Speculative Symbolic Execution for Cache Timing Leak Detection
Total Page:16
File Type:pdf, Size:1020Kb
SpecuSym: Speculative Symbolic Execution for Cache Timing Leak Detection Shengjian Guo∗ Yueqi Chen∗ Peng Li, Yueqiang Cheng Baidu Security Penn State University Baidu Security [email protected] [email protected] {lipeng28,chengyueqiang}@baidu. com Huibo Wang Meng Wu Zhiqiang Zuo Baidu Security Ant Financial Services Group State Key Lab. for Novel Software [email protected] [email protected] Technology, Nanjing University [email protected] ABSTRACT leverage the distinct cache physical symptoms, i.e., the cache visit- CPU cache is a limited but crucial storage component in modern ing latencies of various program executions, to penetrate the con- processors, whereas the cache timing side-channel may inadver- fidentiality of the victims. On exploiting the vulnerable software tently leak information through the physically measurable timing implementations, adversaries can extract the application secrets variance. Speculative execution, an essential processor optimiza- [16, 36, 60, 69], infer the neural network structure [30, 40, 41, 79], tion, and a source of such variances, can cause severe detriment or even dump the kernel data [42, 46, 52, 75]. on deliberate branch mispredictions. Despite static analysis could A timing side-channel generally serves as the intermediate car- qualitatively verify the timing-leakage-free property under specula- rier through which private data could inadvertently disclose to tive execution, it is incapable of producing endorsements including observers who can elaborately measure the timing information inputs and speculated flows to diagnose leaks in depth. This work of certain operations. One particular instance is the cache timing proposes a new symbolic execution based method, SpecuSym, for side-channel, which leaks data by the variance of the cache visit- precisely detecting cache timing leaks introduced by speculative ing latency. State-of-the-art program repair method [77] mitigates execution. Given a program (leakage-free in non-speculative exe- cache timing leaks by enforcing constant execution time for all cution), SpecuSym systematically explores the program state space, secret relevant operations. However, this strong mitigation may models speculative behavior at conditional branches, and accumu- still get compromised by the thread-level concurrency [38] or the lates the cache side effects along with subsequent path explorations. instruction-level parallelism like speculative execution [44]. During the dynamic execution, SpecuSym constructs leak predi- Speculative execution [44] is a microarchitectural optimization cates for memory visits according to the specified cache model in modern processors. It primarily increases the CPU instruction and conducts a constraint-solving based cache behavior analysis to pipeline throughput by beforehand scheduling instructions under inspect the new cache behaviors. We have implemented SpecuSym predicted branches, which prevents control hazards from stalling atop KLEE and evaluated it against 15 open-source benchmarks. the pipeline. Despite its essential importance, the cache side ef- Experimental results show that SpecuSym successfully detected fects caused by prediction errors could engender severe detriment from 2 to 61 leaks in 6 programs under 3 different cache settings through the cache timing side-channel [15, 43, 46, 75]. and identified false positives in 2 programs reported by recent work. Program analysis for speculative execution is by no means a new research domain. Previous efforts mainly researched safe and effi- cient execution [22, 35, 64], worst-case execution time estimation 1 INTRODUCTION [50, 51], concurrency bug prediction [21, 49], and Spectre vulner- CPU cache is a limited but crucial storage area on modern processor ability detection [35, 58, 71]. Wu et al. [78] recently proposed a chips. It primarily relieves the speed disparity between the rapid dedicated static analysis of timing-leakage-free property under processors and the slow main memory, by buffering recently used speculative execution. However, this abstract interpretation based arXiv:1911.00507v2 [cs.CR] 14 Feb 2020 data for faster reuse. Cache timing side-channel attacks [26, 47] method [78] qualitatively answers the yes or no question — it is incapable of generating input and speculative flows to diagnose leaks in depth. Moreover, the over-approximation nature inevitably ∗Both authors contributed equally to this research. Yueqi Chen worked on this project while he interned at Baidu USA. results in false positives, which desires a more precise method. To this end, we propose a new symbolic execution based method, SpecuSym, for detecting cache timing leaks caused by speculative Permission to make digital or hard copies of all or part of this work for personal or execution. Figure 1 displays the overall flow of SpecuSym. Given a classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation program P, which is timing-leakage-free in non-speculative execu- on the first page. Copyrights for components of this work owned by others than ACM tion, the sensitive input presented in symbol, and the insensitive must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, input, SpecuSym leverages symbolic execution to explore P’s state to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. space systematically. Meanwhile, it models speculative execution ICSE ’20, May 23–29, 2020, Seoul, Republic of Korea at conditional branches (cf. 1 ) and accumulates cache side effects © 2020 Association for Computing Machinery. along with subsequent executions (cf. 2 ). Based on a cache model, ACM ISBN 978-1-4503-7121-6/20/05...$15.00 https://doi.org/10.1145/3377811.3380428 ICSE ’20, May 23–29, 2020, Seoul, Republic of Korea Guo et al. 1 Section 4 states the core contributions and optimizations. Then we Speculative Symbolic Execution Modeling conduct experiments in Section 5 and discuss the related work in Sensitive Input Section 6. Finally, we conclude our work in Section 7. 3 4 Leakage-free Symbolic Cache New Timing Program P Execution Behavior Analysis Leak Witnesses 2 MOTIVATION This section motivates our work with an example. By studying its Insensitive 2 leakage-free cache behavior under non-speculative execution and Plain Input Cache the new leaks caused by speculative execution, we position how State Modeling SpecuSym should facilitate leak detection. P Figure 1: Overall flow of SpecuSym. 2.1 Program and the Cache Mapping Figure 2(a) shows a program snippet P whose execution time re- mains stationary in non-speculative execution but varies in terms SpecuSym constructs leak predicates for memory visits and con- of the sensitive input when running under speculative execution. ducts a constraint-solving based cache behavior analysis (cf. 3 ) to Listed at line 2, P has 4 local variables as S, x, v1, and v2. Op- generate the leak witnesses (cf. 4 ). erating these variables, e.g., the implicit memory read of x (line Our new method has three significant challenges. The first chal- 6) and the explicit store to v1 (line 7), may lead to memory access. lenge comes from the modeling of speculative behaviors. Classic The remaining variable i (line 3) is a register variable that incurs symbolic executors [17, 62] neither support speculative execution no memory access. Also, variable x is the sensitive input, and any nor are cache-aware since they primarily concentrate on the func- form of revealing its value turns to be a leak. tional correctness rather than reasoning the implicit program prop- We leverage a fully associative cache C for the analysis purpose erties. The second challenge derives from the cache state mainte- of P, as shown in Figure 2(b). It is an extreme case of the N-way nance. Due to the symbolic nature, a symbolic memory address associative cache where the memory address of a variable in P may correspond to multiple concrete addresses. Updating the cache may map to any cache line of C, subjecting to the line availability status after each memory operation unquestionably leads to an and the replacement policy. Here we assume C adopts the Least explosive number of different cache states. The last challenge stems Recently Used (LRU) policy, which always evicts the least used line from the analysis cost. Processors may trigger multiple branch mis- once C has been entirely occupied. predictions during program execution. Indiscriminately covering Cache C consists of 256 cache lines, and each line has exactly 1- all possibilities introduces not only tremendous constraint solving byte size. Local variables are mapped to C according to the program overhead but also many unnecessary cases. execution order and their sizes; e.g., in Figure 2(b) array S maps To overcome the first challenge, we design a new modeling al- from cache lines #1 to #254 because of the array traverse in the while gorithm in symbolic execution, which satisfies both feasibility and loop (lines 4-5), and each 1-byte array item successively occupies a high-fidelity. In essence, it utilizes the stateful exploration tomimic full cache line. Then variable x associates with line #255. Next, v1 the speculative behaviors and isolates memory changes in auxil- fills the last available line (line #256) if x>128 satisfies; thus, the iary states from the normal symbolic states. To tackle the second