Symbolic Verification of Cache Side-channel Freedom

TL;DR

This paper introduces CACHEFIX, a symbolic verification framework that automatically checks and patches programs to prevent cache timing side-channel attacks, combining formal verification with runtime monitoring.

Contribution

It presents a novel symbolic verification technique based on automated abstraction refinement of cache semantics for verifying and patching programs against cache side-channel vulnerabilities.

Findings

CACHEFIX verifies cache side-channel freedom in about 75 seconds on average.

It synthesizes patches within 20 minutes in most cases.

The approach effectively secures routines from cache timing attacks in evaluated libraries.

Abstract

Cache timing attacks allow third-party observers to retrieve sensitive information from program executions. But, is it possible to automatically check the vulnerability of a program against cache timing attacks and then, automatically shield program executions against these attacks? For a given program, a cache configuration and an attack model, our CACHEFIX framework either verifies the cache side-channel freedom of the program or synthesizes a series of patches to ensure cache side-channel freedom during program execution. At the core of our framework is a novel symbolic verification technique based on automated abstraction refinement of cache semantics. The power of such a framework is to allow symbolic reasoning over counterexample traces and to combine it with runtime monitoring for eliminating cache side channels during program execution. Our evaluation with routines from OpenSSL, libfixedtimefixedpoint, GDK and FourQlib libraries reveals that our CACHEFIX approach (dis)proves cache sidechannel freedom within an average of 75 seconds. Besides, in all except one case, CACHEFIX synthesizes all patches within 20 minutes to ensure cache side-channel freedom of the respective routines during execution.