Quantifying the Information Leak in Cache Attacks through Symbolic
  Execution by Chattopadhyay, Sudipta et al.
Quantifying the Information Leak in Cache Attacks through Symbolic Execution
Sudipta Chattopadhyay
Saarland University
Moritz Beck
Saarland University
Ahmed Rezine
Linko¨ping University
Andreas Zeller
Saarland University
Abstract—Cache timing attacks allow attackers to infer the
properties of a secret execution by observing cache hits and
misses. But how much information can actually leak through
such attacks? For a given program, a cache model, and an
input, our CHALICE framework leverages symbolic execution
to compute the amount of information that can possibly leak
through cache attacks. At the core of CHALICE is a novel
approach to quantify information leak that can highlight crit-
ical cache side-channel leaks on arbitrary binary code. In our
evaluation on real-world programs from OpenSSL and Linux
GDK libraries, CHALICE effectively quantifies information
leaks: For an AES-128 implementation on Linux, for instance,
CHALICE finds that a cache attack can leak as much as 127
out of 128 bits of the encryption key.
1. Introduction
Cache timing attacks [11] are among the best known side
channel attacks to determine secret features of a program
execution without knowing its input or output. The general
idea of a timing attack is to observe, for a known program, a
timing of cache hits and misses, and then to use this timing
to determine or constrain features of the program execution,
including secret data that is being processed.
The precise nature of the information that can leak
through such attacks depends on the cache and its features,
as well as the program and its features. Consequently, given
a model of the cache and a program run, it is possible to an-
alyze which and how much information would leak through
a cache attack. This is what we do in this paper. Given
a program execution and a cache model, our CHALICE
approach automatically determines which bits of the input
would actually leak through a potential cache attack.
As an example, consider an implementation of the pop-
ular AES encryption algorithm. Given an input and an
encryption key (say, 128 bits for AES-128), CHALICE can
determine which and how many of the bits of the key would
leak if the execution were subject to a cache attack. To this
end, CHALICE uses a novel symbolic execution over the
given concrete input. During symbolic execution, CHALICE
derives symbolic timings of cache hits and misses; these
then again reveal under which circumstances individual bits
of encryption key may leak.
The reason why CHALICE works is that the timings
of cache hits and misses are not uniformly distributed; and
therefore, some specific timings may reveal more informa-
tion than others. Figure 1 demonstrates the execution of an
Number of cache misses
Nu
m
be
r o
f k
ey
s
13800
0
2 keys
13850 keys
213 279
Not uniform distribution
Figure 1. For a fixed input message, the plot shows the number of keys
leading to a given number of cache misses incurred by executing AES-128
encryption (sample size = 256000 keys)
AES-128 implementation [1] for a fixed input and 256,000
different keys, inducing between 213 and 279 cache misses.
We see that the distribution of cache misses is essentially
Gaussian; if the number of cache misses is average, there
are up to 13,850 keys which induce this very cache timing.
If we have an extreme cache timing with 213 misses (the
minimum) or 279 misses (the maximum), then there are
only 2 keys that induce this very timing. CHALICE can
determine that for these keys, 90 of 128 bits would leak
if the execution were subjected to a cache attack, which
in practice would mean that the remaining 38 bits could
be guessed through brute force—whereas other “average”
keys would be much more robust. For each key and input,
CHALICE can precisely predict which bits would leak,
allowing its users to determine and find the best alternative.1
It is this precision of its symbolic analysis that sets
CHALICE apart from the state of the art. Existing
works [16] [21] use static analysis alone to provide an upper
bound on the potential number of different observations that
an attacker can make. This upper bound, however, does
not suffice to choose between alternatives, as it ignores
the distribution of inputs: It is possible that certain inputs
may leak substantially more information than others. Not
only that such an upper bound might be imprecise, it is
also incapable to identify inputs that exhibits substantial
information leakage through side channels. Given a set of
inputs (typically as part of a testing pipeline), CHALICE
1. In the best of all worlds, one might have an implementation of
every critical algorithm, such as an encryption routine, to have a uniform
distribution over cache misses. But neither does such implementations exist
that would be efficient, nor do we know whether such implementations
can exist; and replacing a well-studied algorithm like AES by some other
algorithm with uniform distribution may induce other, yet unknown risks.
ar
X
iv
:1
61
1.
04
42
6v
1 
 [c
s.C
R]
  1
4 N
ov
 20
16
/* k is sensitive input */ 
char p[256]; 
unsigned char k;   
char q[256]; 
load  reg1, p[k] 
if (k <= 127) 
load  reg2, q[255-k] 
else 
load  reg2, q[k-128] 
add   reg1, reg2 
store reg1, p[k]
k=0 (<m,m,m>) 
1 ≤ k ≤ 255 (<m,m,h>) 
/* k is sensitive input */ 
char p[256]; 
unsigned char k;   
char q[256]; 
load  reg1, q[255] 
if (k <= 127) 
load  reg2, p[k%2] 
else 
load  reg2, p[128*(k%2)]  
add   reg1, reg2 
store reg1, q[255]
k%2==0 (<m,m,m>) 
k%2==1 (<m,m,h>) 
0 ≤ k ≤ 255 (<m,m,h>) 
/* k is sensitive input */ 
char p[256]; 
unsigned char k;   
char q[256]; 
if (k <= 127) 
load  reg2, q[255-k] 
else 
load  reg2, q[k-128] 
load  reg1, p[k] 
add   reg1, reg2 
store reg1, p[k]
p[0], q[255]
p[1]
k
q[0]
q[1]
q[254]
Cache
256 bytes
256 bytes
p[255]
(a) (b) (c) (d)
Figure 2. k is a sensitive input. (a)-(c) three code fragments and respective partitions of the input space with respect to cache hit/miss sequence (reg1,
reg2 represent registers), (d) mapping of program variables into a direct-mapped cache sized 512 bytes (q[255] and p[0] conflict in the cache)
can precisely quantify the leak for each input, and thus
provide a full spectrum that characterizes inputs with respect
to information leakage.
The remainder of this paper is organized as follows.
After giving an overview on CHALICE (section 2), we make
the following contributions:
1) We present CHALICE, a new approach to precisely
quantify information leak in execution and its usage
in software testing (section 3).
2) We introduce a symbolic cache model to instantiate
CHALICE to detect cache side channel leakage
(section 4). This is the first usage of symbolic
execution to explore cache states along with the
program states.
3) We demonstrate that the model generalizes across
multiple observer models. section 5 demonstrates
how CHALICE is instantiated for both direct-
mapped and LRU cache replacement policies.
4) We provide an implementation (section 6) based
on LLVM and the KLEE symbolic virtual machine.
Source code of CHALICE and all experimental data
will be publicly available in the following URL:
https://bitbucket.org/sudiptac/cache-side-channel
5) We evaluate our CHALICE approach (section 7)
to show how we quantify the information leaked
through execution in several libraries, including
OpenSSL and Linux GDK libraries, and show that
the information leak can be as high as 25116 for
certain implementations [1] of AES-128.
After discussing related work (section 8), we close with
conclusion and consequences (section 9).
2. Overview
In this section, we convey the key insight behind our
approach through examples. In particular, we illustrate how
CHALICE is used to quantify information leak from the
execution trace of a program.
Motivating Example
Let us assume that our system contains a direct-mapped
cache of size 512 bytes. Figures 2(a)-(c) show different code
fragments executed in the system. For the sake of clarity, we
use both assembly-level and source-level syntaxes. However,
our framework takes a binary code as input, in order to
accurately capture the memory behaviour of a program. For
simplicity in the example, we assume that conditional checks
do not involve any access to cache (i.e. k is assigned to a
register). The mapping of different variables into the cache
is shown in Figure 2(d). Let us assume that the code frag-
ments of Figures 2(a)-(c) are executed with some arbitrary
(and unknown) value of k. Broadly, CHALICE answers the
following question: Provided only the cache performance
(e.g. cache hit/miss sequence) from such executions, how
much information about the sensitive input k is leaked?
The cache performance induces a partition on the pro-
gram input space. Let us capture the cache performance via
a sequence of hits (h) and misses (m). In Figure 2(a), for all
values of k between 0 and 127, we observe two cache misses
due to the first two memory accesses, p[k] and q[255− k],
respectively. The second access to p[k] is a cache hit, for
k ∈ [1, 127]. However, if k = 0, the content of p[k] will
be replaced by q[255− k], resulting in a cache miss at the
second access of p[k]. For k ∈ [128, 255], p[k] is never
replaced once it is loaded into the cache. Therefore, the
second access to p[k] is a cache hit for k ∈ [128, 255]. In
other words, we observe the sequence of cache hits and
misses to induce the following partition on the input space:
k = 0 (hit/miss sequence = 〈m,m,m〉) and k ∈ [1, 255]
(hit/miss sequence = 〈m,m, h〉). A similar exercise for the
code in Figure 2(b) results in the following partition of the
sensitive input space: k ∈ [0, 255] ∧ k mod 2 = 0 (hit/miss
sequence = 〈m,m,m〉) and k ∈ [0, 255] ∧ k mod 2 6= 0
(hit/miss sequence = 〈m,m, h〉).
Key observation. In this work, we stress the importance
of quantifying information leaks from execution traces and
not from the static representation of a program. To illustrate
this, consider the input partitions created for code fragments
in Figures 2(a)-(b). We emphasize that observing the cache
hit/miss sequence 〈m,m,m〉, from an execution of the code
fragment in Figure 2(a), results in complete disclosure of
sensitive input k. On the contrary, observing the sequence
〈m,m,m〉, from an execution of the code fragment in
Figure 2(b), will only reveal the information that k is odd.
Such information still demands a probability of 1128 in order
to correctly guess k at first attempt. This is in contrast to
accurately guessing the correct value of k at first attempt (as
happened through the sequence 〈m,m,m〉 for Figure 2(a)).
In order to fix the cache side-channel leak in Figure 2(a),
we can reorder the code as shown in Figure 2(c).
Limitations of static analysis. Existing works in
static analysis and verification have aimed at quantifying
side channel leaks [16], [21] and verifying constant-time
implementations [7], [10]. These works correlate the number
of possible observations (by an attacker) with the number
of bits leaked through a side channel. We believe this
view can be dangerous. Indeed, both code fragments in
Figures 2(a)-(b) have exactly two possible cache hit/miss
sequences, for arbitrary values of k. Therefore, approaches
based on static analysis [16], [21] will consider these two
code fragments equivalent in terms of cache side-channel
leakage. As a result, statically analyzing a program will
not reveal crucial information leak scenarios, such as the
execution of code fragment in Figure 2(a) with k = 0.
Techniques based on verifying that programs execute in
constant time typically check that memory accesses do not
depend on sensitive inputs. Yet, most implementations do
not execute in constant time. Besides, programs such as
in Figure 2(c) have accesses that may depend on sensitive
inputs without leaking information about it to a cache-
performance observer. Therefore, we not only check the
dependency between accessed memory address and program
inputs, but we also accurately track the information flow
through cache performance.
Can we use dynamic tainting?. In the preceding paragraph,
we state the importance of dynamically tracking sensitive
information flow through cache performance. Approaches
based on dynamic taints [13] can accomplish the task to
detect information leak through standard functional outputs.
However, such approaches fail to detect information leak
through software non-functional outputs, such as cache per-
formance, among others. Our methodology targets this angle
of information leak detection by building a relationship
between sensitive inputs and observed cache performance.
In order to establish such a relationship, we leverage on
symbolic analysis and constraint solving.
Limitations of side-channel vulnerability metrics. In con-
trast to existing works on measuring cache side channel
leakage [15], we do not aim to check the strength of
an attacker to observe information through side channel.
Although promising, this work [15] fails to detect the infor-
mation flow between sensitive inputs and observed perfor-
mance. As a result, the side-channel vulnerability metric can
only quantify how well an attacker can retrieve information
from a system, but, does not highlight the information
potentially leaked to the attacker. Of course, we believe our
work is complementary to the metrics proposed in [15] and
CHALICE could be combined with such metrics to build
more advanced metrics for measuring side channel leakage.
Such metrics could consider both information leaked by the
system as well as the information that could be retrieved by
an attacker.
The usage of CHALICE. CHALICE is aimed to be used
for validating security properties of software. Given a test
suite (i.e. a set of concrete test inputs) for the software,
CHALICE is used to quantify the information leaked for
each possible observation obtained from this test suite. This
is possible, as the observation by an attacker (e.g. number
of cache miss) corresponds to a (set of) test inputs and
CHALICE presents how much can be deduced about such
inputs from the respective observation. In other words, our
framework CHALICE fits the role of a test oracle [9] in
the software validation process. For instance, if CHALICE
reports substantial information leakage, the test inputs lead-
ing to the respective observation should be avoided (e.g.
avoiding a “weak” encryption key) or the candidate program
needs to be restructured to avoid such information leak. The
generation of an effective and optimized test suite, in order
to detect cache side channels, is an open problem. However,
CHALICE can be instantiated to generate a witness for each
possible observations made by an attacker. The set of all
these witnesses forms a concise test suite and our proposed
method in CHALICE can quantify information leak for each
element in such a test suite. In this paper, we only focus
on the quantification of information leak in a single test
execution and not on the generation of a test suite.
CHALICE should not be used for verifying the absence
of cache side-channel leakage. Implementations that must
adhere to zero-leakage, may leverage on CHALICE during
the early design, specifically to discover the severity of
potential cache side-channel leaks and the program locations
exhibiting such leaks. Nevertheless, CHALICE is aimed
for testing arbitrary software and we envision that such a
strategy becomes an integral component of software testing
pipeline in the future.
How CHALICE works. Let us assume that we execute
the code in Figure 2(a) with some input I ∈ [0, 255]
and observed the trace tI ≡ 〈m,m,m〉. Given only the
observation tI , CHALICE quantifies how much information
about program input I is leaked. CHALICE symbolically
executes the program and it tracks all memory accesses
dependent on the sensitive input k. For each explored path,
CHALICE constructs a symbolic cache model, which ac-
curately encodes all possible cache hit/miss sequences for
the respective path. In this example, CHALICE constructs
Γ(0 ≤ k ≤ 127) and Γ(128 ≤ k ≤ 255), which encode all
cache hit/miss sequences for inputs satisfying 0 ≤ k ≤ 127
and 128 ≤ k ≤ 255, respectively. Let us consider the
path explored for inputs k ∈ [0, 127]. While exploring the
path, we record a sequence of symbolic memory addresses
〈&p[k],&q[255− k],&p[k]〉, where &x denotes the address
of value x. Since we started execution with an empty cache,
the first access to p[k] inevitably incurs a cache miss,
irrespective of the value of k. The subsequent accesses can
either be cold misses (first access to the respective cache
line) or eviction misses (non-first access to the respective
cache line). Let us consider the second access to p[k], as
this is the memory access that partitions the input space. In
order to check whether the second access to p[k] is a cold
miss, we check the following constraint:
(0 ≤ k ≤ 127) ∧ (set(&p[k]) 6= set(&q[255− k]))
∧ (set(&p[k]) 6= set(&p[k])) (1)
where set(&x) captures the cache line where memory ad-
dress &x is mapped to. Intuitively, the constraint checks
whether access to p[k] touches a cache line for the first
time. Constraint (1) is clearly unsatisfiable, leading to the
fact that the second access to p[k] does not access a cache
line for the first time during execution.
Subsequently, we check whether the second access to
p[k] can suffer an eviction miss. To this end, we check
whether q[255−k] can evict p[k] from the cache as follows:
(0 ≤ k ≤ 127) ∧ (set(&p[k]) = set(&q[255− k]))
∧ (tag(&p[k]) 6= tag(&q[255− k])) (2)
where tag(&x) captures the cache tag associated with the
accessed memory block. Intuitively, Constraint (2) is satis-
fied if and only if q[255 − k] accesses a different memory
block as compared to p[k], but q[255 − k] and p[k] access
the same cache line (hence, causing an eviction before p[k]
was accessed for the second time). In this way, we collect
Constraints (1)-(2) to formulate the cache behaviour of a
memory access into Γ(0 ≤ k ≤ 127).
After constructing Γ(0 ≤ k ≤ 127), we explore the
path for inputs k ∈ [128, 255] and record the sequence of
memory accesses p[k], q[k − 128] and p[k]. Performing a
similar exercise, we can show that the second access to p[k]
cannot be a cold miss along this path. In order to check
whether the second access to p[k] was an eviction miss along
this path, we check whether q[k − 128] can evict p[k] from
the cache as follows:
(128 ≤ k ≤ 255) ∧ (set(&p[k]) = set(&q[k − 128]))
∧ (tag(&p[k]) 6= tag(&q[k − 128])) (3)
Constraint (3) is used to formulate Γ(128 ≤ k ≤ 255) and
is unsatisfiable. This is because only p[0] shares a cache line
with q[255] (i.e. set(&p[0]) = set(&q[255])) and therefore,
set(&p[k]) = set(&q[k−128]) is evaluated false for 128 ≤
k ≤ 255. As a result, the second access to p[k] is not a
cache miss for any input k ∈ [128, 255].
From the observation 〈m,m,m〉, we know that the
second access to p[k] was a miss. From the discussion in
the preceding paragraph, we also know that this observation
cannot occur for any inputs k ∈ [128, 255]. Therefore,
the value of k must result in Constraint (2) satisfiable.
Constraint (2) is unsatisfiable if we restrict the value of k
between 1 and 127. This happens based on the fact that
only p[0] is mapped to the same cache line as q[255] (cf.
Figure 2(d)). As a result, CHALICE reports 255 (127 for
the if branch and 128 for the else branch in Figure 2(a))
values being leaked for the observation 〈m,m,m〉. In other
words, CHALICE accurately reports the information leak
(i.e. k = 0) for the observation 〈m,m,m〉.
3. Framework
In the following, we formally introduce the problem
statement and provide an outline of our overall approach
to solve this problem.
3.1. Foundation
Threat model. Side-channel attacks are broadly classified
into synchronous and asynchronous attacks [25]. In syn-
chronous attack, an attacker can trigger the processing of
known inputs (e.g. a plain-text or a cipher-text for encryp-
tion routines), whereas such a phenomenon is not possible
for asynchronous attacks. Synchronous attacks are clearly
easier to perform, since the attacker does not need to
compute the start and end of the targeted routine under
attack. For instance, in synchronous attack, the attacker
can trigger encryption of known plaintext messages and
observe the encryption-timing [11]. Since CHALICE is a
software validation tool with the aim of producing side-
channel resistant implementations, we assume the presence
of a strong attacker in this paper. Therefore, we consider the
attacker can request and observe the execution (e.g. number
of cache miss) of the targeted routine. We also assume
that the attacker can execute arbitrary user-level code in the
same processor running the targeted routine. This allows the
attacker to flush the cache before the targeted routine starts
execution and therefore, reduce the external noise in the
observation. The attacker, however, is incapable to access
the address space of the target routine.
Notations. The execution of program P on input I results
in an execution trace tI . tI is a sequence over the alphabet
Σ = {h,m} where h (respectively, m) represents a cache
hit (respectively, cache miss). Our proposed method in
CHALICE quantifies the information leaked through tI . We
capture this quantification via L(tI). We assess the infor-
mation leakage with respect to an observer. An observer is
a mapping O : Σ∗ → D where D is a countable set. For
instance, an observer O : Σ∗ → N can count the number of
misses and will associate both sequences 〈m,h,m, h, h〉 and
〈m,m, h, h, h〉 to 2. It will therefore not differentiate them.
The most precise observer would be the identity mapping on
Σ∗. However, an observer that tracks prefixes of some fixed
lengths (for example 2) would be enough to differentiate the
two aforementioned sequences.
We use the variable missi to capture whether or not
the i-th memory access was a cache miss during exe-
cution. The observation by an attacker, over the execu-
tion for an arbitrary input and according to the observer
model O, is considered via the observation constraint ΦO.
Program 
(P)
Symbolic Execution
Path 
condition 
(pc)
Memory  
Addresses
Symbolic cache behaviour  𝚪(pc)
Predicates on input 
segments (π)
Observation  
(e.g. trace of hit/miss)
Information leak
L(tI)
Observer Model  
(O)(tI ∈ ∑*)
Observation Constraint 
(ΦO)
Figure 3. The framework CHALICE.
ΦO is a symbolic constraint over the set of variables
{miss1,miss2, . . . ,missn}, where n is the total number
of memory accesses during an execution. For instance,
ΦO ≡
(∑n
i=1 missi = 100
)
accurately captures that the
attacker observes 100 cache misses in an execution man-
ifesting n memory accesses. For the sake of formulation,
we use ΦO,e to define a projection of ΦO on an arbitrary
program path e. In particular, ΦO,e captures the observation
constraint if program path e is executed. Given only ΦO to
be observed by an attacker, CHALICE quantifies how much
information about the respective program input is leaked.
The central idea of our information leak detection is to
capture the cache behaviour via symbolic constraints. Let us
consider a set of inputs I that exercise the same execution
path with n memory accesses. We use Γ(I) to accurately
encode all possible combinations of values of variables
{miss1,miss2, . . . ,missn}. Therefore, if Γ(I) ∧ ΦO is
unsatisfiable, we can deduce that the respective observation
ΦO did not occur for any input I ∈ I.
We now describe how L(tI) is computed based on the
notations and the intuition mentioned in the preceding.
3.2. Quantifying Information Leak in Execution
Figure 3.1 provides an outline of our entire framework.
We symbolically execute a program P compute the path
condition [18] for each explored path. Such a path con-
dition symbolically encodes all program inputs for which
the respective program path was followed. Our symbolic
execution based framework tracks all memory accesses on
a taken path and therefore, enables us to characterize, for
all symbolic arguments satisfying the path condition, the set
of all associated cache behaviors.
Recall that we use Γ(I) to capture possible cache
hit/miss sequences in an execution path, which was activated
by a set of inputs I. In an abuse of notation, we capture set of
inputs I via path conditions. For instance, in Figure 2(a), we
use Γ(0 ≤ k ≤ 127) to encode all possible cache hit/miss
sequences for inputs activating the If branch.
For an arbitrary execution path, let us consider pc be the
path condition. Along this path, we record each memory
access and we consider its cache behaviour via variable
missi. missi is set to 1 (resp. 0) if and only if the i-
th memory access along the path encounters a cache miss
(hit). Given n to be the total number of memory accesses
along the path, we formulate Γ(pc) to bound the value of
{miss1,miss2, . . . ,missn}. In particular, any solution of
Γ(pc) ∧ (missi = 1) captures a concrete input I ⇒ pc and
such an input I leads to an execution where the i-th memory
access is a cache miss. Therefore, if an observation ΦO
happens to be for input I ⇒ pc, Γ(pc) ∧ ΦO is always
satisfiable.
We capture the information leak through execution trace
tI as follows:
L(tI) = 2N − |
∨
e∈Path
(Γ(pce) ∧ ΦO,e) |sol (4)
where N is size of program input (in bits), ΦO,e is the
projection of the observation constraint on path e, Path is
the set of all program paths and pce is the path condition
for program path e. |X |sol captures the number of solu-
tions satisfied by predicate X . It is worthwhile to note that
|∨e∈Path (Γ(pce) ∧ ΦO,e) |sol accurately captures the num-
ber of program inputs that exhibit the observation satisfied
by ΦO. In other words, Equation (4) quantifies the number
of program inputs that does not exhibit the observation, as
captured by ΦO. Hence, if the attacker observes ΦO, she
can deduce as many as L(tI) inputs were impossible for
the respective observation.
In practice, however, computing the exact value of L(tI)
might be infeasible, as it might require the enumeration
of all solutions. In order to control such enumeration, we
generate predicates on input variables. In particular, we
sample an N -bit input into K equal segments, resulting in
input segments of length NK . Subsequently, we constrain the
search space of the solver by restricting the value of each
such input segment to any possible value, that is, pointing
to a value in the set {0, 1, . . . , 2NK − 1}. For instance, let us
assume x is the program input and xi captures the i-th input
segment. A predicate pi ≡ (xi = 0) will guide the solver to
search for a solution only in the input space where the i-th
input segment is 0. Since, we have K different segments,
we generate a total of
(
K · 2NK
)
different predicates. For
each such predicate pi, we record information leak if the
following constraint is unsatisfiable:∨
e∈Path
(Γ(pce) ∧ ΦO,e ∧ pi) (5)
Concretely, if Constraint (5) is unsatisfiable, we can ac-
curately record that input I , which leads to observation
ΦO along some program path, satisfies the predicate ¬pi.
An appealing feature of this process is that all K · 2NK
predicates can be generated independently and therefore, the
unsatisfiability check of Constraint (5) can be performed in
parallel for different predicates.
Let us assume, U1,U2, . . . ,UK are the number of unsat-
isfiable solutions reported for each of the K input segments
respectively. Therefore, we can estimate a lower bound on
L(tI) from these unsatisfiability checks as follows:
L(tI) ≥ 2N −
∏
1≤i≤K
(
2
N
K − Ui
)
(6)
Due to the classic path explosion problem in symbolic
execution, it is possible that only a subset of paths P ′ ⊆
Path can be explored within a given time budget. In such
cases, we can quantify L(tI) as follows.
L(tI) = 2N − |
∨
e∈Path
(Γ(pce) ∧ ΦO,e) |sol
= |
∨
e∈P′
pce|sol + |
∨
e∈Path\P′
pce|sol
− |
∨
e∈P′
(Γ(pce) ∧ ΦO,e) |sol
− |
∨
e∈Path\P′
(Γ(pce) ∧ ΦO,e) |sol
≥ |
∨
e∈P′
pce|sol − |
∨
e∈P′
(Γ(pce) ∧ ΦO,e) |sol
≥ |
∨
e∈P′
pce|sol −
∏
1≤i≤K
(
2
N
K − Ui
)
(7)
This result follows from the fact that Γ(pce) ∧ ΦO,e ⇒
Γ(pce)⇒ pce. The term |
∨
e∈P′ pce|sol involves only path
conditions and it can be computed via model counting [5].
Finally, it is worthwhile to note that setting K = 1 is
equivalent to enumerating all solutions as in Equation (4).
In contrast, setting K = N is equivalent to checking infor-
mation leak at bit-level (i.e. checking whether the value of
a single bit can influence cache performance). Therefore,
K provides a tunable parameter for different levels of
information leak detection. We have conducted evaluation
for K = 8 and K = N . This means, we have checked how
much information about a single byte and respectively, a
single bit are leaked through observing cache performance.
In the next section, we will describe the construction of
Γ (pc) for an arbitrary path condition pc.
4. Generating Symbolic Cache Model
The technical contribution of our methodology is a
symbolic model for cache behaviour – establishing a link
between the program input and observed cache performance.
To describe our model, we shall use the following notations
throughout our discussions:
• 2S : The number of cache sets in the cache.
• 2B : The size of a cache line (in bytes).
• A : Associativity of cache. For direct-mapped
caches, A = 1.
• set(ri) : Cache set accessed by instruction ri.
• tag(ri) : The tag stored in the cache for the memory
block accessed by ri.
• ζi : The cache state before executing instruction ri
and after executing instruction ri−1.
In the following, we will explain the different steps of
generating the symbolic cache model.
4.1. Intercepting Memory Requests
We symbolically execute a program P . During symbolic
execution, we track the path condition and the sequence of
memory accesses for each explored path. For instance, while
symbolically exercising the If branch of Figure 2(a), we
track the path condition 0 ≤ k ≤ 127 and the sequence of
memory addresses 〈&p[k],&q[255− k],&p[k]〉. It is worth-
while to note that such memory addresses might capture
symbolic expressions due to the dependency from program
inputs. Concretely, we compute the path condition pc and
the execution trace Ψpc for each explored path as follows:
Ψpc ≡ 〈(r1, σ1), (r2, σ2), . . . , (rn−1, σn−1), (rn, σn)〉 (8)
where ri captures the i-th memory-related instruction ex-
ecuted along the path and σi symbolically captures the
memory address accessed by ri.
4.2. Modeling Symbolic Cache Access
In order to find the impact on caches, we need to
find out the set of cache lines being accessed. This is
accomplished by manipulating the expression σi, which was
collected while executing each memory-related instruction
ri (cf. Equation (8)). In particular, we formulate set(ri) as
follows:
set(ri) = (σi  B) &
(
2S − 1) (9)
In Equation (9), “&” captures a bitwise-and operation and
“” captures a right-shift operation.
Apart from the cache set a memory address is mapped
to, we need to distinguish different memory addresses from
which contents are stored into the cache. This is different
from just checking the inequality between σi values, as
the memory controller groups contents of different memory
addresses into a memory block and stores the memory block
into a cache line. In order to distinguish different memory
blocks mapped into the same cache lines, a tag is stored
within each cache line. For instruction ri, such a tag tag(ri)
is captured as follows:
tag(ri) = (σi  (B + S)) (10)
Therefore, if tag(ri) 6= tag(rj), we can conclude that ri and
rj are accessing different memory blocks, even if set(ri) =
set(rj) holds.
It is worthwhile to note that both set(ri) and tag(ri)
might be symbolic expressions due to the presence of sym-
bolic expression σi in Equations (9)-(10). Moreover, the
computations of set(ri) and tag(ri) are independent of any
cache replacement policy.
4.3. Direct-mapped Caches
In this section, we assume that the cache is direct-
mapped. Therefore, each cache set holds exactly one cache
line. In the next section, we extend our symbolic model for
set-associative caches.
rkr1 rj rnri
Induced cache miss (causing eviction)
No reuse of  
memory block
Figure 4. Memory-access rj induces a cache miss at ri if rj accesses the
same cache set as ri and rk does not load the block accessed by ri
We characterize cache misses into the following two
categories:
1) Cold cache misses. ri suffers a cold miss if and only
if set(ri) has not been accessed by any previous
instruction r ∈ {r1, r2, . . . , ri−1}.
2) Cache misses due to eviction. ri suffers a cache
miss due to eviction if and only if the last ac-
cess to set(ri) had been from an instruction rj ∈
{r1, r2, . . . , ri−1}, such that tag(rj) 6= tag(ri).
Constraints to formulate cold cache misses. If a cache line
is accessed for the first time, such an access will inevitably
incur a cache miss. Let us consider that we want to check
whether instruction ri accesses a cache line for the first time
during execution. In other words, we can check none of the
instruction r ∈ {r1, r2, . . . , ri−1} touches the same cache
line as ri. Therefore ri suffers a cold miss if and only if the
following condition holds:
Θcoldi ≡
∧
p∈[1,i)
(set(rp) 6= set(ri)) (11)
Constraints to formulate cache evictions. In the following,
we formulate a set of constraints to encode cache misses
other than cold cache misses. Such cache misses occur due
to the eviction of memory blocks from caches.
To illustrate different cache-miss scenarios clearly, let
us consider the example shown in Figure 4. Assume that
we want to check whether ri will suffer a cache miss due
to eviction. This might happen only due to instructions
appearing before (in the program order) ri. Consider one
such instruction rj , for some j ∈ [1, i). Informally, rj is
responsible for a cache miss at ri, only if the following
conditions hold:
1) ψcnf (j, i): ri and rj access the same cache set.
Therefore, we have the following constraint:
ψcnf (j, i) ≡ (set(rj) = set(ri)) (12)
2) ψdif (j, i): ri and rj access different memory-block
tags. This can be formalized as follows:
ψdif (j, i) ≡ (tag(rj) 6= tag(ri)) (13)
3) ψeqv(j, i): There does not exist any instruction rk
where k ∈ [j+1, i), such that rk accesses the same
memory block as ri. It is worthwhile to note that
the existence of rk will load the memory block
accessed at ri. Since rk is executed after rj (in
program order), rj must not be responsible for
a cache miss at ri. We formulate the following
constraint to capture this condition:
ψeqv (j, i) ≡
∧
k: j<k<i
(tag(rk) 6= tag(ri)
∨ set(rk) 6= set(ri))
(14)
Constraints (12)-(14) capture necessary and sufficient
conditions for instruction rj to replace the memory block
accessed by ri (where j < i) and the respective block not
being accessed between rj and ri. In order to check whether
ri suffers a cache miss due to eviction, we need to check
Constraints (12)-(14) for any r ∈ {r1, r2, . . . , ri−1}. This
can be captured via the following constraint:
Θempi ≡
 ∨
j: 1≤j<i
(ψcnf (j, i) ∧ ψdif (j, i) ∧ ψeqv (j, i))

(15)
ri will not suffer a cache miss due to eviction when
at least one of the Constraints (12)-(14) does not hold for
all prior instructions of ri. This scenario is the negation of
Constraint (15) and therefore, it is captured via ¬Θempi .
We use variable missi to capture whether instruction
ri suffers a cache miss. As discussed in the preceding
paragraphs, ri suffers a cold miss (i.e. satisfying Con-
straint (11)) or the memory block accessed by ri would be
evicted due to instructions executed before ri (i.e. satisfying
Constraint (15)). Using this notion, we formulate the value
of missi as follows:
Θmp,diri ≡
(
Θempi ∨Θcoldi
)
(16)
Θm,diri ≡
(
Θmp,diri ⇒ (missi = 1)
)
(17)
Θh,diri ≡
(
¬Θmp,diri ⇒ (missi = 0)
)
(18)
Putting it all together. Recall that Γ(pc) captures
the constraint system to encode the cache behaviour for
all inputs I ⇒ pc. In order to construct Γ(pc), we gather
constraints, as derived in the preceding sections, and the
path condition into Γ(pc) as follows:
Γ(pc) ≡ pc ∧
∧
i∈[1,n]
(
Θm,diri ∧Θh,diri
)
(19)
4.4. Set-associative Caches
In direct-mapped caches, exactly one memory-block tag
is contained by a cache set. As a result, this memory block
is replaced by any instruction accessing the same cache set,
but accessing a different memory-block tag. In contrast,
set-associative caches group multiple cache lines into a
cache set. Therefore, evicting a memory block from a cache
set might require multiple accesses to the respective cache
set. The number of such accesses, as required to evict a
memory block from a cache set, is determined by the relative
position of the same block within the cache set. This relative
position is updated during execution according to a cache
replacement policy. In this paper, we instantiate CHALICE
for set-associative caches with LRU replacement policy.
From technical perspective, we need to modify Con-
straints (15)-(18) to reflect the working principle of set-
associative caches. Before discussing such modifications, we
introduce the concept of cache conflict, which is crucial for
formulating the cache behaviour of set-associative caches.
Definition 4.1. (Cache Conflict): rj generates a cache
conflict to ri only if executing rj can influence the relative
position of memory block accessed by ri within the cache
state ζi (i.e. the cache state before ri and after ri−1).
In order to check whether ri suffers a cache miss, we
distinguish between the following two scenarios:
1) ri accesses a memory block for the first time.
Hence, ri will suffer a cold cache miss.
2) The number of unique cache conflicts generated to
ri is sufficient to evict the memory block accessed
by ri. Hence ri will suffer a cache miss.
Constraints to formulate cold cache misses. If ri accesses
a memory block for the first time, the following condition
must hold:
Θcoldi ≡
∧
1≤k<i
(tag (rk) 6= tag (ri)
∨ set (rk) 6= set (ri))
(20)
Informally, Constraint (20) states that every instruction r ∈
{r1, r2, . . . , ri−1} either accesses a different cache set than
set(ri) or the accessed memory block has a different tag
compared to tag(ri). This leads to a cold cache miss at ri.
Constraints to formulate cache evictions. The eviction of
a memory block from the cache is critically influenced by
cache conflict. Therefore, we need to consider all scenarios
where a cache conflict might be generated. For LRU caches,
rj generates a cache conflict to ri (where j < i) only if the
following conditions hold:
1) ψcnf (j, i), ψdif (j, i) and ψeqv(j, i) hold (cf. Con-
straints (12)-(14)). This ensures that rj and ri ac-
cess the same cache set, but different memory-block
tags. Additionally, ψeqv(j, i) ensures that there does
not exist any instruction between rj and ri that
loads the memory block accessed by ri.
2) Note that multiple accesses may influence the cache
content in set-associative caches. Therefore, we
need to distinguish unique memory accesses in
order to formulate cache conflict. For instance, con-
sider the following memory accesses in sequence:
r1:m1 → r2:m2 → r3:m2 → r4:m1, where ri
captures the instruction and mj captures the re-
spective memory block being accessed. If m1 and
m2 map to the same cache set in a 2-way LRU
cache, r4 will still be a cache hit. This is because
r4 suffers cache conflict only once, from the access
to memory block m2, even though m2 has been
accessed twice (at r2 and at r3). In order to account
unique cache conflicts, we only record the cache
conflict from the closest access to different memory
blocks. For instance, in the preceding example, we
only record cache conflict from r3 to r4. Formally,
we need additional constraints to distinguish such
closest accesses. We use the constraint ψunq (j, i)
for such purpose. ψunq (j, i) is satisfiable if and
only if there does not exist any instruction between
rj (where j ∈ [1, i)) and ri that accesses the same
memory block as rj . ψunq (j, i) is formalized as
follows:
ψunq (j, i) ≡
∧
k: j<k<i
(tag(rj) 6= tag(rk)
∨ set(rj) 6= set(rk))
(21)
Constraints (12)-(14) and Constraint (21) accurately cap-
ture scenarios where rj (j ∈ [1, i)) will create a unique
cache conflict to ri. Let us assume Ψevti,j captures whether
rj creates a unique cache conflict to ri. Using the intuition
described in the preceding paragraph, we can formulate the
following constraints to set the value of Ψevti,j .
Θemj,i ≡ (ψcnf (j, i) ∧ ψdif (j, i) ∧ ψeqv (j, i)
∧ ψunq (j, i))⇒
(
Ψevtj,i = 1
)
(22)
If any of the conditions in Constraints (12)-(14) and in
Constraint (21) is not satisfied between rj and ri, then we
do not account for the cache conflict between rj and ri, as
captured by the following formulation:
Θehj,i ≡ (¬ψcnf (j, i) ∨ ¬ψdif (j, i) ∨ ¬ψeqv (j, i)
∨¬ ψunq (j, i))⇒
(
Ψevtj,i = 0
)
(23)
We use variable missi to capture whether ri is a cache
miss. Therefore, missi is set to 1 if ri is a cache miss, and
is set to 0 otherwise. We formulate the value of missi using
the following constraints:
Θmp,lrui ≡
 ∑
j∈[1,i)
Ψevtj,i ≥ A
 ∨Θcoldi (24)
Θm,lrui ≡
(
Θmp,lrui ⇒ (missi = 1)
)
(25)
Θh,lrui ≡
(
¬Θmp,lrui ⇒ (missi = 0)
)
(26)
In Constraint (24), A captures the associativity of the
cache. Once a memory block is loaded into the cache,
it requires at least A unique cache conflicts to evict the
block. If Ψevti,j ≥ A, ri has suffered at least A unique
cache conflicts since the last access of the memory block
referenced by ri – resulting ri to be a cache miss. If ri is
not a cold miss (i.e. ¬Θcoldi holds) and it has not sufferedA unique cache conflicts, ri will be a cache hit, as captured
by Constraint (26).
Putting it all together. To derive the symbolic cache behav-
ior Γ(pc), we gather all constraints over {r1, . . . , rn} and
the path condition pc as follows:
Γ(pc) ≡
pc ∧
∧
i∈[1,n]
Θm,lrui ∧Θh,lrui ∧ ∧
j∈[1,i)
Θemj,i ∧
∧
j∈[1,i)
Θehj,i

(27)
Θm,lrui and Θ
h,lru
i together bound the value of missi,
which, in turn captures whether ri is a cache miss. However,
Θm,lrui and Θ
h,lru
i are dependent on symbolic variables
Ψevtj,i where j ∈ [1, i). The bound on Ψevtj,i is captured via
Θemj,i and Θ
eh
j,i (Constraints (22)-(23)). Hence, the formula-
tion of Γ(pc) includes both Θemj,i and Θ
eh
j,i for j ∈ [1, i).
Complexity of constraints. The size of our constraint
system, in order to check cache side-channel leaks, is O(n3).
Here n is the number of memory accesses. The dominating
factor in our constraint system is the set of constraints gen-
erated from Constraint (15) and Constraint (22). In general,
we generate constraints for each pair of memory accesses
that may potentially conflict in the cache, leading to O(n2)
pairs in total. For each such pair, the constraint may have a
size O(n) — making the size of overall constraint system
to be O(n3). However, our evaluation reveals that such a
bound is pessimistic and the constraint system can be solved
efficiently for real-life embedded programs.
5. Checking Information Leak
In this section, we instantiate CHALICE for two different
observer models. In particular, we show the formulation of
Equation (5) by leveraging on our symbolic cache model
Γ(pc) (as described in Sections 4.3-4.4) and instantiating
ΦO for different observer models. We assume that tI is the
observed execution trace for input I and we wish to quantify
how much information about input I is leaked through tI .
Observation via total miss count. In this scenario, an
attacker can observe the number of cache misses in different
executions [11]. The observer O : Σ∗ → N is a function,
where a sequence of cache hits and misses are mapped
to a non-negative integer capturing the number of cache
misses. Therefore, for a given trace t ∈ Σ∗, O(t) captures
the number of cache misses in the trace t.
Recall that we use variable missi to capture whether
the i-th memory access was a cache miss. We check the
unsatisfiability of the following logical formula to record
information leak:∨
e∈Path
Γ(pce) ∧
 ∑
i∈[1,ne]
missi = O(tI)
 ∧ pi
 (28)
where ne is the number of memory accesses occurring
along path e and pi is a predicate defined on program
inputs. Concretely, if Constraint (28) is unsatisfiable, we can
establish that the information “¬pi ≡ true” is leaked through
the execution trace tI . By performing such unsatisfiability
checks over the entire program input space, we quantify
the information leak L(tI) through execution trace tI (cf.
Equation (6)).
Observation via hit/miss sequence. For an execution trace
t ∈ Σ∗, an observer can monitor hit/miss sequences from
t [6]. Concretely, let us assume {o1, o2, . . . , ok} is the set of
positions in trace t where the observation occurs. If n is the
total number of memory accesses in t, we have oi ∈ [1, n]
for each i ∈ [1, k].
We define the observer O : Σ∗ → {0, 1}k as a projection
from the execution trace onto a bitvector of size k. Such a
projection satisfies the following conditions: O(t)i = 1 if
toi = m and O(t)i = 0 otherwise. O(t)i captures the i-th
bit of O(t) and similarly, toi captures the oi-th element in
the execution trace t. Note that a strong observer could map
the entire execution trace to a bitvector of size n.
For such an observer, we check the unsatisfiability of
the following formula to record information leak:
∨
e∈Path
Γ (pce) ∧ ∧
i∈{1,2,...,k}
(
oi ≤ ne
∧missoi = O(tI)i
)
∧ pi

(29)
where pi is a predicate on program inputs. By generating
such predicates over the input space, we quantify the infor-
mation leaked about input I via L(tI) (cf. Equation (6)).
Although we instantiate CHALICE for two observer
models, we believe that our framework is generic to capture
a wide range of such models. In particular, we can tune
CHALICE for any observer model that is expressed via
symbolic constraints over variables missi.
6. Implementation Aspects
In this section, we discuss some crucial implementation
aspects for the efficiency and effectiveness of CHALICE.
Implementation setup. We implemented CHALICE on top
of the KLEE symbolic virtual machine [2]. However, in
order to design such an implementation, we faced the fol-
lowing challenges.
/* load local variable */ 
load  reg1, 16[@Sp] 
beq   reg1, 127, L2 
L1: load  reg2, 24[@Sp] 
    br L3   
L2: load  reg2, 32[@Sp] 
L3: add reg1, reg2 
/* register spill */ 
store reg1, 16[@Sp] 
load reg1, 40[@Sp] 
sub  reg1, reg2
/* load local variable */ 
%0 = getelemptr i8* @Sp, i8 16 
%1 = load  i8* %0 
%2 = icmp eq i8 %1, 127 
br i1 %2, label L1, label L2 
L1: %3 = getelemptr i8* @Sp, i8 24 
 %4 = load i8* %3 
    br label L3   
L2: %5 = getelemptr i8* @Sp, i8 32  
 %6 = load i8* %5  
L3: %7 = phi i8 [%4, L1], [%6, L2] 
 %8 = add i8 %1, %7 
/* register spill */ 
store i8 %1, i8* %0 
%9 =  getelemptr i8* @Sp, i8 40  
%10 = load i8* %9 
%11 = sub i8 %10, %7
(a) Binary code, assume all loads  
are loading bytes
(b) Translated LLVM code,  
some details are removed for clarity 
Figure 5. Translation from binary code to LLVM code
KLEE works on LLVM bitcode [4]. Considering cache
performance, at the level of LLVM bitcode, introduces
several inaccuracies. For instance, LLVM bitcode uses an
unbounded number of virtual registers. In contrast, any given
execution platform only contains a finite number of physical
registers. In order to understand how this impacts memory
performance, consider the example in Figure 5.
In Figure 5, we assume that the execution platform con-
tains only two physical registers. As a result, a register spill
is required in the binary code to preserve the functionality
of the LLVM bitcode. In general, aggressive compiler opti-
mizations may change the structure and memory behaviour
of the LLVM bitcode dramatically, when translated into
native binary.
In order to solve this challenge and still use the power
of symbolic execution on target-independent LLVM bitcode,
we have designed a translator that converts binary code
to LLVM bitcode. Such a translation must preserve the
following properties to produce a valid LLVM bitcode. First,
we ensure that each load/store instruction in the binary code
to have a functionally equivalent load/store instruction in the
translated bitcode. Secondly, we preserve the static-single-
assignment (SSA) form of LLVM bitcode by systematically
inserting Phi functions. Thirdly, several instructions at the
machine code may require multiple LLVM instructions to
implement. The LWL and LWR are such machine-level in-
structions for MIPS architecture. Finally, LLVM bitcode is
strongly typed. As a result, LLVM bitcode uses different
instructions for pointer arithmetic as compared to general-
purpose arithmetic. We use a lightweight type inference
on the binary code and compute the appropriate LLVM
instruction for a given machine-level instruction. Figure 5(b)
demonstrates how the example binary code is translated
into LLVM bitcode. The instruction getelemptr handles
pointer arithmetic in the LLVM bitcode.
From a technical point of view, we have designed a
translator that converts PISA binaries (a MIPS like archi-
tecture) into LLVM bitcode. Such a translator is unique
in the sense that it focuses on preserving the memory
behaviour during the translation. Nevertheless, our translator
may introduce additional instructions to preserve the SSA
semantics of LLVM bitcode. Such additional instructions
are not part of the binary code. In order to exclude such in-
structions from our analysis, we annotate the LLVM bitcode
with a mapping from each memory-related instruction in the
binary to the respective memory-related instruction in the
LLVM bitcode. As a result, CHALICE accurately captures
the cache side-channel leaks for applications compiled into
PISA binaries.
Our translator currently does not handle indirect jump
instructions. However, we can use a lightweight static anal-
ysis to compute the potential targets for indirect jumps
and the translator can easily be modified to take this into
account. Besides, CHALICE is modular in the sense that it
can easily be adapted for a different architecture. This can
be accomplished only by extending the translator to convert
the respective machine code into LLVM bitcode.
Program Lines of Lines of Max. #Memory
C code LLVM code access
AES [1] 800 4950 2134
AES [3] 1428 1800 420
DES [3] 552 3990 334
RC4 [3] 160 668 1538
RC5 [3] 256 1820 410
gdk_keyval_to_unicode 1300 268 114
gdk_keyval_name 1350 1408 12
TABLE 1. SALIENT FEATURES OF THE EVALUATED SUBJECT PROGRAMS
Reducing the number of constraints. In order to reduce
the size of Γ(pc), we first inspect constraints generated for
each memory-related instruction individually. In particular,
for each memory-related instruction ri, we check whether
the respective memory access leads to a cache miss (or
hit) for all inputs satisfying pc. For instance, consider
Constraints (17)-(18) for direct-mapped caches. In order
to check whether instruction ri is a miss for all inputs
I ⇒ pc, we check the validity of the constraint pc∧Θmp,diri .
Similarly, we check the unsatisfiability of the constraint
pc ∧ Θmp,diri , to prove that ri is always a cache hit for all
inputs I ⇒ pc. If pc∧Θmp,diri is valid (resp. unsatisfiable),
we can directly consider missi to be 1 (resp. 0) within the
symbolic cache model Γ(pc). As a result, we discard all
constraints Θm,diri and Θ
h,dir
i in formulating Γ(pc). It is
worthwhile to note that this optimization increases the time
to process a single memory-related instruction, as the solver
is called at each memory access. However, we discovered
that in practice, this step dramatically reduces the size of
Γ(pc), making our information leak detection tractable.
7. Evaluation
Experimental setup. In order to evaluate the ef-
fectiveness of CHALICE, we have chosen cryptographic
applications from OpenSSL library [3] and other software
repository [1], as well as applications from Linux GDK
library. The choice of our subject programs is motivated by
the critical importance of validating security-related prop-
erties in these applications. Some salient features of the
evaluated subject programs is outlined in Table 1. We have
performed all our experiments on an Intel I7 machine with
8GB of RAM and running Debian as operating systems.
7.1. Generating Predicates on Inputs
Using CHALICE, we can select an arbitrary number of
bits in the program input to be symbolic. These symbolic
bits capture the high sensitivity of the input subspace and our
framework focuses to quantify the information leaked about
this subspace. For instance, in encryption routines, the bits
of private input (e.g. a secret key) can be made symbolic.
Without loss of generality, in the following discussion, we
assume that the entire input is sensitive and we make all
input bits to be symbolic.
Let us assume N -byte program input. We use the no-
tation k[i] to capture the i-th byte of an arbitrary input k.
Similarly, we use k[i, j] to capture the j-th bit of the i-th
byte in k. We generate the following predicates on inputs
for quantifying information leak L(tI) (cf. Equation (6)).
Pbit = {k[i, j] = v | i ∈ [1, N ], j ∈ [1, 8], v ∈ [0, 1]}
Pbyte = {k[i] = v | i ∈ [1, N ], v ∈ [0, 255]}
It is worthwhile to mention that for a 16-byte sensitive
input (e.g. in AES-128), Pbit and Pbyte lead to 256 and
4096 calls to the solver, respectively to quantify L(tI).
7.2. Experience with AES-128
We used two different implementations [1], [3] of the
Advanced Encryption Standard (AES). AES is a widely used
encryption standard for achieving confidential communica-
tion. AES has been of great importance for delivering se-
curity in embedded systems because of its sound protection
strength and high throughput (e.g. even on credit cards).
Therefore, it is crucial to validate security-related properties,
such as side-channel resistance, for AES.
AES has input-dependent memory accesses. In partic-
ular, different encryption rounds of AES revolve around
accessing an sbox – a matrix-like structure kept in main
memory (DRAM). During encryption, AES code accesses
varied locations in the sbox. The location of the sbox
being accessed, for a given instruction, depends on the secret
key. That is, the sequence of memory blocks, accessed dur-
ing encryption, is dependent on the value of secret key. As
a result, we potentially obtain different cache performance
for different secret keys.
7.2.1. Key result. We used an 8 KB direct-mapped cache
with a line size of 32 bytes. This size is big enough to keep
the entire sbox of AES in the cache. We executed AES in
simplescalar simulator [8] (cf. Figure 1) with a test suite and
obtained the respective set of observations (e.g. number of
cache misses). For such observations, we intended to check
how much information is leaked through a bit or a byte,
by generating predicates Pbit and Pbyte (as described in
Section 7.1), respectively.
For the collected set of observations, CHALICE quan-
tifies L(tI) to be 0 when the set of predicates Pbit is
used. Therefore, each observation (e.g. the number of cache
misses) is possible irrespective of whether an arbitrary bit
of the AES input (in both implementations of AES [1], [3])
is “1” or “0”. Therefore we deduce, for the given set of
observations, there does not exist any dependency between
the cache performance and the value of an arbitrary bit of
the key.
Figure 6(a) captures an outline of information leak high-
lighted via CHALICE, for two different implementations of
AES [1], [3]. For each byte of the 16-byte secret key, we
show the amount of information leaked through the num-
ber of cache misses. For instance, we establish for certain
observations, that as many as 251 values (out of 256) are
leaked for each byte of AES key (in the implementation [1]).
This means, there exists at least 25116 possible keys (out
of a total 2128) that can be eliminated just by observing
the cache misses. Such an information gives the designer
valuable insights when designing embedded systems, both
in terms of choosing an AES key and a cache architecture,
in order to avoid serious security breaches. In contrast to
the implementation of [1], we can observe from Figure 6(a)
that the implementation of AES from OpenSSL exhibits
substantially fewer information leaks. For instance, certain
key bytes of OpenSSL AES do not leak any information
through the number of cache misses.
In our framework, we also investigated on adversaries
who can observe the sequence of cache hits and misses,
instead of just the overall number of cache misses. However,
to simplify our evaluation, we focused on sequences of
length 1, and considered all the memory accesses. Our goal
is to check the dependency between the AES-key and the
hit/miss characteristics of an arbitrary memory access.
Figure 6(b) captures a snapshot of dependencies between
AES-key bytes and the cache behavior of different memory
accesses. For instance, the maximum values leaked through
a byte can be as high as 235, as shown via Figure 6(b).
Similar to Figure 6(a), we also observe that the AES imple-
mentation from OpenSSL leaks substantially less informa-
tion, as compared to the implementation in [1], when cache
behavior is observed individually for each memory access.
7.2.2. Sensitivity of Information Leak w.r.t Cache Size.
Figures 7-8 capture the sensitivity of information leakage
with respect to different configurations. For all experiments,
the replacement policy is set to LRU and the cache-line
size is set to a fixed 32 bytes. Figures 7(a)-(b) captures
the information-leakage-sensitivity for observations via a
given number of cache misses. Increasing cache size (or
associativity) may have two contrasting effects as follows.
For a given cache size, let us assume a subset of the input
space I=C ⊆ I<C ∪ I=C ∪ I>C (where I<C ∪ I=C ∪ I>C
is the entire input space) which leads to C cache misses.
Increasing cache size reduces cache conflict. Therefore, it
is possible that some input i ∈ I>C , which leads to more
than C cache misses with a smaller cache, produces C cache
misses with the increased cache size. This tends to increase
the number of inputs leading to C cache misses, thus re-
ducing the amount of information leaked through observing
C misses. Secondly, some input i ∈ I=C may have less
than C cache misses with increased cache size. This may
reduce the number of inputs having C cache misses, thus
increasing the potential leakage through the observation of
C cache misses. In Figure 7(a), the reduction in cache side-
channel leakage is visible for cache sizes up to 16 KB, for
AES implementation from [1]. However, for a 4-way 32 KB
cache, we observe the increase in information leakage. This
is because the number of possible keys, leading to a given
observation, is reduced considerably.
Figures 8(a)-(b) capture the sensitivity of information
leakage (w.r.t. cache size) for an adversary who can ob-
serve the cache behavior of an arbitrary memory access.
Concretely, consider the bars in Figure 8(a) for 8 KB and
32 KB caches. For a 2-way, 8 KB cache, a significant
information about the first key byte is leaked. With 32 KB
 0
 50
 100
 150
 200
 250
 300
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
# v
a l
u e
s  
l e
a k
e d
 p
e r
 b
y t
e
Key bytes
Cache side-channel leak in AES (observation via miss count)
AES from basic Crypto AES from OpenSSL
 0
 50
 100
 150
 200
 250
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
# v
a l
u e
s  
l e
a k
e d
 p
e r
 b
y t
e
Key bytes
Cache side-channel leak in AES (observation via hit/miss sequence length 1)
AES from basic Crypto AES from OpenSSL
(a) (b)
Figure 6. Information leak observed using an 8 KB direct-mapped cache
 50
 100
 150
 200
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
# v
a l
u e
s  
l e
a k
e d
 p
e r
 b
y t
e
Key bytes
Cache side-channel leak in AES (basic crypto) w.r.t. cache configurations (observation via miss count)
2-way, 8KB
4-way, 8KB
2-way, 16KB
4-way, 16KB
2-way, 32 KB
4-way, 32 KB
 5
 10
 15
 20
 25
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
# v
a l
u e
s  
l e
a k
e d
 p
e r
 b
y t
e
Key bytes
Cache side-channel leak in AES (OpenSSL) w.r.t. cache configurations (observation via miss count)
2-way, 8KB
4-way, 8KB
2-way, 16KB
4-way, 16KB
2-way, 32 KB
4-way, 32 KB
(a) (b)
Figure 7. Information leak in AES w.r.t. observations based on miss count (set-associative caches employing LRU policy)
caches, the number of cache conflicts reduces substantially,
but we observe substantial leakage of information about key
bytes one, six and ten. Therefore, even though the increased
cache size improves performance, it might make the overall
system potentially less secure, as shown in Figure 8(b). In
summary, we believe such insights are valuable for designers
to build secure systems.
The evaluation also reveals that the AES implementa-
tion from OpenSSL exhibits information leak, as shown in
Figure 8(b). Figure 8(b) highlights the last four bytes of the
key to experience more leakage of information as compared
to other key bytes.
7.3. Experience with DES
Data Encryption standard (DES) [3] is a symmetric key
algorithm for electronic data. The OpenSSL implementa-
tion of DES encrypts 64 bit message with a 64 bit secret
key. Figures 9(a)-(b) summarize our result on quantifying
information leak in DES. Figure 9(a) reports information
leaks through observing miss count. For instance, using
8KB caches, DES leaks more than 150 values for several
key bytes. In contrast, information leak in the OpenSSL
version of AES is relatively sparse and it generally leaks
less information about key bytes (cf. Figure 7(b)). In Fig-
ure 9(b), we observe a similar trend, as DES continues to
suffer from information leak when the cache behavior of an
arbitrary memory access is observed. Our results summarize
potentially insecure nature of DES, even if we only consider
security leaks through cache behaviour.
7.4. Experience with RC4
RC4 [3] is a stream cipher. It uses variable length key
(between 40 and 2048 bits) and it is considered to be vul-
nerable in many applications. In our evaluation, we studied
how RC4 leaks information through cache side channels.
We analyzed the OpenSSL version of RC4 implementation,
where we fixed the size of key to be 64 bits. Figures 10(a)-
(b) outline our findings. Figure 10(a) summarizes our results
for miss-count-based observer models. CHALICE highlights
information being leaked about the first byte. For bigger
 50
 100
 150
 200
 250
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
# v
a l
u e
s  
l e
a k
e d
 p
e r
 b
y t
e
Key bytes
Information leak in AES (basic crypto) w.r.t. cache configurations (observation via hit/miss sequence length 1)
2-way, 8KB
4-way, 8KB
2-way, 16KB
4-way, 16KB
2-way, 32 KB
4-way, 32 KB
 50
 100
 150
 200
 250
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
# v
a l
u e
s  
l e
a k
e d
 p
e r
 b
y t
e
Key bytes
Information leak in AES (OpenSSL) w.r.t. cache configurations (observation via hit/miss sequence length 1)
2-way, 8KB
4-way, 8KB
2-way, 16KB
4-way, 16KB
2-way, 32 KB
4-way, 32 KB
(a) (b)
Figure 8. Information leak in AES w.r.t. observations based on hit/miss sequence
 0
 50
 100
 150
 200
 250
1 2 3 4 5 6 7 8
# v
a l
u e
s  
l e
a k
e d
 p
e r
 b
y t
e
Key bytes
Cache side-channel leak in OpenSSL DES (observation via miss count)
1-way, 4KB
2-way, 8KB
4-way, 8KB
2-way, 16KB
4-way, 16KB
2-way, 32 KB
4-way, 32 KB
 0
 20
 40
 60
 80
 100
 120
 140
 160
 180
 200
1 2 3 4 5 6 7 8
# v
a l
u e
s  
l e
a k
e d
 p
e r
 b
y t
e
Key bytes
Cache side-channel leak in OpenSSL DES (observation via hit/miss sequence length 1)
1-way, 4KB
2-way, 8KB
4-way, 8KB
2-way, 16KB
4-way, 16KB
2-way, 32 KB
4-way, 32 KB
(a) (b)
Figure 9. Information leak in DES w.r.t. different observer models
cache sizes (e.g. > 16KB), such information leak disappears,
as the executions of RC4 only suffer the minimum number
of misses to load all the memory blocks into the cache.
Figure 10(b) highlights information leaks when the
cache hit/miss characteristics of arbitrary memory accesses
are observed. With respect to such observations, we identify
that a substantial information may leak (254 values out of
a total of 256) about the first byte. However, with bigger
cache sizes, such information leak disappears.
7.5. Experience with RC5
RC5 [3] is a symmetric block cipher, which is suitable
for both software and hardware implementation. RC5 has a
variable word size and a variable-length secret key. In our
evaluation, we analyzed the RC5 implementation available
in the OpenSSL library and we fixed size of both the
plaintext and the secret key to be 16 bytes.
During the execution of RC5, our tool CHALICE does
not report any symbolic memory address. This means, for
any memory-related instruction, the referenced address is
independent of secret key. As a result, cache performance
(i.e. number of cache misses or the sequence of hits and
misses) of RC5 is unrelated to input and does not exhibit
information leak with respect to the observer models studied
in this paper. It is also worthwhile to mention that RC5
does not have any key-dependent branches. Therefore, we
can turn the report generated by CHALICE into verification,
meaning that we can prove the absence of information leak
according to the observer models explored in this paper.
7.6. Experience with GDK Library
Figures 11(a)-(b) present the average information leak
discovered in routines gdk_keyval_to_unicode and
gdk_keyval_name from the Linux GDK library. As
shown in Figure 11, several scenarios lead to a com-
plete disclosure of information for the third and the fourth
byte of input (i.e. 255 out of 256 values are leaked for
these bytes). Moreover, the reported information leak per-
sists across a wide-range of cache configurations. Upon
close inspection, we discovered that the cache behaviour of
 0
 5
 10
 15
 20
 25
 30
 35
 40
 45
 50
1 2 3 4 5 6 7 8
# v
a l
u e
s  
l e
a k
e d
 p
e r
 b
y t
e
Key bytes
Cache side-channel leak in OpenSSL RC4 (observation via miss count)
1-way, 4KB
2-way, 8KB
4-way, 8KB
2-way, 16KB
4-way, 16KB
2-way, 32 KB
4-way, 32 KB
 0
 50
 100
 150
 200
 250
 300
1 2 3 4 5 6 7 8
# v
a l
u e
s  
l e
a k
e d
 p
e r
 b
y t
e
Key bytes
Cache side-channel leak in OpenSSL RC4 (observation via hit/miss sequence length 1)
1-way, 4KB
2-way, 8KB
4-way, 8KB
2-way, 16KB
4-way, 16KB
2-way, 32 KB
4-way, 32 KB
(a) (b)
Figure 10. Information leak in RC4 w.r.t. different observer models
 50
 100
 150
 200
 250
1 2 3 4
# v
a l
u e
s  
l e
a k
e d
 p
e r
 b
y t
e
Input bytes
Average cache side-channel leak in GDK routines w.r.t. cache configurations (observation via miss count)
1-way, 8KB
2-way, 8KB
4-way, 8KB
2-way, 16KB
4-way, 16KB
2-way, 32 KB
4-way, 32 KB
 50
 100
 150
 200
 250
1 2 3 4
# v
a l
u e
s  
l e
a k
e d
 p
e r
 b
y t
e
Input bytes
Average cache side-channel leak in GDK routines w.r.t. cache configurations (observation via miss sequence)
1-way, 8KB
2-way, 8KB
4-way, 8KB
2-way, 16KB
4-way, 16KB
2-way, 32 KB
4-way, 32 KB
(a) (b)
Figure 11. Information leak in Linux GDK library w.r.t. different observer models
TABLE 2. T1 CAPTURES AVERAGE TIME TAKEN FOR ONE SOLVER CALL, Tbyte CAPTURES THE AVERAGE TIME TAKEN TO CHECK INFORMATION
LEAK FOR ONE INPUT BYTE AND Tall CAPTURES THE TIME TAKEN TO CHECK INFORMATION LEAK VIA ALL PREDICATES IN Pbyte (cf. SECTION 7.1)
Subject program Observation via total miss count Observation via hit/miss of an arbitrary access
Constraint size Peak mem. T1 Tbyte Tall Constraint size Peak mem. T1 Tbyte Tall
AES [1] 144072 261M ≈ 20 sec 1 hour 16 hours 1580 105M < 1 sec ≈ 1 min 16 min
AES [3] 21444 129M ≈ 18 sec 77 min 20 hours 265 90M < 1 sec ≈ 2 min 45 min
DES [3] 53808 127M ≈ 10 sec 50 min 8 hours 1809 35M < 1 sec ≈ 1 min 12 min
RC4 [3] 38622 1.1G ≈ 4 sec 15 min 4 hours 490 32M < 1 sec ≈ 1 min 16 min
RC5 [3] 0 28.3M ≈ 15 sec ≈ 15 sec ≈ 15 sec 0 29.2M ≈ 14 sec ≈ 14 sec ≈ 14 sec
GDK 21 102M < 1 sec < 1 sec ≈ 2 min 21 100M < 1 sec < 1 sec ≈ 1 min
gdk_keyval_to_unicode and gdk_keyval_name
is primarily dominated by the number of cold cache misses,
which, in turn is heavily influenced by the path exe-
cuted in the respective routine. As a result, observing
the cache performance may lead to a disclosure of the
(set of) paths taken in gdk_keyval_to_unicode and
gdk_keyval_name. Since we include path condition pc
within our symbolic cache model Γ(pc) (cf. Constraint (19)
and Constraint (27)), we can accurately quantify the infor-
mation leak even in the presence of multiple program paths.
7.7. Analysis Time
Table 2 outlines the analysis time for different subject
programs while using a direct-mapped 8KB cache. In most
cases, a single call to the solver, which reports informa-
tion leak via unsatisfiability check (e.g. Constraint (5)),
is efficient. Due to the repeated calls to solver, checking
the information leakage, for the entire input space, takes
significant time. However, CHALICE incorporates anytime
strategy, meaning the more time it runs the more accurately
it can quantify the information leak. Besides, the timing
reported in Table 2 is either consistent or decreases with
increasing cache size. This is due to the fact that our
symbolic cache model uses the notion of cache conflict to
encode the cache behaviour and the size of our model does
not vary dramatically with increasing cache size. Finally, the
performance of CHALICE can be improved drastically using
a parallel implementation. For instance, we can assign one
or more independent threads to check information leaked
about each input byte. We plan to implement such a parallel
version of CHALICE in the future. Table 2 only reports
timing for a sequential implementation in this paper.
7.8. Discussion
For the sake of brevity, we have only presented the quan-
tification of information leak discovered through CHALICE.
Of course, due to the symbolic nature of our analysis,
CHALICE not only quantifies information leak, it also high-
lights which values might leak through a potential cache
attack. Furthermore, for each memory-related instruction,
CHALICE highlights the set of input values that may leak
for a given execution. In summary, the report generated
by CHALICE can be leveraged for debugging and fixing
critical information leak scenarios. Some of the potential
debugging strategies would be to restructure the code,
suppressing or enabling compiler optimizations (such as
bypassing the cache for certain memory blocks or using
software-controlled memory) and choosing an appropriate
hardware platform. In future, we plan to use CHALICE to
study the impact of such hardware/software transformations
on information leak.
8. Related Work
The closest to our work are approaches based on static
analysis [16], [21]. These works quantify information leak
from the static representation of a program. In particular,
the information leak is quantified via the unique number of
observations made by an attacker. As a result, these works
are incapable to highlight critical information leak scenar-
ios when a particular observation leaks substantially more
information than the rest. CHALICE quantifies information
leak from execution traces and therefore, it does not suffer
from the aforementioned limitation. Our work is orthogonal
to approaches proposed in [7], [10]. In particular, our ap-
proach targets arbitrary software binaries and it is not limited
to the verification of constant-time cryptographic software.
Besides, our approach has a significant flavor of testing
and debugging, as we highlight information leak scenarios
directly from execution traces. A recent work [22] aims to
quantify side-channel leakage via symbolic execution and
Max-SMT. However, this work does not take into account
side-channel leaks through micro-architectural entities, such
as caches.
Over the last few decades, cache-based side-channel
attacks have emerged to be a prevalent class of security
breaches for many systems. A detailed account on these
attacks can be found in the survey [17]. The observer models
used in this paper are based on existing cache attacks [6],
[11]. However, we believe that CHALICE is generic to
incorporate more advanced attack scenarios [12], [19], [20],
as long as the attacks are expressed via the intuition given
in Section 5.
To defend against cache-based side-channel attacks, sev-
eral countermeasures have been proposed over the past few
years. Some of these countermeasures require hardware
support, such as designing new cache architecture [26] or
compiler support, such as devising new instruction-based
scheduling [23]. More recently, the approach described
in [14] leverages on software diversity at runtime to random-
ize the cache behavior and hence, reducing the probability
for a potential cache side-channel attack. Our proposal is
orthogonal to approaches proposing countermeasures. Of
course, we believe that our framework can be leveraged as a
valuable tool to discover potential flaws in countermeasures
proposed to mitigate cache side channels.
Finally, static cache analysis [24] is still an active re-
search topic. Compared to static cache analysis, our ap-
proach has significant flavors of testing and debugging.
Moreover, our approach can highlight memory accesses that
leak significant information via side-channels. This can be
leveraged to drive security-related optimizations.
In summary, we propose a new approach to quantify
cache side-channel leakage from execution traces and not
from the static representation of the program. We demon-
strate that such an approach clearly has benefits over ap-
proaches based on static or logical analysis. This is because
CHALICE can highlight critical information leak scenarios
that are impossible to be discovered by competitive static or
logical analysis.
9. Concluding Remarks
In this paper, we propose a new approach to quantify
cache side-channel leakage. To the best of our knowledge,
CHALICE is the first work to categorize input segments with
respect to memory performance. We illustrate that the mech-
anism of CHALICE is highly desirable for security testing
of arbitrary software, specifically, to detect the amount of
information that can leak through memory performance.
Besides security testing, CHALICE can also be used to
discover bugs while writing constant-time cryptographic
applications. We demonstrate the usage of CHALICE to
highlight critical information leak scenarios in real-world
software – including applications from OpenSSL and Linux
GDK libraries.
We believe CHALICE provides a platform to lift the
state-of-the-art in security testing, in particular, detecting
security-related flaws due to side channels. As a result, we
envision to extend CHALICE for side channels other than
caches and use it to detect the potential of advanced side-
channel attacks not investigated in this paper. We hope that
the core idea of CHALICE would influence regular activities
in software testing and in testing regressions.
References
[1] Advanced Encryption Standard Implementation. https://github.com/
B-Con/crypto-algorithms.
[2] KLEE LLVM execution engine. https://klee.github.io/.
[3] OpenSSL Library. https://github.com/openssl/openssl/tree/master/
crypto.
[4] The LLVM compiler infrastructure. http://llvm.org/.
[5] UC Davis, Mathematics. Latte integrale. https://www.math.ucdavis.
edu/∼latte/.
[6] Onur Acıic¸mez and C¸etin Kaya Koc¸. Trace-driven cache attacks on
AES. In Information and Communications Security. Springer, 2006.
[7] Jose´ Bacelar Almeida, Manuel Barbosa, Gilles Barthe, Franc¸ois Du-
pressoir, and Michael Emmi. Verifying constant-time implementa-
tions. In USENIX, pages 53–70, 2016.
[8] Todd Austin, Eric Larson, and Dan Ernst. SimpleScalar: An infras-
tructure for computer system modeling. Computer, 35(2), 2002.
[9] Earl T Barr, Mark Harman, Phil McMinn, Muzammil Shahbaz, and
Shin Yoo. The oracle problem in software testing: A survey. IEEE
transactions on software engineering, 41(5):507–525, 2015.
[10] Gilles Barthe, Gustavo Betarte, Juan Diego Campo, Carlos Daniel
Luna, and David Pichardie. System-level non-interference for
constant-time cryptography. In CCS, pages 1267–1279, 2014.
[11] Daniel J Bernstein. Cache-timing attacks on AES, 2005.
[12] Billy Bob Brumley and Risto M Hakala. Cache-timing template
attacks. In ASIACRYPT. Springer, 2009.
[13] James Clause, Wanchun Li, and Alessandro Orso. Dytan: a generic
dynamic taint analysis framework. In ISSTA. ACM, 2007.
[14] Stephen Crane, Andrei Homescu, Stefan Brunthaler, Per Larsen,
and Michael Franz. Thwarting cache side-channel attacks through
dynamic software diversity. In NDSS, 2015.
[15] John Demme, Robert Martin, Adam Waksman, and Simha Sethu-
madhavan. Side-channel vulnerability factor: A metric for measuring
information leakage. In ISCA, 2012.
[16] Goran Doychev, Boris Ko¨pf, Laurent Mauborgne, and Jan Reineke.
CacheAudit: a tool for the static analysis of cache side channels.
TISSEC, 18(1):4, 2015.
[17] Qian Ge, Yuval Yarom, David Cock, and Gernot Heiser. A survey
of microarchitectural timing attacks and countermeasures on con-
temporary hardware. In Cryptology ePrint Archive, 2016. https:
//eprint.iacr.org/2016/613.pdf/.
[18] Patrice Godefroid, Nils Klarlund, and Koushik Sen. DART: directed
automated random testing. In PLDI, 2005.
[19] Daniel Gruss, Raphael Spreitzer, and Stefan Mangard. Cache template
attacks: Automating attacks on inclusive last-level caches. In USENIX
Security, 2015.
[20] David Gullasch, Endre Bangerter, and Stephan Krenn. Cache games–
bringing access-based cache attacks on AES to practice. In IEEE
Symposium on Security and Privacy. IEEE, 2011.
[21] Boris Ko¨pf, Laurent Mauborgne, and Martı´n Ochoa. Automatic
quantification of cache side-channels. In CAV. Springer, 2012.
[22] Corina S. Pasareanu, Quoc-Sang Phan, and Pasquale Malacaria.
Multi-run side-channel analysis using symbolic execution and max-
smt. In CSF, 2016.
[23] Deian Stefan, Pablo Buiras, Edward Z Yang, Amit Levy, David
Terei, Alejandro Russo, and David Mazie`res. Eliminating cache-based
timing attacks with instruction-based scheduling. In ESORICS, pages
718–735. Springer, 2013.
[24] Henrik Theiling, Christian Ferdinand, and Reinhard Wilhelm. Fast
and precise WCET prediction by separated cache and path analyses.
Real-Time Systems, 18(2-3), 2000.
[25] Eran Tromer, Dag Arne Osvik, and Adi Shamir. Efficient cache at-
tacks on aes, and countermeasures. Journal of Cryptology, 23(1):37–
71, 2010.
[26] Zhenghong Wang and Ruby B. Lee. New cache designs for thwarting
software cache-based side channel attacks. In ISCA, pages 494–505,
2007.
