Identifying Cache-Based Side Channels through Secret-Augmented Abstract
  Interpretation by Wang, Shuai et al.
Identifying Cache-Based Side Channels through Secret-Augmented Abstract Interpretation
Shuai Wang∗1, Yuyan Bao2, Xiao Liu2, Pei Wang2, Danfeng Zhang2, and Dinghao Wu2
1The Hong Kong University of Science and Technology
2The Pennsylvania State University
shuaiw@cse.ust.hk, {yxb88, xvl5190, pxw172}@ist.psu.edu, zhang@cse.psu.edu, dwu@ist.psu.edu
Abstract
Cache-based side channels enable a dedicated attacker to re-
veal program secrets by measuring the cache access patterns.
Practical attacks have been shown against real-world crypto
algorithm implementations such as RSA, AES, and ElGa-
mal. By far, identifying information leaks due to cache-
based side channels, either in a static or dynamic manner, re-
mains a challenge: the existing approaches fail to offer high
precision, full coverage, and good scalability simultaneously,
thus impeding their practical use in real-world scenarios.
In this paper, we propose a novel static analysis method on
binaries to detect cache-based side channels. We use abstract
interpretation to reason on program states with respect to ab-
stract values at each program point. To make such abstract
interpretation scalable to real-world cryptosystems while of-
fering high precision and full coverage, we propose a novel
abstract domain called the Secret-Augmented Symbolic do-
main (SAS). SAS tracks program secrets and dependencies
on them for precision, while it tracks only coarse-grained
public information for scalability.
We have implemented the proposed technique into a prac-
tical tool named CacheS and evaluated it on the imple-
mentations of widely-used cryptographic algorithms in real-
world crypto libraries, including Libgcrypt, OpenSSL, and
mbedTLS. CacheS successfully confirmed a total of 154 in-
formation leaks reported by previous research and 54 leaks
that were previously unknown. We have reported our find-
ings to the developers. And they confirmed that many of
those unknown information leaks do lead to potential side
channels.
1 Introduction
Cache-based timing channels enable attackers to reveal se-
cret program information, such as private keys, by measur-
ing the runtime cache behavior of the victim program. Prac-
tical attacks have been executed with different attack scenar-
ios, such as time-based [16, 50], access-based [41, 67, 69],
and trace-based [5], each of which exploits a victim program
through either coarse-grained or fine-grained monitoring of
∗Most of this work is done while Shuai Wang was working at PSU.
cache behavior. Additionally, previous research has success-
fully launched attacks on commonly used cryptographic al-
gorithm implementations, for example, AES [41, 67, 83, 16],
RSA [23, 50, 7, 69, 94], and ElGamal [98].
Pinpointing cache-based side channels from production
cryptosystems remains a challenge. Existing research em-
ploys either static or dynamic methods to detect underlying
issues [85, 35, 36, 46, 90, 22, 89]. However, the methods are
limited to low detection coverage, low precision, and poor
scalability, which impede their usage in analyzing real-world
cryptosystems in the wild.
Abstract interpretation is a well-established framework
that can be tuned to balance precision and scalability for
static analysis. It models program execution within one
or several carefully-designed abstract domains, which ab-
stract program concrete semantics by tracking certain pro-
gram states of interest in a concise representation. Usually,
the elements in an abstract domain form a complete lattice of
finite height, and the operations of the program concrete se-
mantics are mapped to the abstract transfer functions over
the abstract domain. A well-designed abstract interpreta-
tion framework can correctly approximate program execu-
tion and usually yields a terminating analysis within a fi-
nite step of computations. Nevertheless, the art is to care-
fully design an abstraction domain that fits the problem un-
der consideration, while over-approximating others to bound
the analysis to a controllable size; this enables the analysis
of non-trivial cases.
We propose a novel abstract domain named the Secret-
Augmented Symbolic domain (SAS), which is specifically
designed to perform abstract interpretation on large-scale
secret-aware software, such as real-world cryptosystems.
SAS is designed to perform fine-grained tracking of program
secrets (e.g., private keys) and dependencies on them, while
coarsely approximating non-secret information to speed up
the convergence of the analysis.
We implement the proposed technique as a practical tool
named CacheS, which models program execution within
the SAS and pinpoints cache-based side channels with con-
straint solving techniques. Like many bug finding tech-
ar
X
iv
:1
90
5.
13
33
2v
1 
 [c
s.C
R]
  3
0 M
ay
 20
19
niques [62, 92, 61], CacheS is soundy [60]; the implemen-
tation is unsound for speeding up analysis and optimizing
memory usage, due to its lightweight but unsound treat-
ment of memory. However, in contrast to previous studies
that analyze only small-size programs, single procedure or
single execution trace [35, 36, 85, 22, 89], CacheS is scal-
able enough to deliver whole program static analysis of real-
world cryptosystems without sacrificing much accuracy. We
have evaluated CacheS on multiple popular crypto libraries.
Although most libraries have been checked by many previ-
ous tools, CacheS is able to detect 54 unknown information
leakage sites from the implementations of RSA/ElGamal al-
gorithms in three real-world cryptosystems: Libgcrypt (ver.
1.6.3), OpenSSL (ver. 1.0.2k and 1.0.2f), and mbedTLS
(ver. 2.5.1). We show that CacheS has good scalability as
it largely outperforms previous research regarding coverage;
it is able to complete context-sensitive interprocedural anal-
ysis of over 295 K lines of instructions within 0.5 CPU hour.
In summary, we make the following contributions:
• We propose a novel abstract interpretation-based anal-
ysis to pinpoint information leakage sites that may lead
to cache-based side channels. We propose a novel ab-
stract domain named SAS, which performs fine-grained
tracking of program secrets and dependencies, while
over-approximating non-secret values to enable precise
reasoning in a scalable way.
• Enabled by the “symbolic” representation of abstract
values in SAS, we facilitate information leak check-
ing in this research with constraint solving techniques.
Compared with previous abstract interpretation-based
methods, which only reason on the information leak-
age upper-bound, our technique adequately simplifies
the process of debugging and fixing side channels.
• We implement the proposed technique into a practical
tool named CacheS and apply it to detect cache-based
side channels in real-world cryptosystems. From five
popular crypto library implementations, CacheS suc-
cessfully identified 208 information leakage sites (with
only one false positive), among which 54 are unknown
to previous research, to the best of our knowledge.
2 Background
Abstract Interpretation. Abstract interpretation is a well-
established framework to perform sound approximation of
program semantics [29]. Considering that program concrete
semantics forms a value domain C, abstract interpretation
maps C to an abstract (and usually more concise) represen-
tation, namely, an abstract domain A. The design of the ab-
straction is usually based on certain program properties of in-
terest, and (possibly infinite) sets of concrete program states
are usually represented by one abstract state in A. To ensure
termination, abstract states could form a lattice with a finite
height, and computations of program concrete semantics are
mapped into operators over the abstract elements in A.
The abstract function (α) and concretization function (γ)
need to be defined jointly with an abstract domain A. Func-
tion α lifts the elements in C to their corresponding abstract
elements in A, while γ casts an abstract value to a set of
values in C. To establish the correctness of an abstract inter-
pretation, the abstract domain and the concrete domain need
to form a Galois connection, and operators defined upon el-
ements in an abstract domain are required to form the local
and global soundness notions [29].
Cache Structure and Cache-Based Timing Channels. A
cache is a fast on-CPU data storage unit with a very limited
capacity compared to the main memory. Caches are usu-
ally organized to be set-associative, meaning that the storage
is partitioned into several disjoint sets while each set exclu-
sively stores data of a particular part of the memory space.
Each cache set can be further divided into smaller storage
units of equal size, namely cache lines. Given the size of
each cache line as 2L bytes, usually the upper N−L bits of
a N-bit memory address uniquely locate a cache line where
the data from that address will be temporally held.
When the requested data is not found in the cache, the
CPU will have to fetch them from the main memory. This
is called a cache miss and causes a significant delay in exe-
cution, compared with fetching data directly from the cache.
Therefore, an attacker may utilize the timing difference to
reveal the cache access pattern and further infer any infor-
mation on which this pattern may depend.
Threat Model. As mentioned above, some bits of a mem-
ory address can be directly mapped to cache lines being
visited, which potentially enables information leakage via
secret-dependent memory traffic. In this research, attack-
ers are assumed to share the same hardware platform with
the victim program, and therefore are able to “probe” the
shared cache state and infer cache lines being accessed by
the victim. As illustrated in Fig. 2, our threat model assumes
that the attacker can observe the address of every memory
access, expect for the low bits of addresses that distinguish
locations in the same cache line. Overall, by tracking the
secret-dependent cache access of the victim, several bits of
program secrets (w.r.t. entropy) could be leaked to the at-
tacker.
We note that this threat model indeed captures most in-
famous and practical side channel attacks [44], including
prime-and-probe [67], flush-and-reload [94], and prime-and-
abort [34], which are designed to infer the cache line access
by measuring the latency of the victim program or attacker’s
program at different scales and for different attack scenarios.
Additionally, while this threat model is aligned with many
existing side channel detection works [85, 36, 46, 90, 22],
novel techniques proposed in this work enable us to perform
scalable static analysis and reveal much more information
leaks of real-world cryptosystems.1 In addition, while this
1Consistent with this line of research, CacheS pinpoints information
leaks in cryptosystems where cache access depends on secrets. Cryptosys-
tem developers can fix the code with information provided by CacheS. Con-
trarily, the exploitability of the leaks (e.g., reconstruct the entire key by
recovering half bits of the RSA private key [19]) is beyond the scope of this
work.
1 foo:
2 mov eax, ebx
3 add eax, 0x1
4 load ecx , esi
5 add ecx , 0x12
6 mov edx , edi
7 add eax, ecx
(a) Sample Code.
1 {ebx = {k1}}
2 {ebx = {k1}, eax = {k1}}
3 {ebx = {k1}, eax = {k1+1}}
4 {ebx = {k1}, eax = {k1+1}, ecx = {m1}}
5 {ebx = {k1}, eax = {k1+1}, ecx = {m1+12}}
6 {ebx = {k1}, eax = {k1+1}, ecx = {m1+12}, edx = {edi0}}
7 {ebx = {k1}, eax = {k1+m1+13}, ecx = {m1+12}, edx = {edi0}}
(b) Modeling program states with logic formulas l ∈ L.
1 {ebx = {s1}}
2 {ebx = {s1}, eax = {s1}}
3 {ebx = {s1}, eax = {s1 +1}}
4 {ebx = {s1}, eax = {s1 +1}, ecx = {p}}
5 {ebx = {s1}, eax = {s1 +1}, ecx = {p}}
6 {ebx = {s1}, eax = {s1 +1}, ecx = {p}, edx = {p}}
7 {ebx = {s1}, eax = {>}, ecx = {p}, edx = {p}}
(c) Modeling program states with SAS.
Figure 1: Execute assembly code with different program representations. Program secrets and all the affected registers are
marked as red in Fig. 1a. Program states at line 1 of Fig. 1b and Fig. 1c represent the initial state. Here k1 is a symbol
exhibiting one piece of program secrets (e.g., the first element in a key array), and m1 is a free symbol representing non-secret
content of unknown memory cells. edi0 is a symbol representing the initial value of register edi. Symbol s1, p, and > defined
in SAS stand for one piece of secret, entire non-secret information and all the program information, respectively (see Sec. 4).
x = A[key]
key	=	10 key	=	50
key	should	be	10 key	should	be	50
Memory cells
Cache lines
Figure 2: The threat model. Different secrets lead to the ac-
cess of different cache lines at one particular program point,
which may leak secret information to the attackers by indi-
rectly observing cache line access variants. At least one bit
information (w.r.t. entropy) could be leaked in this example.
model is relatively stronger than those based on cache sta-
tus [35], cache status at any point can be determined by ana-
lyzing the accessed cache units in execution.
3 Motivation
In general, capturing cache-based side channels requires
modeling program secret-dependent semantics (we will dis-
cuss the connection between program semantics and cache
access in Sec. 5). In this section we begin by discussing
two baseline approaches to modeling program semantics; the
limitations of both approaches naturally motivate the design
of our novel abstract domain.
Modeling Program Semantics with Logic Formulas. An
intuitive way is to represent program concrete semantics
with logic formulas (as in a typical symbolic execution ap-
proach [85]), and perform whole-program static reasoning
until a fixed point is reached. The overall workflow exhibits
a typical dataflow analysis procedure, and upon termination,
each program point maintains a program state that maps vari-
ables (i.e., registers, CPU flags, and memory cells) to sets of
formulas representing the possible values each variable may
hold regarding any execution paths and inputs. For ease of
presentation, we name the value domain formed by logic for-
mulas l as logic domain L.
An example is given in Fig. 1, where we model the execu-
tion of instructions with logic formulas (Fig. 1b). While the
overall approach will precisely model program semantics,
some tentative studies indicate its low scalability. Indeed, we
implement this approach and evaluate it with two real-world
cases: the AES and RSA implementations of OpenSSL. We
report that both tests are unable to terminate (evaluation re-
sults are given in Sec. 8). In summary, the analysis is im-
peded for the following reasons:
• Typically, more and more memory cells would be mod-
eled throughout the analysis, and for each variable, its
value set (i.e., set of formulas) would also continue to
increase. Therefore, the memory usage could become
significant to even unrealistic for real-world cases.
• Program states could be continuously updated within
loop iterations. In addition, “loops” on the call graph
(e.g., recursive calls) could exist in cryptosystems as
well and complicate the analysis.
We implement algorithms to detect loop induction vari-
ables [11] considering both registers and stack memories.
Identified induction variables are lifted into a linear function
of symbolic loop iterators; operations on induction variables
are “merged” into the linear function, thereby leading to a
stable stage. While the simpler AES case terminated when
we re-ran the test, the RSA case still yielded a “timeout” due
to the practical challenges mentioned above (see results in
Sec. 8.1).
Modeling Program Semantics with Free Symbols. An-
other “baseline” approach is to model program semantics in a
permissive way. That is, we introduce two free symbols: one
for any public information and the other for secrets. Any
secret-related computation outputs the same secret symbol,
while others preserve the same public symbol. Note that this
is comparable to static taint tracking, where each value is
either “tainted” or “untainted”. Despite its simplicity, our
tentative study reveals new hurdles as follows:
• Memory tracking becomes pointless. Every memory
address becomes (syntactically) identical because it
holds the same public or secret symbol. Therefore, a
memory store could overturn the entire memory space.
• Even if memory addresses are tracked in a more pre-
cise way, representing any secret value and their de-
pendencies coarsely as one free secret symbol yields
many false positives (since secret-dependent memory
accesses do not necessarily lead to vulnerable cache ac-
cesses; see our cache modeling in Sec. 5). Tentative
tests of the AES case report a false positive rate of 20%
(8 out of 40) due to such modeling. In contrast, our
novel program modeling yields no false positive when
testing this case (see Sec. 8).
Motivation of Our Approach. This paper presents a novel
abstract domain that enables abstract interpretation of large-
scale cryptosystems in the wild. Our observation is that im-
precise tracking of secrets impedes the accurate modeling
of cache behaviors (cache access modeling is discussed in
Sec. 5). Nevertheless, tracking too much information, such
as modeling whole-program semantics with logic formulas,
could face scalability issues when analyzing real-world cryp-
tosystems due to various practical challenges.
Our study of real-world cryptosystems actually reveals an
interesting and intuitive finding. That is, program secrets
and their dependencies usually exhibit at a very small por-
tion of program points, and even in such secret-carrying
points, most variables maintain only public information. It
should be noted that in common scenarios non-secret in-
formation is not critical for modeling cache-based timing
channels. Hence, based on our observation, we promote a
novel abstract domain that is particularly designed to model
the secret-dependent semantics of real-world crypto systems.
Our abstract domain delivers fine-grained tracking of pro-
gram secrets and their dependencies with different identi-
fiers for each piece of secret information, while performing
coarse-grained tracking of other public values to effectively
enhance scalability.
4 Secret-Augmented Symbolic Domain
This section presents the definition of our abstract domain
SAS. We formally define each component following conven-
tion, including the concrete semantics, the abstract domain,
and the abstract transfer functions. We also prove that the
computations specified in SAS correctly over-approximate
concrete semantics. Due to space limitations, we highlight
only certain necessary components in this section. Please
refer to Appendix E for a complete formulation.
4.1 Abstract Values
We start by defining abstract values f ∈ AV (soon we will
show that SAS is defined as the powerset of AV). Compa-
rable to “symbolic formulas” in symbolic execution, f com-
bines symbols and constants via operators. Elementary sym-
bols in each abstract value are defined as follows:
• p: a unique symbol representing all the program public
information.
• si: a symbol representing a piece of program secrets;
for instance, the i-th element of a secret array.
Literal n ∈ Z
OP1 ⊕ ::= + | −
OP2 ⊗ ::= × | ÷ |% | AND | OR | XOR | SHIFT
Atom t ::= > | p | si | n
Expression exp ::= t | t⊕ exp | t⊗ exp
Formula f ::= e | exp | e⊕ exp
Figure 3: Syntax of abstract value.
• e: a unique symbol representing the initial value of the
x86 stack register esp.
While only one free symbol p is used to represent any and
all unknown non-secret information (e.g., initial value edi0
of register edi in Fig. 1b), we retain finer-grained informa-
tion about program secrets. Multiple si are generated, and
are mapped to different pieces of program secrets (e.g., a
symbol s1 representing k1 in Fig. 1c). Therefore, different
si symbols are semantically different, meaning each of them
stands for different secrets.
Syntax. The syntax of a core of abstract values f ∈ AV is
defined in Fig. 3. Literal specifies that concrete data is pre-
served in AV. OP1 and OP2 explain typical operators in
AV. Atom includes symbols and literals, among which >
(top) is the abstraction of any concrete value. Expression
and Formula additionally define expressions and formulas.
Note that stack memory expands linearly in the process ad-
dress space, and stack register esp at any program point shall
hold a value which adds or subtracts an offset from the initial
value of esp (i.e., e). In the syntax definition, stack memory
offsets could be a constant or an exp.
Since the symbol {si} represents the secrets, which our
analysis intends to keep track of, the formulas that con-
tain these symbols usually need to be specially treated. We
denote this infinite set of special formulas by AVs, where
AVs = { f ∈ AV | ∃s ∈ {si} s.t. s occurs in f}.
Reduction of Abstract Formulas. We now define the oper-
ator semantics of abstract value f ∈ AV. For any operator
∈ {⊕}∪{⊗}, we define a reduction rule T : AV×AV→
AV such that Ja1a2K= T(Ja1K,Ja2K) for any a1,a2 ∈AV,
where J·K denotes the semantics. We then define T(a1,a2)
as follows:
T(a1,a2) =

> if a1 => or a2 =>
> else if a1 = p∧a2 ∈ AVs or
a2 = p∧a1 ∈ AVs
p else if a1 = p∧a2 /∈ AVs or
a2 = p∧a1 /∈ AVs
a1a2 otherwise
Essentially, the first three cases perform reasonable over-
approximation on f ∈ AV with different degrees of abstrac-
tion. The last case would apply if no other case can be
matched; indeed similar to symbolic execution, most oper-
ations on f ∈ AV “concatenates” abstract values via abstract
operators following this rule. For the implementation, we
also implement “constant folding” rules for operands of con-
crete data; such rules help the reduction of stack increment
and decrement operations.
Since abstract interpretation typically needs to process
sets of facts, we extend T so that it can be applied to pairs
of subsets of abstract values f ∈ AV, where
∀X ,Y ∈P(AV),∀ ∈ {⊕}∪{⊗},
T(X ,Y ) = {T(a,b) | a ∈ X ,b ∈ Y}
4.2 Abstract Domain
Naturally, each element in SAS represents the possible val-
ues that a program variable may hold; therefore each element
in SAS forms a set of abstract values. That is,
Definition 1. Let AV be the set of abstract values. Then
SAS =P(AV)
forms a domain whose elements are subsets of all valid ab-
stract values.
Claim 1. SAS forms a lattice, with the top element >SAS,
bottom element ⊥SAS and a join operator unionsq defined over
SAS.
For further discussion and definition of SAS, please refer
to Appendix E.
Example. Fig. 1 explains typical computations within
SAS. We present a set of abstract values for each register
in Fig. 1c. While the computations over secret symbol si are
precisely tracked (line 3 in Fig. 1c), the computations over
p preserve this symbol (line 5 in Fig. 1c), and the computa-
tions between abstract value a ∈ AVs and p lead to > (line 7
in Fig. 1c).
5 Pinpointing Information Leakage Sites
Upon the termination of static analysis, we check abstract
memory addresses of each memory load and store instruc-
tion. When a secret-dependent address a ∈ AVs is identi-
fied, its corresponding memory access instruction is consid-
ered to be “secret-dependent.” We then translate each secret-
dependent address a into an SMT formula f for constraint
checking (this translation is discussed in Sec. 6.4).
In this research, we adopt a cache model proposed by the
existing work to check each secret-dependent memory ac-
cess [85]. Given an SMT formula f translated from a ∈ AVs
that represents a memory address, CacheS checks potential
cache line access variants by solving the satisfiability of the
following predicate:
f  L 6= f [s′i/si] L (1)
As discussed in Sec. 2, assuming the cache has the line
size of 2L bytes, for a memory address of N bits, the up-
per N − L bits map a memory access to its corresponding
cache line access. In other words, the upper N−L bits decide
which cache line the upcoming memory access would visit.
Therefore, for an SMT formula f derived from a ∈ AVs, we
right shift f by L bits, and the result f  L indicates the
cache line being accessed. Furthermore, by replacing each si
with a fresh secret symbol s′i, we obtain f [s′i/si] L. As a
standard setting, the cache line size is assumed to be 64 (26)
in this work; therefore, we set L as 6.
The constructed constraint checks whether different se-
crets (si and s′i) can lead to the access of different cache lines
at this memory access. Recall the threat model shown in
Fig. 2, the existence of at least one satisfiable solution re-
veals potential side channels at this point. From an attacker’s
perspective, by (indirectly) observing the access of different
cache lines, a certain number of secrets could be leaked to
adversaries. In addition, while this constraint assumes that
accesses to different offsets within cache lines are indistin-
guishable, Constraint 1 can be extended to detect related is-
sues. For example, information leaks which enable cache
bank attacks can be detected by changing L from 6 to 2 [95].
6 Design of CacheS
We now present CacheS, a tool that uses precise and scal-
able static analysis to detect cache-based timing channels
in real-world cryptosystems. Fig. 4 presents the workflow
of CacheS. Given a binary as the input, CacheS first lever-
ages a reverse engineering tool to recover the assembly code
and the control flow structures from the input. The assem-
bly instructions are further lifted into platform-independent
representations before analysis. Technical details on reverse
engineering are discussed in Sec. 7.
Given all the recovered program information, we initialize
the abstract program state at each program point. In particu-
lar, we update the initial state of certain program points with
one or several “secret” symbols to represent program secrets
(e.g., a sequence of memory cells) when the analysis starts.
We then perform abstract interpretation on the whole pro-
gram until the fixed point in SAS is reached.
Abstract interpretation reasons the program execution
within SAS (Sec. 6.1), and as mentioned, the proposed ab-
stract domain performs fine-grained tracking of program
secret-related semantics while maintaining only coarse-
grained public information for scalability. The entire anal-
ysis framework forms a standard worklist algorithm, where
each program point maintains its own program state mapping
variables to sets of abstract values (Sec. 6.1.2).
We define information flow rules to propagate secret in-
formation (Sec. 6.2) in our context-sensitive and interproce-
dural analysis (Sec. 6.3). Upon the termination of analyz-
ing one function, we identify secret-dependent memory ac-
cesses and translate corresponding memory addressing for-
mulas into SMT formulas (Sec. 6.4) and check for side chan-
nels (Sec. 5).
Application Scope. In this research we design our abstract
domain SAS to analyze assembly code: program memory
access can be accurately uncovered by analyzing assembly
code, thus supporting a “down-to-earth” modeling of cache
behavior (see Sec. 5).
Abstract values of 
secret-dependent 
memory access
Secret-augmented 
abstract intrepretation
Secret-dependent 
memory access
Corresponding 
SMT formulas
Constraint solving 
w.r.t. cache line 
access model
Yes
Potential side 
channel issue Safe
No
CFG
Program 
Binary
Reverse 
Engieering
eax = {0, 2, 4}
ecx = {s1}
!(ebx+4) = {4, 12}
…
Program state
Capture information 
flow
Figure 4: The overall workflow of CacheS.
To assist the analysis of off-the-shelf cryptosystems and
capture information leaks in the wild, we designed CacheS to
directly process binary executables, including stripped exe-
cutables with no debug or relocation information. We rely on
reverse engineering tools to recover program control struc-
tures from the input binary, and further build our analysis
framework on top of that (see Sec. 7).
6.1 Abstract Interpretation
In this section, we discuss how the proposed abstract do-
main SAS is adopted in our tool, and elaborate on several
key points to deliver a practical and scalable analysis.
6.1.1 Initialization
Before the analysis, we first initialize certain program points
with {si} to represent the initial secret program information;
for the rest their corresponding initial states are naturally de-
fined as {}, or {e} for the stack register esp.
Program secrets are maintained in registers or memory
cells (e.g., on the stack) during execution. Since CacheS is
designed to directly analyze binary code, we must first rec-
ognize the location of program secrets. We reverse-engineer
the input binary and mark the location of secrets manually.
Once the locations of secrets are flagged, we update the ini-
tial value set of corresponding variables (i.e., registers or
memory cells) with a secret symbol si. Additionally, while
“manual reverse engineering” is sufficient for studies in this
research, it is always feasible to leverage automatic tech-
niques [26] to search for secrets directly from executables or
secret-aware compilers to track secret locations when source
code is available. We leave this to future work.
In addition, since program secrets may be stored in a re-
gion of sequential memory cells (e.g., in an array), we create
another identifier named u to represent the base address of
the secret memory region. While u itself is treated as pub-
lic information, we specify that memory loading from u will
obtain program secrets; that is, we introduce one si for each
memory loading via u.
6.1.2 Program State
At each program point, CacheS maintains a lookup table that
maps variables to value sets; each value set S ∈ SAS consists
of abstract values f ∈ AV representing possible values of a
variable at the current program point. While the “lookup
table” is an essential piece of any non-trivial analysis frame-
work, our study has shown that naively-designed program
state representations in CacheS could consume significant
amounts of computing resources and impede the analysis of
non-trivial programs. Thus, at this step we seek to design a
{ 12 }
{8+k2*4}
{14+esi0*4}
 {eax0+4}
{ 14 }
{ k2 }
{ 33 }
{ p }
{ 14 }
{ s2}
{ 33 }
value
{esp0 -120} {e-120}
{ 12 }
{ p }
new value
{8+s2*4}
ebx
ecx
eax
esp
!(14+esi0*4)
!(8)
!(8+k2*4)
!(esp0-120)
new key
ebx
ecx
eax
esp
!(ebx)
!(ecx-4)
!(eax)
!(e-120)
key
Program State Lookup Table
Figure 5: A sample program state lookup table. esp0, eax0
and esi0 in the “key” and “value” entries are symbols repre-
senting the register initial values. Symbol ! means pointer
dereference, for example !(eax) means memory loading
from address stored in eax. Lookup tables at each program
point are the major factor for memory usage, and we op-
timize the design by replacing “key” and “value” columns
with “new key” and “new value” columns, respectively (see
Sec. 6.1.2). Hence, shaded boxes are eliminated in CacheS.
concise and practical representation of program states. For
the rest of this section, we first explain a “baseline” imple-
mentation of the lookup table, and further discuss two refine-
ments.
The “Baseline” Approach. A sample lookup table is shown
in Fig. 5 (the “key” and “value” columns), where each table
maps registers and memory addressing formulas to their cor-
responding sets for logic formulas l ∈L. When it encounters
a memory access instruction, CacheS computes the mem-
ory addressing formula and searches for its existence in the
lookup table. (This requires some “equivalence checking”;
the details will be explained in Sec. 6.1.4). If the search
identifies an entry in the table, CacheS extracts or updates
the content of that entry accordingly. Consider the example
in Listing 1, where we first store concrete data 14 into mem-
ory via address stored in eax, and further load it out into
ebx.
Listing 1: Sample instructions.
store eax , 14
load ebx , eax
Knowing that value set of eax is 8+k2*4 (third entry in
Fig. 5), the first instruction creates an entry from address
8+k2*4 to 14 (Fig. 5 shows program states after executing
the first instruction). Further memory loading would acquire
the value set in eax, and then reset the entry of ebx with 14
in the state lookup table of the second instruction.
Reading from unknown registers and memory locations
would introduce symbols of different credentials regarding
our information flow policy (see Sec. 6.2 for details).
Optimization of Table Values. While the precisely tracked
logic formulas l ∈ L result in notable computing resource
usage (Sec. 3), the proposed abstract domain SAS (Sec. 4)
enables succinct representation of abstract values. As shown
in Fig. 5, the “value” column of the lookup table is now re-
placed by the “new value” column. Consequently, memory
consumption is considerably reduced (details are reported in
our evaluation section).
Optimization of Table Keys. Since only abstract values are
traced in SAS, the “key” column can be updated into a com-
pact representation as well. However, using symbols such as
p as the key will result in an imprecise modeling of memory
addresses.
CacheS optimizes the “key” column in the following way.
For most memory related entries, instead of using abstract
memory addressing formulas, memory access expressions
(expressions of registers and constant offsets) are used as
keys. For example, the first instruction in Listing 1 uses
memory access expression (i.e., “eax”) instead of its abstract
value 8+ s2 ∗4 for memory lookup. Hence, when analyzing
the store instruction, CacheS creates (or updates) an entry in
the lookup table, which uses !(eax) as the key (here symbol
“!” means pointer dereference). Likewise, for memory load,
!(eax) will be used to look up the program state table. To
safely preserve lookup entries via expressions, whenever the
value set of a register is reset in the analysis, entries in the
table are deleted if their keys are memory access expressions
via the newly-updated register.
Nevertheless, since stack register esp is frequently manip-
ulated to access stack memory, we preserve abstract address-
ing formulas via e to keep track of stack memory access pre-
cisely (e.g., the last entry in the “new key” column of Fig. 5).
6.1.3 Order of Program State
When multiple program states are possible for a program
point, it is important to define the “merge” operation in ab-
stract interpretation. Such an operation can be defined based
on the least upper bound operation unionsq of SAS (recall that SAS
forms a lattice (Sec. 4.2)).
Given lookup tables T1 and T2 representing two program
states, T1unionsqT2 is defined as the following table, say T3:
• T3’s key set is the union of the key sets of T1 and T2;
• For each key k in T3, T3[k] = T1[k]unionsq T2[k] (assuming
T1[k] or T2[k] is an empty set if k is not in the table).
Moreover, the least upper bound of program states entails
the partial order of any two program states: T1 unionsqT2 = T1↔
T2 ⊆ T1.
6.1.4 Memory Model
When encountering a memory load and store operation, we
must decide which memory cell is accessed by tracing the
memory address. However, considering CacheS models pro-
gram semantics with abstract values, a memory address can
usually contain one or several symbols instead of only con-
crete data. Therefore, policies (i.e., a “memory model”) are
usually required to determine the location of an accessed
memory cell given a symbolic pointer.
When defining the abstract semantics within SAS (see Ap-
pendix E), we assume the assistance of a sound points-to
analysis module as pre-knowledge. Nevertheless, finding
such a convenient tool for assembly code of large-scale cryp-
tosystems is quite difficult in practice. We have tried several
popular “end-to-end” binary analysis platforms that take an
executable as the input and perform various reverse engineer-
ing campaigns including points-to analysis; nevertheless, so
far we cannot find a practical and robust solution to our sce-
nario.
Therefore, we aim to implement a rigorous memory model
by solving the equality constraints of two abstract formu-
las. However, tentative tests show that such a memory model
may lose considerable precision in terms of reasoning sym-
bolic pointers and may also not be scalable enough. On the
other hand, since keys in the memory lookup table are for-
mulas of e (for stack pointers; recall that e represents the ini-
tial value of esp) or memory access expressions (for other
pointers), the current implementation of CacheS rigorously
reasons on the equality constraints if abstract values are com-
posed of e and concrete offsets, which is indeed often the
case in analyzing assembly code. For the rest (e.g., e and
symbolic offsets), we reason on the syntactical equivalence
of memory access expressions. This design tradeoff may
incorrectly deem equivalent symbolic pointers inequivalent
(due to the symbolic “alias” issue) but not vice versa. Ex-
periments show that this memory model is efficient enough
to handle real-world cryptosystems while being promisingly
accurate.
6.2 Information Flow
Considering that information leaks detected in this research
are derived from secret-dependent memory accesses, CacheS
keeps track of the secret program information flow through-
out the analysis. In this section we elaborate on cases where
the secret information can be propagated.
Variable-Level Information Flow. The explicit information
flow is modeled in a straightforward way. Since variables
(i.e., registers, memory cells, and CPU flags) are modeled
as abstract formulas, high credential information (exhibited
as abstract value f ∈ AVs) would naturally “flow” among
variables during the computations. Moreover, reading from
unknown variables (those with empty value sets) generates a
symbol p as a proper over-approximation.
Information Flow via Memory Loading. By knowing the
underlying memory layout, it could be feasible to infer ta-
ble lookup indexes by observing the memory load outputs,
hence leaking table indexes of secrets to attackers. It should
be noted that such cases are not rare in real-world cryptosys-
tems, where many precomputed data structures are deployed
in the memory to speed up computations. Thus, we define
policies to capture information flow through memory load-
ing. To do so, for a load operation, whenever the value sets of
its base address or memory offset include formula f ∈ AVs,
CacheS assigns the memory content to a fresh si, indicating
secret information could have potentially propagated to the
value being read. In contrast, when loading from unknown
memory cells (memory cells of empty value sets) via non-
secret addresses, we create a p to update the memory reader.
While most memory addressing formulas refer to specific
locations in the memory, symbols p and> represent any pro-
gram (public) information. To safely approximate memory
read access via p and >, CacheS assigns > to the mem-
ory reader. In case a memory storing is via symbol p or >,
we terminate the analysis since this would rewrite the whole
memory space. Additionally, we note that memory loading
and storing via > are considered to be information leaks as
well since > implies that a variable has certain residual se-
crets (see Sec. 6.4).
6.3 Interprocedural Analysis
Our interprocedural analysis is context-sensitive. We build
a classic function summary-based interprocedural analysis
framework, where a summary (〈 f ′, i〉,o) of a function call
towards f maps the calling context 〈 f ′, i〉 ( f ′ is the caller
name and i is the input) to the function call output o. CacheS
maintains a set of summaries for each function f , and for
an upcoming call of f , its calling context is first checked
regarding the existing summaries of f . In case the context is
a subset of any recorded entries (the partial order of calling
context is derived from the order of program states defined
in Sec. 6.1.2), the analysis will be skipped and we directly
return the corresponding output.
To recover the function inputs, we inquire the employed
reverse engineering platform (details are given in Sec. 7) to
obtain the number of parameters the approaching function
has. According to the calling convention of 32-bit x86 plat-
forms, a memory stack is used to store function parameters;
thus, we construct stack memory addresses of function pa-
rameters and acquire the value set of each parameter from
the program state lookup table at the call site. If some mem-
ory cells of function parameters are absent, symbol p is used
as an over-approximation. To compute the output informa-
tion of a function, we join program states at every return in-
struction when the analysis of the target function terminates,
which over-approximates the function return states.
6.4 Translating Abstract Values into SMT
Formulas
As noted earlier (Sec. 5), cache-access side channels are
summarized into SMT constraints. Upon the termination of
analyzing each function, we identify secret-dependent mem-
ory addresses a∈AVs and build the side channel constraints.
SMT solvers are used to solve the constraint and check
whether different secrets can lead to cache line access vari-
ants. Nevertheless, while many works to date leverage sym-
bolic execution to construct SMT formulas, here we reason
on program states within SAS. Therefore, before constraint
checking, we first translate abstract formulas into SMT for-
mulas.
Each abstract formula is maintained as a symbolic “tree”
in CacheS, where tree leaves are symbols and concrete data
while other nodes are operators. At this step, we translate
each leaf on the tree into a bit vector implemented by a
widely-used SMT solver—Z3 [31]; a bit vector would be in-
stantialized with a numeric value if it was derived from a
constant. In addition, we translate abstract operators on the
tree into bit vector operations in Z3. Hence, an abstract for-
mula tree would be reduced bottom-up into an SMT formula.
Translate Secret Symbols into Unique Bit Vectors. As
noted earlier, si symbols are semantically different, each of
which represents different pieces of secrets. For the imple-
mentation, we assign a unique id for each newly-created si
symbol, which further leads to the creation of unique bit vec-
tors at this step. In contrast, p (and e) symbols are trans-
formed into identical bit vectors.
Memory Access via>. It is easy to see that> implies that a
variable has some residual secrets along with possibly public
information. Hence, in addition to checking the constructed
SMT constraints with Z3, memory accesses are flagged as
vulnerable whenever their corresponding addressing formu-
las are >.
7 Implementation
CacheS is mainly written in Scala (in 6,764 LOC; counted
by CLOC [30]). The tentative implementation (in 7,163
LOC), which models program semantics with logic formu-
las (Sec. 3), is maintained as a separate “branch” of the code
base.
Starting from an input binary code, the first step is to re-
cover the assembly program as well as control flow and call
graphs. Here we employ a popular reverse engineering tool,
IDA-Pro (version 6.9) for the reverse engineering task [1].
We use the default configurations of IDA-Pro to recover as-
sembly code and program control structures from the input
executables.
Assembly Lifting. Many existing binary analysis infrastruc-
tures have provided facilities to lift x86 assembly code into a
high-level intermediate representation. Without reinventing
the wheel, here we employ a well-developed binary analysis
platform BINNAVI [38] to transform x86 assembly code into
a platform-independent intermediate language, REIL [81].
Our analysis procedures are built on top of the recovered rep-
resentations. In addition, for a formal definition of program
concrete semantics in terms of the REIL language, please
refer to Appendix E.
The current implementation of CacheS analyzes ELF bi-
naries on the x86 platform. Nevertheless, since REIL lan-
guage is designed as platform-independent, there is no fun-
damental limitation for CacheS to analyze binaries of other
Table 1: Cryptosystems analyzed by CacheS.
Implementation Versions Analysis ImplementStarting Function Which Algorithm
Libgcrypt [54] 1.6.1, 1.7.3 gcry mpi powm RSA/ElGamalOpenSSL [66] 1.0.2f, 1.0.2k BN mod exp mont consttime
mbedTLS [64] 2.5.1 mbedtls mpi exp mod RSA
OpenSSL [66] 1.0.2f, 1.0.2k x86 AES decrypt compact AESmbedTLS [64] 2.5.1 mbedtls internal aes decrypt
formats or from other platforms (e.g., PE binaries on Win-
dows) as long as the assembly instructions can be translated
into REIL statements. As aforementioned, our current proto-
type focuses on 32-bit ELF binaries since the state-of-the-art
REIL lifter (BinNavi [38]) does not have an official support
for 64-bit binaries. However, the proposed technique shall
be applicable to 64-bit binaries with no additional technical
hurdles.
Recover x86 Memory Access Instructions from REIL
Statements. As noted in Sec. 6.1.2, we use memory ac-
cess expressions instead of address formulas as the key to
simplify the memory lookup. While the memory access ex-
pressions can be acquired by checking assembly instructions,
note that our analysis is launched on REIL IR; one memory
access instruction is extended into multiple IR statements.
Hence, we perform def-use analysis to “collapse” IR state-
ments belonging to the same instruction and recover the cor-
responding memory access expression.
Critical Functions. CacheS is designed to perform both in-
ter and intra-procedural analysis on any binary code compo-
nent. For the evaluations in this research, instead of start-
ing from the program entry point, analyses were launched
on critical functions of cryptosystems that have become the
target for many previous attacks. Such critical functions are
the starting points of our interprocedural analysis, and we
recursively discover all the reachable functions on the call
graph. As reported in our evaluation (see Table 2), these re-
cursively collected functions usually form a non-trivial sub-
graph on the program call graph. In addition, taking these
critical functions as the starting points of CacheS makes it
easier to compare our findings with existing work.
8 Evaluation
In contrast to many previous studies in which cache-based
side channels are detected from only simple cases, CacheS is
evaluated on several real-world cryptosystems. As reported
in Table 1, three cryptosystems are evaluated in this re-
search. OpenSSL and Libgcrypt are widely used cryptosys-
tems on multi-purpose computers, while mbedTLS is com-
monly adopted by embedded devices. Eight critical func-
tions are selected as the starting point of our analysis, which
covers major security-sensitive components in three crypto
algorithm implementations: RSA, AES, and ElGamal.
To prepare CacheS inputs, we compile test programs
shipped in each cryptosystem and link with the correspond-
ing libraries. All the crypto libraries are written in C. We
build each library and test program into a 32-bit ELF binary
on Ubuntu 12.04 with gcc compiler (version 4.6.3).
8.1 Evaluation Result Overview
Table 2 presents the evaluation result overview. In summary,
208 information leak points are reported from the real world
cryptosystems evaluated in this research. We interpret the
results as promising; most of the evaluated cryptosystems
contain information leaks due to cache-based side channels,
and CacheS helps to pinpoint these leaks with program-wide
static analysis.
It is commonly acknowledged that the table lookup im-
plementation of the AES decryption routine is vulnerable to
various real-world cache attacks. CacheS identifies 32 in-
formation leaks from the AES implementations of OpenSSL
(versions 1.0.2f and 1.0.2k), and 64 leaks from mbedTLS.
Indeed, all of these issues are lookup table queries via direct
usages of secrets, which is consistent with findings in exist-
ing research [25, 85].
Existing research has pinpointed multiple information
leaks in the modular exponentiation implementation of
OpenSSL and Libgcrypt [85, 58]; vulnerable functions are
adopted by both RSA and ElGamal for decryption. CacheS
confirmed these findings (see Sec. 8.4 for one false positive
in OpenSSL). Furthermore, CacheS successfully revealed a
much larger information leakage surface than existing trace
and static analysis based techniques, because of its scal-
able modeling of program semantics. Table 2 shows that
CacheS identifies more information leaks from Libgcrypt
and OpenSSL in addition to confirming all issues reported
by CacheD [85]. Moreover, CacheS identifies multiple infor-
mation leakage sites from the modular exponentiation imple-
mentation of mbedTLS, which, to the best of our knowledge,
is unknown to the research community.
While 40 information leakage sites are reported in
Libgcrypt (version 1.6.1), our study shows that they have
been fixed in version 1.7.3. Without secret-dependent
memory accesses, the RSA/ElGamal implementation of
Libgcrypt 1.7.3 is generally accepted as safe regarding our
threat model. Our evaluation reports consistent findings
that no leak is detected regarding our threat model on
secret-dependent cache-line accesses (but we do find secret-
dependent control flows, see Sec. 8.5).
Computing Resource. Our evaluation is launched on a ma-
chine with 2.90 GHz Intel Xeon(R) E5-2690 CPU and 128
GB memory. For each context-sensitive analysis campaign,
Table 2 presents the covered functions, contexts, and pro-
cessed IR instructions. We report that CacheS takes less than
1700 CPU seconds to process all the test cases, and on av-
erage the peak memory usage to evaluate one case is less
than 5 GB. Overall, CacheS finished all the analysis cam-
paigns with reasonable amount of computing resources, and
we interpret that the promising results demonstrate the high
scalability of CacheS in analyzing real-world cryptosystems.
Modeling Program Semantics with Logic Formulas. As
noted in Sec. 3, we tentatively implement the idea of mod-
eling program concrete semantics with logic formulas. Note
that in addition to the semantics modeling, all the design and
evaluation settings are unchanged.
Table 2: Evaluation result overview. We compare the identified information leakage sites by CacheS with a recent research
(CacheD [85]), and we report CacheS can identify all the leakage sites reported by CacheD. A summary of all leaks can be
found in Table 10 in the appendix.
Algorithm Implementation Information Leakage # of Analyzed # of Analyzed Processing Time # of Processed Peak Memory Information Results Reported in CacheD [85]Sites (known/unknown) Procedures Contexts (CPU Seconds) REIL Instructions Usage (MB) Leakage Units Leakage Sites Processing Time Leakage Units
RSA/ElGamal Libgcrypt 1.6.1 22/18 60 81 228.8 50,436 7,749 11 22 14293.6 5
RSA/ElGamal Libgcrypt 1.7.3 0/0 59 59 182.2 33,386 5,823 0 0 11626.0 0
RSA/ElGamal OpenSSL 1.0.2k 2/3 71 81 179.2 83,183 6,134 2 N/A N/A N/A
RSA/ElGamal OpenSSL 1.0.2f 2/4 68 72 169.5 80,096 6,113 3 2 165.6 2
RSA mbedTLS 2.5.1 0/29 29 36 775.9 35,963 9,654 2 N/A N/A N/A
AES OpenSSL 1.0.2k 32/0 1 1 33.2 3,748 620 1 N/A N/A N/A
AES OpenSSL 1.0.2f 32/0 1 1 35.8 3,748 578 1 32 48.5 1
AES mbedTLS 2.5.1 64/0 1 1 32.8 4,803 619 1 N/A N/A N/A
Total 154/54 290 332 1,637.4 295,363 37,290 21 56 26,133.7 8
Table 3: Model program semantics in the logic formulas l ∈
L and SAS and test OpenSSL 1.0.2k. The second and third
rows report the modeling results with logic formulas, while
the last row reports results in SAS. The comparison of these
two program modelings is given in Sec. 3.
Algorithm Execution Time # of Processed # of Processed Peak Memory Detected(CPU Second) Function Context Usage (MB) Leaks
RSA/ElGamal timeout (> 5 CPU hours) 15 28 7,283 N/A
AES timeout (> 5 CPU hours) 1 1 47,798 N/A
RSA/ElGamal timeout (> 5 CPU hours) 28 85 53,054 N/A
AES 115.8 1 1 621 32
RSA/ElGamal 179.2 71 81 6,134 5
AES 33.2 1 1 620 32
The first two rows of Table 3 give the evaluation results for
the AES and RSA/ElGamal implementations in OpenSSL
1.0.2k, both of which report a “timeout” after 5 CPU hours.
As explained in Sec. 3, we extend the prototype with loop
induction variable detection, and the third row reports the re-
sults of the re-launched tests. Still, the RSA/ElGamal case
throws a timeout (a reflection on this tentative evaluation is
given in Sec. 3). In summary, we interpret that the SAS pro-
posed in this research has largely improved the analysis scal-
ability, which serves as an indispensable component to pin-
point cache-based timing channels in real-world cryptosys-
tems.
Comparison with CacheAudit.2 Besides CacheD [85], we
also compare our results with CacheAudit [35]. CacheAudit
failed on all of our test cases for two reasons. First, two of
our cases contain some x86 instructions that are not handled
by CacheAudit. Second, CacheAudit refuses to analyze indi-
rect function calls when constructing the control flow graph.
In addition, we also describe the key differences between
CacheS and CacheAudit in Sec. 10.
Identifying Information Leakage Units. Considering some
occurrences of information leaks are on adjacent lines of a
code component (a summary of all leaks can be found at Ta-
ble 10 in the appendix), once a leak is flagged by CacheS,
presumably any competent programmer shall spot and re-
move all the related defects. Therefore, we group the flagged
information leaks to assess the utility of CacheS and also es-
timate the bug fixing effort. Though it can be slightly sub-
jective, we propose a metric according to the source code
locations of defects: information leaks will be grouped to-
2https://github.com/cacheaudit/cacheaudit
gether as a “leakage unit” if they are within the same or ad-
jacent C statements (e.g., within the same loop or adjacent if
branches). Also, if a macro is expanded at different program
points (e.g., the macro MPN COPY which contains informa-
tion leaks in Libgcrypt 1.6.1), we count it only once.
As reported in Table 2, CacheS identified 21 units of infor-
mation leaks. We also grouped the findings of CacheD with
the same metric. We have confirmed that CacheS covered all
leakage units reported in CacheD, and further revealed new
leakage units within statements or functions not covered by
CacheD (e.g., 6 new leakage units in Libgcrypt 1.6.1). Over-
all, we interpret the evaluation results as promising; trace-
based analysis, like CacheD, is incapable of modeling the
program collecting semantics, and therefore underestimates
the attack surface.
Confirmation with Library Authors. As shown in Ta-
ble 2, we found unknown information leaks from OpenSSL
(versions 1.0.2f and 1.0.2k) and mbedTLS (version 2.5.1).
Our findings were reported and promptly confirmed by the
OpenSSL developers [4]; the latest OpenSSL has been
patched to eliminate these leaks (the leaks are discussed
shortly in Sec. 8.4). At the time of writing, we are waiting
for responses from the mbedTLS developers.
8.2 Exploring the Leaks in mbedTLS
Although mbedTLS developers have not confirmed our find-
ings, we conduct further study of the 29 flagged information
leakage sites from this library to check whether they can lead
to cache-based side channels.
As mentioned above, the constraint solver provides at least
one pair of satisfiable solutions (a pair of secrets k and k′) to
each leakage site (Sec. 5). To verify one leak, we instrument
the program source code and modify secrets with k and k′.
We then compile the instrumented programs into two bina-
ries and monitor the execution of each binary executable via
a widely-used hardware simulator (gem5 [18]). The com-
piled code is fed with test cases shipped with the cryptosys-
tems, and we use the full-system simulation mode of gem5
to monitor the execution of the instrumented program. The
full-system simulation mode uses 64-bit Ubuntu 12.04 (this
mode only supports 64-bit OS) to host the application code.
We compile the instrumented source code into 64-bit bina-
ries since executing 32-bit binaries on the 64-bit OS throws
some TLB translation exceptions (this issue is also reported
in [85]). The configuration of gem5 is reported in Table 4. At
Table 4: gem5 configurations.
ISA x86
Processor type single core, out-of-order
L1 Cache 4-way, 32KB, 2-cycle latency
L2 Cache 8-way, 1MB, 50-cycle latency
Cache line size 64 Bytes
Cache replacement policy LRU
Table 5: Hardware simulation results.
# of CacheS Detected # of Executed Cache Line Cache Status
Leakage Sites Leakage Sites Access Variants Variants
29 14 14 6
the leakage point, we intercept the cache access from CPU
to L1 Data Cache; the accessed cache line and corresponding
cache status (hit vs. miss) are recorded.
As shown in Table 5, among 29 information leakage sites
found in mbedTLS, 14 sites are covered during simulation.
We observe that different cache lines are accessed at these
leakage points, when instrumenting the program with secrets
k and k′. In other words, by observing the access of different
cache lines, attackers will be able to infer a certain amount
of secret information. In addition, we report that cache status
variants (in terms of cache hit vs. miss) are observed in sev-
eral cases. In summary, we interpret the verification results
as highly promising; we have confirmed that all the executed
information leakages are true positives since cache line ac-
cess variants are observed.
Although the employed program inputs cannot lead to the
full coverage of every leakage site, we manually checked all
the uncovered cases, and we found that these cases share the
same pattern as the covered leaks. For instance, the cov-
ered and uncovered leaks are the same inline assembly se-
quences residing within different paths. Overall, we interpret
it as convincing to conclude that all the detected information
leaks in mbedTLS are true positives.
8.3 Case Study of Leaks in mbedTLS
This section presents a thorough case study of several infor-
mation leaks identified by our tool. As presented in Table 2,
we identified 29 information leakage points in mbedTLS
2.5.1. In particular, the first four leaks were found in the
function mpi montmul (source code is given in Fig. 6(a)),
which is a major component of the modular exponentiation
implementation in mbedTLS. The value of function parame-
ter B is derived from a window size of the secret key (line 2).
In mpi montmul, B is used as a pointer to access elements
in a C struct (line 6, line 10, line 11). We envision that dif-
ferent program secrets would derive into different values of
B, which further lead to the access of different cache lines in
secret-dependent memory accesses.
The evaluation shows consistent findings. As shown in
Fig. 6(b), CacheS identifies four suspicious memory ac-
cesses in mpi montmul (two pointer dereferences at line 6
of Fig. 6(a) are optimized into one memory load at line 2
of Fig. 6(b)). By checking the constraint solver, we find a
pair of program secrets that affect the value of B and further
lead to the access of different cache lines at the first memory
access (the solution is given in Fig. 6(c)).
We then instrument the program private key with the
solver provided solutions in Fig. 6(c) and observe the run-
time cache access within gem5. This secret pair is generated
by analyzing the first leakage memory access, but since vari-
ants of B may affect the following memory traffic as well, we
report the cache status at all the suspicious memory accesses
in mpi montmul. We note that while CacheS analyzes 32-
bit binaries, at this step we compile the instrumented source
code into 64-bit binaries since the simulated OS throws some
exceptions when running 32-bit code. After compilation, the
five leakage points in the source code actually produce three
memory load instructions in the 64-bit assembly code. Cache
behaviors, including the accessed cache line and the corre-
sponding cache status, are recorded at these points. Fig. 6(d)
presents the simulation results. Due to the limited space,
we provide only the first seven records (59568 records in to-
tal). Program counters 0x40770a, 0x407744 and 0x40775d
represent the three identified memory loads of information
leaks. It is easy to see that different cache lines are accessed
at each point. Additionally, a timing window of one cache
hit vs. miss is found (this memory access represents a table
lookup in the first element of B->p).
8.4 Information Leaks in the Modular Expo-
nentiation Algorithm
Both RSA and ElGamal algorithms employ the modular ex-
ponentiation algorithm for decryption. Existing research
has reported that such an algorithm is vulnerable to cache-
based timing channel attacks [85, 58]. Here, we evaluate
the corresponding implementations in OpenSSL, Libgcrypt,
and mbedTLS. As reported in Table 2, CacheS successfully
revealed a much larger leakage surface, including 80 (54 un-
known and 26 known) information leaks, from our test cases.
Information Leaks in Libgcrypt. A large number of leak-
age points are reported from the sliding window-based mod-
ular exponentiation implementation in Libgcrypt 1.6.1. Ex-
isting research has pointed out the direct usages of (window-
size) secret keys as exploitable [58], and CacheS pinpointed
this issue. In addition to the 4 direct usages of secrets, we fur-
ther uncovered 36 leaks due to the propagation of secret in-
formation flows, as CacheS keeps track of both variable-level
and memory loading based information flows (Sec. 6.2).
While previous trace-based analysis also keeps track of
information flow propagation (i.e., CacheD [85]), CacheS
still outperforms CacheD because of its program-wide anal-
ysis. With the help of CacheD’s authors, we confirmed that
CacheS can detect all 22 leaks reported in CacheD [85], and
further reveals 18 additional points.
Information Leaks in mbedTLS. CacheS has also
identified leaks in another commonly used cryptosys-
tem, mbedTLS. Appendix C presents several leaks
found in the mbedTLS case. In general, function
mbedtls mpi exp mod implements a sliding window-
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12. 
13.
14. 
15. 
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
(a) Source code.
static int mpi_montmul(mbedtls mpi *A,
const mbedtls_mpi *B, const mbedtls_mpi ∗N, 
mbedtls mpi_uint mm, const mbedtls mpi ∗T) 
{
...
m = (B->n < n) ? B->n : n;
...
for (i = 0; i < n; i++) {
...
u1 = (d[0] + u0 * B->p[0]) * mm;
mpi_mul_hlp(m, B->p, d, u0);
...
} 
...
}
mov eax, [ebp + 0xc]
mov edx, [eax + 0x4]
...
mov eax, [eax + 0x8]
mov eax, [eax]
imul eax, [ebp - 0x10]
add     eax, edx
imul eax, [ebp + 0x14]
mov [ebp - 0xc], eax
mov eax, [ebp + 0xc]
mov eax, [eax + 0x8]
(b) Assembly instructions.
(c) Solution of mem load at line 2 of (b).
k = 0x40000000 
k’ = 0xc0000002  
1.
2.
40770a: 2199023255240 hit
407744: 2199023255240 hit 
40775d: 101018 hit 
407744: 2199023255240 hit 
40775d: 101018 hit 
407744: 2199023255240 hit 
40775d: 101018 hit
40770a: 2199023255246 hit
407744: 2199023255246 hit 
40775d: 101046 miss
407744: 2199023255246 hit 
40775d: 101046 hit 
407744: 2199023255246 hit 
40775d: 101046 hit
(d) Hardware simulation results with k 
(the upper part) and k’ (the lower part).Vulnerable program points and corresponding memory access instructions are backgrounded with blue. Secret-
carrying variables and registers are marked with red; B is a secret-dependent address (line 2 in figure (a)).
Mem	addr Accessed Cache	line		 Cache status
Timing
window
Figure 6: Case study of information leaks in mbedTLS. The constraint solver finds a pair of secrets (k and k’) which leads to
the access of different cache lines at line 2 of (b).
based modular exponentiation, which leads to secret-
dependent memory accesses (precomputed table lookup).
The table lookup statement (line 10) does not generate a
leak point since it only gets a pointer referring to an array
element, however, further memory dereferences on the ac-
quired pointer reveal 4 direct usages of secrets (discussed in
Sec. 8.3). We also find 25 leaks due to the propagation of
secret information flows (Sec. 6.2).
We note that mbedTLS uses RSA exponent blinding as a
countermeasure [49], which practically introduces noise and
mitigates cache side channels (but is still exploitable with
enough collisions or if the attacker can derive the exponent
from a single trace). We leave it as future work to model
the feasibility of exploitations, given the identified leaks and
also taking program randomness (e.g., exponent blinding)
into consideration.
Information Leaks in OpenSSL. Information leaks in
OpenSSL are within or derived from functions counting the
length of a secret array. Fig. 7 presents a function that
contains 4 memory accesses which engender information
leaks: BIGNUM maintains an array of 32-bit elements, and
BN num bits counts the number of bits within a given big
number. Since the last element of the array may be less than
32 bits, a lookup table is used to determine the exact bits in
the last element of the secret array (function call at line 7
in Fig. 7). By storing secrets within a big number structure,
table queries in BN num bits word could lead to secret-
dependent memory accesses.
While CacheD [85] flags only one information leak (line
26 in Fig. 7) covered by its execution trace, CacheS detects
more leaks. As shown in Fig. 7, four table queries are an-
alyzed by CacheS, and all of them are flagged as leaks. In
addition to these four direct usages of secrets, CacheS also
finds one more leak in OpenSSL 1.0.2k, and two in OpenSSL
1.0.2f, both are due to the propagation of secret information
flows.
False Positive. In addition to the issues in Appendix A that
have been confirmed and fixed by the OpenSSL developers,
we also find one false positive when analyzing OpenSSL
1.0.2f. To defeat side channel attacks against the precom-
puted table lookup, OpenSSL forces the cache access at the
table lookup point in a constant order [36]. This constant
order table lookup is demonstrated with a sample C code in
Appendix B. The base address of the lookup table is aligned
to zero the least-significant bits, and scatter and gather meth-
ods are employed to mimic the Fortran-style memory alloca-
tion to access the table in a constant order and remove timing
channels.
Ideally, with the base address being aligned, the table ac-
cess should not produce an information leak regarding the
cache line access model (but scatter-gather implementation
can also be exploited with cache bank attacks [95]. As dis-
cussed in Sec. 5, our cache access constraint can be fur-
ther extended to capture cache bank side channels). How-
ever, since public information (e.g., base address of the ta-
ble) is abstracted as a symbol p in CacheS, the alignment is
not modeled. Therefore, CacheS incorrectly flags the table
lookup as a leak point, which leads to a false positive.
8.5 Flag Secret-Dependent Control Flow
To reduce false negatives and also show the versatility of
CacheS, we extend CacheS to search for secret-dependent
branch conditions. Similar to the detection of secret-
dependent memory accesses (Sec. 5), we check each condi-
tional jump and flag secret-dependent jump conditions. The
conditional jump in REIL IR is jcc, and the value of its first
operand specifies whether the jump is taken or not. We trans-
late each secret-dependent condition c into an SMT formula
f and solve the following constraint:
f 6= f [s′i/si] (2)
where a satisfiable solution indicates that different secrets
lead to the execution of different branches. In addition, since
REIL IR creates additional jcc statements to model certain
x86 instructions (e.g., the shift arithmetic right sar and bit
scan forward bsf), we rule out jcc statements if their cor-
responding x86 instructions are not conditional jumps. In
this research we do not take jcc into consideration if it does
not represent an x86 conditional jump, since in general the
silicon implementations of x86 instructions on mainstream
CPUs have fixed latency [2].
Table 6 presents the evaluation results, including the in-
formation leakage units produced by the same metric used in
Table 2. While secret-dependent control flow is absent in all
the AES cases, CacheS pinpoints multiple instances in every
RSA/ElGamal implementation. We further manually stud-
ied each of them, and we report that besides 4 false positives
(explained later in this section), all the other cases represent
secret-dependent branch conditions. In the example given in
Appendix D, the value of bits, which is derived from the
private key, is used to construct several conditions. Similar
patterns are also found in other cases.
False Negative. Bernstein et al. exploited the secret-
dependent control flows in Libgcrypt 1.7.6 [17], where the
leading and trailing zeros of a window-size secret are used
to compute a branch condition. While the corresponding
vulnerable branches also exist in Libgcrypt 1.7.3, they are
not detected by CacheS. In general, 32-bit x86 opcode bsr
and bsf are used to count the leading and trailing zeros of a
given operand, and both opcodes are lifted into a while loop
implemented by a jcc statement (for the definition of their
semantics, see the bsr and bsf sections of the x86 devel-
oper manual [3]). Consider a proof-of-concept pseudo-code
below:
1 t = 0;
2 while (getBit(t, src) == 0) //src could be a secret
3 {
4 t += 1;
5 }
6 return t; // the number of trailing zeros in src
where the lifted while loop entails implicit information flow,
which is not supported (see Sec. 6.2 for the information flow
policy). In addition, although we disable the checking of jcc
regarding Constraint 2 if its corresponding x86 instruction is
not a conditional jump (like the bsr and bsf cases), we re-
port that once enabling the checking of such jcc statements,
secret-dependent control flows (e.g., line 3 of the pseudo-
code) are detected for both cases.
False Positive. We find 4 false positives when analyzing
Libgcrypt 1.6.1. This is due to the imprecise modeling of
interprocedural call sites. Consider a sample pseudo-code
below:
1 foo(k, p) { // k is {>} and p is {12}
2 if (...) {
Table 6: Secret-dependent control branches. We found no
issue in the AES implementations. A summary of all leakage
points can be found at Table 9 in the appendix.
Implementation Algorithm # of Secret-dependent False Informationconditions Positive Leakage Unit
Libgcrypt 1.6.1 RSA/ElGamal 21 4 9
Libgcrypt 1.7.3 RSA/ElGamal 6 0 4
mbedTLS 2.5.1 RSA 8 0 4
OpenSSL 1.0.2f RSA/ElGamal 12 0 5
OpenSSL 1.0.2k RSA/ElGamal 12 0 5
Total 59 4 27
3 r = bar(k); // r is {>}
4 } else {
5 r = bar(p); // r is {>} since 〈 f oo,{12}〉 ⊆ 〈 f oo,{>}〉
6 if (r) // false positive
7 ...
8 }
9
10 bar(i){return i;}
where foo performs two function calls to bar with differ-
ent parameters. The summary of the first call (line 3) is
represented as (〈 f oo,{>}〉,{>}), where 〈 f oo,{>}〉 forms
the calling context (as explained in Sec. 6.3, a calling con-
text includes the caller name and the input), and the second
{>} is the function call output. Then the following function
call (line 5) with 〈 f oo,{12}〉 as the calling context will di-
rectly return {>} and cause a false positive (line 6) according
to the recorded summary, since 〈 f oo,{12}〉 ⊆ 〈 f oo,{>}〉.
Our study shows that such sound albeit imprecise modeling
caused 4 false positives when analyzing Libgcrypt 1.6.1.
9 Discussion
Soundness. Our abstraction is sound (see Appendix E), but
the CacheS implementation is soundy [60] as it roots the
same assumption as previous techniques that aim to find bugs
rather than performing rigorous verification [62, 92, 61].
CacheS adopts a lightweight but unsound memory model
implementation; program state representations are optimized
to reduce the memory usage and speed up the analysis. There
is a line of research aiming to deliver a (nearly) sound mem-
ory model when analyzing x86 assembly [13, 71, 72, 21].
We leave it to future work to explore practical methods to
improve CacheS with a sound model without undermining
the strength of CacheS in terms of scalability and precision.
Reduce False Positives. Our abstract domain SAS models
public program information with free public symbols. To
further improve the analysis precision and eliminate false
positives, such as in the case discussed in Sec. 8.4, one ap-
proach is to perform a finer-grained modeling of public pro-
gram information. To this end, so-called “lazy abstraction”
can be adopted to postpone abstraction until necessary [80].
In contrast to our current approach where analyses are per-
formed directly over SAS, lazy abstraction provides a flexi-
ble abstraction strategy on demand, where different program
points can exhibit distinct levels of precision. Well-selected
program points for lazy abstraction are critical to achieve
scalability. For example, abstraction can be performed at ev-
ery loop merge point or whenever abstract formulas become
too large and exhaust the memory resource. We leave it to
future work to explore practical strategies for lazy abstrac-
tion.
10 Related Work
Timing Attacks. Kocher’s seminal paper [50] identifies tim-
ing attacks as a potential threat to crypto system. Later work
finds that timing information reveals the victim program’s
usage of data/instruction cache, leading to efficient timing
attacks against real world cryptography software, including
AES [41, 67, 83, 16, 20, 6], DES [84], RSA [7, 69, 94], El-
Gamal [98], and ECDSA [15]. Recent work shows that such
cache-based timing attacks are possible on emerging plat-
forms, such as cloud computing, VM environments, trusted
computing environments, and mobile platforms [73, 93, 91,
97, 58, 55, 63, 78, 24, 40].
Detect Cache-Based Timing Channels. CacheAudit lever-
ages static analysis techniques (i.e., abstract interpretation)
to reason information leakage due to cache side chan-
nels [35, 36]. CacheS outperforms CacheAudit due to our
novel abstract domain. CacheAudit uses relational and nu-
merical abstract domains to only infer the information leak-
age bound, while our abstract domain models semantics with
symbolic formulas, pinpoints information leaks with con-
straint solving, and enables the generation of counter ex-
amples to promote debugging. In addition, we propose a
principled way to improve the scalability by tracking secrets
and public information with different granularities. This
enables a context-sensitive interprocedural analysis of real-
world cryptosystems for which CacheAudit is not capable
of handling. Brotzman et al. [22] propose a static symbolic
reasoning technique that also covers multiple program paths.
However, their analysis lacks abstraction of public values,
and can analyze only small-size programs.
In contract, dynamic analysis-based approaches, such as
taint analysis or trace-based symbolic execution, are inca-
pable of analyzing the whole program [85, 90, 46, 89, 43].
CacheD [85] performs symbolic execution towards a single
trace to detect side channels. In contrast, abstract interpreta-
tion framework approximates the program collecting seman-
tics, which formalizes program abstract semantics at arbi-
trary program points regarding any path and any input. This
is fundamentally different and much more comprehensive
comparing to a path-based tool, like CacheD. Wichelmann et
al. [90] log execution traces and perform differential analy-
sis of various granularities to detect side channels. Weiser et
al. [89] detect address-based side-channels by executing test
programs under input variants and further compare traces to
detect leakages.
Countermeasure. Existing countermeasures against cache
side-channel attacks can be categorized into hardware-based
and software-based approaches. Hardware-based solutions
focus on randomizing the cache accesses with new cache
design [87, 88, 51, 86, 57, 56], or enforcing fine-grained
isolation with respect to cache usage [79, 47]. Wang et al.
propose locking the cache lines and hiding cache access pat-
terns [87], which further obfuscates cache accesses by di-
versifying the cache mappings [88]. Tiwari et al. [82] de-
vise a novel micro architecture for information-flow tracking
by design, where noninterference is deployed as the base-
line confidentiality property. Another direction at the hard-
ware level is based on contracts between software and hard-
ware [99, 53, 96], where contracts are enforced by formal
methods (e.g., type systems) on the hardware side. Further-
more, some advanced hardware extensions, like hardware
transactional memory, have also been leveraged to prevent
side channels even inside Intel SGX [39].
Analyses are also conducted on the software level to miti-
gate side channel attacks [27, 12, 70, 76, 77]. Program trans-
formation techniques are leveraged to remove control-flow
timing leaks by equalizing branches of conditionals with se-
cret guards [8], together with a binary static checker [65],
and its practicality is evaluated [27]. Constant time code de-
feats timing attacks by ensuring the control flow, memory
accesses, and execution time of individual instruction is se-
cret independent [10, 45, 68, 14, 9, 52].
11 Conclusion
In this paper, we have presented CacheS for cache-based tim-
ing channel detection. Based on a novel abstract domain
SAS, CacheS does fine-grained tracking of sensitive infor-
mation and its dependencies, while performing scalable anal-
ysis with over-approximated public information. We evalu-
ated CacheS on multiple real-world cryptosystems. CacheS
confirmed over 154 information leaks reported by previous
research and pinpointed 54 leaks not known previously.
12 Acknowledgments
We thank the Usenix Security anonymous reviewers and
Gary T. Leavens for their valuable feedback. The work was
supported in part by the National Science Foundation (NSF)
under grant CNS-1652790, and the Office of Naval Research
(ONR) under grants N00014-16-12912, N00014-16-1-2265,
and N00014-17-1-2894.
References
[1] IDAPro. https://goo.gl/snmrk3.
[2] Intel R© 64 and IA-32 architectures optimization refer-
ence manual.
[3] Intel R© 64 and IA-32 architectures software developers
manual.
[4] Patched OpenSSL vulnerabilities. https://git.io/
fj0iz, 2018.
[5] ACIICMEZ, O., AND KOC, C. K. Trace-driven cache
attacks on AES. In ICICS (2006).
[6] ACIICMEZ, O., SCHINDLER, W., AND KOC, C. K.
Cache based remote timing attack on the AES. In CT-
RSA (2006).
[7] ACIICMEZ, O., AND SEIFERT, J. Cheap hardware par-
allelism implies cheap security. In FDTC (2007).
[8] AGAT, J. Transforming out timing leaks. In POPL
(2000).
[9] ALMEIDA, J. B., BARBOSA, M., BARTHE, G., DU-
PRESSOIR, F., AND EMMI, M. Verifying constant-time
implementations. In USENIX Sec. (2016).
[10] ALMEIDA, J. B., BARBOSA, M., PINTO, J. S., AND
VIEIRA, B. Formal verification of side-channel coun-
termeasures using self-composition. Science of Com-
puter Programming (2013).
[11] APPEL, A. W. Modern Compiler Implementation in
ML. Cambridge University Press, 2004.
[12] AVIRAM, A., HU, S., FORD, B., AND GUMMADI, R.
Determinating timing channels in compute clouds. In
CCSW (2010).
[13] BALAKRISHNAN, G., AND REPS, T. Analyzing mem-
ory accesses in x86 executables. In CC (2004).
[14] BARTHE, G., REZK, T., AND WARNIER, M. Pre-
venting timing leaks through transactional branching
instructions. Electronic Notes in Theoretical Computer
Science (2006).
[15] BENGER, N., VAN DE POL, J., SMART, N. P., AND
YAROM, Y. “Ooh aah... just a little bit” : A small
amount of side channel can go a long way. In CHES
(2014).
[16] BERNSTEIN, D. J. Cache-timing attacks on AES,
2005.
[17] BERNSTEIN, D. J., BREITNER, J., GENKIN, D.,
BRUINDERINK, L. G., HENINGER, N., LANGE, T.,
VAN VREDENDAAL, C., AND YAROM, Y. Sliding
right into disaster: Left-to-right sliding windows leak.
In CHES (2017).
[18] BINKERT, N., BECKMANN, B., BLACK, G., REIN-
HARDT, S. K., SAIDI, A., BASU, A., HESTNESS, J.,
HOWER, D. R., KRISHNA, T., SARDASHTI, S., SEN,
R., SEWELL, K., SHOAIB, M., VAISH, N., HILL,
M. D., AND WOOD, D. A. The Gem5 simulator. ACM
SIGARCH Computer Architecture News (2011).
[19] BONEH, D., DURFEE, G., AND FRANKEL, Y. An
attack on RSA given a small fraction of the private key
bits. In ASIACRYPT (1998).
[20] BONNEAU, J., AND MIRONOV, I. Cache-collision tim-
ing attacks against AES. In CHES (2006).
[21] BRADLEY, A. R., MANNA, Z., AND SIPMA, H. B.
What’s decidable about arrays? In VMCAI (2006).
[22] BROTZMAN, R., LIU, S., ZHANG, D., TAN, G., AND
KANDEMIR, M. CaSym: Cache aware symbolic ex-
ecution for side channel detection and mitigation. In
IEEE SP (2018).
[23] BRUMLEY, D., AND BONEH, D. Remote timing at-
tacks are practical. Computer Networks (2005).
[24] BULCK, V., MINKIN, M., WEISSE, O., GENKIN,
D., KASIKCI, B., PIESSENS, F., SILBERSTEIN, M.,
WENISCH, T. F., YAROM, Y., AND STRACKX, R.
Foreshadow: Extracting the keys to the Intel SGX king-
dom with transient out-of-order execution. In USENIX
Sec. (2018).
[25] C, A., GIRI, R. P., AND MENEZES, B. Highly ef-
ficient algorithms for aes key retrieval in cache access
attacks. In EuroSP (2016).
[26] CALVET, J., FERNANDEZ, J. M., AND MARION, J.-
Y. Aligot: Cryptographic function identification in ob-
fuscated binary programs. In CCS (2012).
[27] COPPENS, B., VERBAUWHEDE, I., BOSSCHERE,
K. D., AND SUTTER, B. D. Practical mitigations for
timing-based side-channel attacks on modern x86 pro-
cessors. In IEEE SP (2009).
[28] COUSINEAU, G., AND NIVAT, M. On rational expres-
sions representing infinite rational trees: Application
to the structure of flow charts. In International Sympo-
sium on Mathematical Foundations of Computer Sci-
ence (1979), Springer.
[29] COUSOT, P., AND COUSOT, R. Abstract interpretation:
a unified lattice model for static analysis of programs
by construction or approximation of fixpoints. In POPL
(1977).
[30] DANIAL, A. CLOC. https://goo.gl/3KFACB.
[31] DE MOURA, L., AND BJØRNER, N. Z3: An efficient
SMT solver. In TACAS (2008).
[32] DEBRAY, S., MUTH, R., AND WEIPPERT, M. Alias
analysis of executable code. In Proceedings of the 25th
ACM SIGPLAN-SIGACT symposium on Principles of
programming languages (1998), ACM.
[33] DENNING, D. E. A lattice model of secure information
flow. CACM (May 1976).
[34] DISSELKOEN, C., KOHLBRENNER, D., PORTER, L.,
AND TULLSEN, D. Prime+Abort: A timer-free high-
precision L3 cache attack using Intel TSX. In USENIX
Sec. (2017).
[35] DOYCHEV, G., FELD, D., KOPF, B., MAUBORGNE,
L., AND REINEKE, J. CacheAudit: A tool for the
static analysis of cache side channels. In USENIX Sec.
(2013).
[36] DOYCHEV, G., AND KO¨PF, B. Rigorous analysis of
software countermeasures against cache attacks. In
PLDI (2017).
[37] FERNA´NDEZ, M., AND ESPASA, R. Speculative alias
analysis for executable code. In Parallel Architectures
and Compilation Techniques, 2002. Proceedings. 2002
International Conference on (2002), IEEE.
[38] GOOGLE. BinNavi. https://github.com/google/
binnavi, 2017.
[39] GRUSS, D., LETTNER, J., SCHUSTER, F., OHRI-
MENKO, O., HALLER, I., AND COSTA, M. Strong and
efficient cache side-channel protection using hardware
transactional memory. In USENIX Sec. (2017).
[40] GRUSS, D., MAURICE, C., FOGH, A., LIPP, M., AND
MANGARD, S. Prefetch side-channel attacks: Bypass-
ing smap and kernel aslr. In CCS (2016).
[41] GULLASCH, D., BANGERTER, E., AND KRENN, S.
Cache games—bringing access-based cache attacks on
AES to practice. In IEEE SP (2011).
[42] GUO, B., BRIDGES, M. J., TRIANTAFYLLIS, S., OT-
TONI, G., RAMAN, E., AND AUGUST, D. I. Practical
and accurate low-level pointer analysis. In Proceed-
ings of the International Symposium on Code Genera-
tion and Optimization (Washington, DC, USA, 2005),
CGO ’05, IEEE Computer Society.
[43] GUO, S., WU, M., AND WANG, C. Adversarial sym-
bolic execution for detecting concurrency-related cache
timing leaks. In FSE (2018).
[44] HE, Z., AND LEE, R. B. How secure is your cache
against side-channel attacks? In MICRO (2017).
[45] HEDIN, D., AND SANDS, D. Timing aware informa-
tion flow security for a JavaCard-like bytecode. Elec-
tronic Notes in Theoretical Computer Science (2005).
[46] IRAZOQUI, G., CONG, K., GUO, X., KHATTRI, H.,
KANUPARTHI, A. K., EISENBARTH, T., AND SUNAR,
B. Did we learn from LLC side channel attacks? A
cache leakage detection tool for crypto libraries. CoRR
(2017).
[47] KIM, T., PEINADO, M., AND MAINAR-RUIZ, G.
Stealthmem: System-level protection against cache-
based side channel attacks in the cloud. In USENIX
Sec. (2012).
[48] KINDER, J. Static analysis of x86 executables. PhD
thesis, Technische Universita¨t Darmstadt, 2010.
[49] KOCHER, P. C. Timing attacks on implementations
of Diffie–Hellman, RSA, DSS, and other systems. In
CRYPTO (1996).
[50] KOCHER, P. C. Timing Attacks on Implementations of
Diffie-Hellman, RSA, DSS, and Other Systems. 1996.
[51] KONG, J., ACIICMEZ, O., SEIFERT, J. P., AND
ZHOU, H. Hardware-software integrated approaches
to defend against software cache-based side channel at-
tacks. In HPCA (2009).
[52] KO¨PF, B., AND RYBALCHENKO, A. Approxima-
tion and randomization for quantitative information-
flow analysis. In CSF (2010).
[53] LI, X., KASHYAP, V., OBERG, J. K., TIWARI, M.,
RAJARATHINAM, V. R., KASTNER, R., SHERWOOD,
T., HARDEKOPF, B., AND CHONG, F. T. Sapper:
A language for hardware-level security policy enforce-
ment. In ASPLOS (2014).
[54] Libgcrypt. https://www.gnu.org/software/
libgcrypt/.
[55] LIPP, M., GRUSS, D., SPREITZER, R., MAURICE, C.,
AND MANGARD, S. Armageddon: Cache attacks on
mobile devices. In USENIX Sec. (2016).
[56] LIU, F., GE, Q., YAROM, Y., MCKEEN, F., ROZAS,
C., HEISER, G., AND LEE, R. B. Catalyst: Defeating
last-level cache side channel attacks in cloud comput-
ing. In HPCA (2016).
[57] LIU, F., AND LEE, R. B. Random fill cache architec-
ture. In MICRO (2014).
[58] LIU, F., YAROM, Y., GE, Q., HEISER, G., AND LEE,
R. Last-level cache side-channel attacks are practical.
In IEEE S&P (2015).
[59] LIU, K., TAN, H. B. K., AND CHEN, X. Binary code
analysis. Computer (2013).
[60] LIVSHITS, B., SRIDHARAN, M., SMARAGDAKIS, Y.,
LHOTA´K, O., AMARAL, J. N., CHANG, B.-Y. E.,
GUYER, S. Z., KHEDKER, U. P., MØLLER, A., AND
VARDOULAKIS, D. In defense of soundiness: A man-
ifesto. Commun. ACM (2015).
[61] LIVSHITS, V. B., AND LAM, M. S. Tracking pointers
with path and context sensitivity for bug detection in c
programs. SIGSOFT Softw. Eng. Notes (2003).
[62] MACHIRY, A., SPENSKY, C., CORINA, J.,
STEPHENS, N., KRUEGEL, C., AND VIGNA, G.
DR. CHECKER: A soundy analysis for linux kernel
drivers. In USENIX (2017).
[63] MAURICE, C., WEBER, M., SCHWARZ, M., GINER,
L., GRUSS, D., BOANO, C. A., MANGARD, S., AND
RO¨MER, K. Hello from the other side: SSH over robust
cache covert channels in the cloud. In NDSS (2017).
[64] mbedtls. https://tls.mbed.org/.
[65] MOLNAR, D., PIOTROWSKI, M., SCHULTZ, D., AND
WAGNER, D. The program counter security model:
Automatic detection and removal of control-flow side
channel attacks. In ICISC (2005).
[66] Openssl. https://www.openssl.org/.
[67] OSVIK, D. A., SHAMIR, A., AND TROMER, E. Cache
attacks and countermeasures: the case of AES. CT-RSA
(2006).
[68] PASAREANU, C., PHAN, Q.-S., AND MALACARIA,
P. Multi-run side-channel analysis using symbolic ex-
ecution and Max-SMT. In CSF (2016).
[69] PERCIVAL, C. Cache missing for fun and profit. In
BSDCan (2005).
[70] RAJ, H., NATHUJI, R., SINGH, A., AND ENGLAND,
P. Resource management for isolation enhanced cloud
services. In CCSW (2009).
[71] REPS, T., AND BALAKRISHNAN, G. Improved
memory-access analysis for x86 executables. In CC
(2008).
[72] REYNOLDS, J. C. Reasoning about arrays. Commun.
ACM (1979).
[73] RISTENPART, T., TROMER, E., SHACHAM, H., AND
SAVAGE, S. Hey, you, get off of my cloud: Exploring
information leakage in third-party compute clouds. In
CCS (2009), ACM.
[74] SCHMIDT, D. A. Trace-based abstract interpretation of
operational semantics. Lisp and Symbolic Computation
(1998).
[75] SCHWARTZ, E. J., AVGERINOS, T., AND BRUMLEY.,
D. All you ever wanted to know about dynamic taint
analysis and forward symbolic execution (but might
have been afraid to ask). In Proceedings of the 2010
IEEE Symposium on Security and Privacy (2010).
[76] SCHWARZ, M., LIPP, M., AND GRUSS, D. Javascript
zero: Real javascript and zero side-channel attacks. In
NDSS (2018).
[77] SCHWARZ, M., LIPP, M., GRUSS, D., WEISER, S.,
MAURICE, C., SPREITZER, R., AND MANGARD, S.
Keydrown: Eliminating software-based keystroke tim-
ing side-channel attacks. In NDSS (2018).
[78] SCHWARZ, M., WEISER, S., GRUSS, D., MAURICE,
C., AND MANGARD, S. Malware guard extension: Us-
ing SGX to conceal cache attacks. In DIMVA (2017).
[79] SHI, J., SONG, X., CHEN, H., AND ZANG, B. Limit-
ing cache-based side-channel in multi-tenant cloud us-
ing dynamic page coloring. In DSNW (2011).
[80] THAKUR, A. V., ELDER, M., AND REPS, T. W. Bi-
lateral algorithms for symbolic abstraction. In SAS
(2012).
[81] THOMAS, D., AND PORST, S. REIL: A platform-
independent intermediate representation of disassem-
bled code for static code analysis. In CanSecWest
(2009).
[82] TIWARI, M., OBERG, J. K., LI, X., VALAMEHR, J.,
LEVIN, T., HARDEKOPF, B., KASTNER, R., CHONG,
F. T., AND SHERWOOD, T. Crafting a usable microker-
nel, processor, and I/O system with strict and provable
information flow security. In ACM SIGARCH Com-
puter Architecture News (2011), ACM.
[83] TROMER, E., OSVIK, D., AND SHAMIR, A. Efficient
cache attacks on AES, and countermeasures. Journal
of Cryptology 23, 1 (2010), 37–71.
[84] TSUNOO, Y., SAITO, T., SUZAKI, T., SHIGERI, M.,
AND MIYAUCHI, H. Cryptanalysis of DES imple-
mented on computers with cache. In CHES (2003).
[85] WANG, S., WANG, P., LIU, X., ZHANG, D., AND
WU, D. CacheD: Identifying cache-based timing chan-
nels in production software. In USENIX Sec. (2017).
[86] WANG, Z., AND LEE, R. B. Covert and side channels
due to processor architecture. In ACSAC (2006).
[87] WANG, Z., AND LEE, R. B. New cache designs for
thwarting software cache-based side channel attacks. In
ISCA (2007).
[88] WANG, Z., AND LEE, R. B. A novel cache architec-
ture with enhanced performance and security. In MI-
CRO (2008).
[89] WEISER, S., ZANKL, A., SPREITZER, R., MILLER,
K., MANGARD, S., AND SIGL, G. DATA – differen-
tial address trace analysis: Finding address-based side-
channels in binaries. In USENIX Sec. (2018).
[90] WICHELMANN, J., MOGHIMI, A., EISENBARTH, T.,
AND SUNAR, B. MicroWalk: A framework for finding
side channels in binaries. In ACSAC (2018).
[91] WU, Z., XU, Z., AND WANG, H. Whispers in the
hyper-space: High-speed covert channel attacks in the
cloud. In USENIX Sec. (2012).
[92] XIE, Y., AND AIKEN, A. Scalable error detection us-
ing boolean satisfiability. In POPL (2005).
[93] XU, Y., BAILEY, M., JAHANIAN, F., JOSHI, K.,
HILTUNEN, M., AND SCHLICHTING, R. An explo-
ration of L2 cache covert channels in virtualized envi-
ronments. In CCSW (2011).
[94] YAROM, Y., AND FALKNER, K. FLUSH+RELOAD:
A high resolution, low noise, L3 cache side-channel at-
tack. In USENIX Sec. (2014).
[95] YAROM, Y., GENKIN, D., AND HENINGER, N.
CacheBleed: A timing attack on OpenSSL constant
time RSA. Tech. rep., Cryptology ePrint Archive, Re-
port 2016/224, 2016.
[96] ZHANG, D., WANG, Y., SUH, G. E., AND MYERS,
A. C. A hardware design language for timing-sensitive
information-flow security. In ASPLOS (2015).
[97] ZHANG, Y., JUELS, A., OPREA, A., AND REITER,
M. K. HomeAlone: Co-residency detection in the
cloud via side-channel analysis. In IEEE SP (2011).
[98] ZHANG, Y., JUELS, A., REITER, M. K., AND RIS-
TENPART, T. Cross-VM side channels and their use to
extract private keys. In CCS (2012).
[99] ZHANG, Y., AND REITER, M. K. Du¨ppel: Retrofitting
commodity operating systems to mitigate cache side
channels in the cloud. In CCS (2013).
B Scatter & Gather Methods in OpenSSL
1 char∗ align(char∗ buf) {
2 uintptr t addr = (uintptr t) buf;
3 return (char∗)(addr − (addr&(BLOCK SZ−1)) + BLOCK SZ);
4 }
5
6 void scatter(char∗ buf, char p[][16], int k) {
7 for (int i = 0; i < N; i++) {
8 buf[k+i∗spacing] = p[k][i];
9 }
10 }
11
12 void gather(char∗ r,char∗ buf,int k) {
13 for (int i = 0; i < N; i++) {
14 r[i] = buf[k+i∗spacing];
15 }
16 }
Figure 8: Simple C program demonstrating the scatter &
gather methods in OpenSSL to remove timing channels. This
program should be secure regarding our threat model, but it
would become insecure by skipping the alignment function.
A Unknown Information Leaks in OpenSSL
1 int BN num bits(const BIGNUM ∗a) {
2 int i = a->top − 1;
3 bn check top(a);
4
5 if (BN is zero(a))
6 return 0;
7 return ((i ∗ BN BITS2) + BN num bits word(a->d[i]));
8 }
9
10 int BN num bits word(BN ULONG l) {
11 static const char bits[256]={
12 0,1,2,2,3,3,3,3,4,4,4,4,4,4,4,4,
13 ...
14 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
15 };
16 if (l & 0xffff0000L) {
17 if (l & 0xff000000L)
18 return bits[l >> 24] + 24;
19 else
20 return bits[l >> 16] + 16;
21 }
22 else {
23 if (l & 0xff00L)
24 return bits[l >> 8] + 8;
25 else
26 return bits[l];
27 }
28 }
Figure 7: RSA information leaks found in OpenSSL (1.0.2f).
Program secrets and their dependencies are marked as red
and the leakage points are boldfaced.
D Secret-Dependent Branch Conditions in
OpenSSL
1 int BN mod exp mont consttime(BIGNUM ∗rr,
2 const BIGNUM ∗a, const BIGNUM ∗p,
3 const BIGNUM ∗m, BN CTX ∗ctx,
4 BN MONT CTX ∗in mont) {
5 ...
6 bits = BN num bits(p);
7 if (bits == 0)
8 ...
9
10 window = BN window bits for exponent size(bits);
11 for (wvalue = 0, i = bits%window; i>=0; i--,bits--)
12 {
13 ...
14 while (bits >= 0){
15 ...
16 }
17 }
18 ...
19 }
20
21 #define BN window bits for exponent size(b) \
22 ((b) > 671 ? 6 : \
23 (b) > 239 ? 5 : \
24 (b) > 79 ? 4 : \
25 (b) > 23 ? 3 : 1)
Figure 10: Several secret-dependent branch conditions found
in OpenSSL (1.0.2f). Program secrets and their dependen-
cies are marked as red and the information leakage condi-
tions are boldfaced. Note that the output of BN num bits
depends on the private key.
C Unknown Information Leaks in mbedTLS
1 int mbedtls mpi exp mod(mbedtls mpi ∗X, mbedtls mpi ∗A,
2 mbedtls mpi ∗E, mbedtls mpi ∗N, mbedtls mpi ∗ RR)
3 {
4 ...
5 while (1) {
6 ei = (E->p[nblimbs] >> bufsize) & 1;
7 ...
8 wbits |= (ei << (wsize − nbits));
9 ...
10 mpi montmul(X, &W[wbits], N, mm, &T);
11 }
12 ...
13 }
14
15 static int mpi montmul(mbedtls mpi ∗A, mbedtls mpi ∗B,
16 mbedtls mpi ∗N, mbedtls mpi uint mm, mbedtls mpi ∗T)
17 {
18 ...
19 m = (B->n < n) ? B->n : n;
20 for(i = 0; i < n; i++)
21 {
22 u1 = (d[0] + u0 * B->p[0]) * mm;
23 mpi mul hlp(m, B->p, d, u0);
24 }
25 ...
26 }
Figure 9: RSA information leaks found in mbedTLS (2.5.1).
Program secrets and their dependencies are marked as red
and the leakage points are boldfaced.
E Formalization and Soundness Proof
In this appendix section, we define necessary components to
formalize the basis of our abstract interpretation-based anal-
ysis. We also give soundness proof of our abstraction.
E.1 Concrete Semantics
To facilitate a “down-to-earth” modeling of program cache
access information, our analysis is directly performed to-
wards program binary executables. For the ease of analysis,
we translate input binary code to an intermediate language
(REIL [81]) with low-level program representation (details
are disclosed in the implementation section). Our analysis is
conducted on the basis of the lifted REIL programs. Since
we analyze cryptosystems and capture side channels due to
secret-dependent cache access, we assume REIL programs
have been annotated with locations of program secrets be-
fore feeding into our analysis framework. In this section, we
define the concrete semantics of REIL programs upon which
our abstraction is derived.
Prog p ::= c∗
Comm c ::= r := e | r1 := load(r2) | jmp(r1,r2)
| r1 := is zero(r2) | store(r1,r2)
Expr e ::= r | n | e3e
Oper 3 ::= + | − | AND | BSH | DIV |MOD
| MUL | OR | SUB | XOR
Figure 11: The syntax of the REIL language, where r de-
notes a (temporary) register, and n represents a 32-bit un-
signed integer.
E.1.1 Syntax
REIL is designed as a platform-independent intermediate
language. One assembly instruction is typically mapped
into a sequence of REIL instructions to expose composed
operations, implicit memory accesses, and CPU flag ma-
nipulations into explicit statements. Each REIL instruction
has a typical three-address representation with at most three
operands (registers, constant, etc.). REIL programs contain
unlimited number of temporary registers (e.g., t0, t1) and
also preserve the originally x86 CPU registers like eax and
esp. Also, REIL uses a flat memory model, which has an
infinite amount of storage. In this paper we treat registers
uniformly unless otherwise stated.
Fig. 11 defines the syntax of REIL programs. A pro-
gram consists of a possibly empty sequence of numbered
commands. Typical commands include memory operations,
control-flow transfers as well as assignments. The notation,
3, stands for binary operators which compute two operands
(i.e., Expr) and use the output to update a third one. For
the ease of presentation, we note that immediate addressing,
such as r := load(n), is encoded as r1 := n r := load(r1).
E.1.2 Concrete Semantics
In this section, we define the concrete semantics of secret-
annotated REIL, which is inspired by the work of Schwartz
et al. and has operational flavors [75]. The program assumes
the availability of user annotations that specify the location
program secrets (e.g., a piece of private key or random num-
bers). In other words, users need to pinpoint some regis-
ters which contain addresses of program secrets, for instance
the location of private keys before program starts. Note that
while the pinpointed content is confidential, memory ad-
dresses in those registers are considered to be non-secret.
Besides those specified registers, we assume the rest stores
public values. In the semantics definition, we annotate such
pointers of secrets by specifying their values as elements in
set U. Each u ∈ U represents the address of program secrets
in memory, for instance the beginning address of a private
key array. Addresses in U are disjoint with those addresses
storing public values, and it is easy to see that memory load-
ing from u ∈U would create one piece of secret. In addition,
we define another set IM which contains all the literal num-
bers in the semantics definition.
To model secret information flow, we introduce two labels
as hi and lo. Label hi denotes program secrets, such as el-
ements in a private key array. In contrast, label lo denotes
program non-secret information. It is easy to see that lo and
hi form a simple lattice of two elements, where hi sits on the
upper level. Therefore any program value stored in memory
cells and registers can be represented as a pair of an integer
and its security tag: Val= {Int}×{hi, lo}. For the ease of the
definition, for each data v ∈ Val, we use v.n to represent the
first projection of the pair (i.e., the content) while v.l gives us
the associated security label.
Program State. A program state s ∈ S is a tripe of a store,
a memory and a program counter. A store, σ , is a partial
Notation Explanation
s.σ the store σ , where s = (σ ,m, pc)
s.m the memory m, where s = (σ ,m, pc)
s.pc the program counter pc in the state s,where s = (σ ,m, pc)
a∗ the possibly empty sequence a
Table 7: Meta-functions used by the definition of REIL se-
mantics.
function that maps a register to its value. A memory, m, is a
partial function that maps an address to its value.
A program is a sequence of numbered commands that are
stored in a command table, θ . A program table maps a com-
mand number to its command, and a program counter pc is
used to fetch the command from θ . In Table 7, we present
meta-functions used in the definition of the semantics.
Concrete Semantics. The concrete semantics rules of REIL
are defined in Fig. 12. N is defined as the standard mean-
ing function for numeric literals, and function E evaluates a
given expression. FunctionMP takes a program table and a
program state, and returns a new state. FunctionMS takes
a program state and a command, and produces a new state.
With a bound check on each memory access, error state may
be generated. For simplicity, the bound check is omitted in
the definition.
As shown in Fig. 12, E evaluates the input expression re-
garding the current program store σ , and outputs a value pair
v ∈ Val which includes the computation output and its asso-
ciated security label.
The secret labels are propagated following the standard
convention [33]. As shown in the E function, computations
among tags of different security degrees naturally lead to hi,
while security tags are preserved for the other cases. Indeed
recall hi and lo forms a lattice of two elements, it is easy to
see that the least upper bound on the lattice is obtained at this
step.
In Fig. 12, the command, x := e, writes the value of e
to the register x. The command, r1:=load(r2) fetches the
value from a memory location whose address is in r2 and
writes to it to r1. Again, the value stored in r2 will be as-
sociated with label hi whenever the memory address in r1 is
within U. In contrast, the original tag (could be hi or lo)
of the loaded memory content will flow into the memory
reader. Memory store command store(r1,r2) writes r1’s
value into the memory location pointed by r2. Command x
:= is zero(y) sets x to (1,lo) if y is zero and sets x to
(0,lo) if y is one. Command jmp(r1,r2) performs a (con-
ditional) jump towards the address stored in r2, if predicate
in r1 is true. Note that x86 direct jump (i.e., jmp) can be
easily modelled by setting the condition as always true.
E.1.3 Concrete Program Traces
A program trace is a finite non-empty alternating sequence of
program states and actions, s0,θ(s0.pc),s1,θ(s1.pc), · · · ,sn,
such that s0 is an initial state, and ∀ i ∈ {0, · · · ,n− 1},
E : Expr→ Store→ Val
E [[r]](σ) = (σ(r), lo)
E [[n]](σ) = (N [[n]], lo)
E [[e13e2]](σ) = let v1 = E [[e1]](σ) in in
let v2 = E [[e2]](σ) in in v1 3 v2
where v1 3 v2 =
if v1.l 6= v2.l then (v1.nMO[[3]] v2.n,hi)
else (v1.nMO[[3]] v2.n,v1.l)
MP : Command Table→ State→ State
MP[[θ [pc]]]θ (σ ,m, pc) =
let (σ ′,m′, pc′) =MS[[θ(pc)]](σ ,m, pc) in in
(MS[[θ [pc′]]](σ ′,m′, pc′)
MS : Command→ State→→ State
MS[[r := e]](σ ,m, pc) = (σ [r 7→ E [[e]](σ)],m, pc+1)
MS[[r1 := load(r2)]](σ ,m, pc) = let v = E [[r2]](σ) in in
if v.n ∈ U then
(σ [r1 7→ (m(v.n).n,hi)],m, pc+1)
else (σ [r1 7→ m(v.n)],m, pc+1)
MS[[store(r1,r2)]](σ ,m, pc) = let v1 = E [[r1]](σ) in in
let v2 = E [[r2]](σ) in in (σ ,m[v2 7→ v1], pc+1)
MS[[r1 := is zero(r2)]](σ ,m, pc) = let v = E [[r2]](σ) in in
if v.n = 0 then (s[r1 7→ (1, lo)],m, pc+1)
else (σ [r1 7→ (0, lo)],m, pc+1)
MS[[ jmp(r1,r2)]](σ ,m, pc) = let v1 = E [[r1]](σ) in in
if v1.n 6= f alse then
let v2.n = E [[r2]](σ) in in (σ ,m,v2.n)
else (σ ,m, pc+1)
Figure 12: The concrete semantics rules of REIL, where
MO[[−]] yields the semantics of operators. The allocate
function takes a memory and the expected allocation size,
and returns a new address.
(si+1) =MS[[θ(si.pc)]](si), where θ is a command table.
A program computation is the powerset of program traces.
Thus, for a given piece of input, the program execution gen-
erates a concrete computation tree whose path forms an exe-
cution trace t. If the computation is divergent, the execution
trace is infinite.
Let tr = s0θ(s0.pc)s1θ(s1.pc) · · ·sn be a computation
trace. The function root(tr) = s0 denotes tr’s root. The no-
tation tri is the trace ending with the i-th state in t, i.e.,
tri = s0,θ(s0.pc),s1,θ(s1.pc), · · · ,si−1.
The notation tr  tr′ means that there is a sequence of
actions a∗, such that root(tr′) =MS[[a∗]](root(tr)).
AbstractValue av ::= > | P | S |U | N | E
Numbers N ::= n | n13ˆn2
Public P ::= p
Secret S ::= s | s3ˆn | n3ˆs | ε⊕ s | h⊕ s
| s13ˆs2
Header U ::= h | h3ˆn
ESP E ::= ε | ε⊕n
Ops 3˜ ::= ⊕ | ⊗
LinearOps ⊕ ::= + | −
OtherOps ⊗ ::= × | ÷ |% | AND | OR | XOR
| SHIFT
Figure 13: Grammar of AV.
E.1.4 Concrete Path-based Collecting Semantics
The forward path-based collecting semantics maps a pro-
gram counter pc to the set of execution paths that end at
the program point referred by pc: collct : PC→P(Trace),
which is collct(pc) = tpc, where t is a program computation
tree.
E.2 Abstract Semantics
This section explains necessary components of our abstrac-
tion. To this end, we formalize our abstract domain SAS and
further establish a lattice over SAS. We then present abstract
transfer functions over SAS and the abstract collecting se-
mantics, and also discuss the termination conditions.
E.2.1 Abstract Values
This section proposes the design of a novel abstract domain
named Secret-Augmented Symbolic domain (SAS). SAS is
designed to be acquired by a standard abstract interpretation
framework to analyze secret-aware software systems. To do
so, we start by defining abstract values f ∈ AV. Each f ∈
AV composites symbols and constants via operators, and the
grammar of AV is defined in Fig. 13. Shortly we will show
that SAS is defined as the powerset of AV, meaning each
element e ∈ SAS is an abstract value set { f | f ∈ AV}.
For the ease of presentation and analysis, Fig. 13 puts ab-
stract values into disjoint categories; each category has its
own notation. We now elaborate on different categories of
abstract values f ∈ AV.
• P: this category only has one unique identifier p, which
presents any non-secret program information. By keep-
ing track of public information with only one identifier
p, P enables a coarse-grained and scalable representa-
tion of program semantics.
• S: this category includes secret-carry abstract values,
where each piece of program secret are represented by
one symbol si. In other words, S = { f ∈ AV | ∃s ∈
{si} s.t. s is a subterm of f} where {si} represents the
set of secrets that our analysis intends to keep track of.
For example, an abstract memory address s0+4 means
the base address is derived from a piece of program se-
cret. Note that in this way, different pieces of program
secrets can be represented by the variable si with differ-
ent indexes. Secrets are kept track of in a fine-grained
approach, and an element in this category is named a
S-value.
• U : this category represents special memory addresses
that point to secrets before program execution. To
be more specific, we create special identifier h to
present the base address of a secret memory re-
gion, e.g., the header of a private key array. Be-
fore execution, we assume that pointers referring to
the base address of secret memory chunk have been
initialized with identifier h. Hence U = { f ∈ AV |
h is identifical to or a subterm of f}. A value u ∈U in
this category is called a U-value.
• E: this category represents abstract memory addresses
of x86 stack. To this end, we create special identifier ε
to present the initial value of stack register esp. Before
analysis, we assume that the value set of register esp
has been initialized with {ε}. Hence E = { f ∈ AV |
ε is identifical to or a subterm of f}. A value e ∈ E in
this category is named as a E-value. Also, memory off-
sets of values in E should be constant (Fig. 13), since E
is defined as disjoint with other categories.
At this step we have introduced several kinds of abstract
identifiers and categories, and strict partial order  can be
defined over these values from each category with respect
to granularities of semantics abstraction.3 Nevertheless, it is
not possible to define a complete order, since some identifiers
are not comparable, for instance u ∈U and e ∈ E.
Fig. 14 presents a lattice of aforementioned categories
over AV with respect to different abstraction levels. Obvi-
ously, > over-approximates any program information, and
hence it is located on the top of the lattice. p ∈ P represents
all the program public information, and therefore exhibits the
least upper bound of any abstract values f ∈ (N∪E∪U). On
the other hand, s∈ S stands for the program secrets and infor-
mation derived from secrets, hence s ∈ S is not comparable
to p ∈ P. Also, there is no direct comparison between N, U ,
and E, although all of them deliver finer-grained semantics
information comparing to P.
E.2.2 Domain Definitions
We now elaborate on the design of our proposed abstract do-
main. The proposed abstract domain is named as Secret-
Augmented Symbolic domain (SAS), since it augments the
modeling of secret information by performing fine-grained
tracking of program secrets and dependencies on the secrets,
while only delivers coarse-grained overestimations towards
public information.
3It is easy to see that asymmetric (if C1  C2 holds then C2  C1 does
not), transitive (if C1 C2 and C2 C3 then C1 C3), and irreflexive (Ci 
Ci is impossible) relations hold. Hence strict partial order over the defined
categories is established.
>
p
n u e
s
Figure 14: Abstraction lattice for abstract values in AV,
where s ∈ S, u ∈U , n ∈ N, e ∈ E.
Definition 2. Let AV be the set of abstract values. Then
SAS =P(AV)
forms a domain whose elements are subsets of all valid ab-
stract values.
We now make SAS as a lattice. To do so, we will specify
a top element > ∈ SAS and a join operator unionsq over SAS.
Set Collapse and Bound. Each element in SAS is a set of
formulas defined in AV. Considering formulas with different
degrees of abstractions may exist in one set, here we define
reasonable rules to “collapse” elements in a set. The “col-
lapse” function COL : SAS→ SAS is given by:
COL(X) =

{>} if> ∈ X
{>} else if p ∈ X ∧S∩X 6=∅
{p} else if p ∈ X ∧S∩X =∅
X otherwise
While the first three rules introduce single symbols as a
safe and concise approximation, the last rule preserve a set
in SAS.
In addition, each set in SAS is also bounded with a maxi-
mum size of N through function BOU as follows:
BOU(X) =

{>} if |X |> N∧S∩X 6=∅
{p} else if |X |> N∧S∩X =∅
X otherwise
Hence, the abstract value set of any variable is bounded
by N during computations within SAS, which practically
speedups the convergence of our analysis.
With COL and BOU defined, we can finally complete SAS
as a lattice.
Claim 2. SAS=P(AV) forms a lattice with the top element
>SAS = {>}
bottom element
⊥SAS = {}
and the join operator
unionsq= BOU◦COL◦∪
Theorem E.1. The definition of unionsq is sound.
E.2.3 Abstract Semantics
This section defines the abstract semantics. In general, ab-
stract semantics defines computations over abstract value
sets { f | f ∈ AV}. A program’s abstract state is a triple of
an abstract store (σˆ ), an abstract memory (mˆ), and a set of
program counters. An abstract store is a partial function that
maps a register to a set of abstract values; an abstract mem-
ory is a partial function that maps an abstract value (i.e., ab-
stract memory address) to a set of abstract values.
To interpret abstract memory accesses, the classic chal-
lenge is to reason point-to relationships. It should be noted
that aliasing analysis has been extensively studied in litera-
tures to date [42, 48, 37, 59, 32], and therefore in this section
we assume to acquire point-to information from a standby
module along the analysis. In particular, we assume that
each memory pointer maintains a set of pointers which may
be aliased with the pointer. Therefore, memory loading via
a pointer indeed joins the value sets of its aliased memory
locations, while memory storing updates all the aliased lo-
cations. For the ease of presentation, we omit this part in
Fig. 15.
Fig. 15 presents the definition of abstract semantics. Func-
tion E˜ evaluates a given abstract expression, and function
M˜P takes a program table and a set of abstract states, and
returns a new set of abstract states. Function M˜S takes a
program abstract state and a command, and computes a new
abstract state. As noted earlier, we assume pointers referring
to the base memory address of program secrets have been
pinpointed and initialized with special identifier h∈U . Also,
we follow the standard convention to perform “weak update”
when updating the value sets of variables.
Note that E˜ defines the evaluation rules of abstract expres-
sions, and given two abstract values f1, f2 ∈ AV, we define
abstract operator 3ˆ in Fig. 16. The first six cases reasonbly
over-approximate computations among f ∈ AV with differ-
ent degrees of abstraction. The seventh case would be ap-
plied to compute two pieces of constants, while the last case
is applied if no other case can be matched. Indeed the last
case concatenates two abstract values in AV with an abstract
operator.
M˜S defines memory operations within our abstract do-
main.
Memory loading yields a> as a safe over-estimation if the
memory address addr ∈P or addr ∈>. For memory address
addr ∈ S∪U , we create a fresh piece of secret identifier si to
update the register. For the other cases, we use the recorded
content to perform a weak update.
The abstract semantics of the store command
(store(r1,r2)) is straightforward. If r1 stores the value
>, then the whole memory is updated to >. In this case, the
program will terminate immediately. Otherwise, values of
r2 will be added to the memory location which is pointed to
by r1.
E.2.4 Termination
One key reason to use the abstract interpretation framework
is that it guarantees the termination of the analysis within fi-
E˜ : E→ AbsStore→P(AV)
Eˆ [[r]](σˆ) = σˆ(r)
Eˆ [[n]](σˆ) = {n}
Eˆ [[e13e2]](σˆ) = {a3ˆb | a ∈ Eˆ [[e1]](σˆ),b ∈ Eˆ [[e2]](σˆ)}
MˆP : Command Table→P(AbstractState)→
P(AbstractState)
MˆP[[θ ]](Sˆ) =⋃sˆ∈Sˆ{MˆS[[θ(pc)]](sˆ)}pc∈sˆ.pc
MˆS : Command→ AbstractState→ AbstractState
MˆS[[r := e]](σˆ , mˆ, pˆc) = (σˆ [r 7→ σˆ(r)unionsqEˆ [[e]](σˆ)], mˆ, pˆc+1)
MˆS[[r1 := load(r2)]](σˆ , mˆ, pˆc) =
let V =
cases σˆ(r2) of
> → >
P → >
S → {si}unionsq σˆ(r1) where si is fresh secret identifier
U → {si}unionsq σˆ(r1) where si is fresh secret identifier
E → mˆ(σˆ(r2))unionsq σˆ(r1)
N → mˆ(σˆ(r2))unionsq σˆ(r1)
end
in (σˆ [r1 7→V ], mˆ, pˆc+1)
MˆS[[store(r1,r2)]](σˆ , mˆ, pˆc) = (σˆ , mˆ′, pˆc+1)
where mˆ′ = ∀ v ∈ σˆ(r1).mˆ[v 7→ (mˆ(v)unionsq σˆ(r2))]
MˆS[[r1 := is zero(r2)]](σˆ , mˆ, pˆc) =
if σˆ(r2)⊆ Nthen
cases σˆ(r2) of
{0} → (σˆ [r1 7→ {0}], mˆ, pˆc+1)
0 6∈V → (σˆ [r1 7→ {1}], mˆ, pˆc+1)
else (σˆ [r1 7→ {0,1}], mˆ, pˆc+1)
end
else (σˆ [r1 7→ {0,1}], mˆ, pˆc+1)
MˆS[[ jmp(r1,r2)]](σˆ , mˆ, pˆc) = (σˆ , mˆ,(pˆc+1)∪ σˆ(r2))
Figure 15: The abstract semantics of REIL. The notation
pˆc+1 is a short hand for {pc+1 | pc ∈ pˆc}.
nite computation steps, even though a precise modeling of
program semantics may not be achievable. To do so, the ab-
stract domain is required to form a lattice of finite height, and
abstract transfer functions defined over the abstract domain
needs to be monotonic.
It is easy to see that all the abstract transfer functions de-
fined in SAS are monotonic (see Sec. E.2.3), and we have
also shown that SAS forms a lattice of finite height by defin-
ing the BOU function to bound the size of each element (i.e.,
v1 3ˆ v2 = cases (v1,v2) of
(v,>) → >
(>,v) → >
(p,s) → > where s ∈ S
(s, p) → > where s ∈ S
(p,v) → p where v 6∈ S
(v, p) → p where v 6∈ S
(n1,n2) → n13ˆn2
(av1,av2) → av13ˆav2
end
Figure 16: Definition of abstract binary operations where
v1 ∈ AV and v2 ∈ AV.
{ f | f ∈ AV}) in SAS. Hence, the termination guarantee of
SAS is naturally established.
E.2.5 Abstract Program Traces
A program abstract trace is a finite non-empty alter-
nating sequence of abstract program states and actions,
sˆ0,θ(sˆ0.pc)sˆ1θ(sˆ1.pc) · · · sˆn, such that ∀i ∈ {0, · · · ,n− 1},
ˆsi+1 = MˆS[[a]](sˆi). Compared with the concrete program
traces defined in Section E.1.3, the abstract data represents
properties of the concrete one. For given abstract input data,
the program execution generates an abstract computation
tree.
Due to the abstraction, a terminating concrete computa-
tion may terminate, but its abstract one may not. Follow-
ing Schmidt’s work [74], we build a regular computation
tree [28], so that trace building is terminated at the nodes
that have been seen earlier in the path [74].
E.2.6 Abstract Path-based Collecting Semantics
The abstract forward path-based collecting semantics maps
an abstract program counter to the set of abstract execu-
tion paths that end with the program counter : collatˆ :
AbstractPC → P(AbstractTraces), which is defined as
collatˆ(pˆc) = tˆpˆc, where tˆ is a computation tree.
E.3 Soundness
In this section we give the soundness proof of our abstrac-
tion. We start by defining the abstraction and concretization
functions. We then present the proofs accordingly.
E.3.1 Abstraction and Concretization Functions
Fig. 17 defines the abstraction function α and the concretiza-
tion γ function. The abstraction function α is defined over
concrete values α : Val→ SAS. As shown in Fig. 17, each
piece of secret is translated into a singleton set of {si}, and
concrete data is preserved. Memory addresses towards x86
memory stack is modeled as {e} where e ∈ E, and pointers
referring to the locations of program secrets are mapped into
{u}. As for the other cases where a non-secret value does
not belong to any of the aforementioned category, it would
be lifted into {p}.
We also define the concretization function γ : SAS →
P(Val) which casts a set of abstract values into a set of
concrete values. Here we start by defining a gadget con-
α(v : Val) =
cases v of
(n,hi) → {s}
(n, lo) → {n} where n ∈ IM
(n, lo) → {u} where n ∈ U
(n, lo) → {e} where n ∈ S
(n, lo) → {p} where n ∈ Z∧n 6∈ U∪ IM∪S
end
γ◦(v˜ : AV) = cases v˜ of
n → {(n, lo) | n ∈ IM}
p → {(n, lo) | n ∈ Z}
u → {(n, lo) | n ∈ U}
e → {(n, lo) | n ∈ S}
s → {(n,hi) | n ∈ Z}
> → {(n, t) | n ∈ Z, t ∈ {lo,hi}}
end
γ(S) :=
⋃
f∈S γ◦( f )
Figure 17: The definition of abstraction function α and con-
cretization function γ . S defines the set of stack memory
addresses, and s ∈ S, u ∈U , n ∈ N, e ∈ E.
cretization function γ◦ : AV→P(Val) which operates on
individual abstract value. As shown in Fig. 17, function γ◦
preserves the constant data back and forth, and e is trans-
lated into the stack memory addresses in S. Public symbol
p over-approximates all the non-secret values inP(Val). si
is converted into its corresponding secret value in Val, while
> maps to the whole set of values inP(Val). Note that for
most cases the output of γ is a singleton set.
E.3.2 Soundness Of Abstract Values
The following lemma states the abstraction and concretiza-
tion functions on values are correct. As defined earlier, given
a concrete value v, α(v) computes v’s abstract value, and
γ(α(v)) maps the abstract value back to concrete values. A
correct approximation means that v ∈ γ(α(v)).
Lemma E.2. Let Val be the set of concrete values. Let α
and γ be the abstract function and the concretization function
respectively. Then ∀v ∈ Val,v ∈ γ(α(v)) holds.
Proof. Let s be a an arbitrary program state. Let v ∈ Val be
an arbitrary value in s. There are five cases.
1. (n, lo), where n ∈ IM. In this case, we need to show
that (n, lo) ∈ γ(α(n, lo)). By the definition in Fig. 17,
γ(α((n, lo))) = γ(n) and γ(n) = {(n, lo) | n ∈ IM}.
2. (n, lo), where n ∈ U. In this case, we need to show
that (n, lo) ∈ γ(α(n, lo)). By the definition in Fig. 17,
γ(α(n, lo)) = γ(u) for some u∈U , and γ(u) = {(n, lo) |
n ∈ U}.
3. (n, lo), where n ∈ Z and n 6∈ U∪ IM∪S. In this case,
we need to show that (n, lo) ∈ γ(α(n, lo)). By the def-
inition in Fig. 17, γ(α(n, lo)) = γ(p) for p ∈ P, and
γ(p) = {(n, lo) | n ∈ Z}.
4. (n, lo), where n ∈ S. In this case, we need to show
that (n, lo) ∈ γ(α(n, lo)). By the definition in Fig. 17,
γ(α(n, lo)) = γ(e) for some e∈ E, and γ(ε) = {(n, lo) |
n ∈ S}.
5. (n,hi). In this case, we need to show that (n,hi) ∈
γ(α(n,hi)). By the definition in Fig. 17, γ(α((n,hi)))=
γ(s) for some s ∈ S and γ(s) = {(n,hi) | n ∈ Z}.
The following lemma shows that the semantics of the ab-
stract operator defined in Fig. 16 is sound.
Lemma E.3. Let Val be the set of concrete values. Let α
and γ be the abstract function and the concretization func-
tion, respectively. Let3 be a concrete binary operator. Then
∀v1 ∈ Val,v2 ∈ Val,(v13v2) ∈ γ(α(v1)3ˆα(v2)) holds.
Proof. Let v1 ∈ Val and v2 ∈ Val be arbitrary. And Let 3ˆ be
α(3).
1. ((n1, lo),(n2, lo)), where n1 ∈ IM and n2 ∈ IM. In this
case, we need to show that (n1, lo)MO[[3]](n2, lo) ∈
γ(α(n1, lo)3ˆα(n2, lo)). By the definition of
the concrete semantics (Fig. 12), we know that
(n1, lo)3(n2, lo) = (n1MO[[3]]n2, lo). By the defini-
tion in Fig. 17 twice and by the definition in Fig. 16,
we know α(n1, lo)3ˆα(n2, lo) = n13ˆn2. Thus, by the
definition in Fig. 17, we get (n13n2, lo) ∈ γ(n13ˆn2).
2. ((n1, lo),(n2,hi)), where n1 ∈ IM and n2 ∈ Z. In this
case, we need to show that (n1, lo)MO[[3]](n2,hi) ∈
γ(α(n1, lo)3ˆα(n2,hi)). By the definition of
the concrete semantics (Fig. 12), we know
that (n1, lo)3(n2,hi) = (n1MO[[3]]n2,hi).
By the definition in Fig. 17 twice, we know
α(n1, lo)3ˆα(n2,hi) = n13ˆs, for some s ∈ S. By
the definition of the abstract value in Fig. 13, we
know n13ˆs ∈ S. By the definition in Fig. 17, we
have γ(n13ˆs) = {(n,hi) | n ∈ Z}. Thus, we get
(n1MO[[3]]n2,hi) ∈ γ(n13ˆs).
3. ((n1, lo),(n2, lo)), where n1 ∈ IM and n2 ∈ U. In this
case, we need to show that (n1, lo)MO[[3]](n2,hi) ∈
γ(α(n1, lo)3ˆ(n2, lo)). By the definition of the con-
crete semantics (Fig. 12), we know (n1, lo)3(n2, lo) =
(n1MO[[3]]n2, lo). By the definition in Fig. 17 twice,
we know α(n1, lo)3ˆα(u, lo) = n13ˆu, for some u ∈U .
By the definition of the abstract value in Fig. 13, we
know n13ˆu ∈U . By the definition in Fig. 17, we have
γ(n13ˆu) = {(n, lo) | n ∈ U}. Thus, by the definition in
Fig. 17, we get (n1MO[[3]]n2, lo) ∈ γ(n13ˆu).
4. ((n1, lo),(n2, lo)), where n1 ∈ IM, and n2 ∈ S. In this
case, we need to show that (n1, lo)MO[[3]](n2, lo) ∈
γ(α(n1, lo)3ˆ(n2, lo)). By the definition of the con-
crete semantics (Fig. 12), we know (n1, lo)3(n2, lo) =
(n1MO[[3]]n2, lo). By the definition in Fig. 17 twice,
we know α(n1, lo)3ˆα(ε, lo) = n13ˆε , for some e ∈ E.
By the definition of the abstract value in Fig. 13, we
know that n13ˆe ∈ E. By the definition in Fig. 17, we
have γ(n13ˆe) = {(n, lo) | n ∈ E}. Thus, by the defini-
tion in Fig. 17, we get (n1MO[[3]]n2, lo) ∈ γ(n13ˆe).
5. ((n1, lo),(n2, lo)), where n1 ∈ IM and n2 6∈
(U ∪ IM ∪ S). In this case, we need to show that
(n1, lo)MO[[3]](n2, lo) ∈ γ(α(n1, lo)3ˆα(n2, lo)). By
the definition of the concrete semantics (Fig. 12),
we know (n1, lo)3(n2, lo) = (n1MO[[3]]n2, lo).
By the definition in Fig. 17 twice, we know
α(n1, lo)3ˆα(n2, lo) = n13ˆp, for p ∈ P. By the
definition in Fig. 16, we know n13ˆp ∈ P. Thus, by the
definition in Fig. 17, we get (n1MO[[3]]n2, lo) ∈ γ(p),
for p ∈ P.
6. ((n1, lo),(n2, lo)), where n1 ∈U and n2 6∈ (U∪ IM∪S).
In this case, we need to show that (n1, lo)3(n2, lo) ∈
γ(α(n1, lo)3ˆα(n2, lo)). By the definition of the con-
crete semantics (Fig. 12), we know (n1, lo)3(n2, lo) =
(n1MO[[3]]n2, lo). By the definition in Fig. 17 twice,
we know α(n1, lo)3ˆα(n2, lo) = u3ˆp, for some u ∈U
and p ∈ P. By the definition in Fig. 16, we know
u3ˆp ∈ P. Thus, by the definition in Fig. 17, we get
(n1MO[[3]]n2, lo) ∈ γ(p), for p ∈ P.
7. ((n1, lo),(n2, lo)), where n1 ∈ {esp} and n2 6∈ (U ∪
IM ∪ S). In this case, we need to show that
(n1, lo)3(n2, lo) ∈ γ(α(n1, lo)3ˆα(n2, lo)). By the def-
inition of the concrete semantics (Fig. 12), we know
(n1, lo)3(n2, lo) = (n1MO[[3]]n2, lo). By the defini-
tion in Fig. 17 twice, we know α(n1, lo)3ˆα(n2, lo) =
ε3ˆp, for some ε ∈ E and p ∈ P. By the definition in
Fig. 16, we know e3ˆp ∈ P. Thus, by the definition in
Fig. 17, we get (n1MO[[3]]n2, lo) ∈ γ(p), for p ∈ P.
8. ((n1, lo),(n2,hi)), where n1 ∈U . In this case, we need
to show that (n1, lo)3(n2,hi) ∈ γ(α(n1, lo)3ˆ(n2,hi)).
By the definition of the concrete semantics (Fig. 12),
(n1, lo)MO[[3]](n2,hi) = (n13n2,hi). By the defini-
tion in Fig. 17 twice, α(n1, lo)3ˆα(n2,hi) = u3ˆs, for
some u ∈U and s ∈ S. By the definition of the abstract
value (Fig. 13), we know u3ˆs ∈ S. By the definition in
Fig. 17, we have γ(u3ˆs) = {(n,hi) | n ∈ Z}. Thus, by
the definition in Fig. 17, we get (n1MO[[3]]n2,hi) ∈
γ(u3ˆs).
9. ((n1, lo),(n2,hi)), where n1 ∈ S. In this case, we need
to show that (n1, lo)3(n2,hi) ∈ γ(α(n1, lo)3ˆ(n2,hi)).
By the definition of the concrete semantics (Fig. 12),
(n1, lo)MO[[3]](n2,hi) = (n13n2,hi). By the defini-
tion in Fig. 17 twice, α(n1, lo)3ˆα(n2,hi) = e3ˆs, for
some e ∈ E and s ∈ S. By the definition of the abstract
value (Fig. 13), we know e3ˆs ∈ S. By the definition in
Fig. 17, we have γ(e3ˆs) = {(n,hi) | n ∈ Z}. Thus, by
the definition in Fig. 17, we get (n1MO[[3]]n2,hi) ∈
γ(e3ˆs).
10. ((n1, lo),(n2,hi)), where n1 6∈ (U ∪ IM ∪ S). In
this case, we need to show that (n1, lo)3(n2,hi) ∈
γ(α(n1, lo)3ˆ(n2,hi)). By the definition of the con-
crete semantics (Fig. 12), (n1, lo)MO[[3]](n2,hi) =
(n1MO[[3]]n2,hi). By the definition in Fig. 17 twice,
α(n1, lo)3ˆα(n2,hi) = p3ˆs, for some p ∈ P and s ∈ S.
By the definition of the abstract operator (Fig. 16), we
know p3ˆs ∈ >. By the definition in Fig. 17, we have
γ(p3ˆs) = {(n, t) | n∈Z, t ∈ {lo,hi}}. Thus, by the def-
inition in Fig. 17, we get (n1MO[[3]]n2,hi) ∈ γ(p3ˆs).
11. ((n1,hi),(n2,hi)). In this case, we need to show
that (n1,hi)3(n2,hi) ∈ γ(α(n1,hi)3ˆ(n2,hi)). By
the definition of the concrete semantics (Fig. 12),
(n1,hi)MO[[3]](n2,hi) = (n1MO[[3]]n2,hi). By the
definition in Fig. 17 twice, α(n1,hi)3ˆα(n2,hi) =
s13ˆs2, for some s1 ∈ S and s2 ∈ S. By the definition
of the abstract value (Fig. 13), we know s13ˆs2 ∈ S. By
the definition in Fig. 17, we have γ(s13ˆs2) = {(n,hi) |
n ∈ Z}. Thus, by the definition in Fig. 17, we get
(n1MO[[3]]n2,hi) ∈ γ(s13ˆs2).
12. ((n1, lo),(n2, lo)), where n1 or n2 6∈ (U∪ IM∪ S). In
this case, we need to show that (n1, lo)3(n2, lo) ∈
γ(α(n1, lo)3ˆ(n2, lo)). By the definition of the con-
crete semantics (Fig. 12), (n1, lo)MO[[3]](n2, lo) =
(n1MO[[3]]n2, lo). By the definition in Fig. 17 twice,
α(n1, lo)3ˆα(n2, lo) = p3ˆp, where p ∈ P. By the def-
inition of the abstract operator (Fig. 16), we know
p3ˆp ∈ P. By the definition in Fig. 17, we have γ(p) =
{(n, lo) | n ∈ Z,n 6∈ (U∪ IM∪S)}. Thus, by the defini-
tion in Fig. 17, we get (n1MO[[3]]n2, lo) ∈ γ(p).
13. ((n1, lo),(n2, lo)), where n1 and n2 ∈ U . In this
case, we need to show that (n1, lo)3(n2, lo) ∈
γ(α(n1, lo)3ˆ(n2, lo)). By the definition of the con-
crete semantics (Fig. 12), (n1, lo)MO[[3]](n2, lo) =
(n1MO[[3]]n2, lo). By the definition in Fig. 17 twice,
α(n1, lo)3ˆα(n2, lo) = u13ˆu2, for some u1 ∈ U and
u2 ∈U . By the definition of the abstract value (Fig. 13),
we know u13ˆu2 ∈U . By the definition in Fig. 17, we
have γ(u) = {(n, lo) | n ∈U}. Thus, by the definition in
Fig. 17, we get (n1MO[[3]]n2, lo) ∈ γ(u13ˆu2).
E.3.3 Soundness of Abstract Semantics
In order to avoid introducing further meta-functions to our
notation, we will reuse the notation for the abstract and con-
cretization functions.
Before the definitions, we introduce some common nota-
tions used in this section. Let X and Y be two sets. Let f be a
function that maps from X to Y . Then the set X is the domain
of f , written Domain(() f ) = X ; the set Y is the codomain of
f , written codom( f ) = Y .
The following defines the abstraction functions for the
store, the memory and the program counter.
Definition 3. Let σ be a store. Then α(σ) generates the
abstract store, such that
α(σ) = {(x,v) | x ∈ Domain(()σ),v = {α(σ(x))}}.
Let m be a memory. Then α(m) generates the abstract mem-
ory, such that
α(m)= {(l,v) | l′ ∈Domain(()m), l = {α(l′)},v= {α(m(l′))}}).
Let pc be a program counter. Then α(pc) generates the ab-
stract program counter, such that α(pc) = {pc}.
Let (σ ,m, pc) be a program state. Then α(σ ,m, pc)
generates the abstract state, such that α(σ ,m, pc) =
(α(σ),α(m),α(pc)).
The following defines the concretization functions for the
store, the memory and the program counter.
Definition 4. Let σˆ be an abstract store. Then γ(σˆ) gener-
ates the set of possible concrete stores, such that
γ(σˆ) = {σ | x ∈ Domain(()σˆ),σ(x) ∈ γ(σˆ(x))}).
Let mˆ be an abstract memory. Then γ(mˆ) generates the set
of possible concrete memories, such that
γ(mˆ) = {m | l ∈ Domain(()mˆ),m(l) ∈ γ(m(l))}).
Let pˆc be an abstract program counter. Then γ(pˆc) generates
the set of possible program counters, such that γ(pˆc) = {pc |
pc ∈ pˆc}.
Let (σˆ , mˆ, pˆc) be an abstract state. Then γ(σˆ , mˆ, pˆc)
generates the set of possible concrete states, such that
γ(σˆ , mˆ, pˆc) = {(σ ,m, pc) | σ ∈ γ(σˆ),m ∈ γ(mˆ), pc ∈ pˆc}.
A concrete state s is safely approximated by an abstract
state sˆ, written s ≈ sˆ, if s ∈ γ(sˆ), where γ is a concretization
function.
Lemma E.4. Let α and γ be the abstract and concretization
functions defined in Def. 3 and Def. 4. Let s be a concrete
state, then s≈ α(s).
The following lemma shows that definition of the abstract
evaluation on expressions is correct.
Lemma E.5. Let e be an expression, and σˆ be an abstract
store. Let γ be the concretization function for σˆ defined in
Def. 4. Let σ be a program store, such that σ ∈ γ(σˆ). Then
E [[e]](σ) ∈ γ(Eˆ [[e]](σˆ))
Proof. Let e, σˆ , γ and σ be given. The proof is by the induc-
tion on the expression’s structure. The proof is done in cal-
culational style, starting from the concrete evaluation. There
are two base cases.
1. (x) In this case, e has the form x.
E [[x]](σ)
= 〈by the concrete semantics in Fig. 12〉
σ(x)
∈ 〈by Lemma E.2〉
γ(σˆ(x))
= 〈by the abstract semantics in Fig. 15〉
γ(Eˆ [[x]](σˆ))
2. (n) In this case, e has the form n.
E [[n]](σ)
= 〈by the semantics in Fig. 12〉
(N [[n]], lo)
∈ 〈by Lemma E.2〉
γ(n)
= 〈by the semantics in Fig. 15〉
γ(Eˆ [[n]](σˆ))
The inductive hypothesis is that for all subexpressions ei,
E [[ei]](σ) ∈ γ(Eˆ [[ei]](σˆ)). There is one inductive case, where
e is (e13e2).
E [[e13e2]](σ)
= 〈by the semantics in Fig. 12〉
E [[e1]](σ)3E [[e2]](σ)
⇒ 〈by inductive hypothesis〉
E [[e1]](σ) ∈ γ(Eˆ [[e1]](σˆ)) and E [[e2]](σ) ∈ γ(Eˆ [[e2]](σˆ))
⇒ 〈by assumption〉
Eˆ [[e1]](σˆ) = α(E [[e1]](σ)) and Eˆ [[e2]](σˆ) = α(E [[e2]](σ))
⇒ 〈by Lemma E.3〉
E [[e1]](σ)3E [[e2]](σ) ∈ γ(Eˆ [[e1]](σˆ)3ˆEˆ [[e2]](σˆ))
= 〈by the semantics in Fig. 15〉
E [[e1]](σ)3E [[e2]](σ) ∈ γ(Eˆ [[e13ˆe2]](σˆ))
The rest of the section shows that the abstract path-based
collecting semantics is a safe modeling of the concrete se-
mantics. The following definition con-inductively defines
that the abstract computation trace safely approximates the
concrete computation trace.
Definition 5. A concrete computation trace, trc is safely ap-
proximated by an abstract computation trace, tra, written
trc ≈ tra, if and only if
1. root(trc)≈ root(tra)
2. If {si =MS[[ai]](root(trc))}i∈I is the set of all pos-
sible transitions from root(trc), and for each i, ai, if
si =MS[[ai]](root(trc)), then there exists a transition
sˆ j = MˆS[[ai]](root(tra)), such that si ≈ sˆ j.
Theorem E.6. Let trc be a concrete computation trace, and
let tra be its abstract computation trace. Then trc is safely
approximated by tra.
Proof. Let trc be a concrete program trace, and let s0 =
root(trc). Let tra be the abstract computation trace of trc,
and α(s0) = root(tra). According to the definition of the
safe approximation (Def. 5), there are two proof obligations.
Obligation 1: root(tc) ≈ root(ta). This is discharged by
Lemma E.4, where s0 ≈ sˆ0.
Obligation 2: Assume s0 ≈ sˆ0. Let s0 = (σ0,m0, pc0), and
let sˆ0 = (σˆ0, mˆ0, pˆc0). We enumerate all the possible transi-
tions a.
1. (r := e)
MS[[r := e]](σ0,m0, pc0)
= 〈by the concrete semantics defined in Fig. 12〉
(σ0[r 7→ E [[e]](σ0)],m0, pc0+1)
MˆS[[r := e]](σˆ0, mˆ0, pˆc0)
= 〈by the abstract semantics defined in Fig. 15〉
(σˆ0[r 7→ Eˆ [[e]](σˆ0)], mˆ0, pˆc+1)
Because σ0 ≈ σˆ0 by the assumption, by Lemma E.5,
σ0[r 7→ E [[e]](σ0)] ≈ σˆ [r 7→ Eˆ [[e]](σˆ0)]. As pc0 ≈
pˆc0, pc0 ∈ pˆc0. By the definition of pˆc0 + 1, we
know that (pc0 + 1) ≈ (pˆc0 + 1). Thus, (σ0[r 7→
E [[e]](σ0)],m0, pc0 + 1) ≈ (σˆ0[r 7→ Eˆ [[e]](σˆ0)], mˆ0, pˆc+
1).
2. (r1 := load(r2)) Let v = σ0(r2). There are three cases.
(a) v.n ∈ U.
MS[[r1 := load(r2)]](σ0,m0, pc0)
= 〈by the concrete semantics defined Fig. 12〉
(σ0[r1 7→ (m0(v.n).n,hi)],m0, pc0+1)
By the assumption s0≈ sˆ0 and definition of the ab-
straction function in Fig. 17, we know that α(v) =
{u} for some u ∈U , where v.n ∈ U.
MˆS[[r1 := load(r2)]](σˆ0,m0, pˆc0)
= 〈by the abstract semantics defined in Fig. 15〉
(σˆ0[r1 7→ ({s}unionsq σˆ0(r1))], mˆ0, pˆc0+1)
where s = mˆ0(u). We need to prove that for
all possible value of σˆ0(r1), α(m0(v.n).n,hi) ⊆
({s}unionsq σˆ0(r1)), which is true by the soundness of
unionsq (Theorem E.1).
(b) v.l = hi.
MS[[r1 := load(r2)]](σ0,m0, pc0)
= 〈by the concrete semantics defined Fig. 12〉
(σ0[r1 7→ m0(v.n)],m0, pc0+1)
By the assumption s0≈ sˆ0 and definition of the ab-
straction function in Fig. 17, we know that α(v) =
{s′}, for some s′. Because loading from a secret
address gets a secret value, let mˆ0(s′) = {s}.
MˆS[[r1 := load(r2)]](σˆ0,m0, pˆc0)
= 〈by the abstract semantics defined in Fig. 15〉
(σˆ0[r1 7→ ({s}unionsq σˆ0(r1))], mˆ0, pˆc0+1)
We need to prove that for all possible value of
σˆ0(r1), α(m0(v.n)) ⊆ (mˆ0(s′) unionsq σˆ0(r1)), where
α(v) = {s′} and mˆ0(s′) = {s}. By the assump-
tion s0 ≈ sˆ0, α(m0) ⊆ mˆ0. Thus, α(m0(v.n)) ⊆
mˆ0(α(v)). By the soundness of unionsq (Theorem E.1),
{α(m0(v.n))} ⊆ (mˆ0(s′)unionsq σˆ0(r1)) is true.
(c) v.n 6∈ U and v.l = lo.
MS[[r1 := load(r2)]](σ0,m0, pc0)
= 〈by the concrete semantics defined Fig. 12〉
(σ0[r1 7→ m0(v.n)],m0, pc0+1)
There are two case:
i. α(v) = P. By the abstract semantics defined
in Fig. 15, r1 is updated to >. As > sits on
the top of the lattice, the result is sound.
ii. α(v) = ε or α(v) = n.
MˆS[[r1 := load(r2)]](σˆ0, mˆ0, pˆc0)
= 〈by the abstract semantics defined in Fig. 15〉
(σˆ0[r1 7→ (mˆ(σˆ(r2))unionsq σˆ0(r1))], mˆ0, pˆc0+1)
We need to prove that for all possible value
of σˆ0(r1), α(m0(σ0(r2).n)) ⊆ (mˆ0(σˆ0(r2)) unionsq
σˆ0(r1)). By the assumption s0 ≈ sˆ0 and definition
of the abstraction function in Fig. 17, α(m0)⊆ mˆ0
and α(σ0) ⊆ σˆ0. Therefore, α(σ0(r2)) ⊆ σˆ0(r2)
and α(m0(σ0(r2).n)⊆ mˆ0(σˆ0(r2)). By the sound-
ness of unionsq (Theorem E.1), α(m0(σ0(r2).n)) ⊆
(mˆ0(σˆ0(r2))unionsq σˆ0(r1)) is true.
3. (r1 := is zero(r2)). Let v = σ0(r2). There are four
cases.
(a) v = (0, lo), where 0 ∈ IM.
MS[[r1 := is zero(r2)]](σ0,m0, pc0)
= 〈by the concrete semantics defined Fig. 12〉
(σ0[r1 7→ (1, lo)],m0, pc0+1)
By the assumption s0≈ sˆ0 and definition of the ab-
straction function in Fig. 17, we know that α(v) =
{0}.
MˆS[[r1 := load(r2)]](σˆ0, mˆ0, pˆc0)
= 〈by the abstract semantics defined in Fig. 15〉
(σˆ0[r1 7→ {1}], mˆ0, pˆc0+1)
We need to prove that α((1, lo)) ⊆ {1}, which is
true by the definition of α in Fig. 17.
(b) v = (n, lo), where n 6= 0 and n ∈ IM.
MS[[r1 := is zero(r2)]](σ0,m0, pc0)
= 〈by the concrete semantics defined Fig. 12〉
(σ0[r1 7→ (0, lo)],m0, pc0+1)
By the assumption s0≈ sˆ0 and definition of the ab-
straction function in Fig. 17, we know that α(v) =
{n}, where n ∈ IM.
MˆS[[r1 := load(r2)]](σˆ0, mˆ0, pˆc0)
= 〈by the abstract semantics defined in Fig. 15〉
(σˆ0[r1 7→ {0}], mˆ0, pˆc0+1)
We need to prove that α((0, lo)) ⊆ {0,1}, which
is true by the definition of α in Fig. 17.
(c) v = (0, l), where l ∈ {lo,hi}.
MS[[r1 := is zero(r2)]](σ0,m0, pc0)
= 〈by the concrete semantics defined Fig. 12〉
(σ0[r1 7→ (1, l)],m0, pc0+1)
By the assumption s0 ≈ sˆ0 and definition of the
abstraction function in Fig. 17, we know that
α((0, l)) could be any value in p, U, E or S.
MˆS[[r1 := load(r2)]](σˆ0, mˆ0, pˆc0)
= 〈by the abstract semantics defined in Fig. 15〉
(σˆ0[r1 7→ {0,1}], mˆ0, pˆc0+1)
We need to prove that α((0, l))⊆ {0,1}, which is
true by the definition of α in Fig. 17.
(d) v = (n, l), where n 6= 0 and l ∈ {lo,hi}.
MS[[r1 := is zero(r2)]](σ0,m0, pc0)
= 〈by the concrete semantics defined Fig. 12〉
(σ0[r1 7→ (0, l)],m0, pc0+1)
By the assumption s0 ≈ sˆ0 and definition of the
abstraction function in Fig. 17, we know that
α((n, l)), could be any value in p, U, E or S.
MˆS[[r1 := load(r2)]](σˆ0, mˆ0, pˆc0)
= 〈by the abstract semantics defined in Fig. 15〉
(σˆ0[r1 7→ {0,1}], mˆ0, pˆc0+1)
We need to prove that α((n, l))⊆ {0,1}, which is
true by the definition of α in Fig. 17.
4. (store(r1,r2)). Recall the concrete semantics as fol-
lows:
MS[[store(r1,r2)]](σ0,m0, pc0)
= 〈by the concrete semantics defined in Fig. 12〉
(σ0,m0[σ0(r1) 7→ σ0(r2)], pc0+1)
And recall its abstract semantics as follows:
MˆS[[store(r1,r2)]](σˆ0, mˆ0, pˆc0)
= 〈by the abstract semantics defined in Fig. 15〉
(σˆ , mˆ, pˆc0+1)
where mˆ = ∀ v ∈ σˆ0(r1).mˆ0[v 7→ (σˆ0(r1)unionsq σˆ0(r2))].
By the assumption (σ0,m0, pc0) ≈ (σˆ0, mˆ0, pˆc0), we
need to show that (1) α(σ0(r1)) ⊆ σˆ0(r1) and (2)
α(σ0(r2)) ⊆ (σˆ0(r1)unionsq σˆ0(r2)). The obligation (1) is
discharged by the assumption. The obligation (2) is dis-
charged by Theorem E.1.
5. ( jmp(r1,r2)). There are two cases.
(a) σ0(r1).n 6= 0. Recall the concrete semantics as fol-
lows:
MS[[ jmp(r1,r2)]](σ0,m0, pc0)
= 〈by the concrete semantics defined in Fig. 12〉
(σ0,m0,σ0(r2).n)
Recall the abstract semantics as follows:
MˆS[[ jmp(r1,r2)]](σˆ0, mˆ0, pˆc0)
= 〈by the abstract semantics defed in Fig. 15〉
(σˆ0, mˆ0,(pˆc0+1)∪ σˆ0(r2))
We need to show that α(σ0(r2)) ⊆ (pˆc0 +
1) ∪ σˆ0(r2)), which is true by the assumption
(σ0,m0, pc0)≈ (σˆ0, mˆ0, pˆc0).
(b) σ0(r1).n = 0 Recall the concrete semantics as fol-
lows:
MS[[ jmp(r1,r2)]](σ0,m0, pc0)
= 〈by the concrete semantics defined in Fig. 12〉
(σ0,m0, pc0+1)
Recall the abstract semantics as follows:
MˆS[[ jmp(r1,r2)]](σˆ0, mˆ0, pˆc0)
= 〈by the abstract semantics defed in Fig. 15〉
(σˆ0, mˆ0,(pˆc0+1)∪ σˆ0(r2))
We need to show that α(pc0 + 1) ⊆ (pˆc0 +
1) ∪ σˆ0(r2)), which is true by the assumption
(σ0,m0, pc0)≈ (σˆ0, mˆ0, pˆc0).
Table 8: Evaluating different configurations of BOU. When N
is set as 1 and 10, several analyses terminated before reach-
ing the fixed point due to memory write accesses through the
public symbol p. The full evaluation data in terms of each
configuration can be found at Table 11–15.
Value of N True Positive False Positive Processing Time (CPU Seconds)
1 N/A N/A N/A
10 167 1 584.5
25 207 1 1,446.8
50 (the default config) 207 1 1,637.4
100 207 1 3,563.46
F Evaluating Different Configurations of the
BOU Function
The definition of the BOU function includes a parameter N
as the maximum size of each abstract value set. Table 8 re-
ports the evaluation results of CacheS with respect to dif-
ferent N. As expected, with the increase of the allowed
size, analyses took more time before reaching the fixed point.
Also, when the allowed size is small (i.e., N is 1 or 10), the
value set of certain registers is lifted into {p} rapidly and ter-
minates the analysis due to memory write accesses through
p (see Sec. 6.2; we terminate the analysis for memory access
of p since it rewrites the whole memory). The full evalua-
tion data in terms of different configurations is available in
Table 11–15.
Table 9: Table: Information leakage sites due to secret-
dependent control branches. False positives are marked as
red.
Library Algorithm File line number Function Leakage Units
mbedTLS 2.5.1 RSA bignum.c 1736 mbedtls mpi exp mod 1
mbedTLS 2.5.1 RSA bignum.c 1739 mbedtls mpi exp mod 1
mbedTLS 2.5.1 RSA bignum.c 1784 mbedtls mpi exp mod 2
mbedTLS 2.5.1 RSA bignum.c 1793 mbedtls mpi exp mod 3
mbedTLS 2.5.1 RSA bignum.c 1128 mpi mul hlp 4
mbedTLS 2.5.1 RSA bignum.c 1143 mpi mul hlp 4
mbedTLS 2.5.1 RSA bignum.c 1154 mpi mul hlp 4
mbedTLS 2.5.1 RSA bignum.c 1167 mpi mul hlp 4
OpenSSL 1.0.2f RSA/ElGmal bn lib.c 199 BN num bits word 1
OpenSSL 1.0.2f RSA/ElGmal bn lib.c 200 BN num bits word 1
OpenSSL 1.0.2f RSA/ElGmal bn lib.c 208 BN num bits word 1
OpenSSL 1.0.2f RSA/ElGmal bn lib.c 771 BN is bit set 2
OpenSSL 1.0.2f RSA/ElGmal bn lib.c 775 BN is bit set 2
OpenSSL 1.0.2f RSA/ElGmal bn exp.c 684 BN mod exp mont consttime 3
OpenSSL 1.0.2f RSA/ElGmal bn exp.c 1096 BN mod exp mont consttime 4
OpenSSL 1.0.2f RSA/ElGmal bn exp.c 1106 BN mod exp mont consttime 4
OpenSSL 1.0.2f RSA/ElGmal bn lcl.h 148 BN window bits for exponent size 5
OpenSSL 1.0.2f RSA/ElGmal bn lcl.h 149 BN window bits for exponent size 5
OpenSSL 1.0.2f RSA/ElGmal bn lcl.h 150 BN window bits for exponent size 5
OpenSSL 1.0.2f RSA/ElGmal bn lcl.h 151 BN window bits for exponent size 5
OpenSSL 1.0.2k RSA/ElGmal bn lib.c 199 BN num bits word 1
OpenSSL 1.0.2k RSA/ElGmal bn lib.c 200 BN num bits word 1
OpenSSL 1.0.2k RSA/ElGmal bn lib.c 208 BN num bits word 1
OpenSSL 1.0.2k RSA/ElGmal bn lib.c 771 BN is bit set 2
OpenSSL 1.0.2k RSA/ElGmal bn lib.c 775 BN is bit set 2
OpenSSL 1.0.2k RSA/ElGmal bn exp.c 724 BN mod exp mont consttime 3
OpenSSL 1.0.2k RSA/ElGmal bn exp.c 1136 BN mod exp mont consttime 4
OpenSSL 1.0.2k RSA/ElGmal bn exp.c 1146 BN mod exp mont consttime 4
OpenSSL 1.0.2k RSA/ElGmal bn lcl.h 148 BN window bits for exponent size 5
OpenSSL 1.0.2k RSA/ElGmal bn lcl.h 149 BN window bits for exponent size 5
OpenSSL 1.0.2k RSA/ElGmal bn lcl.h 150 BN window bits for exponent size 5
OpenSSL 1.0.2k RSA/ElGmal bn lcl.h 151 BN window bits for exponent size 5
Libgcrypt 1.6.1 RSA/ElGmal secmem.c 116(1) ptr into pool p 1
Libgcrypt 1.6.1 RSA/ElGmal secmem.c 116(2) ptr into pool p 1
Libgcrypt 1.6.1 RSA/ElGmal mpi-pow.c 615 gcry mpi powm 2
Libgcrypt 1.6.1 RSA/ElGmal mpi-pow.c 670 gcry mpi powm 2
Libgcrypt 1.6.1 RSA/ElGmal mpi-pow.c 704 gcry mpi powm 2
Libgcrypt 1.6.1 RSA/ElGmal mpi-pow.c 706 gcry mpi powm 2
Libgcrypt 1.6.1 RSA/ElGmal mpi-pow.c 769 gcry mpi powm 3
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 493 gcry mpih mul 4
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 494 gcry mpih mul 4
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 510 gcry mpih mul 4
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 512 gcry mpih mul 4
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 83 mul n basecase 5
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 84 mul n basecase 5
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 100 mul n basecase 5
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 102 mul n basecase 5
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 214 mul n 6
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 219 mul n 6
Libgcrypt 1.6.1 RSA/ElGmal mpi-inline.h 148 gcry mpih cmp 7
Libgcrypt 1.6.1 RSA/ElGmal mpi-inline.h 157 gcry mpih cmp 7
Libgcrypt 1.6.1 RSA/ElGmal mpi-inline.h 51 gcry mpih add 1 8
Libgcrypt 1.6.1 RSA/ElGmal mpi-inline.h 97 gcry mpih sub 1 9
Libgcrypt 1.7.3 RSA/ElGmal mpi-internal.h 116 MPN NORMALIZE 1
Libgcrypt 1.7.3 RSA/ElGmal mpi-pow.c 609 gcry mpi powm 2
Libgcrypt 1.7.3 RSA/ElGmal mpi-pow.c 680 gcry mpi powm 2
Libgcrypt 1.7.3 RSA/ElGmal mpi-pow.c 706 gcry mpi powm 3
Libgcrypt 1.7.3 RSA/ElGmal mpi-pow.c 724 gcry mpi powm 3
Libgcrypt 1.7.3 RSA/ElGmal mpi-pow.c 780 gcry mpi powm 4
Table 10: Table: Information leakage sites due to secret-
dependent cache accesses. False positives are marked as red.
Library Algorithm File line number Function Leakage Units
Libgcrypt 1.6.1 RSA/ElGmal mpi-pow.c 677 gcry mpi powm 1
Libgcrypt 1.6.1 RSA/ElGmal mpi-pow.c 678 gcry mpi powm 1
Libgcrypt 1.6.1 RSA/ElGmal mpi-pow.c 713 gcry mpi powm 2
Libgcrypt 1.6.1 RSA/ElGmal mpi-pow.c 714 gcry mpi powm 2
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 82 mul n basecase 3
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 99 mul n basecase 3
Libgcrypt 1.6.1 RSA/ElGmal mpi-internal.h 88 MPN COPY 4
Libgcrypt 1.6.1 RSA/ElGmal mpi-inline.h 146 gcry mpih cmp 5
Libgcrypt 1.6.1 RSA/ElGmal mpi-inline.h 147 gcry mpih cmp 5
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 135 mul n 6
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 137 mul n 6
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 81 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 82 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 84 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 85 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 87 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 88 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 90 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 91 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 93 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 94 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 96 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 97 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 99 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 100 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 102 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-sub1.S 103 gcry mpih sub n 7
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul1.S 68 gcry mpih mul 1 8
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul2.S 69 gcry mpih addmul 1 9
Libgcrypt 1.6.1 RSA/ElGmal mpih-add1.S 80 gcry mpih add n 10
Libgcrypt 1.6.1 RSA/ElGmal mpih-add1.S 83 gcry mpih add n 10
Libgcrypt 1.6.1 RSA/ElGmal mpih-add1.S 86 gcry mpih add n 10
Libgcrypt 1.6.1 RSA/ElGmal mpih-add1.S 89 gcry mpih add n 10
Libgcrypt 1.6.1 RSA/ElGmal mpih-add1.S 92 gcry mpih add n 10
Libgcrypt 1.6.1 RSA/ElGmal mpih-add1.S 95 gcry mpih add n 10
Libgcrypt 1.6.1 RSA/ElGmal mpih-add1.S 98 gcry mpih add n 10
Libgcrypt 1.6.1 RSA/ElGmal mpih-add1.S 101 gcry mpih add n 10
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 492 gcry mpih mul 11
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 495 gcry mpih mul 11
Libgcrypt 1.6.1 RSA/ElGmal mpih-mul.c 509 gcry mpih mul 11
mbedTLS 2.5.1 RSA bignum.c 1563(1)–(2) mpi montmul 1
mbedTLS 2.5.1 RSA bignum.c 1571 mpi montmul 1
mbedTLS 2.5.1 RSA bignum.c 1573 mpi montmul 1
mbedTLS 2.5.1 RSA bignum.c 1131(1)–(2) mpi mul hlp 2
mbedTLS 2.5.1 RSA bignum.c 1132(1)–(2) mpi mul hlp 2
mbedTLS 2.5.1 RSA bignum.c 1133(1)–(2) mpi mul hlp 2
mbedTLS 2.5.1 RSA bignum.c 1134(1)–(2) mpi mul hlp 2
mbedTLS 2.5.1 RSA bignum.c 1136(1)–(2) mpi mul hlp 2
mbedTLS 2.5.1 RSA bignum.c 1137(1)–(2) mpi mul hlp 2
mbedTLS 2.5.1 RSA bignum.c 1138(1)–(2) mpi mul hlp 2
mbedTLS 2.5.1 RSA bignum.c 1139(1)–(2) mpi mul hlp 2
mbedTLS 2.5.1 RSA bignum.c 1146(1)–(2) mpi mul hlp 2
mbedTLS 2.5.1 RSA bignum.c 1147(1)–(2) mpi mul hlp 2
mbedTLS 2.5.1 RSA bignum.c 1149(1)–(2) mpi mul hlp 2
mbedTLS 2.5.1 RSA bignum.c 1150(1)–(2) mpi mul hlp 2
mbedTLS 2.5.1 RSA bignum.c 1157 mpi mul hlp 2
OpenSSL 1.0.2f RSA/ElGmal bn lib.c 201 BN num bits word 1
OpenSSL 1.0.2f RSA/ElGmal bn lib.c 203 BN num bits word 1
OpenSSL 1.0.2f RSA/ElGmal bn lib.c 209 BN num bits word 1
OpenSSL 1.0.2f RSA/ElGmal bn lib.c 212 BN num bits word 1
OpenSSL 1.0.2f RSA/ElGmal bn lib.c 777 BN is bit set 2
OpenSSL 1.0.2f RSA/ElGmal bn exp.c 633 MOD EXP CTIME COPY FROM PREBUF 3
OpenSSL 1.0.2k RSA/ElGmal bn lib.c 201 BN num bits word 1
OpenSSL 1.0.2k RSA/ElGmal bn lib.c 203 BN num bits word 1
OpenSSL 1.0.2k RSA/ElGmal bn lib.c 209 BN num bits word 1
OpenSSL 1.0.2k RSA/ElGmal bn lib.c 212 BN num bits word 1
OpenSSL 1.0.2k RSA/ElGmal bn exp.c 777 BN is bit set 2
mbedTLS 2.5.1 AES aes.c 788(1)–(16) mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 789(1)–(16) mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 792(1)–(16) mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 795 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 796 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 797 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 798 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 801 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 802 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 803 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 804 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 807 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 808 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 809 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 810 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 813 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 814 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 815 mbedtls internal aes decrypt 1
mbedTLS 2.5.1 AES aes.c 816 mbedtls internal aes decrypt 1
OpenSSL 1.0.2f AES aes-586.pl 1357(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2f AES aes-586.pl 1358(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2f AES aes-586.pl 1359(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2f AES aes-586.pl 1360(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2f AES aes-586.pl 1377(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2f AES aes-586.pl 1378(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2f AES aes-586.pl 1379(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2f AES aes-586.pl 1380(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2k AES aes-586.pl 1357(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2k AES aes-586.pl 1358(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2k AES aes-586.pl 1359(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2k AES aes-586.pl 1360(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2k AES aes-586.pl 1377(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2k AES aes-586.pl 1378(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2k AES aes-586.pl 1379(1)–(4) x86 AES decrypt compact 1
OpenSSL 1.0.2k AES aes-586.pl 1380(1)–(4) x86 AES decrypt compact 1
Table 11: Evaluation result overview when the parameter N of the BOU function is 1. All the analysis campaigns are terminated before
reaching the fixed point due to memory write accesses through the public symbol p. See the last paragraph of Section 6.2 “Information Flow”
for discussion of such cases.
Algorithm Implementation Processing Time # of Analyzed # of Analyzed # of Analyzed Peak Memory Information Leakage SitesProcedures Contexts (CPU Seconds) REIL Instructions Usage (MB) (known/unknown)
RSA/Elgamal libgcrypt 1.6.1 The analysis is terminated before reaching the fixed point due to a memory write access through p. NA
RSA/Elgamal libgcrypt 1.7.3 The analysis is terminated before reaching the fixed point due to a memory write access through p. NA
RSA/Elgamal OpenSSL 1.0.2k The analysis is terminated before reaching the fixed point due to a memory write access through p. NA
RSA/Elgamal OpenSSL 1.0.2f The analysis is terminated before reaching the fixed point due to a memory write access through p. NA
RSA mbedTLS 2.5.1 The analysis is terminated before reaching the fixed point due to a memory write access through p. NA
AES OpenSSL 1.0.2k The analysis is terminated before reaching the fixed point due to a memory write access through p. NA
AES OpenSSL 1.0.2f The analysis is terminated before reaching the fixed point due to a memory write access through p. NA
AES mbedTLS 2.5.1 The analysis is terminated before reaching the fixed point due to a memory write access through p. NA
Table 12: Evaluation result overview when the parameter N of the BOU function is 10. Two analysis campaigns are terminated before
reaching the fixed point due to memory write accesses through the public symbol p. See the last paragraph of Section 6.2 “Information Flow”
for discussion of such cases. Variances in terms of analyzed contexts are highlighted.
Algorithm Implementation # of Analyzed # of Analyzed Processing Time # of Analyzed Peak Memory Information Leakage SitesProcedures Contexts (CPU Seconds) REIL Instructions Usage (MB) (known/unknown)
RSA/Elgamal libgcrypt 1.6.1 The analysis is terminated before reaching the fixed point due to a memory write access through p. NA
RSA/Elgamal libgcrypt 1.7.3 The analysis is terminated before reaching the fixed point due to a memory write access through p. NA
RSA/Elgamal OpenSSL 1.0.2k 71 81 168.67 83,183 4,237 2/3
RSA/Elgamal OpenSSL 1.0.2f 68 72 150.3 80,096 4,151 2/4
RSA mbedTLS 2.5.1 29 34 125.34 34,137 3,501 0/29
AES OpenSSL 1.0.2k 1 1 46.76 3,748 566 32/0
AES OpenSSL 1.0.2f 1 1 47.91 3,748 574 32/0
AES mbedTLS 2.5.1 1 1 45.52 4,803 569 64/0
Total 191 190 584.5 209,715 13,598 132/36
Table 13: Evaluation result overview when the parameter N of the BOU function is 25. Variances in terms of analyzed contexts are highlighted.
Algorithm Implementation # of Analyzed # of Analyzed Processing Time # of Analyzed Peak Memory Information Leakage SitesProcedures Contexts (CPU Seconds) REIL Instructions Usage (MB) (known/unknown)
RSA/Elgamal libgcrypt 1.6.1 60 81 351.69 50,436 6,956 22/18
RSA/Elgamal libgcrypt 1.7.3 59 59 211.72 33,386 6,385 0/0
RSA/Elgamal OpenSSL 1.0.2k 71 81 199.41 83,183 5,100 2/3
RSA/Elgamal OpenSSL 1.0.2f 68 72 165.35 80,096 5,345 2/4
RSA mbedTLS 2.5.1 29 35 378.98 35,050 6,347 0/29
AES OpenSSL 1.0.2k 1 1 47.29 3,748 557 32/0
AES OpenSSL 1.0.2f 1 1 46.46 3,748 628 32/0
AES mbedTLS 2.5.1 1 1 45.94 4,803 633 64/0
Total 290 331 1,446.84 294,450 31,951 154/54
Table 14: Evaluation result overview when the parameter N of the BOU function is 50 (configuration used in our evaluation). Variances in
terms of analyzed contexts are highlighted.
Algorithm Implementation # of Analyzed # of Analyzed Processing Time # of Analyzed Peak Memory Information Leakage SitesProcedures Contexts (CPU Seconds) REIL Instructions Usage (MB) (known/unknown)
RSA/ElGamal libgcrypt 1.6.1 60 81 228.8 50,436 7,749 22/18
RSA/ElGamal libgcrypt 1.7.3 59 59 182.2 33,386 5,823 0/0
RSA/ElGamal OpenSSL 1.0.2k 71 81 179.2 83,183 6,134 2/3
RSA/ElGamal OpenSSL 1.0.2f 68 72 169.5 80,096 6,113 2/4
RSA mbedTLS 2.5.1 29 36 775.9 35,963 9,654 0/29
AES OpenSSL 1.0.2k 1 1 33.2 3,748 620 32/0
AES OpenSSL 1.0.2f 1 1 35.8 3,748 578 32/0
AES mbedTLS 2.5.1 1 1 32.8 4,803 619 64/0
Total 290 332 1,637.4 295,363 37,290 154/54
Table 15: Evaluation result overview when the parameter N of the BOU function is 100. Variances in terms of analyzed contexts are
highlighted.
Algorithm Implementation # of Analyzed # of Analyzed Processing Time # of Analyzed Peak Memory Information Leakage SitesProcedures Contexts (CPU Seconds) REIL Instructions Usage (MB) (known/unknown)
RSA/Elgamal libgcrypt 1.6.1 60 81 335.08 50,436 6,750 22/18
RSA/Elgamal libgcrypt 1.7.3 59 59 226.16 33,386 7,339 0/0
RSA/Elgamal OpenSSL 1.0.2k 71 81 358.02 83,183 8,431 2/3
RSA/Elgamal OpenSSL 1.0.2f 68 72 314.53 80,096 8,549 2/4
RSA mbedTLS 2.5.1 29 36 2,189.69 35,963 22,140 0/29
AES OpenSSL 1.0.2k 1 1 47.02 3,748 567 32/0
AES OpenSSL 1.0.2f 1 1 45.57 3,748 590 32/0
AES mbedTLS 2.5.1 1 1 47.39 4,803 631 64/0
Total 290 332 3,563.46 259,363 54,997 154/54
