Microarchitectural attacks compromise security by exploiting software-visible
artifacts of microarchitectural optimizations such as caches and speculative
execution. Defending against such attacks at the software level requires an
appropriate abstraction at the instruction set architecture (ISA) level that
captures microarchitectural leakage. Hardware-software leakage contracts have
recently been proposed as such an abstraction. In this paper, we propose a
semi-automatic methodology for synthesizing hardware-software leakage contracts
for open-source microarchitectures. For a given ISA, our approach relies on
human experts to (a) capture the space of possible contracts in the form of
contract templates and (b) devise a test-case generation strategy to explore a
microarchitecture's potential leakage. For a given implementation of an ISA,
these two ingredients are then used to automatically synthesize the most
precise leakage contract that is satisfied by the microarchitecture. We have
instantiated this methodology for the RISC-V ISA and applied it to the Ibex and
CVA6 open-source processors. Our experiments demonstrate the practical
applicability of the methodology and uncover subtle and unexpected leaks