KLEESpectre

Spectre attacks, disclosed in early 2018, expose data leakage scenarios via cache side channels. Specifically, paths executed speculatively after a branch mis-prediction may bring secret data into the cache, where it remains exposed via cache side channels even after the speculative execution is squashed. Symbolic execution is a well-known test generation method for covering program paths at the level of the application software. In this paper, we extend symbolic execution with modeling of the cache and of speculative execution. Our tool KLEESPECTRE, built on top of the KLEE symbolic execution engine, can thus serve as a testing engine for the cache side-channel data leakage demonstrated by Spectre attacks. Our symbolic cache model can verify whether sensitive data leaked by speculative execution can actually be observed by an attacker at a given program point. Our experiments show that KLEESPECTRE can effectively detect data leakage along speculatively executed paths, and that our cache model makes the leakage detection considerably more precise.
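The leakage condition the abstract describes, as an added example that is not part of the paper or of KLEESpectre's code base: the Spectre-v1 bounds-check-bypass gadget is executed under an explicit speculative-execution and cache model, and an attacker probe at the program point after the victim returns checks whether the secret-dependent line fill is actually observable. KLEESpectre reasons about these states symbolically inside KLEE; this example runs the victim concretely so that the reasoning is visible. The modelled address layout, the constructed "hunter2" secret placed right after array1, the direct-mapped 64-byte-line cache, the always-predict-in-bounds branch predictor and the `fence` flag standing in for a serialising barrier are all assumptions of the example.

```c
/* Spectre-v1 leakage check under an explicit speculative-execution + cache model.
 * Added illustration, not KLEESpectre's code. Assumed: a direct-mapped, 64-byte-line
 * cache with full tags, a predictor that always predicts the bounds check as
 * "in bounds", a modelled flat memory, and a constructed secret placed right
 * after array1 as in the public Spectre proof of concept. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LINE_BYTES  64
#define NLINES      1024                      /* modelled cache: 64 KiB, direct-mapped */
#define ARRAY1      0x1000u                   /* modelled address of array1 */
#define ARRAY1_SIZE 16u
#define SECRET      (ARRAY1 + ARRAY1_SIZE)    /* secret bytes sit right after array1 */
#define ARRAY2      0x10000u                  /* attacker-probeable array */
#define MAX_STRIDE  512
#define MEM_SIZE    (ARRAY2 + 256 * MAX_STRIDE)

static uint8_t mem[MEM_SIZE];                 /* modelled memory */
typedef struct { uint32_t tag[NLINES]; uint8_t valid[NLINES]; } cache_t;

static void init_mem(void) {
    static const char secret[] = "hunter2";   /* constructed sample secret */
    for (uint32_t i = 0; i < ARRAY1_SIZE; i++) mem[ARRAY1 + i] = (uint8_t)(i + 1);
    memcpy(mem + SECRET, secret, sizeof secret - 1);
}

static void cache_fill(cache_t *c, uint32_t addr) {
    uint32_t line = addr / LINE_BYTES;
    c->tag[line % NLINES] = line;
    c->valid[line % NLINES] = 1;
}
static int cache_hit(const cache_t *c, uint32_t addr) {
    uint32_t line = addr / LINE_BYTES;
    return c->valid[line % NLINES] && c->tag[line % NLINES] == line;
}
/* Every load, architectural or speculative, leaves its line in the cache. */
static uint8_t load(cache_t *c, uint32_t addr) { cache_fill(c, addr); return mem[addr]; }

/* The gadget:  if (x < array1_size) y = array2[array1[x] * stride];
 * When x is out of bounds the predictor still steers execution into the body,
 * so both loads run transiently before the squash. `fence` models a serialising
 * barrier after the branch: the body never runs speculatively. The squash
 * discards y but not the cache fills. */
static uint8_t victim(cache_t *c, uint32_t x, uint32_t stride, int fence) {
    if (x < ARRAY1_SIZE)                      /* architectural path */
        return load(c, ARRAY2 + load(c, ARRAY1 + x) * stride);
    if (!fence) {                             /* mispredicted, transient path */
        uint8_t s = load(c, ARRAY1 + x);      /* out-of-bounds read: a secret byte */
        (void)load(c, ARRAY2 + s * stride);   /* secret-dependent line fill */
    }
    return 0;                                 /* squash: architectural result */
}

/* Attacker's Flush+Reload probe at the program point after victim() returns:
 * how many candidate byte values k are consistent with the lines now cached?
 * *value receives the first consistent candidate. */
static int leak_candidates(uint32_t x, uint32_t stride, int fence, int *value) {
    cache_t c; memset(&c, 0, sizeof c);       /* attacker flushed the cache beforehand */
    init_mem();
    victim(&c, x, stride, fence);
    int count = 0;
    for (int k = 0; k < 256; k++)
        if (cache_hit(&c, ARRAY2 + (uint32_t)k * stride)) { if (count == 0) *value = k; count++; }
    return count;
}
static int candidate_count(uint32_t x, uint32_t stride, int fence) {
    int v = -1; return leak_candidates(x, stride, fence, &v);
}
/* The byte the attacker recovers, or -1 if it is not uniquely observable. */
static int recovered_byte(uint32_t x, uint32_t stride, int fence) {
    int v = -1;
    return leak_candidates(x, stride, fence, &v) == 1 ? v : -1;
}

int main(void) {
    printf("x=16 stride=512 no fence : %d\n", recovered_byte(16, 512, 0));   /* 104 = 'h' */
    printf("x=16 stride=512 fence    : %d\n", recovered_byte(16, 512, 1));   /* -1 */
    printf("x=16 stride=1   no fence : %d candidates\n", candidate_count(16, 1, 0));
    return 0;
}
```

Two program points differ only in the cache model, which is the precision point of the abstract: with a 512-byte stride the transient load leaves exactly one probeable line and the attacker recovers the whole byte, whereas with a stride of 1 the same secret-dependent speculative access exists but every value in the same 64-byte window maps to one line, so the attacker is left with 64 candidates. A path-only detector flags both cases identically; the cache model separates them.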
