# Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic

Shuwen Deng, Wenjie Xiong and Jakub Szefer Yale University

> HASP June 2, 2018





cache enables fast access to the data



timing latency  $\leftrightarrow$  cache hit & miss

fast access slow access

# Cache Timing Side-Channel Attacks Yale

- For load/store instruction, time differs between hits and misses
- For flush instruction, time depends on data existence
- Attacker's Goal: get information of the address of victim's sensitive data by observing the timing difference
- Threat Model:
  - An attacker (A) shares the same cache with a victim (V)
  - The attacker cannot directly access the cache state machine
  - The attacker can observe the timing of the victim or itself
  - The attacker can combine timing observation with some other knowledge
    - The attacker knows some source code of the victim
    - The attacker can force victim to execute a specific function
- E.g. Flush + Reload Attack



1- Attacker primes each cache set

2- Victim accesses critical data

3- Attacker probes each cache set (measure time)



specific process

(measure time)



#### Spectre & Meltdown Attack





#### speculative executions

- Variant 1: Bounds Check
- Variant 2: Branch Target Injection
- Variant 3: Rogue Data Cache
  - Variant 3a: Rogue System Register
- Variant 4: Speculative Store
- timing side-channel in the cache







- Uses speculative executions
- Leverages timing side-channel in the cache



#### Develop Cache Access Model

Three-step single-cacheblock-access model construction Analyze Timing Vulnerabilities

Exhaustive search for possible attacks based on threestep model Use Computation Tree Logic (CTL)

Model execution paths of the processor cache focusing on sidechannel attacks

#### Three-Step Single-Cache-Block-Access Model Yale

#### We use three steps to model all possible cache



| condition | description                                                                              |  |  |  |  |
|-----------|------------------------------------------------------------------------------------------|--|--|--|--|
| $V_1/A_1$ | A specific known memory location.                                                        |  |  |  |  |
| $V_x$     | A piece of memory containing data from a range of victim's memory addresses is accessed. |  |  |  |  |
| $V_R/A_R$ | single-cache-block access to "remove" the cache block contents                           |  |  |  |  |
| *         | Attacker has no knowledge about memory location                                          |  |  |  |  |

### Vulnerability Examples

Yale





 $- EF(E(E(A_1 UV_x)UA_1))$ 

## **Vulnerability Examples**







| л <i>х</i> | 1                                                                                        |
|------------|------------------------------------------------------------------------------------------|
| condition  | description                                                                              |
| $V_1/A_1$  | A specific known memory location.                                                        |
| $V_{x}$    | A piece of memory containing data from a range of victim's memory addresses is accessed. |
| $V_R/A_R$  | single-cache-block access to "remove" the cache block contents                           |
|            |                                                                                          |

#### Soundness of Three-Step Model

#### Why three-step model can cover all?

- One cache access
  - Interference does not exist
- Two cache accesses
  - Same as three-step model with Step0 to be "  $\star$  "
- More than three cache accesses
  - {··· ··· } can be divided into two parts

$$- \{\cdots \dashrightarrow A_R \dashrightarrow A_R \dashrightarrow A_R \cdots \}, \{\cdots \dashrightarrow A_R \dashrightarrow V_R \dashrightarrow V_R \cdots \}, \{\cdots \dashrightarrow A_1 \dashrightarrow V_1 \dashrightarrow V_1 \dashrightarrow V_1 \dashrightarrow V_x \dashrightarrow V_x \dashrightarrow V_x \cdots \}, \dots \text{ can be reduced to } \{\cdots \dashrightarrow A_R \dashrightarrow V_1 \dashrightarrow V_1 \dashrightarrow V_R \dashrightarrow V_R \cdots \}, \{\cdots \dashrightarrow V_1 \dashrightarrow V_1 \cdots \}, \{\cdots \dashrightarrow V_x \cdots \}, \{\cdots \cdots V_x \cdots \}, \dots, \text{ respectively}$$

Yale

- {···· ···  $(A_R/V_R / A_1 / V_1) \cdot V_x \cdot A_R/V_R / A_1 / V_1) \cdot V_x \cdot A_1 / V_1) \cdot V_x \cdot A_1 / V_1) \cdot V_x \cdot A_1 / V_1$  maps to effective vulnerabilities represented by three-step model

### Soundness of Three-step Model (b) Yale

- More than three cache accesses
  - {··· ··· } can be divided into two parts
  - $\{\cdots \dashrightarrow A_R \dashrightarrow A_R \dashrightarrow A_R \cdots \}, \{\cdots \dashrightarrow A_R \dashrightarrow V_R \dashrightarrow V_R \cdots \}, \dots, \{\cdots \dashrightarrow A_1 \dashrightarrow V_1 \dashrightarrow V_1 \cdots \}, \dots, \{\cdots \dashrightarrow V_x \dashrightarrow V_x \dashrightarrow V_x \cdots \} \text{ can be reduced to } \{\cdots \dashrightarrow A_R \dashrightarrow V_1 \cdots \}, \{\cdots \dashrightarrow V_R \dashrightarrow V_R \cdots \}, \dots, \{\cdots \dashrightarrow V_1 \dashrightarrow V_1 \cdots \}, \dots, \{\cdots \dashrightarrow V_x \cdots \}, \dots, \{\cdots \cdots V_x \cdots \}, \dots \}$
  - {···· ··· ( $A_R/V_R / A_1 / V_1$ ) ····  $V_x$  ···· ( $A_R/V_R / A_1 / V_1$ ) ···· } maps to known vulnerabilities represented by three-step model

### **Exhaustive Vulnerability Search**

 Explicit enumeration of all the possible three steps (6x5x5=150)

Vale

- Identify 28 types of cache attacks
  - 20 types already known or categorized
  - 8 types previously not in literature
- Can be applied to evaluate any cache architecture with CTL logic

### Vulnerability Exhaustive List



| <b>S0</b>             | S1                    | S2         | Recognized name    | Categor<br>ization | <b>S</b> 0            | S1         | S2                    | Recognized name     | Catego<br>rization |
|-----------------------|-----------------------|------------|--------------------|--------------------|-----------------------|------------|-----------------------|---------------------|--------------------|
| $V_x$                 | $A_R$                 | $V_x$      |                    | Type A             | $V_{\chi}$            | $V_x$      | $A_R$                 | Flush+Flush         | Type O             |
| $V_x$                 | V <sub>R</sub>        | $V_x$      |                    | Туре В             | $A_R$                 | $V_{\chi}$ | $V_R$                 | Flush+Flush         | Type P             |
| $A_R$                 | <i>A</i> <sub>1</sub> | $V_x$      |                    | Туре С             | $V_R$                 | $V_x$      | $V_R$                 | Flush+Flush         | Type Q             |
| V <sub>R</sub>        | $A_1$                 | $V_x$      |                    | Type D             | $V_{\chi}$            | $V_x$      | $V_R$                 | Flush+Flush         | Type R             |
| <i>A</i> <sub>1</sub> | <i>A</i> <sub>1</sub> | $V_x$      |                    | Type E             | $A_R$                 | $V_{\chi}$ | $A_1$                 | Flush(Evict)+Reload | Type S             |
| $V_1$                 | $A_1$                 | $V_x$      |                    | Type F             | $V_R$                 | $V_{\chi}$ | $A_1$                 | Flush(Evict)+Reload | Туре Т             |
| $V_{\chi}$            | <i>A</i> <sub>1</sub> | $V_x$      | Evict+Time         | Type G             | <i>A</i> <sub>1</sub> | $V_{\chi}$ | $A_1$                 | Prime+Probe         | Type U             |
| $A_R$                 | $V_1$                 | $V_x$      | Cache Collision    | Туре Н             | <i>V</i> <sub>1</sub> | $V_x$      | <i>A</i> <sub>1</sub> |                     | Type V             |
| $V_R$                 | <i>V</i> <sub>1</sub> | $V_x$      | Cache Collision    | Type I             | $V_{\chi}$            | $V_{\chi}$ | $A_1$                 | Flush(Evict)+Reload | Type W             |
| $A_1$                 | <i>V</i> <sub>1</sub> | $V_{\chi}$ | Cache Collision    | Type J             | $A_R$                 | $V_{\chi}$ | <i>V</i> <sub>1</sub> | Cache Collision     | Туре Х             |
| $V_1$                 | <i>V</i> <sub>1</sub> | $V_x$      | Cache Collision    | Type K             | V <sub>R</sub>        | $V_{\chi}$ | <i>V</i> <sub>1</sub> | Cache Collision     | Type Y             |
| $V_{\chi}$            | <i>V</i> <sub>1</sub> | $V_{\chi}$ | Bernstein's attack | Type L             | <i>A</i> <sub>1</sub> | $V_x$      | <i>V</i> <sub>1</sub> |                     | Type Z             |
| $A_R$                 | $V_{x}$               | $A_R$      | Flush+Flush        | Туре М             | <i>V</i> <sub>1</sub> | $V_{\chi}$ | <i>V</i> <sub>1</sub> | Bernstein's attack  | Type AA            |
| V <sub>R</sub>        | $V_{\chi}$            | $A_R$      | Flush+Flush        | Type N             | $V_{\chi}$            | $V_{\chi}$ | <i>V</i> <sub>1</sub> | Cache Collision     | Type AB            |

# Vulnerability Examples

Yale







New Type V Attack

$$- V_1 \dashrightarrow V_x \dashrightarrow A_1$$





Treats time as discrete and branching Can explore different execution paths

- Boolean operators:  $\neg \varphi, \varphi \lor \psi, \varphi \land \psi, ...$
- Temporal modalities:

18



# Three-Step Model in CTL logic

Yale

For a single cache block, model execution paths that represent vulnerabilities to attacks:



19

#### **Bounded Computation Tree**



three-step model:





- hardware design of secure caches
- cache state machine modeling
- checking of vulnerability in CTL logic
- improve CTL modeling

### Summary



Develop Cache Access Model

Three-step single-cacheblock-access model construction Analyze Timing Vulnerabilities

Exhaustive search for possible attacks based on threestep model Use Computation Tree Logic (CTL)

Model execution paths of the processor cache focusing on sidechannel attacks

- cache state machine modeling
- checking of vulnerability in CTL logic
- improve CTL modeling

Thank you!



#### back up slides

## Soundness of Three-step Model (a) Yale

- One cache access
  - Interference does not exist
- Two cache accesses
  - Same as three-step model with Step0 to be "  $\star$  "
  - None of them can form an attack
- Three cache accesses
  - Exhaustive vulnerability Search and effective vulnerabilities derived

### Soundness of Three-step Model (b) Yale

- More than three cache accesses

  - $\{\cdots \dashrightarrow A_R \dashrightarrow A_R \dashrightarrow A_R \cdots \}, \{\cdots \dashrightarrow A_R \dashrightarrow V_R \dashrightarrow V_R \cdots \}, \{\cdots \dashrightarrow A_1 \dashrightarrow V_1 \dashrightarrow V_1 \dashrightarrow V_1 \dashrightarrow V_x \dashrightarrow V_x \dashrightarrow V_x \cdots \}, \dots \text{ can be reduced to} \\ \{\cdots \dashrightarrow A_R \dashrightarrow V_1 \{\cdots \cdots \}, \{\cdots \cdots V_R \dashrightarrow V_R \cdots \}, \{\cdots \cdots V_1 \cdots V_1 \cdots \}, \{\cdots \cdots V_x \cdots \}, \dots, \text{ respectively}$
  - {···· ··· ( $A_R/V_R / A_1 / V_1$ ) ····  $V_x$  ···· ( $A_R/V_R / A_1 / V_1$ ) ···· } maps to effective vulnerabilities represented by threestep model