural network structure [26, 32, 33, 60],
or even dump the kernel memory data [34, 38, 44, 56].
Generally, a timing side channel presents the intermediate carrier
through which private data could be disclosed to external observers
by elaborate measurements of the time on certain operations. One
particular instance is the cache timing side-channel that leaks data
from the variance of the cache visiting latency in software execu-
tions. State-of-the-art program repair method [58] mitigates cache
timing leaks by enforcing constant execution time for all secret
, ,
.
Symbolic
Sensitive Input
Leakage-free
Program P
Insensitive
Plain Input
Symbolic
Execution
Cache
State Modeling
Cache
Behavior Analysis
Speculative
Execution Modeling
New Timing
Leak Witnesses
1
2
3 4
Figure 1: Overall flow of Speculative Symbolic Execution.
relevant operations. However, this strong mitigation may still be
compromised by thread-level concurrency [30] or instruction-level
parallelism like speculative execution [36].
Speculative execution [36] is a vital optimization of modern pro-
cessors. Essentially, it increases the CPU instruction pipeline through-
put by beforehand scheduling instructions under predicted branches,
which prevents from stalling the pipeline. Despite its importance,
the side effects from prediction errors to cache state may engen-
der severe vulnerabilities through the cache timing side channel
[12, 35, 38, 56] in terms of the disorganized memory accesses.
Program analysis for speculative execution is by no means a
new approach. Literally, existing efforts mainly focused on safe and
efficient execution [18, 27, 50], worst case execution time [42, 43],
concurrency bug prediction [17, 41] and etc, while Wu et.al [59] re-
cently proposed static verification of timing-leakage-free property
under speculative execution. However, such abstract interpretation
based method [59] qualitatively answers the yes or no question — it
is incapable of generating input and the exact execution flow to en-
dorse the leaks in depth. Moreover, over-approximation inherently
incurs false positives, thus a more precise method is indispensable.
To this end, we propose a newmethod speculative symbolic execu-
tion, for the validation of cache timing leaks introduced by specula-
tive execution. Figure 1 shows the overall flow of our method. Given
a programP which is leakage-free under non-speculative execution,
the sensitive inputs represented in symbol, and insensitive inputs,
our method leverages symbolic execution to explores P’s state
space. In addition, it models speculative execution at conditional
branches during execution (cf. 1 ) and accumulates cache side effects
along with subsequent executions (cf. 2 ). Based on the memory
access history and the cache model, it conducts a constraint-solving
based cache behavior analysis (cf. 3 ) upon memory accesses, and
output the precise leak witnesses (cf. 4 ).
1
ar
X
iv
:1
91
1.
00
50
7v
1 
 [c
s.C
R]
  4
 N
ov
 20
19
, , Shengjian Guo, Yueqi Chen, Peng Li, Yueqiang Cheng, Huibo Wang, Meng Wu, and Zhiqiang Zuo
Our method has three major challenges. The first challenge is
from the modeling of speculative behaviors. Classic symbolic execu-
tors [14, 49] neither support speculative execution nor are cache-
aware since they primarily focus on the functional correctness
rather than reasoning the implicit program properties. The sec-
ond challenge comes from the cache state maintenance. Due to the
symbolic nature, one symbolic memory address may correspond to
multiple concrete addresses. Updating the cache after each memory
access can lead to an explosive number of cache states. The last
challenge stems from the analysis cost. Processors may trigger mul-
tiple branch mis-predictions along a program path. Indiscriminately
covering all possibilities not only introduces tremendous constraint
solving overhead but also counts many redundant cases.
The first challenge motivates us to design a new modeling algo-
rithm which satisfies both feasibility and high-fidelity in symbolic
execution. In essence, it utilizes the stateful exploration to mimic
the speculative behaviors and isolates memory changes in spec-
ulative states from regular symbolic states. To tackle the second
challenge, we developed a lazy modeling strategy which tracks
memory accesses and lazily reasons about cache effects rather than
maintaining a complete cache state set. To address the last chal-
lenge, we filter the branches that are unlikely to cause harmful
speculative execution. Also, we develop several optimization to
shrink the constraint size for solving cost reduction.
We have implemented Speculative Symbolic Execution in a proto-
type named SpecuSym atop KLEE [14] and LLVM [40]. The evalua-
tion of SpecuSym has been performed on 15 open-source programs
which have 8,791 lines of C code in total. Experiments manifest
SpecuSym detects from 22 to 130 leaks in 6 programs under four
different set-associative caches.
To summarize, we have made the following contributions:
• We propose a new approach, Speculative Symbolic Execu-
tion, for modeling speculative execution and analyzing the
affected cache behaviors in symbolic execution.
• We address the aforementioned challenges and implement
our new method, in a software tool SpecuSym , to detect
cache timing leaks under speculative execution.
• We evaluate SpecuSym on 15 open-source benchmarks to
demonstrate its effectiveness through discovering from 22
to 130 leak witnesses under four different caches.
The remainder of this paper is organized as follows. Section 2 mo-
tivates our work and section 3 reviews the background knowledge.
Section 4 states our major contributions and optimizations. Next,
we present our experiments in Section 5 and discuss the related
work in Section 6. Finally, we conclude our work in Section 7.
2 MOTIVATION
In this section, we use an example to motivate our work. By study-
ing its timing-leakage-free cache behavior in a non-speculative
execution and the new leaks caused by speculative execution, we
position how SpecuSym facilities leakage diagnosis.
2.1 Program P and the Cache Mapping
Figure 2(a) shows a program snippet P whose execution time re-
mains stationary in non-speculative execution but varies w.r.t the
sensitive input when running under speculative execution.
Listed at line 2, P has 4 local variables S, x, v1, and v2. Operating
these variables leads to memory accesses. E.g., the implicit memory
read of x (line 6) and the explicit store to v1 (line 7). The remaining
1 // x: sensitive input
2 uint8_t S[254],x,v1,v2;
3 register uint8_t i=0;
4 while(i < 254)
5 load S[i++];
6 if(x > 128)
7 store v1, 1;
8 else
9 store v2, 1;
10 load S[x]; // x∈[0,254)
(a) The program snippet P
256
Lines
v1
x
S[253]
S[252]
......
S[2]
S[1]
S[0]
1 Byte
v2
Speculative
Non-
speculative
(b) The 256*1 cache C
Figure 2: A program with leak under speculative execution.
variable i (line 3) is a register variable which does not incur memory
access. Also, variable x is a sensitive input and any form of revealing
its value turns to be a leak.
To analyze P, we use a fully associative cache C, as shown in
Figure 2(b). It is an extreme case of the N-way associative cache
where a memory address in P may map to any cache line in C,
subjecting to the line availability and the replacement policy. Here
we assume C uses the Least Recently Used (LRU) policy which
always evicts the least used line once the cache is fully occupied.
Cache C consists of 256 cache lines and each line contains exact
one byte. Local variables are inserted to C according to their sizes
as well as the execution order. E.g., in Figure 2(b) array Smaps from
cache lines #1 to #254 because of the array traverse in the while
loop (lines 4-5) and each array item successively occupies a full line.
Then variable x maps to the 255th line. Next, v1 would use the last
available line (line #256) if x is greater than 128 and the execution
flow proceeds into the if branch. Otherwise, the execution takes
the else branch and writes v2, mapping v2 to line #256.
2.2 Leakage-free in Non-speculative Execution
Running P without speculative execution won’t leak any informa-
tion about x, and we analyze why this claim holds in this section.
There are two program paths in P in terms of the if-else branch.
Let’s name the path containing the if branch as p1 and the other
one as p2. The only difference between p1 and p2 is the memory
store operation which writes v1 on p1 but v2 on p2. As analyzed in
section 2.1, v1 would map to the last line of C. Similarly, without
speculative execution v2 also maps to the same line, as annotated
by the solid arrow in Figure 2(b). This is because normally either
p1 or p2 could be taken. Consequently, either the store to v1 or the
store to v2 may happen. In both cases, line #256 is untouched until
the store operates. Thereby, v1 or v2 takes that available line.
Relying on this fact, we observe similar cache behavior on both
p1 and p2 under non-speculative execution. The first 254 load op-
erations of array S, the next implicit memory read of x, and the
succeeded store to v1 on p1 or v2 on p2 all cause cold misses since
the cache is initially empty. However, the last memory load on S[x]
(line 10) must be a cache hit on both paths because S and x have
already been inserted in the cache C. In other words, P’s cache
behavior is independent of the sensitive input x hence P has no
cache timing leaks under non-speculative execution.
2
, ,
2.3 New Leak under Speculative Execution
Recall that in section 2.2 only one store operation could occur in
non-speculative execution. However, the situation changes and new
timing leak appears when running P with speculative execution.
Under speculative execution, the instructions guarded by a branch
br can be scheduled before the execution really proceeds into br in
case the processor predicts that br is likely to be taken. For example,
suppose we first run P with x∈[128,255] several times and flush
the cache after each run. Afterward, we run P again but setting x
to 127. Still, the store instruction under the if branch (line 7) would
be executed before P steers into the else branch due to the branch
mis-prediction. More importantly, though the CPU performs a roll-
back to discard the update to v1, the cache side effect from writing
v1 remains in C even after the remedy.
Going until line 9, array S and variable x map from line #1 to
line #255 and v1 still occupies the #256 line. At this point there is
no empty line available for v2. Following the LRU policy declared
in section 2.1, executing the store instruction (line 9) would evict
the oldest item S[0] from cache C and map v2 to the vacated line
#1, as shown by the red dotted arrow in Figure 2(b).
Next, the program execution continues to line 10, reaching the
last memory load of S[x]. The sensitive input x determines which
array cell would be accessed. And we examine the cache behavior
of this memory load w.r.t two cases x=0 and x!=0.
• x=0: P reads the array cell S[0]. Recall that x is still in cache
C but S[0] is no longer in C due to the replacement by v2.
So this memory load causes a conflicting cache miss.
• x!=0: Since the whole array S except S[0] is in C, the load
on S[x] must get a cache hit no matter what value x is.
Only if x=0 there is one more cache miss on path p2. This is
an unique leak that enables attackers to learn the value of x due
to a measurable timing variance. Note that the cold miss on spec-
ulatively writing v1 also causes an internal latency. However, it
is un-observable to the external users and we ignore it safely for
analysis purpose.
2.4 What SpecuSym Should Provide
The example shows that, though a program is carefully crafted to
avoid cache timing leaks, running it under speculative execution
may still exhibit new leaks. Since speculative execution is critical
to modern processors, a systematic analysis for exposing the leaks
would be of great importance. Specifically, we focus on two abilities
for our Speculative Symbolic Execution tool SpecuSym .
First, SpecuSym should be able to systematically explore possible
program executions under speculative execution to find program
paths and a minimum set of speculative flows that can cause po-
tential timing leaks. E.g., both p1 and p2 and the corresponding
speculations on the else and if branches, respectively.
Second, SpecuSym should be able to pinpoint the leaky sites by
cache analysis. It also requires to generate concrete inputs that
witness new cache behavior at the identified memory visits. E.g.,
the memory store events to v2 and v1 and the value zero of x.
3 PRELIMINARIES
In this section, we review the preliminary knowledge of symbolic
execution, cache timing leak, and speculative execution.
3.1 Symbolic Execution
Algorithm 1: Baseline Symbolic Execution.
Initially: The global state container Stack is empty (Stack⇐∅).
Start BaseSymExec (sini) on an initial state sini with in := {λ, t }.
1 BaseSymExec (SymbolicState s )
2 begin
3 Stack.push(s );
4 if s.e is branch event then
5 for c ∈ s.brs and s.pc ∧ c is satisfiable do
6 s.pc ← s.pc ∧ c;
7 BaseSymExec (SubsequentState(s)); // Theψ event
8 end
9 else if s.e is memory access event then
10 BaseSymExec (SubsequentState(s)); // The χ event
11 else if s.e is other interpretable event then
12 BaseSymExec (SubsequentState(s)); // The φ event
13 else
14 Terminate state s ;
15 end
16 Stack.pop();
17 end
18 SubsequentState (SymbolicState s)
19 begin
20 s′ ← symbolically execute e.inst in s;
21 s′ .e ← next available event;
22 return s ′;
23 end
Symbolic execution, a systematic program testing and analysis
technique, was first introduced in the 1970s [20, 37]. In this work we
assume that a program P consists of a finite set of instructions and
P defines the execution semantics in the program paths. Let inst
be an instruction then an event e:=(lb ≻ inst ≻ la ) represents the
interpretation of inst where lb and la denote the program locations
before and after inst , respectively. A program execution explores a
program path by interpreting a sequence of events. Close to [29, 30],
we abstract e into three categories in terms of the type of the inst
that e contains.
• ψ -event, which presents a branch decision. It models the
then branch by assume(c) and the else branch by assume(¬c),
respectively. Term c is the representative of a conditional
predicate expressed in symbolic expression.
• χ -event, which corresponds to a memory read instruction
of the form var = load addr, or a memory write instruction
like store addr, expr where addr is the memory address and
expr is a symbolic expression.
• φ-event, which represents other types of instructions in the
form var := expr. Here var is a variable and expr is a sym-
bolic expression computed from preceding operations like
arithmetic calculation, bit manipulation, and etc.
Despite symbolic executors always support a rich set of instruc-
tions, we use the above types of events to abstract away the internal
implementation details like memory allocation, function return,
and etc., to focus on the high-level flow of symbolic execution. We
present the baseline symbolic execution of a sensitive input related
program in Algorithm 1. Unlike prior works [29, 30], both global
and local memory accesses are grouped into one uniform form. The
data input, in := {λ, t}, determines a program execution consisting
of ordered events {e1, . . . , en } where λ is the sensitive input, e.g.,
privacy data or cipher keys, and t is the insensitive input.
The Stack is a global container for storing symbolic states during
dynamic path exploration. A symbolic state s exhibits the frontier
of a program execution. We define s as a tuple ⟨pc, e, brs,Ω⟩ where
pc is the path condition that leads to s, e is the event to execute at
3
, , Shengjian Guo, Yueqi Chen, Peng Li, Yueqiang Cheng, Huibo Wang, Meng Wu, and Zhiqiang Zuo
s, brs contains the set of branch predicates if e is aψ event, and Ω
is the symbolic memory of s which maintains the mappings from
the program variables to their runtime values at s.
Initially, the global container Stack is empty, and we start the
recursive procedure BaseSymExecwith the initial state sini on input
in which steers the execution to a random path. During the explo-
ration, the procedure may perform a branch splitting (lines 4-8),
a memory operation (lines 9-10), an internal computation (lines
11-12) or a state termination (line 14), depending on the event type.
Note that at the entry of each recursion, BaseSymExec takes a
new symbolic state as the input, which is obtained from invoking a
secondary procedure SubsequentState. This procedure accepts the
current state s as the argument and outputs the new state s ′ from
symbolically executing the inst of e at s. For brevity here we omit
the details of the instruction interpretation.
3.2 Cache Timing Leak
Memory operations are prone to timing leaks because of the out-
standing visiting latency between the cache and the main memory.
For example, loading data from cache may cost 1-3 processor cycles
whereas reading data from memory could consume hundreds of
processor cycles. In this section, we first establish the threat model
in our work, and then define the leak we are interested at based on
the threat model.
3.2.1 The Threat Model. As shown in Figure 2, the sensitive
data involved in memory accesses is leaked from the traffic of a
memory write. To reason this kind of leaks in our analysis method,
we assume the attackers can perform strong external threats.
First, we assume the attackers share the same processor with
the victim process. Hence they are able to learn the shared cache
states by probe methods. Second, they are allowed to request the
execution of the victim process. Third, they can observe the latency
of the interested memory visits in the victim process. Our threat
model is close to those used in practical attacks like [23, 48, 61],
where the attackers can deduce the cache line states by measuring
the timing information of either the victim or the attacker process.
Moreover, this model also appears in leak detection approaches
like [11, 25, 55, 57]. Thereby, we believe it is a reasonable model for
analysis purpose.
3.2.2 The Leak Definition. Formally, we can abstract a sensi-
tive data related program P to be a function FP (in) ⇒ out who
processes the data input in := {λ, t} (as defined in section 3.1) and
computes the output out, e.g., assuming P is an encryption process,
λ is the private key, t is the content for encryption, and out is the
ciphertext, respectively. Let T (FP (in)) denotes the execution time
of P with input in under non-speculative execution. Different in-
puts may explore many different execution paths. However, since
we are only interested in leaks introduced by speculative execution,
we assume the time of those non-speculative program execution
remains similar or the same no matter what the sensitive inputs
are, which is,
∀t, λ, λ′ . T (FP (λ, t)) ≃ T (FP (λ′, t)) (1)
Symbols λ and λ′ denote any two sensitive values and t is still
the public input. Nevertheless, since in practice attackers may gain
information by observing several memory addresses or cache lines,
we restrict the leak granularity to the memory event regarding
our threat model. Specifically, let e be a memory event in P and
the time of executing e with and without speculative execution be
Ts(Pe(in)) and T (Pe(in)), we assume:
∀t, λ, λ′ . T (Pe(λ, t)) ≃ T (Pe(λ′, t)) (2)
Then the new cache timing leak ofP under speculative execution
can be checked by the following formula
∃t, λ, λ′ . (λ , λ′ ∧ Ts(Pe(λ, t)) , Ts(Pe(λ′, t)))∨
T (Pe (λ, t)) , Ts (Pe (λ′, t)) (3)
where a leak appears if (1) two different sensitive inputs can cause
significant timing differences on executing e under speculative
execution; or (2) two sensitive inputs cause significant timing dif-
ference on executing e with and without speculative execution.
In other words, P has a leak due to speculative execution if such
pair of λ and λ′ exists. Moreover, we transform formula (3) into
a dedicated leak constraint and simplify the constraint to a more
concise form in section 4. Also, as public input plays a minor role
in modeling cache timing leaks [53], we set t to a fixed value to
reduce the reasoning cost of formula (3).
3.3 Speculative Execution
The instruction pipeline [51] in processor allows overlapped exe-
cutions of proper instructions where each instruction execution
has a series of stages. This instruction-level parallelism benefits
hardware utilization since an instruction can start its stage prior
to the time its preceding instructions have finished all their stages.
However, a pipe-lined processor may get stalled once the program
control flow needs to divert but the destination remains unknown
(e.g., at a conditional branch). Accordingly, the pipeline has to await
until the flow decision is computed.
To alleviate the cost of this control hazard, modern processors
leverage branch prediction [45] and speculative execution [36] to
reduce the delay that could incur w.r.t conditional branch instruc-
tions. Generally, they predict the execution flow upon the history
of recently executed branches, and schedule instructions under pre-
dicted branches ahead of jumping into these branches. Specifically,
on approaching a control hazard the processors first predict which
branch to be taken. Then, they execute the selected branch and
maintain the temporary path state in a dedicated buffer. Finally,
they commit the buffered state to continue the program flow if
the prediction is correct. Otherwise, upon an incorrect prediction,
they have to discard the temporary state to revert the effects of the
executed instructions hence avoiding functional errors.
This rollback mechanism, unfortunately, withdraws no affected
cache state, which raises security risks. As shown in Figure 2(b),
variable v2 may map to cache line #256 due to speculative execu-
tion of the else branch. Moreover, this affect is not eliminated when
control flow is redirected to the if branch because of the mispredic-
tion. As a result, sensitive data x leaks over the altered cache state.
Abstracting away the hardware details, we can precisely model
the behavior of speculative execution in symbolic execution as a
three-step process and evaluate its side effects to the cache state
with a constraint-solving based approach.
Misprediction Modeling. As aforementioned, on reaching a
control hazard the processors predict the hazard result to select
a branch. Despite the experience-based hardware realization, we
can model this behavior by auxiliary symbolic state. To be specific,
before diverging the control flow into the if branch, our symbolic
executor would decide to duplicate a new state from the current
4
, ,
symbolic state and schedule it immediately into the else direction,
which represents the speculative execution of the else branch.
Speculative State Execution. Each duplicated state in mispre-
diction modeling has the same memory snapshot to its parent sym-
bolic state. For clarity, we use speculative state to name the new
state. A speculative state will be prioritized to the head of the state
queue in the symbolic executor, and executes uninterruptedly until
it meets a predefined threshold, such as the maximum instruction
number in the Reorder Buffer (ROB), the pipeline stage number,
the branch depth, and etc. Owing to the copy-on-write schema in
modern symbolic executors [14, 19], the speculative state runs inde-
pendently from their parent symbolic state. The memory updates
in a speculative state won’t taint its parent state who waits at the
state-forking point for the speculative state returns. For the sake of
cache analysis, we model the runtime cache state in each symbolic
state. A speculative state inherits this data from its parent and keeps
updating the cache during its execution.
Rollback andCacheMerging.Once a speculative state reaches
the threshold, it has to stop and quit the state queue. Right before
its termination, it notifies the awaiting parent state the finish of
the current speculative execution, as well as transfers the cache
status back to the parent. On receiving the notification, the parent
symbolic state merges the speculated cache into its own cache to
form the latest cache state. After that, the parent aborts waiting
and resumes the normal execution. This step models the processor
rollback mechanism in high fidelity and retains the changed cache
state from speculative execution. Terminating the speculative state
eliminates any further affects and the latest cache status has already
been absorbed into the parent state. This approach is natural to
symbolic execution, while the existing simulation [47] method
requires sophisticated instrumentations and specific instructions
to enforce CPU behaviors. More technical details will be presented
in section 4.1.
4 SPECULATIVE SYMBOLIC EXECUTION
In this section we present the core algorithm of SpecuSym , and
explain the technical contributions listed in Figure 1. Algorithm 2
shows the main algorithm of SpecuSym , where the major changes
from the baseline algorithm are at the state checkpoint (lines 3-5),
the branch point (line 9), and the memory access point (lines 14-15).
We highlight these changes in blue.
4.1 Speculative Modeling
On entering the SpecuSym procedure, our new algorithm first
checks if the current state s is a speculative state, and whether
s has reached the predefined threshold (line 3). If both conditions
are met, SpecuSym stops the recursive symbolic execution on s and
returns immediately (line 4). A state becomes a speculative state if
it is duplicated from a regular symbolic state (line 22) by invoking
SpeculativeExplore at a branch event (line 9).
Lines 19-28 in Algorithm 2 present the modeling procedure Spec-
ulativeExplore. Generally, at a conditional branch (line 8), we call
SpeculativeExplore (line 8) to start the speculative probe. That is, if
the branch predicate relies on a memory access (line 21), e.g., using
a static variable for the first time, we then duplicate a new state s ′
from state s (line 22) with a negated execution flow (line 23). This
assumption is based on the observation that the memory visiting
latency at a branch point may create a time window for speculative
execution to load data into cache before the rollback. Otherwise,
Algorithm 2: Symbolic Execution in SpecuSym .
Initially: The global state container Stack is empty (Stack⇐∅).;
Start SpecuSym (sini) on an initial symbolic state sini with in := {λ, t }.
1 SpecuSym (SymbolicState s )
2 begin
3 if s is a speculative state and s reaches the threshold then
4 return;
5 end
6 Stack.push(s );
7 if s.e is branch event then
8 for c ∈ s.brs and s.pc ∧ c is satisfiable do
9 SpeculativeExplore(s , c ); // Enter speculative modeling
10 ...... // Resume normal execution
11 end
12 else if s.e is memory access event then
13 SpecuSym (SubsequentState(s));
14 AnalyzeCache(s );
15 s.ϖ ← update cache state by interpreting s.e;
16 ......
17 end
18
19 SpeculativeExplore(SymbolicState s , Predicate c )
20 begin
21 if c relies on a memory visit then
22 s′ ← duplicate state s; // Fork speculative state
23 s′ ← redirect s′ to the ¬c control flow; // Redirect execution flow
24 SpecuSym (SubsequentState(s′));
25 s.ϖ ← s′ .ϖ ;
26 Terminate s′;
27 end
28 end
29
30 AnalyzeCache(SymbolicState s )
31 begin
32 if s is a regular symbolic state and s.e relates to secret input then
33 ξ ← build the leak constraint for s.e;
34 if s.pc ∧ ξ is satisfiable then
35 Generate witness;
36 end
37 end
38 end
despite a branch misprediction, the CPU only spends several cycles
on restoring before speculative execution takes effect on cache.
The new state s ′ becomes a speculative state afterwards, since it
is about to mimic the speculative execution of the mis-predicted
branch before resuming s . After state duplication, we let SpecuSym
execute s ′ (line 24) and evaluate the effects of the memory visits in
s ′ on the cache (line 15). Details of the evaluation will be presented
in section 4.2. Once the recursive exploration of s ′ finishes, we use
the accumulated cache state in s ′ to update that of s (line 25) and
terminate s ′ (line 26). The termination ends the lifetime of state s ′.
It also assures that the execution in s ′ only attributes to the cache
state changes but never affects the memory state of its parent state.
Next, when SpeculativeExplore returns, we resume the normal
execution on s (line 10), with an updated cache state. In this way,
we construct the speculative scenario and retain the latest cache.
Our approach leverages the stateful feature of symbolic execution.
It not only models the speculative behavior but also seamlessly
stitches the cache state with controllable flexibility.
Figure 3 shows the speculative modeling of the example P from
Figure 2. Figure 3(a) gives the control flow graph of P on which
we annotate the memory access related variables. For example,
S[0] means the first array read in the while loop and v1 means the
memory write in the if branch. The blue arrow line denotes the
flow of the symbolic state s which takes the if branch in regular
symbolic execution.
Then, in Figure 3(a), on reaching the branch we duplicate a
speculative state s ′ from s , and enforce a bounded execution (e.g.,
one memory access) into the else branch of s ′, as shown by the red
5
, , Shengjian Guo, Yueqi Chen, Peng Li, Yueqiang Cheng, Huibo Wang, Meng Wu, and Zhiqiang Zuo
S[0]
......
S[253]
x
v1 v2
S[x]
symbolic
state s
symbolic
state s
speculative
state s′
(a) Stitched executions of s and s ′
256
lines
v2
x
S[253]
......
S[1]
S[0] v1
(b) The cache state from s ′
Figure 3: The speculative execution modeling of P.
dashed line. Once s ′ meets the threshold, we stop the execution
and turn back to its birth point where state s is awaiting the finish
of s ′. Also, we integrate the cache state of s ′ (cf. Figure 3(b)) into s
and terminate s ′ to resume s . Right now, the whole cache has been
filled since the memory write in s ′ mapped v2 into the line #256 .
Subsequently, the memory store to v1 in state s has to replace
S[0] following the LRU policy, as shown in Figure 3(b). Also, the
last memory load to S[x] might result in a cache miss or a cache
hit, depending on the value of x, which is consistent with the
situation in section 2.3. Hence, our proposed method succeeds in
modeling speculative execution and conforms to the three-step
process designed in section 3.3. Note that Figure 3(a) only shows
the modeling of the else branch while SpecuSym considers both
branches and misses no potential cases.
In this example, updating the cache state is straightforward –
by checking the in-cache addresses to find an available cache line
on a cache miss, or retain the current cache items in case of a
hit. For the undecided address, i.e., S[x], we can try 255 possible
cache mappings to test the difference. However, it is impractical
to eagerly enumerate all potentials since it can cause unbearable
overhead. Abstract interpretation based analysis [59] approximates
concrete possibilities whereas this approach is impractical in sym-
bolic execution. Also, many mappings are indeed redundant w.r.t
leak exposure, e.g., only 1 mapping reveals leak in the motivating
example.
Instead, SpecuSym models all possible branch mispredictions
along with an execution path to maintain a stitched trace of memory
events as the alternative of the cache state. Then it builds the leak
constraint by analyzing the trace, and lazily searches for solutions.
We detail this trace-based analysis in section 4.2 and section 4.3.
4.2 Cache State Modeling
This section explains how SpecuSym models the cache state. Since
each explored path in symbolic execution represents a unique pro-
gram run, we thereby extend the definition of a symbolic state s
(cf. section 3.1) to be a new tuple ⟨pc, e, brs,Ω,ϖ⟩. The newly intro-
duced symbol ϖ denotes the cache state on exploring s . Based on
this design, we establish notions as following:
− A program state in SpecuSym is either a normal symbolic
state or a speculative state, where from the former can the
latter be duplicated, but not vice versa.
− A stitchedmemory event trace, denoted asM = {m0 , ...,mn},
consists of executed memory events in the execution order.
− Each memory event mi in M , where index i ∈ [0,n], can be
from a symbolic state or a speculativestate.
− The cache state ϖ of a program state, is alternatively repre-
sented by M and the related computation.
To be specific, after executing a memory eventmi in a symbolic
state, we analyze ifmi may lead to timing leak under two scenarios,
namely new divergent behavior and new opposite behavior. To
formally explain these scenarios, we define the following notions.
− µin(mi) denotes the condition satisfyingwhichmi can trigger
a cache hit under speculative execution with input in.
− ai denotes the accessed memory address in mi .
− cs(ai) denotes the cache set that ai maps to.
− tag(ai) denotes the unique tag of ai .
− N denotes the cache associativity (i.e., N-way set associative
cache, where N∈[1, the total number of cache lines]).
4.2.1 New Opposite Behavior. It means executingmi under spec-
ulative execution causes a always-hit then the cache behavior in
non-speculative execution must be a always-miss, and vice versa.
Recall that we only target new leaks from speculative execution
and this scenario depicts the exactly opposite leak behavior. To
establish its definition, we introduce following new notions:
− ηin(mi) denotes the condition satisfying which mi always
triggers a cache hit under speculative execution.
− η′in(mi) denotes the condition satisfying which mi always
triggers a cache hit under non-speculative execution.
− Boolean variable org(mi) shows the origin of mi , where 0
means mi is from a symbolic state and 1 means mi is from a
speculative state.
Then we formalize ηin(mi) and η′in(mi) as follows.
ηin(mi) := ∃j ∈ [0, i)| ∧ aj = ai ∧ ∀x ∈ (j, i)
ax , ai︸                                                  ︷︷                                                  ︸
1 Find the nearest identical address aj
∧
i−1∑
y=j+1
cs(aj) = cs(ay) ∧ ∄z ∈ (j, y)|tag(az) = tag(ay)︸                                                       ︷︷                                                       ︸
2 Count the unique ay who and ai map to the same set
< N (4)
η′in(mi) := ηin(mi)∧org(aj) , 1 ∧ org(ax ) ,1 ∧ org(ay) ,1︸                                             ︷︷                                             ︸
3 Filter events from speculative execution
(5)
Given ami , we first searchM for an identical address aj (ai=aj ) who
was visited before mi . Also, aj has to be the nearest candidate that
no other addresses between aj and ai are qualified (cf. 1 ). Second,
we count the unique addresses that map to the same cache set to
mi and assure the sum is less than the set associativity (cf. 2 ). Note
that ηin(mi) is close to but not equivalent to µin(mi). E.g., for S[x]
read in Figure 3(a), µin(mi) can be satisfied but ηin(mi) cannot.
Based on ηin(mi) we define η′in(mi) who has an extra constraint
(cf. 3 ) over ηin(mi). The new constraint ensures that all involved
memory events must be from symbolic states hence filtering the
influences of memory events from speculative states.
4.2.2 New Divergent Behavior. It means executing mi under
speculative execution with two inputs in and in′ can cause a miss
and a hit, respectively. To analyze this behavior, we build µ(mi)
6
, ,
which returns the cache hit condition of mi in trace M as follows:
µin(mi) :=
∨
0≤j<i
(
tag(aj) = tag(ai) ∧ cs(aj) = cs(ai)︸                                      ︷︷                                      ︸
4 Identify the potential aj
∧
∀x ∈ (j, i) tag(ax ) , tag(ai) ∨ cs(ax ) , cs(ai )︸                                                       ︷︷                                                       ︸
5 Find the nearest aj
∧
i−1∑
y=j+1
cs(aj) = cs(ay) ∧ ∄z ∈ (j, y)|tag(az) = tag(ay)︸                                                       ︷︷                                                       ︸
6 Count the unique ay who and ai map to the same set
< N
)
(6)
Given a mi , we first seek a preceding mj from M who might
triggers a cache hit on executing mi . That is, their addresses aj and
ai have the same tag and set (cf. 4 ). Moreover, we have to check the
nearest mj because mi’s cache behavior directly relates to this mj .
This is accomplished by ensuring non-existence of a ax between aj
and ai who has the same tag and set values to ai (cf. 5 ).
Next, we consider the cache replacement policy. Without loss of
generality, SpecuSym models a N-way set-associative cache with
the LRU policy. Other policies can apply to equation (6) as well.
Intuitively, on finding a potential mj for mi , the executed events
betweenmj andmi should not evictmj from the cache, to promise a
cache hit formi . Under the LRU policy, we observe that iff satisfying
property 1 can this non-evict requirement be met.
Property 1. To avoid evicting the most recently used cache line
from a cache set Set, the total number of subsequent unqiue cache
mappings to Set must be less than the set associativity.
The sub-formula 6 checks whether an eventmy betweenmj and
mi can form a uniquely new mapping to the set that ai maps to.
We perform the check by first comparing the set values of ay and
ai . If this precondition satisfies, we check if address ay has never
been accessed before by an event mz — by confirming that the tag
value of az always differs from that of ay . If this check also satisfies,
then ay forms a uniquely new cache mapping. We count these new
mappings to embed Property 1 in equation (6).
Take a 9-event traceM= {m1,m2 ,m1,m3,m3,m4,m5 ,m4,m1} as
the example. For brevity we assume all the visited memory ad-
dresses associate with the same cache set and the set associativity
is four. Also, each memory event corresponds to one cache line.
And we want to check whether the last event, m1, can lead to a
cache hit. Here we use #n to index each event where n ∈[1,9].
Backtracking from the last m1, we first locate two preceding m1
events, #1 and #3, as the candidates that satisfy 4 . Then, according to
5 , we select the nearest event #3, to form a sub-trace ρ as underlined
in M . Note that after ρ’s head event m1, the cache line used by m1
becomes the most recently used line. We name this line as l. Then,
following 6 , along ρ we can identify three uniquely new cache
mappings to the same set, incurred by events #4 (m3), #6 (m4), and
#7 (m5 ), respectively. Other events, i.e., #5 (m3) and #8 (m4), cannot
form unique mappings since they do not satisfy 6 .
Therefore, we conclude that the target event, m1, must lead to
a cache hit because the identified three unique cache mappings at
most evict other three lines rather than the most recently used line
l. In other words, the number of uniquely new mappings is less
than the cache set associativity, which conforms to Property 1.
4.3 Cache Behavior Analysis
In this section we leverage µin(mi), ηin(mi) and η′in(mi) to analyze
the cache behavior of mi . In general, if mi has no cache behavior
variance in both speculative execution and non-speculative execu-
tion for any arbitrary inputs, then it leaks no data. Otherwise, at
the program location of mi there is a leak.
Procedure AnalyzeCache in Algorithm 2 constructs the leak con-
straint. SpecuSym invokes AnalyzeCache right after executing a
memory event (line 14). Inside the procedure, SpecuSym first exam-
ines whether the current state s is a symbolic state and the event
s .e relates to sensitive input. This is because the timing affects in-
side the speculative execution is externally invisible and we only
care about the sensitive data dependent memory accesses. Next,
SpecuSym builds the leak constraint ξ for event s .e , and solves for
solutions (lines 33-35). If such inputs do not exist, SpecuSym claims
leakage-free at s .e on the current program path.
To form ξ , we have to first build the constraint exposing new
cache behaviors at a given memory event mi as follows.
divi := ∃in, in′. (in , in′ ∧ µin(mi) , µin′(mi)) (7)
oppi := ∀in, in′. (ηin(mi) , η′in′(mi)) (8)
Term divi represents the existence ofNewDivergent Behavior and
term oppi checks New Opposite Behavior, respectively. We define
ξ := divi∨oppi as the leak constraint atmi . SpecuSym first computes
η′in′(mi) because of the lower cost of a must-be solving. Then, it
uses the concretized value to substitute η′in′(mi) in oppi for the
solving of in. If such targeted in exists then oppi must be satisfiable
and SpecuSym safely skips the solving of divi . Otherwise, it has to
continue reasoning divi . Finally, if the solver successfully returns
concrete solutions of ξ , SpecuSym generates a test case including
the inputs, the traceM , and the event as the leak witness.
For instance, after obtaining a trace {S[0],...,S[254], x,v2,v1,S[x]}
from the stitched execution in Figure 3(a), SpecuSym finds that
the sensitive data dependent address S[x] is from symbolic state s .
Also, in non-speculative execution visiting S[x] must get a cache
hit (η′in′(mi)=1). Thus, the sub-constraint ηin(mi) should be 0 in
terms of a New Opposite Behavior. Undoubtedly, SpecuSym solves
out the value 0 for x. Finally, SpecuSym outputs the value 0, the
trace including the speculative flow, and the read event of S[x].
It is worth noting that processors might mis-predict branches
more than once along a program path. As a result, we need to count
the cache side affects from multiple mispredictions. However, at-
tackers always expect the minimum effort to trigger mispredictions
for leak exposure. Meanwhile, manipulating multiple speculation
windows would be of great difficulties for external attackers. In
SpecuSym , we follow the adversary perspective to study whether
one misprediction could be enough to cause timing leaks and leave
the multiple speculation cases as our future work.
4.4 Optimizations
Speculative Assumption Checking. Recall that in Algorithm 2
we duplicate a new state s ′ from state s (line 22) if the branch
predicate involves a memory visit rather than a cache visit. This
assumption requires a heavy cache analysis whereas [59] over-
approximately treats such access as memory visit. To balance the
precision and efficiency, SpecuSym backwardly examines the mem-
ory accesses from last branch to the current branch. If the examina-
tion determines a cache hit, we know that speculative analysis at
7
, , Shengjian Guo, Yueqi Chen, Peng Li, Yueqiang Cheng, Huibo Wang, Meng Wu, and Zhiqiang Zuo
this point is unnecessary. Otherwise, we record this branch predi-
cate and add the miss constraints to ξ for analysis.
Formula Simplification and Reduction. Formulas divi and
oppi captures the complete set of cache behavioral differences. How-
ever, we observe that if ηin(mi) satisfies then µin(mi) must satisfy.
Thereby we can further simplify ξ into ξ ′ as follows.
ξ ′ := ∃in.µin(mi) , η′in(mi) (9)
Since we assume a leakage-free program under non-speculative ex-
ecution, η′in(mi) must be 0 (miss) or 1 (miss). Meanwhile, if µin(mi)
(the may-hit condition) has a different solution to η′in(mi), then
there must be a new cache behavior, either Divergent or Oppo-
site. Thereby ξ ′ conforms to ξ . Also, since we repeatedly traverse
memory access trace in constraint construction, caching the inter-
mediate results helps avoid redundant computation. Therefore, we
bank the computed address-comparing formulas into a hash map so
that they can be quickly retrieved with tolerable storage overhead.
However, the size of equation (9) still increases quickly along
with the increase of i , which pressures the constraint solver. By in-
specting the formula structure, we seperate lengthy equations into
smaller pieces with following strategies. First, if a sub-constraint of
a conjunctive normal form (CNF) formula is determined as false, we
directly return false. E.g., in equation (6), if 4 is false, we skip query-
ing solver for 5 , and 6 . Second, if a sub-constraint in a disjunction
normal form (DNF) formula is determined as true, we discard all
other sub-constraints. As in equation (6), once we find the nearest
aj by 5 , we discard sub-formulas for indices before j. Third, if two
sub-formulas are in negated forms, we avoid a second solver query.
E.g., in equation 6, constraint 5 of mj is the negation of constraint
4 of mj+1, which implies we can save one constraint solving time.
5 EVALUATIONS
We have implemented SpecuSym based on the KLEE [14] symbolic
executor and the LLVM compiler [40]. We refit KLEE in three main
aspects. First, we made KLEE support bounded execution of the
auxiliary speculative states and schedule the parent symbolic state
afterwards, to mimic the mispredictions. Second, we made KLEE
stitch a sequence of memory events from both regular symbolic
state and speculative states, to represent the worst-case situation
of speculative behaviors. Third, we made KLEE analyze the cache
behaviors on memory events to generate concrete inputs for timing
leaks. Based on these new components, we built SpecuSym for the
cache timing leak analysis under speculative execution.
Specifically, after loading the LLVM bit-code of the target pro-
gram, SpecuSym executes it symbolically, explores speculative
states, stitches the memory events, and conducts cache analysis
following Algorithm 2. Each leak constraint is encoded in Z3-
compatible form. On solving the leak constraint, SpecuSym outputs
leak witness including the speculated event trace, the leakymemory
visit, and concrete inputs.
We design the following research questions for the experiments:
• Can SpecuSym identify cache timing leaks introduced by
speculative execution?
• Can SpecuSym complement the fast abstract interpretation
based method by providing more accurate results?
• Can the optimizations effectively boost the overall perfor-
mance?
Table 1: Benchmark Statistics: Name, Lines of C code (LoC), Source,
Sensitive Input Size in Bytes (S-In), and Number of Branches (Brs).
Name LoC Source S-In Brs
hash[2] 320 The hpn-ssh hash implementation 64 5
AES[4] 1,838 The LibTomcrypt AES cipher 16 17
blowfish[4] 467 The LibTomcrypt blowfish cipher 8 11
chacha20[4] 776 The LibTomcrypt chacha20 cipher 36 133
encoder[4] 134 The LibTomcrypt hex encoder 100 2
ocb[4] 377 The LibTomcrypt OCB implementation 28 23
DES[5] 1,100 The OpenSSL DES cipher 64 79
str2key[5] 371 The OpenSSL key prepare for DES 16 8
DES[1] 547 The glibc DES implementation 16 7
Camellia[7] 1,324 The NVIDIA Tegra Camellia cipher 16 16
Salsa[7] 279 The NVIDIA Tegra Salsa20 stream cipher 28 12
Seed[7] 487 The NVIDIA Tegra Seed cipher 16 2
DES[3] 337 The Libgcrypt DES cipher 8 3
Salsa[3] 344 The Libgcrypt Salsa20 stream cipher 40 22
Spectre[6] 90 The Spectre V1 application 4 1
5.1 Benchmark Programs
Table 1 shows the statistics of the benchmarks for evaluation. The
first three columns, Name, LoC and Source indicate the names,
the lines of code and the sources of these benchmarks. Column
S-In denotes the sensitive input size in bytes. The last column Brs
shows the number of conditional branches in each program.
Our benchmark suite consists of a diverse set of open-source C
programs. Specifically, the first program is from hpn-ssh [2]; the
second group has five programs from LibTomCrypt 1.18.1 [4]; the
third group uses two programs from glibc 2.29 [1]; the fourth group
includes three programs from the Tegra library [7]; the rest bench-
marks are from the Libgcrypt 1.8.4 [3] and the Spectre vulnerability
application [6]. Most benchmarks are computation intensive despite
the compact program sizes. The sensitive input of each benchmark
is initialized to a symbolic array whose size is shown in column
S-In. Also, each program has 1 to 133 conditional branches.
We evaluate the benchmarks on the N-way set-associative cache
and LRU policy with different cache settings. To be specific, we
design four caches as (1) 32KB cache size with N=4; (2) 32KB cache
size with N=8; (3) 64KB cache size with N=8; and (4) 32KB cache
size with N=512. Each cache line has 64 bytes among all caches. The
first three settings are close to the L1 data cache types in modern
processors like [8, 9]. The last setting forms a fully-associative cache
on which we compare SpecuSym with [59]. Besides, we evaluate
the effectiveness of optimizations using the third setting. All the
evaluations are conducted on a machine running Ubuntu 16.04 64-
bit Server Linux with Intel(R) Xeon(R) 2.20GHz CPUs 24 cores and
256GB RAM. Each benchmark is set to run at most 12 hours.
5.2 Experimental Results
5.2.1 Timing Leak Detection. We first design experiments for
the research question (1). Table 2 shows the leak detection results
under aforementioned three set-associative cache settings. Let’s
name them as C1, C2, and C3. C1 has 32KB size and each cache set
consists of 4 lines. As each line has 64 bytes,C1 has 128 sets in total.
C2 also owns 32KB size but its cache associativity increases to 8.
Hence it has 64 sets.C3 has 64KB size while its associativity remains
8, thereby it has 128 sets and 1024 cache lines. For each program, we
collect execution statistics under different cache settings, including
8
, ,
Table 2: Detection results on Set-associative Caches
Name C1: 32KB, 4-Way C2: 32KB, 8-Way C3: 64KB, 8-Way
Time (m) #.D/O Time (m) #.D/O Time (m) #.D/O
hash[2] 0.57 0/0 0.56 0/0 0.56 0/0
AES[4] 32.53 20/3 99.43 25/0 65.27 26/0
blowfish[4] 0.04 0/0 0.03 0/2 0.03 0/0
chacha20[4] 0.31 0/5 0.31 0/61 0.28 0/61
encoder[4] < 0.01 0/5 < 0.01 0/5 < 0.01 0/5
ocb[4] < 0.01 0/0 < 0.01 0/0 < 0.01 0/0
DES[5] 10.72 0/5 10.65 0/10 10.77 0/10
str2key[5] 0.01 0/0 < 0.01 0/0 < 0.01 0/0
DES[1] 51.98 16/6 384.57 26/1 393.48 24/3
Camellia[7] 0.13 0/0 0.12 0/0 0.13 0/0
Salsa[7] 0.03 0/0 0.03 0/0 0.04 0/0
Seed[7] 0.21 0/0 0.21 0/0 0.21 0/0
DES[3] 0.37 0/0 0.37 0/0 0.37 0/0
Salsa[3] < 0.01 0/0 < 0.01 0/0 < 0.01 0/0
Spectre[6] <0.01 0/0 < 0.01 0/0 < 0.01 0/0
the total execution time in minute (Time (m)) and the amount of
divergent/opposite leaks(#.D/O) .
Overall, SpecuSym identified that 6 out of 15 benchmarks have
timing leaks. Specifically, blowfish is leaky only under cache C2
while other 5 programs have leaks under all three caches. Among
these 5 programs, DES [1] has both D/O leaks in all caches; AES has
both D/O leaks in C1 but only opposite leaks in C2 and C3; and the
rest three programs (chacha20, encoder, and DES [5]) have only
opposite leaks under all the three caches.
Next, we compare the results of C1 and C2, to research how the
cache associativity could affect the leak occurrence. Intuitively, the
more lines per cache set, the less potential cache conflicts hence less
leaks. However, experiments show that the increased associativity
indeed triggers more leaks. First, SpecuSym detected 60 and 130
leaks under C1 and C2, respectively. Second, 5 out of the 6 leaky
programs have more leaks under C2. The only exception, encoder,
has 5 leaks in both C1 and C2. Third, the non-leaky program under
C1, blowfish, now turns to reveal 2 new leaks under C2. This
phenomenon is because the speculative memory visits raise more
cache hits — the cache misses under non-speculative execution now
have higher possibilities to be hits as memory data has been loaded
into cache sets earlier from speculative execution.
Moreover, we compare between C2 and C3, to research how
the cache size could affect leak detection. We find that despite the
different cache sizes, the detection results show no drastic variances.
First, SpecuSym detected exactly the same types and amounts of
leaks in 3 programs (chacha20, encoder, and DES [5]) in both C2
andC3. The analysis costs are also close. Second, another two leaky
programs, AES and DES [1], also show similar statistics. Third, the
major difference comes from blowfish, which has two leaks on
C2 but no leaks on C3. Though this unique case indicates smaller
cache might incur more leaks, it is not the majority situation.
We also observe drastically diverse results from different versions
of the same algorithm. E.g., in three DES implementations from
OpenSSL [5], glibc [1], and Libgcrpt [3], SpecuSym detected only
oppsite leaks in OpenSSL DES, both D/O leaks in glibc DES, and
no leaks in Libgcrypt DES. Also, OpenSSL DES consumes about 11
minutes in all caches. The glibc DES uses 52 minutes on C1 but
Table 3: Comparison betwee Wu et.al [59] and SpecuSym
Name Wu et.al [59] SpecuSym
Leak Detected Time (s) Leak Detected #.Leaks Time (s)
hash[2] ✔ 1.15 ✗ 0 33.61
AES[4] ✗ 2.13 ✗ 0 5.01
chacha20[4] ✔ 9.24 ✔ 9 17.84
encoder[4] ✔ 0.10 ✔ 5 0.13
ocb[4] ✔ 0.68 ✗ 0 0.05
DES[5] ✔ 14.20 ✔ 8 725.66
str2key[5] ✗ 0.01 ✗ 0 0.69
Camellia[7] ✗ 6.35 ✗ 0 7.59
Salsa[7] ✗ 0.06 ✗ 0 0.99
Seed[7] ✗ 0.07 ✗ 0 12.15
around 6.5 hours on C2 and C3. By constrast, the Libgcrypt DES
costs merely 1 minute in all experiments.
Therefore, we can answer the first research question: SpecuSym
is able to detect timing leaks introduced by speculative execution.
It also supports various caches for the effective leak detection.
5.2.2 ExistingMethod Comparison. We compare SpecuSymwith
the latest work [59] in Table 3, to answer the the second research
question. Column 1 lists all the benchmarks used in [59] for timing
leak evaluation. Columns 2-3 show the detection result and the
computation time of the abstract interpretation based method [59].
Columns 4-6 depict the result of SpecuSym while column 5 lists the
total amount of detected leaks. We set up the same cache setting
used in [59] (512-line fully-associative cache with LRU policy) to
assure a fair comparison. Let’s name it as C4.
Overall, [59] analyzed that 5 of the 10 benchmarks are leaky, as
marked with✔ in column 2. Consequently, the rest 5 programs are
free of timing leaks. For these non-leaky programs, SpecuSym also
detects no leaks, as shown in column 4. This means SpecuSym does
not introduce false positives on validating these robust programs.
In contrast, for those✔ results from [59], SpecuSym has different
results on two benchmarks, hash and ocb, as underlined in Table 3.
They are deemed to be leaky in [59] while SpecuSym found no leaks
in them. We manually inspect the two benchmarks and confirm
that SpecuSym gives the right answer — no leaks exist in the two
programs. The inaccurate results of [59] might root from its over-
approximation nature and they are indeed false positives.
For the remaining programs chacha20, encoder, and DES, both
SpecuSym and [59] have detected leaks. However, [59] only claims
the leaky situation while SpecuSym generates richer information.
E.g., SpecuSym pingpoints 9, 5, and 8 leaky memory operations in
these benchmarks, respectively. Moreover, SpecuSym is able to pro-
vide inputs and the speculative traces for leak diagnosis. Note that
SpecuSym performs generally faster on C4 than on set-associative
cachesC1,C2, andC3 since the extreme cache setting ofC4 promotes
cache utilization and cache hit rate in these benchmarks.
One drawback of SpecuSym is the computation cost. In Table 3
[59] finishes all benchmarks in 35 seconds whereas SpecuSym needs
725.7 seconds to analyze an OpenSSL DES. Worse, the analysis time
for the glibc DES [1] rises to about 6.5 hours (cf. Table 2). The over-
head mainly comes from the constraint-solving since SpecuSym rea-
sons individual memory accesses on each program path. However,
sacrificing the performance for the precision achieves reasonable
paybacks. First, the increased overhead of most benchmarks are still
tolerable. Next, SpecuSym eliminates false positives from [59] and
9
, , Shengjian Guo, Yueqi Chen, Peng Li, Yueqiang Cheng, Huibo Wang, Meng Wu, and Zhiqiang Zuo
ha
shAE
S
blo
wfi
sh
cha
cha
20
en
cod
er ocbDE
S
str
2ke
y
DE
S
Ca
me
lliaSal
sa
See
d
DE
S
Sal
sa
Sp
ect
re
0
200
400
600
800
Ti
m
e
(m
in
)
Base
Opt
(a) (a) Benchmark analysis time
ha
shAE
S
blo
wfi
sh
cha
cha
20
en
cod
er ocbDE
S
str
2ke
y
DE
S
Ca
me
lliaSal
sa
See
d
DE
S
Sal
sa
Sp
ect
re
0
1000
2000
3000
4000
Si
ze
(#
of
co
ns
tru
ct
s)
Base
Opt
(b) (b) SMT constraint size
Figure 4: Breakdown of Optimization Performance. Bench-
marks are represented using their orders in table 1.
Table 4: Overall performance Increases from Optimization.
Optimization Time Constraints Size #.Div #.Opp
Base 100% 100% 12 76
Optimized 30.73% 78.89% 50 79
generates precise inputs. Moreover, if [59] could provide assisting
information, e.g., the suspicious locations on the control flow graph,
SpecuSym could dedicate its analysis on the problematic areas.
Therefore, we answer the second research question: SpecuSym
can complement the fast abstract interpretation based analysis [59]
on false positive elimination and concrete leak witness generation.
5.2.3 Optimization Performance. We study the performance of
our optimization strategies (cf. Section 4.4) in this section. As shown
in Table 4, after optimization (Optimized), the overall execution
time (Time) decreases to 30.75% of the non-optimization situation
(Base), which demonstrates the effectiveness of optimization.
Apart from time cost, our optimization reduces constraint size
by more than 20% to ease the solver cost. Moreover, we find that the
Base setting missed almost 2/3 (44) leaks within the time bound (12
hours). This highlights the necessity of optimization because it helps
detect as many leaks as possible under limited resources. In Figure 4,
we examine the impact of optimization on each benchmark in terms
of both time cost and constraint size. In the figure, we present each
case using their orders in table 1.
Clearly in Figure 4(a) that optimization largely decreases time
cost for 6 out of 15 cases from hundreds of minutes to less than one
hour. On the one hand, this is because the Base situation involves a
great many redundant computation while the intermediate results
cached in optimization can be re-used. On the other hand, the
size of constraint is reduced through formula simplification which
lowers the cost of solving. We show the detail in Figure 4(b) that
optimization reduces constraint size, especially for AES [4], glibc
DES [1], and seed [7].
For the remaining cases, the length of execution trace is typically
short which means the number of memory access to analyze is
limited. Thus, our optimization does not differ much from the base
computation.
5.3 Threat to Validity
Our approach considers nested speculative execution because branch
instruction may also exist in speculative states. Since the time win-
dow of speculative execution is typically short, we implement the
nest depth as configurable and set it to 2 in evaluation. Though
speculative execution may end at arbitrary points, we demonstrate
the effectiveness of our under-approximation in the experiments.
Another threat is from the impact of out-of-order execution.
Out-of-order execution also reschedules memory accesses, which
may affect the accuracy our analysis. However, considering both
speculative execution and out-of-order execution is challenging.
We leave it as our future work.
We do not consider the speculative execution that leverages
Branch Target Buffer (BTB) or Return Stack Buffer (RSB) to select
the destinations of indirect branches. Such vulnerabilities have been
effectively mitigated by Intel and AMD through Indirect Branch
Prediction Barrier (IBPB) settings.
SpecuSym analyzes LLVM IR to detect leaks caused by specu-
lative execution. However, the program runtime behavior can be
different due to back-end compiler optimization and address space
layout randomization (ASLR). Although we have simulated the ex-
ecution environment, more low-level details of benchmarks can
further facilitate us to improve analysis results.
6 RELATEDWORK
Regarding the security impact of processor speculative execution
[36], Kocher et al. [38] demonstrated that speculative execution
influences the cache state and leads to cache timing attacks, which
motivates the design of SpecuSym .
To estimate cache side channels, Doychev et al. [24] approximate
cache states through concrete state abstraction. Despite the upper
bound of information leakage, the estimation offers few guidance
on fixing the problems. Doychev et al. [25] also shows that compiler
optimization can remove side channels. However, it is undesirable
for critical libraries to make the security guarantee be compiler-
dependent.
Symbolic execution [37] has been applying to cache analysis
because of its precise reasoning and input generation natures. To
quantify the information leakage through cache side channel, Chat-
topadhyay et al. [15, 16] and Basu et al. [10] developed symbolic
execution methods to study dependencies between sensitive data
and cache behaviors. Wang et al. developed CacheD [55] which
aims at timing leaks through a trace-based symbolic execution.
Furthermore, Brotzman et al. [11] proposed CaSym, a symbolic
reasoning method which supports cache analysis over multiple
program paths. Considering the cache affects from thread interleav-
ings, Guo et al. [30] proposed SymSC to analyze cache timing leaks
due to multithreading. These methods, however, are all unaware of
cache state changes under speculative execution.
Abstract interpretation [21] has also been adopting to cache
reasoning in terms of its scalable analysis and sound approximation.
CacheS [54] proposes a secret-augmented abstract domain to track
program secrets and dependencies. It treats public data in a coarse-
grained fashion and secret data in a finer-grainedmanner to balance
the scalability and precision. However, CacheS is also unaware of
the impact from speculative execution on cache state. Though Wu
et.al [59] developed a dedicated abstract interpretation method for
worst case exectuion estimation and cache timing leak analysis
10
, ,
under speculative execution, they are unable to generate precise
inputs to diagnose the leaks in depth.
Likewise, grey-box fuzz testing has been used in detecting Spectre-
type [38] program vulnerabilities [47], exposing side channels [46],
and revealing timing leaks [31]. However, these methods are either
unaware of speculative exectution [31, 46] or relying on costful
instrumentations on control flow graph. Also, due to the testing
nature, these methods heavily count on the fuzz heuristics wheres
SpecuSym systematically solves for precise inputs.
To conclude, existing program analysis approaches either fail to
generate inputs or ignore cache affects from speculative execution.
To fill the gap, SpecuSym models speculative execution through
stateful symbolic execution so as to produce inputs that endorse
the leaks.
7 CONCLUSIONS
In this paper, we have presented a symbolic execution based method
SpecuSym for detecting cache timing leaks on running a sensitive
data related program under speculative execution. SpecuSym sys-
tematically explores the program paths and models speculative
execution at conditional branches. By cache state modeling as well
as cache behavior analysis, SpecuSym uses SMT-solving to search
for divergent and opposite cache behaviors at memory access events.
Experimental results show that SpecuSym can detect timing leaks
under various cache settings. Comparison between SpecuSym and
state-of-the-art abstract interpretation based leak detection method
shows SpecuSym not only successfully eliminates false positives
but also generates precise inputs for leak exposure.
11
, , Shengjian Guo, Yueqi Chen, Peng Li, Yueqiang Cheng, Huibo Wang, Meng Wu, and Zhiqiang Zuo
REFERENCES
[1] glibc-2.29.9000. https://www.gnu.org/software/libc/.
[2] High Performance SSH/SCP - HPN-SSH. https://www.psc.edu/hpn-ssh.
[3] Libgcrypt-1.8.4. https://gnupg.org/software/libgcrypt/index.html.
[4] LibTomCrypt. http://www.libtom.net/LibTomCrypt/.
[5] OpenSSL-1.1.1c. https://mta.openssl.org/pipermail/openssl-announce/2019-May/
000153.html.
[6] spectre-attach. https://github.com/Eugnis/spectre-attack.
[7] Tegra. https://android.googlesource.com/kernel/tegra/+/android-8.1.0_r0.113/
crypto.
[8] The Kaby Lake Microarchitecture. https://en.wikipedia.org/wiki/Kaby_Lake.
[9] The SkyLakeMicroarchitecture. https://www.intel.com/content/dam/www/public/
us/en/documents/manuals/64-ia-32-architectures-optimization-manual.pdf.
[10] Tiyash Basu and Sudipta Chattopadhyay. 2017. Testing Cache Side-Channel
Leakage. In 2017 IEEE International Conference on Software Testing, Verification
and Validation Workshops, ICST Workshops 2017, Tokyo, Japan, March 13-17, 2017.
51–60.
[11] Robert L. Brotzman, Shen Liu, Danfeng Zhang, Gang Tan, and Mahmut T. Kan-
demir. 2019. CaSym: Cache Aware Symbolic Execution for Side Channel Detection
and Mitigation. In IEEE Symposium on Security and Privacy.
[12] Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank
Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx.
2018. Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient
Out-of-Order Execution. In 27th USENIX Security Symposium, USENIX Security
2018, Baltimore, MD, USA, August 15-17, 2018. 991–1008.
[13] Ashokkumar C., Ravi Prakash Giri, and Bernard L. Menezes. 2016. Highly Efficient
Algorithms for AES Key Retrieval in Cache Access Attacks. In IEEE European
Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany, March
21-24, 2016. 261–275.
[14] Cristian Cadar, Daniel Dunbar, and Dawson R. Engler. 2008. KLEE: Unassisted and
Automatic Generation of High-Coverage Tests for Complex Systems Programs.
In 8th USENIX Symposium on Operating Systems Design and Implementation, OSDI
2008, December 8-10, 2008, San Diego, California, USA, Proceedings. 209–224.
[15] Sudipta Chattopadhyay. 2017. Directed Automated Memory Performance Testing.
In Tools and Algorithms for the Construction and Analysis of Systems - 23rd Inter-
national Conference, TACAS 2017, Held as Part of the European Joint Conferences
on Theory and Practice of Software, ETAPS. 38–55.
[16] Sudipta Chattopadhyay, Moritz Beck, Ahmed Rezine, and Andreas Zeller. 2017.
Quantifying the information leak in cache attacks via symbolic execution. In
Proceedings of the 15th ACM-IEEE International Conference on Formal Methods
and Models for System Design, MEMOCODE 2017, Vienna, Austria, September 29 -
October 02, 2017. 25–35.
[17] Qichang Chen, Liqiang Wang, Zijiang Yang, and Scott D. Stoller. 2009. HAVE:
Detecting Atomicity Violations via Integrated Dynamic and Static Analysis. In
Fundamental Approaches to Software Engineering, 12th International Conference,
FASE 2009, Held as Part of the Joint European Conferences on Theory and Practice
of Software, ETAPS 2009, York, UK, March 22-29, 2009. Proceedings. 425–439.
[18] Tong Chen, Jin Lin, Xiaoru Dai, Wei-Chung Hsu, and Pen-Chung Yew. 2004. Data
Dependence Profiling for Speculative Optimizations. In Compiler Construction,
13th International Conference, CC 2004, Held as Part of the Joint European Confer-
ences on Theory and Practice of Software, ETAPS 2004, Barcelona, Spain, March 29 -
April 2, 2004, Proceedings. 57–72.
[19] Liviu Ciortea, Cristian Zamfir, Stefan Bucur, Vitaly Chipounov, and George
Candea. 2009. Cloud9: a software testing service. Operating Systems Review 43, 4
(2009), 5–10.
[20] Lori A. Clarke. 1976. A program testing system. In Proceedings of the 1976 Annual
Conference, Houston, Texas, USA, October 20-22, 1976. 488–491.
[21] Patrick Cousot and Radhia Cousot. 1977. Abstract Interpretation: A Unified
Lattice Model for Static Analysis of Programs by Construction or Approximation
of Fixpoints. In Conference Record of the Fourth ACM Symposium on Principles of
Programming Languages, Los Angeles, California, USA, January 1977. 238–252.
[22] Jean-François Dhem, François Koeune, Philippe-Alexandre Leroux, Patrick
Mestré, Jean-Jacques Quisquater, and Jean-Louis Willems. 1998. A Practical
Implementation of the Timing Attack. In Smart Card Research and Applications,
This International Conference, CARDIS ’98, Louvain-la-Neuve, Belgium, September
14-16, 1998, Proceedings. 167–182.
[23] Craig Disselkoen, David Kohlbrenner, Leo Porter, and Dean M. Tullsen. 2017.
Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX. In
26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, Canada,
August 16-18, 2017. 51–67.
[24] Goran Doychev, Dominik Feld, Boris Köpf, Laurent Mauborgne, and Jan Reineke.
2013. CacheAudit: A Tool for the Static Analysis of Cache Side Channels. In
Proceedings of the 22th USENIX Security Symposium, Washington, DC, USA, August
14-16, 2013. 431–446.
[25] Goran Doychev and Boris Köpf. 2017. Rigorous analysis of software countermea-
sures against cache attacks. In Proceedings of the 38th ACM SIGPLAN Conference
on Programming Language Design and Implementation, PLDI 2017, Barcelona,
Spain, June 18-23, 2017. 406–421.
[26] Vasisht Duddu, Debasis Samanta, D. Vijay Rao, and Valentina E. Balas. 2018.
Stealing Neural Networks via Timing Side Channels. CoRR abs/1812.11720 (2018).
arXiv:1812.11720 http://arxiv.org/abs/1812.11720
[27] Marco Guarnieri, Boris Köpf, José F. Morales, Jan Reineke, and Andrés Sánchez.
2018. Spectector: Principled Detection of Speculative Information Flows. CoRR
abs/1812.08639 (2018). arXiv:1812.08639 http://arxiv.org/abs/1812.08639
[28] David Gullasch, Endre Bangerter, and Stephan Krenn. 2011. Cache Games -
BringingAccess-Based CacheAttacks onAES to Practice. In 32nd IEEE Symposium
on Security and Privacy, S&P 2011, 22-25 May 2011, Berkeley, California, USA. 490–
505.
[29] Shengjian Guo, Markus Kusano, Chao Wang, Zijiang Yang, and Aarti Gupta.
2015. Assertion guided symbolic execution of multithreaded programs. In ACM
SIGSOFT Symposium on Foundations of Software Engineering. 854–865.
[30] Shengjian Guo, MengWu, and ChaoWang. 2018. Adversarial symbolic execution
for detecting concurrency-related cache timing leaks. In Proceedings of the 2018
ACM Joint Meeting on European Software Engineering Conference and Symposium
on the Foundations of Software Engineering, ESEC/SIGSOFT FSE 2018, Lake Buena
Vista, FL, USA, November 04-09, 2018. 377–388.
[31] Shaobo He, Michael Emmi, and Gabriela F. Ciocarlie. 2019. ct-fuzz: Fuzzing for
Timing Leaks. CoRR abs/1904.07280 (2019).
[32] Sanghyun Hong, Michael Davinroy, Yigitcan Kaya, Stuart Nevans Locke, Ian
Rackow, Kevin Kulda, Dana Dachman-Soled, and Tudor Dumitras. 2018. Security
Analysis of Deep Neural Networks Operating in the Presence of Cache Side-
Channel Attacks. CoRR abs/1810.03487 (2018). arXiv:1810.03487 http://arxiv.org/
abs/1810.03487
[33] Xing Hu, Ling Liang, Lei Deng, Shuangchen Li, Xinfeng Xie, Yu Ji, Yufei Ding,
Chang Liu, Timothy Sherwood, and Yuan Xie. 2019. Neural Network Model
Extraction Attacks in Edge Devices by Hearing Architectural Hints. CoRR
abs/1903.03916 (2019). arXiv:1903.03916 http://arxiv.org/abs/1903.03916
[34] Ralf Hund, Carsten Willems, and Thorsten Holz. 2013. Practical Timing Side
Channel Attacks against Kernel Space ASLR. In 2013 IEEE Symposium on Security
and Privacy, SP 2013, Berkeley, CA, USA, May 19-22, 2013. 191–205.
[35] Saad Islam, Ahmad Moghimi, Ida Bruhns, Moritz Krebbel, Berk Gülmezoglu,
Thomas Eisenbarth, and Berk Sunar. 2019. SPOILER: Speculative Load Haz-
ards Boost Rowhammer and Cache Attacks. CoRR abs/1903.00446 (2019).
arXiv:1903.00446 http://arxiv.org/abs/1903.00446
[36] Kozo Kimura, Kosuki Yoshioka, and Tokuzo Kiyohara. 1996. Speculative execution
processor. (April 23 1996). US Patent 5,511,172.
[37] James C. King. 1976. Symbolic Execution and Program Testing. Commun. ACM
19, 7 (1976), 385–394.
[38] Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas,
Mike Hamburg, Moritz Lipp, StefanMangard, Thomas Prescher, Michael Schwarz,
and Yuval Yarom. 2019. Spectre Attacks: Exploiting Speculative Execution. In
40th IEEE Symposium on Security and Privacy (S&P’19).
[39] Paul C. Kocher. 1996. Timing Attacks on Implementations of Diffie-Hellman, RSA,
DSS, and Other Systems. In Advances in Cryptology - CRYPTO ’96, 16th Annual
International Cryptology Conference, Santa Barbara, California, USA, August 18-22,
1996, Proceedings. 104–113.
[40] Chris Lattner and Vikram S. Adve. 2004. LLVM: A Compilation Framework for
Lifelong Program Analysis & Transformation. In 2nd IEEE/ACM International
Symposium on Code Generation and Optimization, 20-24 March 2004, San Jose, CA,
USA. 75–88.
[41] Tong Li, Carla Schlatter Ellis, Alvin R. Lebeck, and Daniel J. Sorin. 2005. Pulse:
A Dynamic Deadlock Detection Mechanism Using Speculative Execution. In
Proceedings of the 2005 USENIX Annual Technical Conference, April 10-15, 2005,
Anaheim, CA, USA. 31–44.
[42] Xianfeng Li, Tulika Mitra, and Abhik Roychoudhury. 2003. Accurate timing
analysis by modeling caches, speculation and their interaction. In Proceedings of
the 40th Design Automation Conference, DAC 2003, Anaheim, CA, USA, June 2-6,
2003. 466–471.
[43] Xianfeng Li, Tulika Mitra, and Abhik Roychoudhury. 2005. Modeling Control
Speculation for Timing Analysis. Real-Time Systems 29, 1 (2005), 27–58.
[44] Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas,
Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval
Yarom, and Mike Hamburg. 2018. Meltdown: Reading Kernel Memory from User
Space. In 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD,
USA, August 15-17, 2018. 973–990.
[45] Sparsh Mittal. 2019. A survey of techniques for dynamic branch prediction.
Concurrency and Computation: Practice and Experience 31, 1 (2019).
[46] Shirin Nilizadeh, Yannic Noller, and Corina S. Pasareanu. 2019. DifFuzz: differ-
ential fuzzing for side-channel analysis. In Proceedings of the 41st International
Conference on Software Engineering, ICSE 2019, Montreal, QC, Canada, May 25-31,
2019. 176–187.
[47] Oleksii Oleksenko, Bohdan Trach, Mark Silberstein, and Christof Fetzer.
2019. SpecFuzz: Bringing Spectre-type vulnerabilities to the surface. CoRR
abs/1905.10311 (2019). arXiv:1905.10311 http://arxiv.org/abs/1905.10311
[48] Dag Arne Osvik, Adi Shamir, and Eran Tromer. 2006. Cache Attacks and Coun-
termeasures: The Case of AES. In Topics in Cryptology - CT-RSA 2006, The Cryp-
tographers’ Track at the RSA Conference 2006, San Jose, CA, USA, February 13-17,
2006, Proceedings. 1–20.
[49] Corina S. Pasareanu and Neha Rungta. 2010. Symbolic PathFinder: symbolic
execution of Java bytecode. In ASE 2010, 25th IEEE/ACM International Conference
on Automated Software Engineering, Antwerp, Belgium, September 20-24, 2010.
12
, ,
179–180.
[50] Prakash Prabhu, Ganesan Ramalingam, and Kapil Vaswani. 2010. Safe pro-
grammable speculative parallelism. In PLDI. 50–61.
[51] C. V. Ramamoorthy and Hon Fung Li. 1977. Pipeline Architecture. ACM Comput.
Surv. 9, 1 (1977), 61–102.
[52] Eran Tromer, Dag Arne Osvik, and Adi Shamir. 2010. Efficient Cache Attacks on
AES, and Countermeasures. J. Cryptology 23, 1 (2010), 37–71.
[53] Shuai Wang, Yuyan Bao, Xiao Liu, Pei Wang, Danfeng Zhang, and Dinghao
Wu. 2019. Identifying Cache-Based Side Channels through Secret-Augmented
Abstract Interpretation. CoRR abs/1905.13332 (2019).
[54] Shuai Wang, Yuyan Bao, Xiao Liu, Pei Wang, Danfeng Zhang, and Dinghao
Wu. 2019. Identifying Cache-Based Side Channels through Secret-Augmented
Abstract Interpretation. In 28th USENIX Security Symposium (USENIX Security
19). 657–674.
[55] Shuai Wang, Pei Wang, Xiao Liu, Danfeng Zhang, and Dinghao Wu. 2017.
CacheD: Identifying Cache-Based Timing Channels in Production Software. In
26th USENIX Security Symposium (USENIX Security 17). 235–252.
[56] Ofir Weisse, Jo Van Bulck, Marina Minkin, Daniel Genkin, Baris Kasikci, Frank
Piessens, Mark Silberstein, Raoul Strackx, Thomas F. Wenisch, and Yuval Yarom.
2018. Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient
Out-of-Order Execution. Technical report (2018).
[57] Jan Wichelmann, Ahmad Moghimi, Thomas Eisenbarth, and Berk Sunar. 2018.
MicroWalk: A Framework for Finding Side Channels in Binaries. In Proceedings
of the 34th Annual Computer Security Applications Conference, ACSAC 2018, San
Juan, PR, USA, December 03-07, 2018. 161–173.
[58] MengWu, Shengjian Guo, Patrick Schaumont, and ChaoWang. 2018. Eliminating
timing side-channel leaks using program repair. In Proceedings of the 27th ACM
SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2018,
Amsterdam, The Netherlands, July 16-21, 2018. 15–26.
[59] Meng Wu and Chao Wang. 2019. Abstract Interpretation under Speculative
Execution. In ACM SIGPLAN Conference on Programming Language Design and
Implementation. 57–69.
[60] Mengjia Yan, Christopher W. Fletcher, and Josep Torrellas. 2018. Cache Telepa-
thy: Leveraging Shared Resource Attacks to Learn DNN Architectures. CoRR
abs/1808.04761 (2018). arXiv:1808.04761 http://arxiv.org/abs/1808.04761
[61] Yuval Yarom and Katrina Falkner. 2014. FLUSH+RELOAD: A High Resolution,
Low Noise, L3 Cache Side-Channel Attack. In Proceedings of the 23rd USENIX
Security Symposium, San Diego, CA, USA, August 20-22, 2014. 719–732.
13
