SpecSafe: Detecting cache side channels in a speculative world

Robert Brotzman, Danfeng Zhang, Mahmut Taylan Kandemir, Gang Tan

Research output: Contribution to journalArticlepeer-review

4 Scopus citations

Abstract

The high-profile Spectre attack and its variants have revealed that speculative execution may leave secret-dependent footprints in the cache, allowing an attacker to learn confidential data. However, existing static side-channel detectors either ignore speculative execution, leading to false negatives, or lack a precise cache model, leading to false positives. In this paper, somewhat surprisingly, we show that it is challenging to develop a speculation-aware static analysis with precise cache models: a combination of existing works does not necessarily catch all cache side channels. Motivated by this observation, we present a new semantic definition of security against cache-based side-channel attacks, called Speculative-Aware noninterference (SANI), which is applicable to a variety of attacks and cache models. We also develop SpecSafe to detect the violations of SANI. Unlike other speculation-aware symbolic executors, SpecSafe employs a novel program transformation so that SANI can be soundly checked by speculation-unaware side-channel detectors. SpecSafe is shown to be both scalable and accurate on a set of moderately sized benchmarks, including commonly used cryptography libraries.

Original languageEnglish (US)
Article number129
JournalProceedings of the ACM on Programming Languages
Volume5
Issue numberOOPSLA
DOIs
StatePublished - Oct 2021

All Science Journal Classification (ASJC) codes

  • Software
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'SpecSafe: Detecting cache side channels in a speculative world'. Together they form a unique fingerprint.

Cite this