Abstract interpretation under speculative execution

Analyzing the behavior of a program running on a processor that supports speculative execution is crucial for applications such as execution time estimation and side channel detection. Unfortunately, existing static analysis techniques based on abstract interpretation do not model speculative execution since they focus on functional properties of a program while speculative execution does not change the functionality. To fill the gap, we propose a method to make abstract interpretation sound under speculative execution. There are two contributions. First, we introduce the notion of virtual control flow to augment instructions that may be speculatively executed and thus affect subsequent instructions. Second, to make the analysis efficient, we propose optimizations to handle merges and loops and to safely bound the speculative execution depth. We have implemented and evaluated the proposed method in a static cache analysis for execution time estimation and side channel detection. Our experiments show that the new method, while guaranteed to be sound under speculative execution, outperforms state-of-the-art abstract interpretation techniques that may be unsound.
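As an added illustration (not code from the paper or its tool), the following Python sketch applies the idea of virtual control flow to a textbook LRU "must" cache analysis: at a branch, the wrong-path accesses a mispredicting processor may execute before the squash are run abstractly and joined into the state of the path actually taken, and the speculation depth is a bounded parameter. The two-way cache, the one-branch program and the depth values are constructed assumptions for the demo.

```python
from typing import Dict, List, Optional
ASSOC = 2  # constructed example: one 2-way set-associative LRU cache set

# Must-cache abstract state: line -> upper bound on its LRU age (always < ASSOC).
State = Dict[str, int]

def access(state: State, line: str) -> State:
    """Must-analysis transfer for one LRU access: lines younger than `line`
    age by one, `line` becomes youngest, lines reaching ASSOC are evicted."""
    old = state.get(line, ASSOC)  # an absent line counts as older than all
    new = {ln: (a + 1 if a < old else a) for ln, a in state.items() if ln != line}
    new[line] = 0
    return {ln: a for ln, a in new.items() if a < ASSOC}

def join(s1: State, s2: State) -> State:
    """Must join: a line survives only if present on both paths, at the older age."""
    return {ln: max(s1[ln], s2[ln]) for ln in s1 if ln in s2}

def run_block(state: State, block: List[str],
              hits: Optional[List[bool]] = None) -> State:
    """Run a straight-line block; optionally record per-access 'guaranteed hit'."""
    for line in block:
        if hits is not None:
            hits.append(line in state)
        state = access(state, line)
    return state

def speculate(state: State, wrong_path: List[str], depth: int) -> State:
    """Virtual control flow: a mispredicted branch may execute up to `depth`
    wrong-path accesses before being squashed, and squashing does not undo
    their cache effects, so the real path may start from either state."""
    return join(state, run_block(state, wrong_path[:depth]))

def analyze_branch(prefix: List[str], then_block: List[str], else_block: List[str],
                   take_else: bool, depth: int) -> List[bool]:
    """Classify each access of the executed successor as guaranteed hit (True)
    or not (False). depth == 0 is the classic analysis that ignores speculation."""
    state = run_block({}, prefix)
    real, wrong = (else_block, then_block) if take_else else (then_block, else_block)
    hits: List[bool] = []
    run_block(speculate(state, wrong, depth), real, hits)
    return hits

if __name__ == "__main__":
    # Constructed program: access A; if (c) { B; C } else { A }.  Taking the
    # else path, the classic analysis calls the second access to A a sure hit,
    # but two wrong-path accesses (B, C) can evict A from a 2-way set first.
    for depth in (0, 1, 2):
        print(depth, analyze_branch(["A"], ["B", "C"], ["A"], True, depth))
```

With depth 0 or 1 the access to A on the else path is reported as a guaranteed hit; with depth 2 it is not, which is the unsoundness the speculation-aware analysis removes.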
