CANAL: A Cache Timing Analysis Framework via LLVM Transformation

@article{Sung2018CANALAC,
  title={CANAL: A Cache Timing Analysis Framework via LLVM Transformation},
  author={Chungha Sung and Brandon Paulsen and Chao Wang},
  journal={2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE)},
  year={2018},
  pages={904-907}
}
A unified modeling framework for non-functional properties of a program is essential for research in software analysis and verification, since it reduces burdens on individual researchers to implement new approaches and compare existing approaches. We present CANAL, a framework that models the cache behaviors of a program by transforming its intermediate representation in the LLVM compiler. CANAL inserts auxiliary variables and instructions to allow standard verification tools to handle a new… 

Figures and Tables from this paper

Mitigating power side channels during compilation
TLDR
A type-based technique for detecting leaks, which leverages Datalog-based declarative analysis and domain-specific optimizations to achieve high efficiency and accuracy and a mitigation technique for the compiler's backend, more specifically the register allocation modules, to ensure that leaky intermediate computation results are stored in different CPU registers or memory locations.
Abstract interpretation under speculative execution
TLDR
The notion of virtual control flow to augment instructions that may be speculatively executed and thus affect subsequent instructions is introduced and the analysis efficient is proposed to handle merges and loops and to safely bound the speculative execution depth.
SPECUSYM: Speculative Symbolic Execution for Cache Timing Leak Detection
TLDR
This work proposes a new symbolic execution based method, Specusym, for precisely detecting cache timing leaks introduced by speculative execution and implemented SpecuSym atop KLEE, which successfully detected from 2 to 61 leaks in 6 programs under 3 different cache settings.
Data-Driven Synthesis of Provably Sound Side Channel Analyses
TLDR
This work proposes a data-driven method for synthesizing static analyses to detect side-channel information leaks in cryptographic software and guarantees soundness by proving each learned analysis rule via a technique called query containment checking.
Adversarial symbolic execution for detecting concurrency-related cache timing leaks
TLDR
This work develops a new method, named adversarial symbolic execution, that systematically explores both the feasible program paths and their interleavings while modeling the cache, and leverages an SMT solver to decide if there are timing leaks.
ct-fuzz: Fuzzing for Timing Leaks
TLDR
The ct-fuzz tool is presented, which lends coverage-guided grey box fuzzers the ability to detect two safety property violations, and is capable of exposing violations to any two-safety property expressed a sequality between two program traces.
Parametric Timed Model Checking for Guaranteeing Timed Opacity
TLDR
This work addresses the following problem: given a timed system, synthesize the execution times for which one cannot deduce whether the system performed some secret behavior, and solves this problem in the setting of timed automata (TAs).
Runtime Verification: 19th International Conference, RV 2019, Porto, Portugal, October 8–11, 2019, Proceedings
TLDR
A retrospective of the Monitoring and Checking project, which gave rise to a framework for runtime monitoring with respect to formally specified properties and built a pioneering runtime verification tool, Java-MaC, that was an instantiation of the approach to check properties of Java programs.
Debreach: Mitigating Compression Side Channels via Static Analysis and Transformation
TLDR
Debreach, a static analysis and program transformation based approach to mitigating compression side channels, uses taint analysis to soundly identify flows of sensitive data in the program and uses code instrumentation to annotate data before feeding them to the compressor.
Verifying and Quantifying Side-channel Resistance of Masked Software Implementations
TLDR
This work proposes a refinement-based method for verifying masking countermeasures and proposes algorithms for quantifying the amount of side-channel information leakage from a software implementation using the notion of quantitative masking strength.
...
1
2
...

References

SHOWING 1-10 OF 17 REFERENCES
Scalable and Precise Refinement of Cache Timing Analysis via Model Checking
TLDR
This paper proposes a novel approach of combining abstract interpretation and model checking for different varieties of cache analysis ranging from single to multi-core platforms and demonstrates that it can obtain significant improvement in precision with reasonable analysis time overhead.
SMACK: Decoupling Source Language Details from Verifier Implementations
TLDR
To decouple the implementations of verification algorithms from the details of source languages, and enable rapid prototyping on production code, SMACK is developed, a translator from the LLVM intermediate representation into the Boogie intermediate verification language (IVL).
Precise Cache Timing Analysis via Symbolic Execution
TLDR
This work presents a framework for WCET analysis of programs with emphasis on cache micro-architecture, and presents an experimental evaluation on well known benchmarks to show that systematic path-sensitivity in fact brings significant accuracy gains, and that the algorithm still scales well.
Eliminating timing side-channel leaks using program repair
TLDR
The method is implemented in LLVM and validated on a large set of applications, which are cryptographic libraries with 19,708 lines of C/C++ code in total, and ensures that the number of CPU cycles taken to execute any path is independent of the secret data.
Cache modeling for real-time software: beyond direct mapped instruction caches
TLDR
The complex extensions of this technique to deal with set associative instruction caches, data caches and unified caches are described, which provide a comprehensive solution to the problem of worst case performance analysis of software running on processors with caches.
CacheAudit: A Tool for the Static Analysis of Cache Side Channels
TLDR
The results obtained exhibit the influence of cache size, line size, associativity, replacement policy, and coding style on the security of the executables and include the first formal proofs of security for implementations with countermeasures such as preloading and data-independent memory access patterns.
Adversarial symbolic execution for detecting concurrency-related cache timing leaks
TLDR
This work develops a new method, named adversarial symbolic execution, that systematically explores both the feasible program paths and their interleavings while modeling the cache, and leverages an SMT solver to decide if there are timing leaks.
CMP $ im : A Pin-Based OnThe-Fly Multi-Core Cache Simulator
TLDR
This paper presents the use of binary instrumentation as an alternative to execution-driven and trace-driven simulation methodologies to explore the design space of a CMP memory hierarchy and presents CMP$im to characterize cache performance of single-threaded, multi- threaded, and multi-programmed workloads at the speeds of 4-10 MIPS.
KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs
TLDR
A new symbolic execution tool, KLEE, capable of automatically generating tests that achieve high coverage on a diverse set of complex and environmentally-intensive programs, and significantly beat the coverage of the developers' own hand-written test suite is presented.
Software Verification and Verifiable Witnesses - (Report on SV-COMP 2015)
TLDR
SV-COMP 2015, the fourth edition of the thorough comparative evaluation of fully-automatic software verifiers, reports effectiveness and efficiency results of the state of the art in software verification.
...
1
2
...