Symbolic Verification of Cache Side-channel Freedom by Chattopadhyay, Sudipta & Roychoudhury, Abhik
Symbolic Verification of Cache Side-channel Freedom
Sudipta Chattopadhyay
Singapore University of Technology and Design
Abhik Roychoudhury
National University of Singapore
ABSTRACT
Cache timing attacks allow third-party observers to retrieve sen-
sitive information from program executions. But, is it possible to
automatically check the vulnerability of a program against cache
timing attacks and then, automatically shield program executions
against these attacks? For a given program, a cache configuration
and an attack model, our CACHEFIX framework either verifies the
cache side-channel freedom of the program or synthesizes a se-
ries of patches to ensure cache side-channel freedom during pro-
gram execution. At the core of our framework is a novel symbolic
verification technique based on automated abstraction refinement
of cache semantics. The power of such a framework is to allow
symbolic reasoning over counterexample traces and to combine it
with runtime monitoring for eliminating cache side channels during
program execution. Our evaluation with routines from OpenSSL,
libfixedtimefixedpoint, GDK and FourQlib libraries re-
veals that our CACHEFIX approach (dis)proves cache side-channel
freedom within an average of 75 seconds. Besides, in all except
one case, CACHEFIX synthesizes all patches within 20 minutes to
ensure cache side-channel freedom of the respective routines during
execution.
1 INTRODUCTION
Cache timing attacks [23, 24] are among the most critical side-
channel attacks [25] that retrieve sensitive information from pro-
gram executions. Recent cache attacks [31] further show that cache
side-channel attacks are practical even in commodity embedded
processors, such as in ARM-based embedded platforms [31]. The
basic idea of a cache timing attack is to observe the timing of cache
hits and misses for a program execution. Subsequently, the attacker
use such timing to guess the sensitive input via which the respective
program was activated.
Given the practical relevance, it is crucial to verify whether a given
program (e.g. an encryption routine) satisfies cache side-channel
freedom, meaning the program is not vulnerable to cache timing
attacks. However, verification of such a property is challenging for
several reasons. Firstly, the verification of cache side-channel free-
dom requires a systematic integration of cache semantics within the
program semantics. This, in turn, is based on the derivation of a
suitable abstraction of cache semantics. Our proposed CACHEFIX
approach automatically builds such an abstraction and systematically
refines it until a proof of cache side-channel freedom is obtained or a
real (i.e. non-spurious) counterexample is produced. Secondly, prov-
ing cache side-channel freedom of a program requires reasoning over
multiple execution traces. To this end, we propose a symbolic verifi-
cation technique within our CACHEFIX framework. Concretely, we
capture the cache behaviour of a program via symbolic constraints
over program inputs. Then, we leverage recent advances on satisfia-
bility modulo theory (SMT) and constraint solving to (dis)prove the
cache side-channel freedom of a program.
An appealing feature of our CACHEFIX approach is to employ
symbolic reasoning over the real counterexample traces. To this end,
we systematically explore real counterexample traces and apply such
symbolic reasoning to synthesize patches. Each synthesized patch
captures a symbolic condition ν on input variables and a sequence of
actions that needs to be applied when the program is processed with
inputs satisfying ν . The application of a patch is guaranteed to reduce
the channel capacity of the program under inspection. Moreover, if
our checker terminates, then our CACHEFIX approach guarantees to
synthesize all patches that completely shields the program against
cache timing attacks [8, 14]. Intuitively, our CACHEFIX approach
can start with a program P vulnerable to cache timing attack. Then,
it leverages a systematic combination of symbolic verification and
runtime monitoring to execute P with cache side-channel freedom.
It is the precision and the novel mechanism implemented within
CACHEFIX that set us apart from the state of the art. Existing works
on analyzing cache side channels [15, 22, 30] are incapable to au-
tomatically build and refine abstractions for cache semantics. Be-
sides, these works are not directly applicable when the underlying
program does not satisfy cache side-channel freedom. Given an ar-
bitrary program, our CACHEFIX approach generates proofs of its
cache side-channel freedom or generates input(s) that manifest the
violation of cache side-channel freedom. Moreover, our symbolic
reasoning framework provides capabilities to systematically synthe-
size patches and completely eliminate cache side channels during
program execution.
We organize the remainder of the paper as follows. After provid-
ing an overview of CACHEFIX (Section 2), we make the following
contributions:
(1) We present CACHEFIX, a novel symbolic verification frame-
work to check the cache side-channel freedom of an arbitrary
program. To the best of our knowledge, this is the first ap-
plication of automated abstraction refinement and symbolic
verification to check the cache behaviour of a program.
(2) We instantiate our CACHEFIX approach with direct-mapped
caches, as well as with set-associative caches with least re-
cently used (LRU) and first-in-first-out (FIFO) policy (Sec-
tion 4.3). In Section 4.4, we show the generalization of our
CACHEFIX approach over timing-based attacks [14] and
trace-based attacks [8].
(3) We discuss a systematic exploration of counterexamples to
synthesize patches and to shield program executions against
cache timing attacks (Section 5). We provide theoretical guar-
antees that such patch synthesis converges towards completely
eliminating cache side channels during execution.
(4) We provide an implementation of CACHEFIX and evaluate
it with 25 routines from OpenSSL, GDK, FourQlib and
libfixedtimefixedpoint libraries. Our evaluation re-
veals that CACHEFIX can establish proof or generate non-
spurious counterexamples within 75 seconds on average. Be-
sides, in most cases, CACHEFIX generated all patches within
ar
X
iv
:1
80
7.
04
70
1v
1 
 [c
s.S
E]
  1
2 J
ul 
20
18
20 minutes to ensure cache side-channel freedom during ex-
ecution. Our implementation and all experimental data are
publicly available.
2 OVERVIEW
In this section, we demonstrate the general insight behind our ap-
proach through examples. We consider the simple code fragments in
Figure 1(a)-(b) where key is a sensitive input. In this example, we
will assume a direct-mapped cache having a size of 512 bytes. For
the sake of brevity, we also assume that key is stored in a register and
accessing key does not involve the cache. The mapping of different
program variables into the cache appears in Figure 1(c). Finally, we
assume the presence of an attacker who observes the number of
cache misses in the victim program. For such an attacker, examples
in Figure 1(a)-(b) satisfy cache side-channel freedom if and only if
the number of cache misses suffered is independent of key.
Why symbolic verification? Cache side-channel freedom of a
program critically depends on how it interacts with the cache. We
make an observation that the program cache behaviour can be formu-
lated via a well-defined set of predicates. To this end, let us assume
set(ri ) captures the cache set accessed by instruction ri and taд(ri )
captures the accessed cache tag by the same instruction. Consider the
instruction r3 in Figure 1(a). We introduce a symbolic variablemiss3,
which we intend to set to one if r3 suffers a cache miss and to set
to zero otherwise. We observe that miss3 depends on the following
logical condition:
Γ(r3) ≡ ¬
(
0 ≤ key ≤ 127 ∧ ρset13 ∧ ¬ρtaд13
)
∧¬
(
key ≥ 128 ∧ ρset23 ∧ ¬ρtaд23
) (1)
where ρtaдji ≡
(
taд(r j ) , taд(ri )
)
and ρsetji ≡
(
set(r j ) = set(ri )
)
.
Intuitively, Γ(r3) checks whether both r1 and r2, if executed, load
different memory blocks than the one accessed by r3. Therefore,
if Γ(r3) is evaluated to true, then miss3 = 1 (i.e. r3 suffers a cache
miss) and miss3 = 0 (i.e. r3 is a cache hit), otherwise. Formally, we
set the cache behaviour of r3 as follows:
Γ(r3) ⇔ (miss3 = 1) ; ¬Γ(r3) ⇔ (miss3 = 0) (2)
The style of encoding, as shown in Equation 2, facilitates the usage
of state-of-the-art solvers for verifying cache side-channel freedom.
In general, we note that the cache behaviour of the program in
Figure 1(a), i.e., the cache behaviours of r1, . . . , r4; can be formu-
lated accurately via the following set of predicates related to cache
semantics:
Predcache = {ρsetji ∪ ρtaдji | 1 ≤ j < i ≤ 4} (3)
The size of Predcache depends on the number of memory-related
instructions. However, |Predcache | does not vary with the cache size.
Key insight in abstraction refinement. If the attacker observes
the number of cache misses, then the cache side-channel freedom
holds for the program in Figure 1(a) when all feasible traces exhibit
the same number of cache misses. Hence, such a property φ can be
formulated as the non-existence of two traces tr1 and tr2 as follows:
φ ≡ ∄tr1,∄tr2 s .t .
( 4∑
i=1
miss
(tr1)
i ,
4∑
i=1
miss
(tr2)
i
)
(4)
where miss(tr )i captures the valuation of missi in trace tr .
Our key insight is that to establish a proof of φ (or its lack thereof),
it is not necessary to accurately track the values of all predicates in
Predcache (cf. Equation 3). In other words, even if some predicates
in Predcache have unknown values, it might be possible to (dis)prove
φ. This phenomenon occurs due to the inherent design principle of
caches and we exploit this in our abstraction refinement process.
To realize our hypothesis, we first start with an initial set of
predicates (possibly empty) whose values are accurately tracked
during verification. In this example, let us assume that we start with
an initial set of predicates Predinit = {ρset13 , ρ
taд
13 , ρ
set
23 , ρ
taд
23 }. The
rest of the predicates in Predcache \Predinit are set to unknown value.
With this configuration at hand, CACHEFIX returns counterexample
traces tr1 and tr2 (cf. Equation 4) to reflect that φ does not hold for
the program in Figure 1(a). In particular, the following traces are
returned:
tr1 ≡ ⟨miss1 =miss3 = 1,miss2 =miss4 = 0⟩
tr2 ≡ ⟨miss1 = 0,miss2 =miss3 =miss4 = 1⟩
Given tr1 and tr2, we check whether any of them are spurious.
To this end, we reconstruct the logical condition (cf. Equation 2)
that led to the specific valuations of missi variables in a trace. For
instance in trace tr2, such a logical condition is captured via ¬Γ(r1)∧∧
i ∈[2,4] Γ(ri ). It turns out that ¬Γ(r1)∧
∧
i ∈[2,4] Γ(ri ) is unsatisfiable,
making tr2 spurious. This happened due to the incompleteness in
tracking the predicates Predcache .
To systematically augment the set of predicates and rerun our
verification process, we extract the unsatisfiable core from ¬Γ(r1) ∧∧
i ∈[2,4] Γ(ri ). Specifically, we get the following unsatisfiable core:
U ≡ ¬ρset34 ∨ ρtaд34 (5)
Intuitively, with the initial abstraction Predinit , our checker CACHE-
FIX failed to observe that r3 and r4 access the same memory block,
hence, U is unsatisfiable. We then augment our initial set of predi-
cates with the predicates in U and therefore, refining the abstraction
as follows:
Predcur = {ρset13 , ρtaд13 , ρset23 , ρ
taд
23 , ρ
set
34 , ρ
taд
34 }
CACHEFIX successfully verifies the cache side-channel freedom
of the program in Figure 1(a) with the set of predicates Predcur . We
note that the predicates in Predcache \Predcur , ϕ. In particular, we
still have unknown values assigned to the following set of predicates:
Predunknown = {ρset12 , ρtaд12 , ρset14 , ρ
taд
14 , ρ
set
24 , ρ
taд
24 }
Therefore, it was possible to verify φ by tracking only half of the
predicates in Predcache . Intuitively, ρset12 and ρ
taд
12 were not needed
to be tracked as r1 and r2 cannot appear in a single trace, as captured
via the program semantics. In contrast, the rest of the predicates
in Predunknown were not required for the verification process, as
neither r1 nor r2 influences the cache behaviour of r4 – it is influenced
completely by r3.
Key insight in fixing. In general, the state-of-the-art in fixing
cache side-channel is to revert to constant-time programming style [9].
Constant-time programming style imposes heavy burden on a pro-
grammer to follow certain programming patterns, such as to en-
sure the absence of input-dependent branches and input-dependent
memory accesses. Yet, most programs do not exhibit constant-time
2
/* key is sensitive input */ 
char a[256]; 
unsigned char key;   
char b[256]; 
if (key <= 127) 
r1: load  reg2, b[255] 
else 
r2: load  reg2, b[128] 
r3: load  reg1, a[key] 
c1: add   reg1, reg2 
r4: store reg1, a[key]
/* key is sensitive input */ 
char a[256]; 
unsigned char key;   
char b[256]; 
if (key <= 127) 
r1: load  reg2, b[255] 
else 
r2: load  reg2, a[255] 
r3: load  reg1, a[key] 
c1: add   reg1, reg2 
r4: store reg1, a[key]
a[0], b[255]
a[1]
key
b[0]
b[1]
b[254] Cache
256 bytes
256 bytes
a[255]
/* key=255 */ 
/* inject cache miss */ 
=> load reg’, fresh[0] 
r2 -> r3 -> c1 -> r4 
/* 128<=key<=254 */ 
/* do nothing */ 
r2 -> r3 -> c1 -> r4 
/* 0<=key<=127 */ 
/* do nothing */ 
r1 -> r3 -> c1 -> r4 
(a) (b) (c) (d)
Figure 1: A code fragment (a) satisfying cache side-channel freedom, (b) violating cache side-channel freedom. (c) Mapping of vari-
ables into the cache. (d) Runtime actions and the execution order for the program in Figure 1(b) to ensure cache side-channel freedom.
behaviour. Besides, the example in Figure 1(a) shows that an appli-
cation can still have constant cache-timing, despite not following the
constant-time programming style. Using our CACHEFIX approach,
we observe that it is not necessary to always write constant-time pro-
grams. Instead, the executions of such programs can be manipulated
to exhibit constant time behaviour. We accomplish this by leveraging
our verification results.
We consider the example in Figure 1(b) and let us assume that we
start with the initial abstraction Predinit = {ρset13 , ρ
taд
13 , ρ
set
23 , ρ
taд
23 }.
CACHEFIX returns the following counterexample while verifying φ
(cf. Equation 4):
tr1 ≡ ⟨miss1 =miss3 = 1,miss2 =miss4 = 0⟩
tr2 ≡ ⟨miss2 = 1,miss1 =miss3 =miss4 = 0⟩
If we reconstruct the logical condition that led to the specific
valuations of miss1, . . . ,miss4 in tr1 and tr2, then we get the sym-
bolic formulas Γ(r1) ∧ ¬Γ(r2) ∧ Γ(r3) ∧ ¬Γ(r4) and ¬Γ(r1) ∧ Γ(r2) ∧
¬Γ(r3) ∧ ¬Γ(r4), respectively. Both the formulas are satisfiable for
the example in Figure 1(b). Intuitively, this happens due to r2, which
loads the same memory block as accessed by r3 only if key = 255.
We observe that tr2 will be equivalent to tr1 if a cache miss
is inserted in the beginning of tr2. To this end, we need to know
all inputs that lead to tr2. Thanks to the symbolic nature of our
analysis, we obtain the exact symbolic condition, i.e., ¬Γ(r1) ∧
Γ(r2) ∧ ¬Γ(r3) ∧ ¬Γ(r4) that manifests the trace tr2. Therefore, if
the program in Figure 1(b) is executed with any input satisfying
¬Γ(r1) ∧ Γ(r2) ∧ ¬Γ(r3) ∧ ¬Γ(r4), then a cache miss is injected as
shown in Figure 1(d). This ensures the cache side-channel freedom
during program execution, as all traces exhibit the same number of
cache misses.
Our proposed fixing mechanism is novel that it does not rely on
any specific programming style. Moreover, as we generate the fixes
by directly leveraging the verification results, we can provide strong
security guarantees during program execution.
Overall workflow of CacheFix. Figure 2 outlines the overall
workflow of CACHEFIX. The abstraction refinement process is guar-
anteed to converge towards the most precise abstraction of cache
semantics to (dis)prove the cache side-channel freedom. Moreover,
as observed in Figure 2, our cache side channel fixing is guided by
program verification output, enabling us to give cache side channel
freedom guarantees about the fixed program.
Program (P) 
Cache (C) 
Initial Abstraction 
(Predinit) Verify
Attack Model (O) 
Spurious 
Counterexample
Refine Abstraction 
(Predcur)
Real 
Counterexample
Extract Monitor 
+ 
Synthesize Patch 
Side-channel  
Freedom✅
♽
♽
Figure 2: Workflow of our symbolic verification and patching
3 THREAT AND SYSTEM MODEL
Threat Model. We assume that an attacker makes observations
on the execution traces of victim program P and the implementation
of P is known to the attacker. Besides, there does not exist any error
in the observations made by the attacker. We also assume that an
attacker can execute arbitrary user-level code on the processor that
runs the victim program. This, in turn, allows the attacker to flush
the cache (e.g. via accessing a large array) before the victim routine
starts execution. We, however, do not assume that the attacker can
access the address space of the victim program P. We believe the
aforementioned assumptions on the attacker are justified, as we aim
to verify the cache side-channel freedom of programs against strong
attacker models.
We capture an execution trace via a sequence of hits (h) and
misses (m). Hence, formally we model an attacker as the mapping
O : {h,m}∗ → X, where X is a countable set. For tr1, tr2 ∈ {h,m}∗,
an attacker can distinguish tr1 from tr2 if and only if O(tr1) ,
O(tr2). In this paper, we instantiate our checker for the following
realistic attack models:
• Ot ime : {h,m}∗ → N. Ot ime maps each execution trace to
the number of cache misses suffered by the same. This attack
model imitates cache timing attacks [14].
• Otrace : {h,m}∗ → {0, 1}∗. Otrace maps each execution
trace to a bitvector (h is mapped to 0 andm is mapped to 1).
This attack model imitates trace-based attacks [8].
Processor model. We assume an ARM-style processor with one
or more cache levels. However, we consider timing attacks only
3
due to first-level instruction or data caches [8, 14]. We currently do
not handle more advanced attacks on shared caches [32]. First-level
caches can either be partitioned (instruction vs. data) or unified. We
assume that set-associative caches have either LRU or FIFO replace-
ment policy. Other deterministic replacement policies can easily be
integrated within CACHEFIX via additional symbolic constraints.
Finally, our timing model only takes into account the effect of caches.
Timing effects due to other micro-architectural features (e.g. pipeline
and branch prediction) are currently not handled. For the sake of
brevity, we discuss the timing effects due to memory-related in-
structions. It is straightforward to integrate the timing effects of
computation instructions (e.g. add) into CACHEFIX.
4 ABSTRACTION REFINEMENT
Notations. We represent cache via a triple ⟨2S , 2B ,A⟩ where
2S , 2B and A capture the number of cache sets, cache line size
and cache associativity, respectively. We use set(ri ) and taд(ri )
to capture the cache set and cache tag, respectively, accessed by
instruction ri . Additionally, we introduce a symbolic variable missi
to capture whether ri was a miss (missi = 1) or a hit (missi = 0).
For instructions ri and r j , we have j < i if and only if r j was
(symbolically) executed before ri .
4.1 Initial abstract domain
We assume that a routine may start execution with any initial cache
state, but it does not access memory blocks within the initial state
during execution [22]. Hence, for a given instruction ri , its cache
behaviour might be affected by all instructions executing prior to ri .
Concretely, the cache behaviour of ri can be accurately predicted
based on the set of logical predicates Predset and Predtaд as follows:
Prediset = {set(r j ) = set(ri ) | 1 ≤ j < i}
Preditaд = {taд(r j ) , taд(ri ) | 1 ≤ j < i}
(6)
Intuitively, Prediset captures the set of predicates checking whether
any instruction prior to ri accesses the same cache set as ri . Similarly,
Preditaд checks whether any instruction prior to ri has a different
cache tag than taд(ri ). Based on this intuition, the following set
of predicates are sufficient to predict the cache behaviours of N
memory-related instructions.
Predset =
N⋃
i=1
Prediset ; Predtaд =
N⋃
i=1
Preditaд (7)
For the sake of efficiency, however, we launch verification with a
smaller set of predicates Predinit ⊆ Predtaд ∪ Predset as follows:
Predinit =
N⋃
i=1
{
p | p ∈ Predtaд ∪ Predset ∧ |σ (ri )| = 1 ∧
∀k ∈ [1, i). |σ (rk )| = 1 ∧ дuardk ⇒ true}
(8)
σ (ri ) captures the set of memory blocks accessed by instruction ri
and дuardk captures the control condition under which rk is exe-
cuted. In general, our CACHEFIX approach works even if Predinit =
ϕ. However, to accelerate the convergence of CACHEFIX, we start
with the predicates whose values can be statically determined (i.e.
independent of inputs). Intuitively, we take this approach for two
reasons: firstly, the set Predinit can be computed efficiently during
Algorithm 1 Abstraction Refinement Algorithm
Input: Program P, cache configuration C, attack model O
Output: Successful verification or a concrete counterexample
1: /* Ψ is a formula representation of P */
2: /* Pred is cache-semantics-related predicates */
3: /* Γ determines cache behaviour of all instructions */
4: (Ψ, Pred, Γ) := EXECUTESYMBOLIC(P , C)
5: /* Formulate initial abstraction (cf. Equation 8) */
6: Predcur :=Predinit := GETINITIALABSTRACTION(Pred)
7: /* Rewrite Ψ with initial abstraction */
8: REWRITE(Ψ, Predinit )
9: /* Formulate cache side-channel freedom property */
10: φ := GETPROPERTY(O)
11: /* Invoke symbolic verification to check Ψ ∧ ¬φ */
12: (res, tr1, tr2) := VERIFY(Ψ,φ)
13: while (res=f alse) ∧ (tr1 or tr2 is spurious) do
14: /* Extract unsatisfiable core from tr1 and/or tr2 */
15: U := UNSATCORE(tr1, tr2, Γ)
16: /* Refine abstractions and repeat verification */
17: Predcur := REFINE(Predinit , U, Pred)
18: REWRITE(Ψ, Predcur )
19: (res, tr1, tr2) := VERIFY(Ψ,φ)
20: Predinit := Predcur
21: end while
22: return res
symbolic execution. Secondly, as the predicates in Predinit have con-
stant valuation, they reduce the size of the formula to be discharged
to the SMT solver. We note that дuardk depends on the program
semantics. The abstraction of program semantics is an orthogonal
problem and for the sake of brevity, we skip its discussion here.
4.2 Abstract domain refinement
We use the mapping Γ : {r1, r2, . . . , rN } → {true, f alse} to capture
the conditions under which ri was a cache hit (i.e. missi = 0) or a
cache miss (i.e. missi = 1). In particular, the following holds:
Γ(ri ) ⇔ (missi = 1) ; ¬Γ(ri ) ⇔ (missi = 0) (9)
Γ(ri ) depends on predicates in Prediset ∪ Preditaд and the cache
configuration. We show the formulation of Γ(ri ) in Section 4.3.
ExecuteSymbolic. Algorithm 1 captures the overall verification
process based on our systematic abstraction refinement. The sym-
bolic verification engine computes a formula representation Ψ of
the program P. This is accomplished via a symbolic execution on
program P (cf. procedure EXECUTESYMBOLIC) and systematically
translating the cache and program semantics of each instruction into
a set of constraints (cf. procedure CONVERT).
Convert. During the symbolic execution, a set of symbolic states,
each capturing a unique execution path reaching an instruction ri ,
is maintained. This set of symbolic states can be viewed as a dis-
junction Ψ(ri ) ≡ ψ1 ∨ψ2 ∨ . . . ∨ψj−1 ∨ψj , where Ψ(ri ) ⇒ Ψ and
each ψi symbolically captures a unique execution path leading to
instruction ri . At each instruction ri , the procedure CONVERT trans-
lates Ψ(ri ) in such a fashion that Ψ(ri ) integrates both the cache
semantics (cf. lines 13-14) and program semantics (cf. lines 18) of
4
Procedure 2 Symbolically Tracking Program and Cache States
1: /* symbolically execute P with cache configuration C*/
2: procedure EXECUTESYMBOLIC(P, C)
3: i := 1; Ψ := true; Predset := Predtaд := ϕ
4: ri := GETNEXTINSTRUCTION(P)
5: while ri , exit do
6: if ri is memory-related instruction then
7: /* Collect predicates for cache semantics */
8: Predset ∪ = Prediset ; Predtaд ∪ = Preditaд
9: /* Γ(ri ) determines cache behaviour of ri */
10: Formulate Γ(ri ) /* see Section 4.3 */
11: Γ ∪ = {Γ(ri )}
12: /* Integrate cache semantics within Ψ */
13: Ψ := CONVERT(Ψ, Γ(ri ) ⇔ (missi = 1))
14: Ψ := CONVERT(Ψ,¬Γ(ri ) ⇔ (missi = 0))
15: end if
16: /* Integrate program semantics of ri within Ψ */
17: /* φ(ri ) is a predicate capturing ri semantics */
18: Ψ := CONVERT(Ψ,φ(ri ))
19: i := i + 1
20: ri := GETNEXTINSTRUCTION(P)
21: end while
22: return (Ψ, Predset ∪ Predtaд , Γ)
23: end procedure
ri . For instance, to integrate cache semantics of a memory-related
instruction ri , Ψ(ri ) is converted to Ψ(ri ) ∧ (Γ(ri ) ⇔ (missi = 1)) ∧
(¬Γ(ri ) ⇔ (missi = 0)). Similarly, the program semantics of instruc-
tion ri , as captured via φ(ri ), is integrated within Ψ(ri ) as Ψ(ri ) ∧
φ(ri ). Translating the program semantics of each instruction to a
set of constraints is a standard technique in any symbolic model
checking [19]. Moreover, such a translation is typically carried out
on a program in static single assignment (SSA) form and takes into
account both data and control flow. Unlike classic symbolic anal-
ysis, however, we consider both the cache semantics and program
semantics of an execution path, as explained in the preceding.
GetInitialAbstraction. We start our verification with an initial
abstraction of cache semantics (cf. Equation 8). Such an initial
abstraction contains a partial set of logical predicates Predinit ⊆
Predset∪Predtaд . Based on Predinit , we rewrite Ψ via the procedure
REWRITE as follows: We walk through Ψ and look for occurrences
of any predicate p− ∈ (Predset ∪ Predtaд ) \ Predinit . For any p−
discovered in Ψ, we replace p− with a fresh symbolic variable Vp− .
Intuitively, this means that during the verification process, we assume
any truth value for the predicates in
(
Predset ∪ Predtaд
) \ Predinit .
This, in turn, substantially reduces the size of the symbolic formula
Ψ and simplifies the verification process.
Verify and GetProperty. The procedure VERIFY invokes the
solver to check the cache side-channel freedom of P with respect to
attack model O. The property φ, capturing the cache side-channel
freedom, is computed via GETPROPERTY. For example, in timing-
based attacks, φ is captured via the non-existence of any two traces
tr1 and tr2 that have different number of cache misses (cf. Equa-
tion 4). In other words, if the following formula is satisfied with
more than one valuations for
∑N
i=1missi , then side-channel freedom
is violated:
Ψ ∧
(( N∑
i=1
missi
)
≥ 0
)
(10)
Here N captures the total number of memory-related instructions
encountered during the symbolic execution of P.
Refine and Rewrite. When our verification process fails, we
check the feasibility of a counterexample trace trace ∈ {tr1, tr2}.
Recall from Equation 9 that ri is a cache miss if and only if Γ(ri )
holds true. We leverage this relation to construct the following for-
mula Γtrace for feasibility checking:
Γtrace =
N∧
i=1
{
Γ(ri ), if miss(trace)i = 1;
¬Γ(ri ), if miss(trace)i = 0;
(11)
In Equation 11, miss(trace)i captures the valuation of symbolic vari-
ablemissi in the counterexample trace. We note that trace is not a
spurious counterexample if and only if Γtrace is satisfiable, hence,
highlighting the violation of cache side-channel freedom.
If Γtrace is unsatisfiable, then our initial abstraction Predinit was
insufficient to (dis)prove the cache side-channel freedom. In order
to refine this abstraction, we extract the unsatisfiable core from the
symbolic formula Γtrace via the procedure UNSATCORE. Such an
unsatisfiable core contains a set of CNF clauses ∈ ⋃k ∈[1,N ] Γ(rk ).
We note each Γ(rk ) is a function of the set of predicates Predtaд ∪
Predset . Finally, we refine the abstraction (cf. procedure REFINE in
Algorithm 1) to Predcur by including all predicates in the unsatisfi-
able core as follows:
Predcur := Predinit ∪ {p+ | p+ ∈ UnsatCore(Γtrace ) \ Predinit }
(12)
With the refined abstraction Predcur , we rewrite the symbolic
formula Ψ (cf. procedure REWRITE). In particular, we identify the
placeholder symbolic variables for predicates in the set Predcur \
Predinit . We rewrite Ψ by replacing these placeholder symbolic
variables with the respective predicates in the set Predcur \ Predinit .
It is worthwhile to note that the placeholder symbolic variables in(
Predtaд ∪ Predset
) \ Predcur remain unchanged.
4.3 Modeling Cache Semantics
For each memory-related instruction ri , the formulation of Γ(ri ) is
critical to prove the cache side-channel freedom. The formulation
of Γ(ri ) depends on the configuration of caches. Due to space con-
straints, we will only discuss the symbolic model for direct-mapped
caches (symbolic models for LRU and FIFO caches are provided in
the appendix). To simplify the formulation, we will use the following
abbreviations for the rest of the section:
ρseti j ≡
(
set(ri ) = set(r j )
)
; ρtaдi j ≡
(
taд(ri ) , taд(r j )
)
(13)
We also distinguish between the following variants of misses:
(1) Cold misses: Cold misses occur when a memory block is
accessed for the first time.
(2) Conflict misses: All cache misses that are not cold misses
are referred to as conflict misses.
5
Formulating conditions for cold misses. Cold cache misses oc-
cur when a memory block is accessed for the first time during pro-
gram execution. In order to check whether ri suffers a cold miss,
we check whether all instructions r ∈ {r1, r2, . . . , ri−1} access dif-
ferent memory blocks than the memory block accessed by ri . This
is captured as follows:
Θcoldi ≡
∧
j ∈[1,i)
(
¬ρsetji ∨ ρtaдji ∨ ¬дuardj
)
(14)
Recall that дuardj captures the control condition under which r j
is executed. Hence, if дuardj is evaluated false for a trace, then r j
does not appear in the respective trace. If Θcoldi is satisfied, then ri
inevitably suffers a cold cache miss.
Formulating conditions for conflict cache misses. For direct-
mapped caches, an instruction ri suffers a conflict miss due to an
instruction r j if all of the following conditions are satisfied:
ϕcnf,dirji : If r j accesses the same cache set as ri , however, r j
accesses a different cache tag as compared to ri . This is formally
captured as follows:
ϕ
cnf ,dir
ji ≡ ρ
taд
ji ∧ ρsetji (15)
ϕrel,dirji : No instruction between r j and ri accesses the same
memory block as ri . For instance, consider the memory-block access
sequence (r1 : m1) → (r2 : m2) → (r3 : m2), where both m1
and m2 are mapped to the same cache set and r1...3 captures the
respective memory-related instructions. It is not possible for r1 to
inflict a conflict miss for r3, as the memory block m2 is reloaded by
instruction r2. ϕ
r el,dir
ji is formally captured as follows:
ϕr el,dirji ≡
∧
j<k<i
(
ρ
taд
ki ∨ ¬ρsetki ∨ ¬дuardk
)
(16)
Intuitively, ϕr el,dirji captures that all instructions between r j and ri
either access a different memory block than ri (hence, satisfying
ρ
taд
ki ∨ ¬ρsetki ) or does not appear in the execution trace (hence,
satisfying ¬дuardk ).
Given the intuition mentioned in the preceding paragraphs, we
conclude that ri suffers a conflict miss if both ϕ
cnf ,dir
ji and ϕ
r el,dir
ji
are satisfied for any instruction executing prior to ri . This is captured
in the symbolic condition Θcnf ,diri as follows:
Θ
cnf ,dir
i ≡
∨
j ∈[1,i)
(
ϕ
cnf ,dir
ji ∧ ϕr el,dirji ∧ дuardj
)
(17)
Computing Γ(ri ). For direct-mapped caches, ri can be a cache
miss if it is either a cold cache miss or a conflict miss. Hence, Γ(ri )
is captured symbolically as follows:
Γ(ri ) ≡ дuardi ∧
(
Θcoldi ∨ Θcnf ,diri
)
(18)
4.4 Property for cache side-channel freedom
In this paper, we instantiate our checker for timing-based attacks [14]
and trace-based attacks [8] as follows.
Timing-based attacks. In timing-based attacks, an attacker aims
to distinguish traces based on their timing. In our framework, we
verify the following property to ensure cache side-channel freedom:Ψ ∧
(( N∑
i=1
missi
)
≥ 0
)
sol
(∑N
i=1missi
) ≤ 1 (19)
N captures the number of symbolically executed, memory-related
instructions. sol(∑Ni=1missi ) captures the number of valuations of∑N
i=1missi . Intuitively, Equation 19 aims to check that the underly-
ing program has exactly one cache behaviour, in terms of the total
number of cache misses.
Trace-based attacks. In trace-based attacks, an attacker monitors
the cache behaviour of each memory access. We define a partial
function ξ : {r1, . . . , rN } ↛ {0, 1} as follows:
ξ (ri ) =
{
1, if дuardi ∧ (missi = 1) holds;
0, if дuardi ∧ (missi = 0) holds;
(20)
The following verification goal ensures side-channel freedom:Ψ ∧ |dom(ξ )| ≥ 0 ∧ (∥ri ∈dom(ξ ) ξ (ri )) ≥ 0sol (X ) ≤ 1 (21)
where dom(ξ ) captures the domain of ξ , ∥ captures the ordered
(with respect to the indexes of ri ) concatenation operation and X =
⟨|dom(ξ )| , ∥ri ∈dom(ξ ) ξ (ri )⟩. Intuitively, we check whether there
exists exactly one cache behaviour sequence.
5 RUNTIME MONITORING
CACHEFIX produces the first real counterexample when it discovers
two traces with different observations (w.r.t. attack model O). These
traces are then analyzed to compute a set of runtime actions that
are guaranteed to reduce the uncertainty to guess sensitive inputs.
Overall, our runtime monitoring involves the following crucial steps:
• We analyze a counterexample trace tr and extract the sym-
bolic condition for which the same trace would be generated,
• We systematically explore unique counterexamples with the
objective to reduce the uncertainty to guess sensitive inputs,
• We compute a set of runtime actions that need to be applied
for improving the cache side-channel freedom.
In the following, we discuss these three steps in more detail.
Analyzing a counterexample trace. Given a real counterexample
trace, we extract a symbolic condition that captures all the inputs
for which the same counterexample trace can be obtained. Thanks
to the symbolic nature of our analysis, CACHEFIX already includes
capabilities to extract these monitors as follows.
ν ≡
∧
ri ∈trace
{
Γ(ri ), if miss(trace)i = 1;
¬Γ(ri ), if miss(trace)i = 0;
(22)
where miss(trace)i is the valuation of symbolic variable missi in
trace. We note that ν ⇒ ¬Γ(r j ) for any r j that does not appear in
trace (i.e. r j < trace). Hence, to formulate ν , it was sufficient to
consider only the instructions that appear in trace.
6
Once we extract a monitor ν from counterexample trace, the
symbolic system Ψ is refined to Ψ ∧ ¬ν . This is to ensure that we
only explore unique counterexample traces.
Systematic exploration of counterexamples. The order of ex-
ploring counterexamples is crucial to satisfy monotonicity, i.e., to
reduce the channel capacity (a standard metric to quantify the infor-
mation flow from sensitive input to attacker observation) of P with
each round of patch generation. To this end, CACHEFIX employs a
strategy that can be visualized as an exploration of the equivalence
classes of observations (e.g. #cache misses), i.e., we explore all
counterexamples in the same equivalence class in one shot. In order
to find another counterexample exhibiting the same observation as
observation o, we modify the verification goal as follows, for timing
and trace-based attacks, respectively (cf. Equation 20 for ξ ):
Ψ ∧ ¬
(( N∑
i=1
missi
)
, o
)
;
Ψ ∧ ¬ ©­­«
|dom(ξ )| , [|dom(ξ )|]o
∨ ∥ri ∈dom(ξ ) ξ (ri ) ,
[
∥ri ∈dom(ξ ) ξ (ri )
]
o
ª®®¬
(23)
where [X ]o captures the valuation of X with respect to observation o
and N is the total number of symbolically executed, memory-related
instructions. If Equation 23 is unsatisfiable, then it captures the ab-
sence of any more counterexample with observation o. We note that
Ψ is automatically refined to avoid discovering duplicate or spurious
counterexamples. If Equation 23 is satisfiable, our checker provides
another real counterexample with the observation o. We repeat the
process until no more real counterexample with the observation o is
found, at which point Equation 23 becomes unsatisfiable.
To explore a different equivalence class of observation than that of
observation o, CACHEFIX negates the verification goal. For Ot ime ,
as an example, the verification goal is changed as follows:
Ψ ∧ ¬
(( N∑
i=1
missi
)
= o
)
(24)
We note that Equation 24 is satisfiable if and only if there exists an
execution trace with observation differing from o.
Runtime actions to improve side-channel freedom. Our checker
maintains the record of all explored observations and the symbolic
conditions capturing the equivalence classes of respective observa-
tions. At each round of patch (i.e. runtime action) synthesis, we walk
through this record and compute the necessary runtime actions for
improving cache side-channel freedom.
Otime. Assume Ω = {⟨ν1,o1⟩, ⟨ν2,o2⟩, . . . , ⟨νk ,ok ⟩} where each
oi captures a unique number of observed cache misses and νi sym-
bolically captures all inputs that lead to observation oi . Our goal is
to manipulate executions so that they lead to the same number of
cache misses. To this end, the patch synthesis stage determines the
amount of cache misses that needs to be added for each element in
Ω. Concretely, the set of runtime actions generated are as follows:〈
ν1,
(
max
i ∈[1,k ]
oi − o1
)〉
, . . . ,
〈
νk ,
(
max
i ∈[1,k]
oi − ok
)〉
(25)
In practice, when a program is run with input I , we check whether
I ∈ νx for some x ∈ [1,k]. Subsequently,
(
maxi ∈[1,k ] oi − ox
)
cache
misses were injected before the program starts executing.
Otrace. During trace-based attacks, the attacker makes an obser-
vation on the sequence of cache hits and misses in an execution trace.
Therefore, our goal is to manipulate executions in such a fashion
that all execution traces lead to the same sequence of cache hits
and misses. To accomplish this, each runtime action involves the
injection of cache misses or hits before execution, after execution
or at an arbitrary point of execution. It also involves invalidating an
address in cache. Concretely, this is formalized as follows:
⟨νi , ⟨(c1,a1), (c2,a2), . . . , (ck ,ak )⟩⟩ (26)
where νi captures the symbolic input condition where the runtime
actions are employed. For any input satisfying νi , we count the num-
ber of instructions executed. If the number of executed instructions
reaches c j , then we perform the action aj (e.g. injecting hits/misses
or invalidating an address in cache), for any j ∈ [1,k].
As an example, consider a trace-based attack in the example of
Figure 1(b). Our checker will manipulate counterexample traces by
injecting cache misses and hits as follows (injected cache hits and
misses are highlighted in bold):
tr ′′1 ≡ ⟨miss,miss,hit ,hit⟩; tr ′′2 ≡ ⟨miss,miss,hit , hit⟩
Therefore, the following actions are generated to ensure cache side-
channel freedom against trace-based attacks:
⟨key = 255, ⟨(0,miss)⟩⟩ , ⟨0 ≤ key ≤ 254, ⟨(3,hit)⟩⟩
We use string alignment algorithm [6] to make two traces equivalent
(via insertion of cache hits/misses or substitution of hits to misses).
Practical consideration. In practice, the injection of a cache miss
can be performed via accessing a fresh memory block (cf. Fig-
ure 1(d)). However, unless the injection of a cache miss happens to
be in the beginning or at the end of execution, the cache needs to be
disabled before and enabled after such a cache miss. Consequently,
our injection of misses does not affect cache states. In ARM-based
processor, this is accomplished via manipulating the C bit of CP15
register. The injection of a cache hit can be performed via tracking
the last accessed memory address and re-accessing the same address.
To change a cache hit to a cache miss, the accessed memory ad-
dress needs to be invalidated in the cache. CACHEFIX symbolically
tracks the memory address accessed at each memory-related instruc-
tion. When the program is run with input I ∈ νi , we concretize all
memory addresses with respect to I . Hence, while applying an action
that involves cache invalidation, we know the exact memory address
that needs to be invalidated. In ARM-based processor, the instruction
MCR provides capabilities to invalidate an address in the cache.
We note the preceding manipulations on an execution requires
additional registers. We believe this is possible by using some system
register or using a locked portion in the cache.
Properties guaranteed by CacheFix. CACHEFIX satisfies the
following crucial properties (proofs are included in the appendix)
on channel capacity, shannon entropy and min entropy; which are
standard metrics to quantify the information flow from sensitive
inputs to the attacker observation.
7
PROPERTY 1. (Monotonicity) Consider a victim program P with
sensitive input K. Given attack models Ot ime or Otrace , assume
that the channel capacity to quantify the uncertainty of guessingK is
GPcap . CacheFix guarantees that GPcap monotonically decreases with
each synthesized patch (cf. Equation 25-26) employed at runtime.
PROPERTY 2. (Convergence) Consider a victim program P with
sensitive input K. In the absence of any attacker, assume that the
uncertainty to guess K is Ginitcap , Ginitshn and Ginitmin , via channel ca-
pacity, Shannon entropy and Min entropy, respectively. If CacheFix
terminates and all synthesized patches are applied at runtime, then
the channel capacity (respectively, Shannon entropy and Min en-
tropy) will remain Ginitcap (respectively, Ginitshn and Ginitmin ) even in the
presence of attacks captured via Ot ime and Otrace .
6 IMPLEMENTATION AND EVALUATION
Implementation setup. The input to CACHEFIX is the target pro-
gram and a cache configuration. We have implemented CACHEFIX
on top of CBMC bounded model checker [1]. It first builds a formula
representation of the input program via symbolic execution. Then, it
checks the (un)satisfiability of this formula against a specification
property. Despite being a bounded model checker, CBMC is used
as a classic verification tool in our experiments. In particular for
program loops, CBMC first attempts to derive loop bounds automat-
ically. If CBMC fails to derive certain loop bounds, then the respec-
tive loop bounds need to be provided manually. Nevertheless, during
the verification process, CBMC checks all manually provided loop
bounds and the verification fails if any such bound was erroneous.
In our experiments, all loop bounds were automatically derived by
CBMC. In short, if CACHEFIX successfully verifies a program, then
the respective program exhibits cache side-channel freedom for the
given cache configuration and targeted attack models.
The implementation of our checker impacts the entire workflow
of CBMC. We first modify the symbolic execution engine of CBMC to
insert the predicates related to cache semantics. As a result, upon the
termination of symbolic execution, the formula representation of the
program encodes both the cache semantics and the program seman-
tics. Secondly, we systematically rewrite this formula based on our
abstraction refinement, with the aim of verifying cache side-channel
freedom. Finally, we modify the verification engine of CBMC to sys-
tematically explore different counterexamples, instrument patches
and refining the side-channel freedom properties on-the-fly. To ma-
nipulate and solve symbolic formulas, we leverage Z3 theorem
prover. All reported experiments were performed on an Intel I7
machine, having 8GB RAM and running OSX.
Subject programs and cache. We have chosen security-critical
subjects from OpenSSL [5], GDK [3], arithmetic routines from
libfixedtimefixedpoint [4] and elliptic curve routines from
FourQlib [2] to evaluate CACHEFIX (cf. Table 1). We include
representative routines exhibiting constant cache-timing, as well as
routines exhibiting variable cache timing. We set the default cache
to be 1KB direct-mapped, with a line size of 32 bytes.
Efficiency of checking. Table 1 captures a summary of our eval-
uation for CACHEFIX. The outcome of this evaluation is either a
successful verification (✓) or a non-spurious counterexample (✗).
CACHEFIX accomplished the verification tasks for all subjects only
within a few minutes. The maximum time taken by our checker was
390 seconds for the routine fix_pow – a constant time implementa-
tion of powers (xy ). fix_pow has complex memory access patterns,
however, its flat structure ensures cache side-channel freedom.
To check the effectiveness of our abstraction refinement process,
we compare CACHEFIX with a variant of our checker where all
predicates in Predset ∪ Predtaд are considered. Therefore, such
a variant does not employ any abstraction refinement, as the set
of predicates Predset ∪ Predtaд is sufficient to determine the cache
behaviour of all instructions in the program. We compare CACHEFIX
with this variant in terms of the number of predicates, as well as the
verification time. We record the set of predicates Predcur considered
in CACHEFIX when it terminates with a successful verification
(✓) or a real counterexample (✗). Table 1 clearly demonstrates the
effectiveness of our abstraction refinement process. Specifically, for
AES, DES and fix_pow, the checker does not terminate in ten
minutes when all predicates in Predset ∪ Predtaд are considered
during the verification process. In general, the refinement process
reduces the number of considered predicates by a factor of 1.81x on
average. This leads to a substantial improvement in verification time,
as observed from Table 1.
The routines chosen from OpenSSL library are single path pro-
grams. However, AES and DES exhibit input-dependent memory
accesses, hence, violating side-channel freedom. The other routines
violate cache side-channel freedom due to input-dependent loop
trip counts. For example, routines chosen from the GDK library em-
ploy a binary search of the input keystroke over a large table. We
note that both libfixedtimefixedpoint and FourQlib li-
braries include comments involving the security risks in fix_frac
and ecc_point_validate (cf. validate in Table 1).
CacheFix verifies or generates real counterexamples at an av-
erage within 70.38 secs w.r.t. attack model Ot ime and at an
average within 74.12 secs w.r.t. Otrace . Moreover, the abstrac-
tion refinement process embodied within CacheFix substantially
reduces the verification time as opposed to when no refinement
process was employed.
Overhead from monitors. We evaluated the time taken by CACHE-
FIX for counterexample exploration and patch generation (cf. Sec-
tion 5). For each generated patch, we have also evaluated the over-
head induced by the same at runtime (cf. Table 2).
Table 2 captures the maximum and average overhead induced by
CACHEFIX at runtime. We compute the overhead via the number of
additional runtime actions (i.e. cache misses, hits or invalidations)
introduced solely via CACHEFIX. In absolute terms, the maximum
(average) overhead captures the maximum (average) number of
runtime actions induced over all equivalence classes. The maximum
overhead was introduced in case of DES – 300 actions for Ot ime
and 371 actions for Otrace . This is primarily due to the difficulty in
making a large number of traces equivalent in terms of the number
of cache misses and the sequence of hit/miss, respectively. Although
the number of actions introduced by CACHEFIX is non-negligible,
we note that their effect is minimal on the overall execution. To
this end, we execute the program for 100 different inputs in each
explored equivalence class and measure the overhead introduced
by CACHEFIX (cf. “% actions" in Table 2) with respect to the total
8
Table 1: Summary of CACHEFIX Evaluation. Timeout is set to ten minutes. Time captures the time taken by CACHEFIX (i.e. #
predicates |Predcur |), whereas Timeall captures the time taken when all predicates (i.e. # predicates
Predset ∪ Predtaд ) are considered.
Library Routine Size Otime Otrace
(LOC)
Predset ∪ Predtaд  |Predcur | Result Time Timeall |Predcur | Result Time Timeall
(secs) (secs) (secs) (secs)
AES128 740 231959 115537 ✗ 148.73 timeout 115545 ✗ 175.34 timeout
OpenSSL DES 2124 205567 95529 ✗ 105.87 timeout 95639 ✗ 110.32 timeout
[5] RC5 1613 50836 25277 ✓ 26.88 541.35 26277 ✓ 34.84 585.32
GDK keyname 712 20827 18178 ✗ 21.75 120.21 18178 ✗ 24.32 125.11
[3] unicode 862 21917 19178 ✗ 27.49 117.78 19178 ✗ 32.09 119.56
fix_eq 334 71 32 ✓ 1.70 5.70 32 ✓ 4.31 6.08
fix_cmp 400 957 474 ✓ 2.09 6.12 476 ✓ 2.08 6.15
fix_mul 930 33330 16651 ✓ 22.44 100.32 17016 ✓ 20.19 121.37
fix_conv_64 350 211 102 ✓ 1.69 1.81 102 ✓ 1.78 1.98
fix_sqrt 2480 150127 74961 ✓ 60.54 359.94 87834 ✓ 67.90 581.45
fixedt fix_exp 1128 101418 50655 ✓ 53.47 400.11 56194 ✓ 55.12 416.21
[4] fix_ln 1140 92113 46025 ✓ 58.89 114.89 47065 ✓ 61.11 127.21
fix_pow 2890 643961 321885 ✓ 389.97 timeout 323787 ✓ 377.55 timeout
fix_ceil 390 266 128 ✓ 1.70 1.70 128 ✓ 4.65 4.70
fix_conv_double 650 1921 953 ✓ 2.70 2.75 945 ✓ 4.16 4.20
fix_frac 370 60172 53638 ✗ 22.14 23.18 51432 ✗ 22.15 24.58
eccmadd 1550 324661 162058 ✓ 220.59 437.77 165453 ✓ 214.16 502.94
eccnorm 1303 165291 82464 ✓ 105.97 198.90 83100 ✓ 114.93 219.09
pt_setup 1345 3850 1866 ✓ 10.45 11.66 1901 ✓ 14.90 14.95
eccdouble 1364 531085 265219 ✓ 285.70 558.78 267889 ✓ 312.31 597.18
R1_to_R2 1352 85750 42731 ✓ 73.07 249.12 41014 ✓ 84.11 398.77
FourQ R1_to_R3 1328 25246 12538 ✓ 26.95 53.21 12555 ✓ 24.89 54.45
[2] R2_to_R4 1322 28415 14105 ✓ 32.29 55.11 17001 ✓ 31.12 61.88
R5_to_R1 1387 12531 5255 ✓ 22.07 34.05 5278 ✓ 24.32 52.88
eccpt_validate 1406 57129 38012 ✗ 34.48 61.91 37948 ✗ 34.31 71.54
Table 2: Overhead in generating monitors and due to the applied runtime actions. Time captures the time to generate all patches. The
overhead (maximum and average) captures the number of extra cache misses, hits and invalidations introduced by CACHEFIX in
absolute term (i.e. # actions) and with respect to the total number of instructions (i.e. % actions).
Routine Otime Otrace
#Equivalence Time Max. overhead Avg. overhead #Equivalence Time Max. overhead Avg. overhead
class (secs) (# actions) (% actions) (# actions) (% actions) class (secs) (# actions) (% actions) (# actions) (% actions)
AES128 3 5 117 0.1% 60 0.05% 38 1271 120 0.1% 90 0.07%
DES 333 444 300 0.3% 150 0.15% 982 12601 371 0.6% 231 0.4%
fix_frac 82 521 80 1.2% 40 0.6% 82 956 119 1.5% 62 1.1%
eccpt_validate 20 22 18 0.09% 9 0.05% 20 234 21 1.1% 11 0.04%
keyname 41 1119 39 2.6% 19 1.2% 41 1324 45 3.2% 28 2.1%
unicode 43 197 41 2.4% 20 1.2% 43 229 49 2.4% 28 1.8%
number of instructions executed. We observe that the maximum
overhead reaches up to 3.2% and the average overhead is up to
2.1%. We believe this overhead is acceptable in the light of cache
side-channel freedom guarantees provided by CACHEFIX.
Except AES and DES, the cache behaviour of a single program
path is independent of program inputs. For the respective subjects,
exactly the same number of equivalence classes were explored for
both attack models (cf. Table 2). Each explored equivalence class
was primarily attributed to a unique program path. Nevertheless,
due to more involved computations (cf. Section 5), the overhead of
CACHEFIX in attack model Otrace is higher than the overhead in at-
tack model Ot ime . As observed from Table 2, CACHEFIX discovers
significantly more equivalence classes w.r.t. attack model Otrace as
compared to the number of equivalence classes w.r.t. attack model
Ot ime . This implies AES is more vulnerable to Otrace as compared
to Ot ime . Excluding DES subject to Otrace , our exploration termi-
nates in all scenarios within 20 mins.
To explore counterexample and generate patches, CacheFix
takes 2.27x more time with Otrace , as compared to Ot ime .
Moreover, excluding DES, CacheFix explores all equivalence
classes of observations within 20 minutes in all scenarios. Fi-
nally, the runtime overhead induced by CacheFix is only up to
3.2% with respect to the number of executed instructions.
Sensitivity w.r.t. cache configuration. We evaluated CACHEFIX
for a variety of cache associativity (1-way, 2-way and 4-way), cache
size (from 1KB to 8KB) and with LRU as well as FIFO replacement
policies (detailed experiments are included in the appendix). We
observed that the verification time increases marginally (about 7%)
when set-associative caches were used instead of direct-mapped
caches and does not vary significantly with respect to replacement
policy. Finally, we observed changes in the number of equivalence
classes of observations for both AES and DES while running these
subjects with different replacement policies. However, neither AES
nor DES satisfied cache side-channel freedom for any of the cache
size and replacement policies tested in our evaluation. The relatively
low verification time results from the fact that the total number of
predicates (i.e. Predset ∪ Predtaд) is independent of cache size and
replacement policy. Nevertheless, the symbolic encoding for set-
associative caches is more involved than direct-mapped caches. This
results in an average increase to the number of predicates considered
for verification (i.e. Predcur ) by a factor of 1.5x . However, such
9
an increased number of predicates does not translate to significant
verification timing for set-associative caches.
7 REVIEW OF PRIOR WORKS
Earlier works on cache analysis are based on abstract interpreta-
tion [35] and its combination with model checking [18], to estimate
the worst-case execution time (WCET) of a program. In contrast
to these approaches, CACHEFIX automatically builds and refine
the abstraction of cache semantics for verifying side-channel free-
dom. Cache attacks are one of the most critical side-channel at-
tacks [8, 14, 25–28, 32, 37, 38]. In contrast to the literature on
side-channel attacks, we do not engineer new cache attacks in this
paper. Based on a configurable attack model, CACHEFIX verifies
and reinstates the cache side-channel freedom of arbitrary programs.
Orthogonal to approaches proposing countermeasures [21, 36],
the fixes generated by CACHEFIX is guided by program verification
output. Thus, CACHEFIX can provide cache side-channel freedom
guarantees about the fixed program. Moreover, CACHEFIX can be
leveraged to formally verify whether existing countermeasures are
capable to ensure side-channel freedom.
In contrast to recent approaches on statically analyzing cache
side channels [15, 22, 29, 30], our CACHEFIX approach automati-
cally constructs and refines the abstractions for verifying cache side-
channel freedom. Moreover, contrary to CACHEFIX, approaches
based on static analysis are not directly applicable when the underly-
ing program does not satisfy cache side-channel freedom. CACHE-
FIX targets verification of arbitrary software programs, over and
above constant-time implementations [9, 12]. Existing works based
on symbolic execution [11, 34], taint analysis [20, 33] and verifying
timing-channel freedom [10] ignore cache attacks. Moreover, these
works do not provide capabilities for automatic abstraction refine-
ment and patch synthesis for ensuring side-channel freedom. Finally,
in contrast to these works, we show that our CACHEFIX approach
scales with routines from real cryptographic libraries.
Finally, recent approaches on testing and quantifying cache side-
channel leakage [13, 16, 17] are complementary to CACHEFIX.
These works have the flavour of testing and and they do not provide
capabilities to ensure cache side-channel freedom.
8 DISCUSSION
In this paper, we propose CACHEFIX, a novel approach to automat-
ically verify and restore cache side-channel freedom of arbitrary
programs. The key novelty in our approach is two fold. Firstly, our
CACHEFIX approach automatically builds and refines abstraction of
cache semantics. Although targeted to verify cache side-channel free-
dom, we believe CACHEFIX is applicable to verify other cache tim-
ing properties, such as WCET. Secondly, the core symbolic engine
of CACHEFIX systematically combines its reasoning power with
runtime monitoring to ensure cache side-channel freedom during
program execution. Our evaluation reveals promising results, for 25
routines from several cryptographic libraries, CACHEFIX (dis)proves
cache side-channel freedom within an average 75 seconds. Moreover,
in most scenarios, CACHEFIX generated patches within 20 minutes
to ensure cache side-channel freedom during program execution.
Despite this result, we believe that CACHEFIX is only an initial step
for the automated verification of cache side-channel freedom. In
particular, we do not account cache attacks that are more powerful
than timing or trace-based attacks. Besides, we do not implement
the synthesized patches in a commodity embedded system to check
their performance impact. We hope that the community will take
this effort forward and push the adoption of formal tools for the
evaluation of cache side-channel. For reproducibility and research,
our tool and all experimental data are publicly available: (blinded)
REFERENCES
[1] [n. d.]. CBMC: Bounded Model Checking for Software. ([n. d.]). http://www.
cprover.org/cbmc/ (Date last accessed 23-October-2017).
[2] [n. d.]. FourQLib Library. ([n. d.]). https://github.com/Microsoft/FourQlib/ (Date
last accessed 20-October-2017).
[3] [n. d.]. GDK Library. ([n. d.]). https://developer.gnome.org/gdk3/3.22/ (Date last
accessed 20-October-2017).
[4] [n. d.]. A library for doing constant-time fixed-point numeric operations. ([n.
d.]). https://github.com/kmowery/libfixedtimefixedpoint/ (Date last accessed
20-October-2017).
[5] [n. d.]. OpenSSL Library. ([n. d.]). https://github.com/openssl/openssl/ (Date
last accessed 20-October-2017).
[6] [n. d.]. SSW Library. ([n. d.]). https://github.com/mengyao/
Complete-Striped-Smith-Waterman-Library (Date last accessed 23-October-
2017).
[7] [n. d.]. Symbolic Verification of Cache Side-channel Freedom. ([n. d.]). https:
//github.com/esweek2018/emsoft2018/blob/master/cachefix_supplement.pdf.
[8] Onur Acıiçmez and Çetin Kaya Koç. 2006. Trace-driven cache attacks on AES.
In Information and Communications Security. Springer.
[9] José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, François Dupressoir, and
Michael Emmi. 2016. Verifying Constant-Time Implementations. In USENIX.
53–70.
[10] Timos Antonopoulos, Paul Gazzillo, Michael Hicks, Eric Koskinen, Tachio Ter-
auchi, and Shiyi Wei. 2017. Decomposition instead of self-composition for proving
the absence of timing channels. In PLDI. 362–375.
[11] Michael Backes, Boris Köpf, and Andrey Rybalchenko. 2009. Automatic Discov-
ery and Quantification of Information Leaks. In IEEE S&P. 141–153.
[12] Gilles Barthe, Gustavo Betarte, Juan Diego Campo, Carlos Daniel Luna, and David
Pichardie. 2014. System-level Non-interference for Constant-time Cryptography.
In CCS. 1267–1279.
[13] Tiyash Basu and Sudipta Chattopadhyay. 2017. Testing Cache Side-Channel
Leakage. In ICST Workshops. 51–60.
[14] Daniel J Bernstein. 2005. Cache-timing attacks on AES. (2005).
[15] Pablo Cañones, Boris Köpf, and Jan Reineke. 2017. Security Analysis of Cache
Replacement Policies. In POST. 189–209.
[16] Sudipta Chattopadhyay. 2017. Directed Automated Memory Performance Testing.
In TACAS. 38–55.
[17] Sudipta Chattopadhyay, Moritz Beck, Ahmed Rezine, and Andreas Zeller. 2017.
Quantifying the information leak in cache attacks via symbolic execution. In
MEMOCODE. 25–35.
[18] Sudipta Chattopadhyay and Abhik Roychoudhury. 2013. Scalable and precise
refinement of cache timing analysis via path-sensitive verification. Real-Time
Systems 49, 4 (2013), 517–562.
[19] Edmund M. Clarke, Armin Biere, Richard Raimi, and Yunshan Zhu. 2001.
Bounded Model Checking Using Satisfiability Solving. Formal Methods in System
Design 19, 1 (2001), 7–34.
[20] James Clause, Wanchun Li, and Alessandro Orso. 2007. Dytan: a generic dynamic
taint analysis framework. In ISSTA. 196–206.
[21] Stephen Crane, Andrei Homescu, Stefan Brunthaler, Per Larsen, and Michael
Franz. 2015. Thwarting Cache Side-Channel Attacks Through Dynamic Software
Diversity.. In NDSS.
[22] Goran Doychev, Boris Köpf, Laurent Mauborgne, and Jan Reineke. 2015.
CacheAudit: a tool for the static analysis of cache side channels. TISSEC 18, 1
(2015), 4.
[23] Moritz Lipp et al. 2018. Meltdown. ArXiv e-prints (2018). arXiv:1801.01207
[24] Paul Kocher et al. 2018. Spectre Attacks: Exploiting Speculative Execution. ArXiv
e-prints (2018). arXiv:1801.01203
[25] Qian Ge, Yuval Yarom, David Cock, and Gernot Heiser. 2016. A Survey of Mi-
croarchitectural Timing Attacks and Countermeasures on Contemporary Hardware.
In Cryptology ePrint Archive. https://eprint.iacr.org/2016/613.pdf/.
[26] Daniel Gruss, Raphael Spreitzer, and Stefan Mangard. 2015. Cache Template At-
tacks: Automating Attacks on Inclusive Last-Level Caches. In USENIX Security.
[27] Roberto Guanciale, Hamed Nemati, Christoph Baumann, and Mads Dam. 2016.
Cache Storage Channels: Alias-Driven Attacks and Verified Countermeasures. In
IEEE Symposium on Security and Privacy. 38–55.
10
[28] David Gullasch, Endre Bangerter, and Stephan Krenn. 2011. Cache games–
bringing access-based cache attacks on AES to practice. In IEEE Symposium on
Security and Privacy. IEEE.
[29] Boris Köpf and David A. Basin. 2007. An information-theoretic model for adaptive
side-channel attacks. In CCS. 286–296.
[30] Boris Köpf, Laurent Mauborgne, and Martín Ochoa. 2012. Automatic quantifica-
tion of cache side-channels. In CAV. Springer.
[31] Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, and Stefan
Mangard. 2016. ARMageddon: Cache Attacks on Mobile Devices. In USENIX
Security Symposium. 549–564.
[32] Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B. Lee. 2015. Last-
Level Cache Side-Channel Attacks are Practical. In IEEE Symposium on Security
and Privacy. 605–622.
[33] James Newsome, Stephen McCamant, and Dawn Song. 2009. Measuring channel
capacity to distinguish undue influence. In PLAS. 73–85.
[34] Corina S. Pasareanu, Quoc-Sang Phan, and Pasquale Malacaria. 2016. Multi-run
side-channel analysis using Symbolic Execution and Max-SMT. In CSF.
[35] Henrik Theiling, Christian Ferdinand, and Reinhard Wilhelm. 2000. Fast and
precise WCET prediction by separated cache and path analyses. Real-Time Systems
18, 2-3 (2000).
[36] Zhenghong Wang and Ruby B. Lee. 2007. New Cache Designs for Thwarting
Software Cache-based Side Channel Attacks. In ISCA. 494–505.
[37] Yuval Yarom and Katrina Falkner. 2014. FLUSH+RELOAD: A High Resolution,
Low Noise, L3 Cache Side-Channel Attack. In USENIX Security Symposium.
719–732.
[38] Yuval Yarom, Daniel Genkin, and Nadia Heninger. 2017. CacheBleed: a timing
attack on OpenSSL constant-time RSA. J. Cryptographic Engineering 7, 2 (2017),
99–112.
APPENDIX
The appendix includes additional cache models (e.g. LRU and FIFO)
incorporated within CACHEFIX, the theoretical guarantees and addi-
tional experimental results.
Theoretical Guarantees
In this section, we include the detailed proof of the properties satis-
fied by CACHEFIX.
PROPERTY 3. (Monotonicity) Consider a victim program P with
sensitive input K. Given attack models Ot ime or Otrace , assume
that the channel capacity to quantify the uncertainty of guessingK is
GPcap . CacheFix guarantees that GPcap monotonically decreases with
each synthesized patch (cf. Equation 25-26) employed at runtime.
PROOF. Consider the generic attack model O : {h,m}∗ → X that
maps each trace to an element in the countable set X. For a victim
program P, assume TR ⊆ {h,m}∗ is the set of all execution traces.
After one round of patch synthesis, assume TR′ ⊆ {h,m}∗ is the
set of all execution traces in P when the synthesized patches are
applied at runtime. By construction, each round of patch synthesis
merges two equivalence classes of observations (cf. Algorithm 3),
hence, making them indistinguishable by the attacker O. As a result,
the following relationship holds:
|O(TR)| = O(TR′) + 1 (27)
Channel capacity GPcap equals to log |O(TR)| for the original pro-
gram P, but it reduces to log |O (TR′) | when the synthesized patches
are applied. We conclude the proof as the same argument holds for
any round of patch synthesis. □
PROPERTY 4. (Convergence) Let us assume a victim program P
with sensitive input K. In the absence of any attacker, assume that
the uncertainty to guessK is Ginitcap , Ginitshn and Ginitmin , via channel ca-
pacity, Shannon entropy and Min entropy, respectively. If our checker
terminates and all synthesized patches are applied at runtime, then
our framework guarantees that the channel capacity (respectively,
Shannon entropy and Min entropy) will remain Ginitcap (respectively,
Ginitshn and Ginitmin ) even in the presence of attacks captured via Ot ime
and Otrace .
PROOF. Consider the generic attack model O : {h,m}∗ → X,
mapping each execution trace to an element in the countable set X.
We assume a victim program P that exhibits a set of execution traces
TR ⊆ {h,m}∗. From Equation 27, we know that |O(TR)| decreases
with each round of patch synthesis. Given that our checker termi-
nates, we obtain the program P, together with a set of synthesized
patches that are applied when P executes. Assume TRf ∈ {h,m}∗
is the set of execution traces obtained from P when all patches are
systematically applied. Clearly,
O (TRf ) = 1.
The channel capacity of P, upon the termination of our checker, is
log
(O (TRf )) = log 1 = 0. This concludes that the channel capacity
does not change even in the presence of attacks Ot ime and Otrace .
For a given distribution λ of sensitive input K, Shannon entropy
Ginitshn is computed as follows:
Ginitshn (λ) = −
∑
K∈K
λ(K) log2 λ(K) (28)
where K captures the domain of sensitive input K . For a given equiv-
alence class of observation o ∈ O
(
TRf
)
, the remaining uncertainty
is computed as follows:
Gf inalshn (λo ) = −
∑
K∈K
λo (K) log2 λo (K) (29)
λo (K) captures the probability that the sensitive input is K, given
the observation o is made by the attacker. Finally, to evaluate the
remaining uncertainty of the patched program version, Gf inalshn (λo )
is averaged over all equivalence class of observations as follows:
Gf inalshn
(
λO
(
TRf
) ) = ∑
o∈O
(
TRf
) pr (o) Gf inalshn (λo ) (30)
where pr (o) captures the probability of the observation o ∈ O
(
TRf
)
.
However, we have
O (TRf ) = 1. Hence, for any o ∈ O (TRf ) , we
get pr (o) = 1 and λo (K) = λ(K). Plugging these observations into
Equation 30 and Equation 29, we get the following:
Gf inalshn
(
λO
(
TRf
) ) = ∑
o∈O
(
TRf
) Gf inalshn (λo )
= −
∑
K∈K
λ(K) log2 λ(K)
= Ginitshn (λ)
(31)
Finally, for a given distribution λ of sensitive input K, the min
entropy Ginitmin is computed as follows:
Ginitmin (λ) = − log2 maxK∈K λ(K) (32)
Therefore, min entropy captures the best strategy of an attacker, that
is, to choose the most probable secret.
11
Similar to Shannon entropy, for a given equivalence class of
observation o ∈ O
(
TRf
)
, the remaining uncertainty is computed as
follows:
Ginitmin (λo ) = − log2 maxK∈K λo (K) (33)
λo (K) captures the probability that the sensitive input is K, given
the observation o is made by the attacker.
Finally, we obtain the min entropy of the patched program version
via the following relation:
Gf inalmin
(
λO
(
TRf
) ) = − log2 ∑
o∈O
(
TRf
) pr (o) maxK∈K λo (K) (34)
Since pr (o) = 1 and λo (K) = λ(K) for any o ∈ O
(
TRf
)
, we get
the following from Equation 34 and Equation 33:
Gf inalmin
(
λO
(
TRf
) ) = − log2 ∑
o∈O
(
TRf
) maxK∈K λo (K)
= − log2 maxK∈K λ(K)
= Ginitmin (λ)
(35)
Equation 31 and Equation 35 conclude this proof.
□
Modeling LRU and FIFO cache semantics
To formulate the conditions for conflict misses in set-associative
caches, it is necessary to understand the notion of cache conflict. We
use the following definition of cache conflict to formulate Γ(ri ):
DEFINITION 1. (Cache conflict) r j generates a cache conflict
to ri if and only if 1 ≤ j < i, σ (r j ) , σ (ri ) and the execution of
r j can change the relative position of σ (ri ) within the set(ri )-state
immediately before instruction ri .
Recall that σ (ri ) captures the memory block accessed at ri and
set(ri ) captures the cache set accessed by ri . The state of a cache set
is an ordered A-tuple – capturing the relative positions of all mem-
ory blocks within the respective cache set. For instance, ⟨m1,m2⟩
captures the state of a two-associative cache set. The rightmost mem-
ory block (i.e. m2) captures the first memory block to be evicted
from the cache set if a block m < {m1,m2} is accessed and mapped
to the same cache set.
Challenges with LRU policy. To illustrate the unique chal-
lenges related to set-associative caches, let us consider the following
sequence of memory accesses in a two-way associative cache and
with LRU replacement policy: (r1 :m1) → (r2 :m2) → (r3 :m2) →
(r4 : m1). We assume both m1 and m2 are mapped to the same
cache set. If the cache is empty before r1, r4 will still incur a cache
hit. This is because, r4 suffers cache conflict only once, from the
memory block m2. To incorporate the aforementioned phenomenon
into our cache semantics, we only count cache conflicts from the
closest access to a given memory block. Therefore, in our example,
we count cache conflicts to r4 from r3 and discard the cache conflict
from r2. Formally, we introduce the following additional condition
for instruction r j to inflict a cache conflict to instruction ri .
ϕ
eqv, lru
ji : No instruction between r j and ri accesses the same
memory block as r j . This is to ensure that r j is the closest to ri in
terms of accessing the memory block σ (r j ). We capture ϕeqv,lruji
formally as follows:
ϕ
eqv,lru
ji ≡
∧
j<k<i
(
ρ
taд
jk ∨ ¬ρsetjk ∨ ¬дuardk
)
(36)
Hence, r j inflicts a unique cache conflict to ri only if ϕ
eqv,lru
ji ,
ϕ
cnf ,lru
ji ≡ ϕ
cnf ,dir
ji , ϕ
r el,lru
ji ≡ ϕr el,dirji are all satisfiable.
Challenges with FIFO policy. Unlike LRU replacement pol-
icy, the cache state does not change for a cache hit in FIFO re-
placement policy. For example, consider the following sequence of
memory accesses in a two-way associative FIFO cache: (r1 :m1) →
(r2 :m2) → (r3 :m1) → (r4 :m1). Let us assumem1,m2 map to the
same cache set and the cache is empty before r1. In this example, r2
generates a cache conflict to r4 even though m1 is accessed between
r2 and r4. This is because r3 is a cache hit and it does not change
cache states.
In general, to formulate Γ(ri ), we need to know whether any
instruction r j , prior to ri , was a cache miss. This, in turn, is captured
via Γ(r j ). Concretely, r j generates a unique cache conflict to ri if all
the following conditions are satisfied.
ϕcnf,fifoji : If r j accesses the same cache set as ri , but accesses a
different cache-tag as compared to ri and r j suffers a cache miss.
This is formalized as follows:
ϕ
cnf ,f if o
ji ≡ ρ
taд
ji ∧ ρsetji ∧ Γ(r j ) (37)
ϕrel,fifoji : No cache miss between r j and ri access the same mem-
ory block as ri . ϕ
r el,f if o
ji ensures that the relative position of the
memory block σ (ri ) within set(ri ) was not reset between r j and ri .
ϕ
r el,f if o
ji is formalized as follows:
ϕ
r el,f if o
ji ≡
∧
j<k<i
(
ρ
taд
ki ∨ ¬ρsetki ∨ ¬дuardk ∨ ¬Γ(rk )
)
(38)
ϕ
eqv,fifo
ji : No cache miss between r j and ri access the same
memory block as r j . We note that ϕ
eqv,f if o
ji ensures that r j is the
closest cache miss to ri accessing the memory block σ (r j ). This, in
turn, ensures that we count the cache conflict from memory block
σ (r j ) to instruction ri only once. We formulate ϕeqv,f if oji as follows:
ϕ
eqv,f if o
ji ≡
∧
j<k<i
(
ρ
taд
jk ∨ ¬ρsetjk ∨ ¬дuardk ∨ ¬Γ(rk )
)
(39)
Formulating cache conflict in set-associative caches.
With the intuition mentioned in the preceding paragraphs, we formal-
ize the unique cache conflict from r j to ri via the following logical
conditions:
Θ+,xj,i ≡
(
ϕ
cnf ,x
ji ∧ ϕr el,xji ∧ ϕ
eqv,x
ji ∧ дuardj
)
⇒ (ηji = 1) (40)
12
Θ−,xj,i ≡
(
¬ϕcnf ,xji ∨ ¬ϕr el,xji ∨ ¬ϕ
eqv,x
ji ∨ ¬дuardj
)
⇒ (ηji = 0) (41)
where x = {lru, f i f o}. Concretely, ηji is set to 1 if r j creates a
unique cache conflict to ri and ηji is set to 0 otherwise.
Computing Γ(ri ) for Set-associative Caches. To formu-
late Γ(ri ) for set-associative caches, we need to check whether the
number of unique cache conflicts to ri exceeds the associativity
(A) of the cache. Based on this intuition, we formalize Γ(ri ) for
set-associative caches as follows:
Γ(ri ) ≡ дuardi ∧ ©­«Θcoldi ∨ ©­«©­«
∑
j ∈[1,i)
ηji
ª®¬ ≥ Aª®¬ª®¬ (42)
We note that
∑
j ∈[1,i) ηji accurately counts the number of unique
cache conflicts to the instruction ri (cf. Equation 40-Equation 41).
Hence, the condition
(∑
j ∈[1,i) ηji ≥ A
)
precisely captures whether
σ (ri ) is replaced from the cache before ri is executed. If ri does not
suffer a cold miss and
(∑
j ∈[1,i) ηji < A
)
, then ri will be a cache
hit when executed, as captured by the condition ¬Γ(ri ).
Detailed Runtime Monitoring
Algorithm 3 outlines the overall process. The procedure MONITOR-
ING takes the following inputs:
• Ψ: A symbolic representation of program and cache semantics
with the current level of abstraction,
• O and φ: The model of the attacker (O) and a property φ
initially capturing cache side-channel freedom w.r.t. O,
• Pred and Predcur : Cache semantics related predicates (Pred)
and the current level of abstraction (Predcur ), and
• Γ: Symbolic conditions to determine the cache behaviour.
Additional Experimental Results
Sensitivity w.r.t. cache. Figure 4 outlines the evaluation for
routines that violate side-channel freedom and for attack model
Ot ime . Nevertheless, the conclusion holds for all routines and at-
tack models. Figure 4 captures the number of equivalence classes
explored (hence, the number of patches generated cf. Algorithm 3)
with respect to time. We make the following crucial observations
from Figure 4. Firstly, the scalability of our checker is stable across a
variety of cache configurations. This is because we encode cache se-
mantics within a program via symbolic constraints on cache conflict.
The size of these constraints depends on the number of memory-
related instructions, but its size is not heavily influenced by the size
of the cache. Secondly, the number of equivalence classes of ob-
servations does not vary significantly across cache configurations.
Indeed, the number of equivalence classes may even increase (hence,
increased channel capacity) with a bigger cache size (e.g. in DES and
AES). However, for all cache configurations, CACHEFIX generated
all the patches that need to be applied for making the respective
programs cache side-channel free.
The scalability of CacheFix is stable across a variety of cache
configurations. Moreover, in all cache configurations, CacheFix
generated all required patches to ensure the cache side-channel
freedom w.r.t. Ot ime .
Algorithm 3 Monitor extraction and instrumentation
1: procedure MONITORING(Ψ, O, φ, Pred, Predcur , Γ)
2: /* If φ captures side-channel freedom, then trace is
3: any of the two traces constituting the counterexample */
4: (res, trace) := VERIFY(Ψ,φ)
5: while (res=f alse) ∧ (trace , spurious) do
6: /* Extract observation from trace */
7: o := GETOBSERVATION(trace)
8: /* Extract monitor from trace */
9: νo := ν := EXTRACTMONITOR(trace)
10: /* Refine Ψ to find unique counterexamples */
11: Ψ := Ψ ∧ ¬ν
12: /* Refine φ to find all traces exhibiting o */
13: φ := REFINEOBJECTIVE(φ, o)
14: /* Check the unsatisfiability of Ψ ∧ ¬φ */
15: (res ′, trace ′) := VERIFY(Ψ,φ)
16: while (res ′=f alse) do
17: if (trace ′ , spurious) then
18: ν := EXTRACTMONITOR(trace ′)
19: /* Combine monitors with observation o */
20: νo := νo ∨ ν
21: /* Refine Ψ for unique counterexamples */
22: Ψ := Ψ ∧ ¬ν
23: /* Check the unsatisfiability of Ψ ∧ ¬φ */
24: (res ′, trace ′) := VERIFY(Ψ,φ)
25: else
26: /* Refine abstraction to repeat verification */
27: ABSREFINE(Ψ, Pred, Predcur , trace ′, Γ)
28: (res ′, trace ′) := VERIFY(Ψ,φ)
29: end if
30: end while
31: Let Ω holds the set of monitor, observation pairs
32: Ω ∪:= {⟨νo ,o⟩}
33: /* Instrument patches for monitor νo */
34: INSTRUMENTPATCH(Ω, O)
35: /* Refine objective to find new observations */
36: φ := ¬φ
37: /* Check the unsatisfiability of Ψ ∧ ¬φ */
38: (res, trace) := VERIFY(Ψ,φ)
39: end while
40: /* Program is still not side-channel free */
41: /* Refine abstraction to repeat verification loop */
42: if (res=f alse) then
43: ABSREFINE(Ψ, Pred, Predcur , trace, Γ)
44: MONITORING(Ψ,O,φ, Pred, Predcur , Γ)
45: end if
46: end procedure
47: procedure ABSREFINE(Ψ, Pred, Predcur , trace, Γ)
48: /* Extract unsatisfiable core */
49: U := UNSATCORE(trace, Γ)
50: /* Refine abstractions (see Section 4) */
51: Predcur := REFINE(Predcur , U, Pred)
52: /* Rewrite Ψ with the refined abstraction */
53: REWRITE(Ψ, Predcur )
54: end procedure
13
 0
 2
 4
 6
 8
 10
 12
 14
 16
 18
 20
 22
 24
 26
 28
 30
 32
 34
 36
 38
 100  1000  10000
# o
b s
e r
v a
t i o
n  
e q
u i
v a
l e
n c
e  
c l a
s s
Time (seconds)
timing-based attacks trace-based attacks
 0
 50
 100
 150
 200
 250
 300
 350
 100  1000  10000
# o
b s
e r
v a
t i o
n  
e q
u i
v a
l e
n c
e  
c l a
s s
Time (seconds)
timing-based attacks trace-based attacks
 0
 10
 20
 30
 40
 50
 60
 70
 80
 90
 10  100  1000
# o
b s
e r
v a
t i o
n  
e q
u i
v a
l e
n c
e  
c l a
s s
Time (seconds)
timing-based attacks trace-based attacks
(a) AES128 (b) DES (c) fix_frac
 0
 2
 4
 6
 8
 10
 12
 14
 16
 18
 20
 10  100  1000
# o
b s
e r
v a
t i o
n  
e q
u i
v a
l e
n c
e  
c l a
s s
Time (seconds)
 0
 5
 10
 15
 20
 25
 30
 35
 40
 45
 10  100  1000
# o
b s
e r
v a
t i o
n  
e q
u i
v a
l e
n c
e  
c l a
s s
Time (seconds)
 0
 5
 10
 15
 20
 25
 30
 35
 40
 10  100  1000  10000
# o
b s
e r
v a
t i o
n  
e q
u i
v a
l e
n c
e  
c l a
s s
Time (seconds)
(d) eccpoint_validate (e) gdk_unicode_to_keyval (f) gdk_keyval_name
Figure 3: Overhead of counterexample exploration and patch synthesis
 0
 2
 4
 150  152  154  156  158  160  162  164
# o
b s
e r
v a
t i o
n  
e q
u i
v a
l e
n c
e  
c l a
s s
Time (seconds)
1-way, 1KB
2-way, 1KB (LRU)
2-way, 1KB (FIFO)
1-way, 2KB
2-way, 2KB (LRU)
2-way, 2KB (FIFO)
1-way, 4KB
4-way, 4KB (LRU)
4-way, 4KB (FIFO)
1-way, 8KB
4-way, 8KB (LRU)
4-way, 8KB (FIFO)
 0
 50
 100
 150
 200
 250
 300
 350
 100  150  200  250  300  350  400  450  500  550  600
# o
b s
e r
v a
t i o
n  
e q
u i
v a
l e
n c
e  
c l a
s s
Time (seconds)
1-way, 1KB
2-way, 1KB (LRU)
2-way, 1KB (FIFO)
1-way, 2KB
2-way, 2KB (LRU)
2-way, 2KB (FIFO)
1-way, 4KB
4-way, 4KB (LRU)
4-way, 4KB (FIFO)
1-way, 8KB
4-way, 8KB (LRU)
4-way, 8KB (FIFO)
 0
 10
 20
 30
 40
 50
 60
 70
 80
 90
 0  100  200  300  400  500  600  700
# o
b s
e r
v a
t i o
n  
e q
u i
v a
l e
n c
e  
c l a
s s
Time (seconds)
1-way, 1KB
2-way, 1KB (LRU)
2-way, 1KB (FIFO)
1-way, 2KB
2-way, 2KB (LRU)
2-way, 2KB (FIFO)
1-way, 4KB
4-way, 4KB (LRU)
4-way, 4KB (FIFO)
1-way, 8KB
4-way, 8KB (LRU)
4-way, 8KB (FIFO)
(a) AES128 (b) DES (c) fix_frac
 0
 10
 20
 20  25  30  35  40  45
# o
b s
e r
v a
t i o
n  
e q
u i
v a
l e
n c
e  
c l a
s s
Time (seconds)
 0
 5
 10
 15
 20
 25
 30
 35
 40
 45
 0  50  100  150  200  250  300
# o
b s
e r
v a
t i o
n  
e q
u i
v a
l e
n c
e  
c l a
s s
Time (seconds)
 0
 5
 10
 15
 20
 25
 30
 35
 40
 0  200  400  600  800  1000  1200
# o
b s
e r
v a
t i o
n  
e q
u i
v a
l e
n c
e  
c l a
s s
Time (seconds)
(d) eccpoint_validate (e) gdk_unicode_to_keyval (f) gdk_keyval_name
Figure 4: CACHEFIX sensitivity w.r.t. cache
14
