Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng, Wenjie Xiong and Jakub Szefer Yale University New Haven, Connecticut {shuwen.deng,wenjie.xiong,jakub.szefer}@yale.edu ABSTRACT can then be used to leak secrets of a victim program, and this has Caches are one of the key features of modern processors as they been exploited by the various cache timing side-channel attacks, help to improve memory access timing through caching recently e.g., [1, 5, 7, 21, 30]. used data. However, due to the timing dierences between cache To address the security issues of cache timing side-channel at- hits and misses, numerous timing side-channels have been discov- tacks, numerous secure processor caches have been designed and ered and exploited in the past. In this paper, Computation Tree analyzed through simulation and probability analysis in attempt Logic is used to model execution paths of the processor cache logic, to prove that the proposed caches indeed prevent attacks [12, 13, and to derive formulas for paths that can lead to timing side-channel 26, 27, 33–36, 39, 40]. Furthermore, to reason about the dierent vulnerabilities. In total, 28 types of cache attacks are presented: 20 attacks, researchers have classied cache timing side-channels on types of which map to attacks previously categorized or discussed basis whether the attacks leverage cache hits or misses and whether in literature, and 8 types are new. Furthermore, to enable practical they are access-based or reuse-based, and whether the attacks lever- vulnerability checking, we present a new approach that limits the age internal or external interference [22, 41]. Especially, [41] made depth of the execution paths that need to be checked by the Com- use of nite-state machine to model cache architectures and used putation Tree Logic, allowing for use of bounded model checking mutual information to calculate potential side-channel leakage of for Computation Tree Logic based cache security verication using the modeled cache architectures. Meanwhile, [22] used probabilis- the new three-step single-cache-block-access model. tic information ow graph to model interaction between a victim and an attacker program, and used probability of an attack success CCS CONCEPTS to evaluate how well dierent caches can defend against timing side-channel attacks. • → Security and privacy Side-channel analysis and counter- In contrast to the existing work, this paper is the rst work to ; • → measures Theory of computation Modal and temporal explore Computation Tree Logic (CTL) [9, 10] to model execution ; Verication by model checking; logics paths of the processor cache logic, and to derive formulas for paths which indicate that there is a vulnerability to a potential attack. KEYWORDS Rather than trying to model or simulate attackers, this work explic- timing side-channel, caches, Computation Tree Logic itly enumerates all the possible execution paths that could lead to ACM Reference Format: an attack. CTL formulas are derived for these execution paths, and Shuwen Deng, Wenjie Xiong and Jakub Szefer. 2018. Cache Timing Side- these formulas can be used with existing tools to check if a specic Channel Vulnerability Checking with Computation Tree Logic. In HASP cache architecture is susceptible to one of the attacks. Especially, ’18: Hardware and Architectural Support for Security and Privacy, June 2, behavior of each single cache block can be modeled as a Kripke 2018, Los Angeles, CA, USA. ACM, New York, NY, USA, 8 pages. https: structure [23], which is used to describe the nite-state machine of //doi.org/10.1145/3214292.3214294 the cache logic. Given the CTL formulas, they can be used to verify if there is at least one path in the computation tree derived from 1 INTRODUCTION the Kripke structure that matches the formula, and if so, there is a With conventional processor caches, when a memory access is potential vulnerability in the design. made, rst, the memory address is checked to see if the data is in The execution paths in computation tree of a cache could be the cache, and if data is in the cache, it is called a cache hit, and data potentially innite. However, we show that any path corresponding is returned from the cache quickly. If data is not in the cache, it is a to an attack can be represented as a path with three single-cache- cache miss, and main memory is accessed to retrieve the data, which block accesses steps (step 0, step 1, and step 2 in Section 4). While takes longer amount of time. Because of this timing dierence, it is the computation tree is still large, it is now bounded in size and all possible to use timing of a program execution to determine if its the paths can be evaluated within this bounded computation tree memory accesses are hits or misses. Furthermore, when ushing or to nd potential vulnerabilities. evicting a cache block, the timing of these operations depends on Through explicit enumeration of all the possible paths and their whether the cache block originally had valid data, which can also analysis, we have derived CTL formulas for 28 types of cache at- reveal the state of the cache block. The dierent timing information tacks. Of these attacks, 20 types are in agreement with the existing cache attack categorizations presented in [22, 27, 41] or correspond Permission to make digital or hard copies of all or part of this work for personal or to known vulnerabilities. However, 8 of the types of attacks are classroom use is granted without fee provided that copies are not made or distributed for prot or commercial advantage and that copies bear this notice and the full citation previously not detailed in literature. The 28 CTL formulas can be ap- on the rst page. Copyrights for components of this work owned by others than the plied to evaluate any cache architecture and can check, in bounded author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or time, if the cache is vulnerable to an attack. republish, to post on servers or to redistribute to lists, requires prior specic permission and/or a fee. Request permissions from [email protected]. HASP ’18, June 2, 2018, Los Angeles, CA, USA 1.1 Contributions © 2018 Copyright held by the owner/author(s). Publication rights licensed to ACM. ACM ISBN 978-1-4503-6500-0/18/06...$15.00 This paper aims to help advance the eld of verication of proces- https://doi.org/10.1145/3214292.3214294 sor caches, and provides logic formulas that can be used to check HASP ’18, June 2, 2018, Los Angeles, CA, USA S. Deng et al. cache implementation against potential cache timing side-channel Table 1: Symbols of CTL formula syntax. vulnerabilities. Our contributions are: Symbol Description First use of CTL to model execution paths of the processor True logical true value • cache logic focusing on side-channel attacks. a an atomic proposition Development of a new, three-step single-cache-block-access φ, φ1, φ2 valid CTL formulas • model for modeling all possible vulnerabilities that can lead negation (unary op.) ¬ to timing side-channel attacks in caches. logical AND (binary op.) ^ Derivation of 28 types of cache side-channel attacks based logical OR (binary op.) _ • logical implication (binary op.) on the three-step single-cache-block-access model, including ) logical bi-implication (if and only if, binary op.) 8 types of attacks previously not described in the existing , literature in detail. A “for all” operator (along all paths, unary op.) Discussion of how to nd cache timing side-channel vul- E “exists” operator (along at least one path, unary op.) • nerabilities in real cache implementations by using the CTL X “next” operator (unary op.) formulas and bounded model checking. G “globally” operator (unary op.) F “eventually” operator (unary op.) 2 COMPUTATION TREE LOGIC (CTL) U “until” operator (binary op.) In this paper, we use Computation Tree Logic (CTL) [9, 10] to model For all paths next: Is inevitable: For all path invariantly: For all paths until: a a execution paths of the processor cache logic, and to derive formulas a a a a a a b for paths which can lead to attacks. CTL treats time as discrete and branching, where at each time step the system is in a dened state. a a a a a a b b It allows one to explore dierent execution paths that a system may (M, s)╞ AX a (M, s)╞ AF a (M, s)╞ AG a (M, s)╞ A[a U b] go through as it executes. The number of the paths depends on the Exists some paths next: Holds potentially: Potentially always: For some path until: nite state machine describing the system. The lengths of the paths a a can be innite, but bounded paths can be checked (c.f. bounded a a a model checking [6]). a a b CTL is one type of temporal logic: temporal logic is the logic that contains any system of rules and symbolisms to represent, and rea- (M, s)╞ EX a (M, s)╞ EF a (M, s)╞ EG a (M, s)╞ E[a U b] son about, propositions qualied in terms of time [14]. Propositions Figure 1: Example paths in computation trees that are true for the such as “there exists a path that property p holds starting at some corresponding CTL formulas. time step until a step where property q holds” enable describing a system along with changes in its state over time. allows for use of bounded trees. If the tree is bounded, a path πF There are also other forms of temporal logics, which include will have nite number of states, m, and the nite sequence of Linear Temporal Logic (LTL) [31] where at every moment in time states s0, s1,...,sm 1 of πF hold that 0 6 i < m, si * si+1 and − 8 there will only be one possible future that “actually takes place” [24].