canal a cache timing analysis framework via llvm
play

CANAL: A Cache Timing Analysis Framework via LLVM Transformation - PowerPoint PPT Presentation

Nov 06, 2022 •385 likes •638 views

ASE 2018 CANAL: A Cache Timing Analysis Framework via LLVM Transformation Chungha Sung | Brandon Paulsen | Chao Wang Software verification & analysis Checking Functional Model properties Checking Ex) Abstract assert(x > 1);

  1. ASE 2018 CANAL: A Cache Timing Analysis Framework via LLVM Transformation Chungha Sung | Brandon Paulsen | Chao Wang

  2. Software verification & analysis Checking Functional Model properties Checking Ex) Abstract assert(x > 1); Interpretation Symbolic Execution

  3. Software verification & analysis Non-functional Properties Model e.g. Cache behavior Checking Ex) Abstract The number of Interpretation cache misses? Symbolic Execution

  4. Software verification & analysis Model Checking You’d have to Abstract change each of Interpretation these tools to model cache behavior Symbolic Execution

  5. CANAL Model Checking Abstract Interpretation Symbolic LLVM-Transformation Execution 1. Now, cache (and other non-functional) properties can be handled by existing verifiers 2. General (not tool-specific) cache modeling framework

  6. Overview Memory Layout C/C++ Clang LLVM Instrumented Code Bitcode LLVM Pass LLVM Bitcode Code Instrumentation & Cache Computation Header Cache cSim.h Configure generator Verification tools (SMACK, KLEE, Crab- llvm etc.) Canal process

  7. Code instrumentation T = Y; (Inserted function calls below) __CSIM_Load (address set of “Y”, address tags of “Y”); __CSIM_Store (address set of “T”, address tags of “T”); Code instrumentation is done at the LLVM-Bitcode level

  8. Outline ▪ Motivation ▪ Code Instrumentation ▪ Usages ▪ Use CANAL as a simulator (omitted) ▪ Use CANAL with Symbolic execution tool ▪ Use CANAL with Static analysis tool ▪ Use CANAL with Software verification tool ▪ Conclusion

  9. Usage 1 – Symbolic execution tool CANAL Instrumented LLVM Bitcode Symbolic execution tools (e.g Klee) Check if there exist two inputs that lead to different cache stats (Side-channel leakage)

  10. Usage 1 – Symbolic execution tool (Cont’d) klee_make_symbolic(&input1); klee_make_symbolic(&input2); __CSIM_init_cache(); call_program1(input1); h1 = __CSIM_num_hit; m1 = __CSIM_num_miss; __CSIM_init_cache(); call_program1(input2); h2 = __CSIM_num_hit; m2 = __CSIM_num_miss; assert(h1 == h2 && m1 == m2);

  11. Usage 1 – Symbolic execution tool (Cont’d) klee_make_symbolic(&input1); Define symbolic inputs klee_make_symbolic(&input2); __CSIM_init_cache(); call_program1(input1); h1 = __CSIM_num_hit; m1 = __CSIM_num_miss; __CSIM_init_cache(); call_program1(input2); h2 = __CSIM_num_hit; m2 = __CSIM_num_miss; assert(h1 == h2 && m1 == m2);

  12. Usage 1 – Symbolic execution tool (Cont’d) klee_make_symbolic(&input1); klee_make_symbolic(&input2); __CSIM_init_cache(); Cache status initialization Input 1 call_program1(input1); Run program and get cache stats h1 = __CSIM_num_hit; m1 = __CSIM_num_miss; __CSIM_init_cache(); call_program1(input2); h2 = __CSIM_num_hit; m2 = __CSIM_num_miss; assert(h1 == h2 && m1 == m2);

  13. Usage 1 – Symbolic execution tool (Cont’d) klee_make_symbolic(&input1); klee_make_symbolic(&input2); __CSIM_init_cache(); call_program1(input1); h1 = __CSIM_num_hit; m1 = __CSIM_num_miss; __CSIM_init_cache(); Cache status initialization Input 2 call_program1(input2); h2 = __CSIM_num_hit; Run program and get cache stats m2 = __CSIM_num_miss; assert(h1 == h2 && m1 == m2);

  14. Usage 1 – Symbolic execution tool (Cont’d) klee_make_symbolic(&input1); klee_make_symbolic(&input2); __CSIM_init_cache(); call_program1(input1); h1 = __CSIM_num_hit; m1 = __CSIM_num_miss; __CSIM_init_cache(); call_program1(input2); h2 = __CSIM_num_hit; m2 = __CSIM_num_miss; assert(h1 == h2 && m1 == m2); Check stats are the same

  15. Usage 2 – Software verification tool CANAL Instrumented LLVM Bitcode Software verification tool (e.g SMACK) Check if a memory read or write always leads to cach hit/miss (MUST hit/miss analysis)

  16. Usage 2 – Software verification tool ( Con’d ) if (cond) buffer[0] = 1; else buffer[16] = 1; x = buffer[2]; h = __CSIM_Load_ret; assert (h == true); Check: Read of buffer[2] always leads to cache hit?

  17. Usage 2 – Software verification tool ( Con’d ) if (cond) buffer[0] = 1; else buffer[0] and buffer[16] are in different cache line buffer[16] = 1; x = buffer[2]; h = __CSIM_Load_ret; assert (h == true);

  18. Usage 2 – Software verification tool ( Con’d ) if (cond) buffer[0] = 1; else buffer[16] = 1; x = buffer[2]; h = __CSIM_Load_ret; buffer[2] will be the first cache line access when the branch was not taken. assert (h == true);

  19. Usage 2 – Software verification tool ( Con’d ) if (cond) buffer[0] = 1; else buffer[16] = 1; x = buffer[2]; h = __CSIM_Load_ret; assert ( h == true); Read the cache status of the last Load/Store operation

  20. Usage 3 – Static analysis tool CANAL Instrumented LLVM Bitcode Static analysis tool (e.g Crab-llvm) Compute invariants over cache stats (e.g., min/max of cache hits/misses)

  21. Usage 3 – Static analysis tool ( Con’d ) if (cond) buffer[0] = 1; else buffer[16] = 1; buffer[2] = 1; s_h = __CSIM_num_Store_hit; s_m = __CSIM_num_Store_miss; assert (s_h > 1); assert (s_m < 3); assert (s_h + s_m == 2);

  22. Usage 3 – Static analysis tool ( Con’d ) if (cond) buffer[0] = 1; else buffer[16] = 1; buffer[2] = 1; s_h = __CSIM_num_Store_hit; s_m = __CSIM_num_Store_miss; assert ( s_h > 1); assert ( s_m < 3); assert ( s_h + s_m == 2); Check invariants over the number of cache hits and misses.

  23. Conclusions • Proposed a unified framework for modeling cache behaviors through LLVM-transformation • CANAL can be used as a simulator without losing accuracy • CANAL can be used tougher with various software verification tools

  24. Thank you! https://github.com/canalcache/canal

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mitigating Software Instrumentation Cache Effects in Measurement-Based Timing Analysis 1 Enrique

Mitigating Software Instrumentation Cache Effects in Measurement-Based Timing Analysis 1 Enrique

Mitigating Software Instrumentation Cache Effects in Measurement-Based Timing Analysis 1 Enrique Daz 1,2 , Jaume Abella 2 , Enrico Mezzetti 2 , 4 Irune Agirre 3 , Mikel Azkarate-Askasua 3 , 2 Tullio Vardanega 4 , Francisco J. Cazorla 2,5 5 3

545 views • 25 slides
A Cache Timing Analysis of HC-256 Erik Zenner Technical University Denmark (DTU) Institute for

A Cache Timing Analysis of HC-256 Erik Zenner Technical University Denmark (DTU) Institute for

A Cache Timing Analysis of HC-256 Erik Zenner Technical University Denmark (DTU) Institute for Mathematics e.zenner@mat.dtu.dk SAC 2008, Aug. 14, 2008 Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 1 / 25

293 views • 25 slides
Cache-Timing Attacks Matteo BOCCHI System Research &amp; Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research &amp; Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research &amp; Applications STMicroelectronics S.r.l. 2018/12/06 Agenda 2 STM32 Nucleo Boards STM32 Firewall Cache-Timing Attack Evict&amp;Time vs. MbedTLS AES on STM32

477 views • 20 slides
Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie Xiong and Jakub Szefer Yale University HASP June 2, 2018 Memory System Cache Memory CPU Typical set-associative cache sets ways cache

640 views • 25 slides
Towards a Framework for Responsible Timing Dr. Joo Geada CLK Design Automation CLK

Towards a Framework for Responsible Timing Dr. Joo Geada CLK Design Automation CLK

Towards a Framework for Responsible Timing Dr. Joo Geada CLK Design Automation CLK Confidential &amp; Proprietary 1 About CLKDA q Leaders in Variance Analysis market, technology, expertise q FX is the first transistor

428 views • 14 slides
LLVM: A Compila ilation Framework for Lifelong Progr for Lifelong Progr gram Analysis and gram

LLVM: A Compila ilation Framework for Lifelong Progr for Lifelong Progr gram Analysis and gram

Systems and Internet Infrastructure Security ity Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA LLVM: A Compila ilation Framework for Lifelong Progr for

573 views • 21 slides
Use of the LLVM framework for the MSIL code generation Artur PIETREK artur.pietrek@imag.fr

Use of the LLVM framework for the MSIL code generation Artur PIETREK artur.pietrek@imag.fr

Outline PhD thesis MSIL Motivation Introduction to LLVM LLVM MSIL code generator Plans for the future Reference Use of the LLVM framework for the MSIL code generation Artur PIETREK artur.pietrek@imag.fr VERIMAG Kalray (Montbonnot) DCS

350 views • 22 slides
1 Global Value Numbering Global Value Numbering (cont) How do we handle control flow? Idea

1 Global Value Numbering Global Value Numbering (cont) How do we handle control flow? Idea

LLVM Compiler Infrastructure Reuse Optimization Source: LLVM: A Compilation Framework for Lifelong Program Analysis &amp; Transformation by Lattner and Adve Idea Eliminate redundant operations in the dynamic execution of instructions

566 views • 5 slides
LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM

LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM

A unique processor architecture meeting LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM devroom Compiling with LLVM High-Level Programming Language LLVM LLVM Front-end LLVM Assembly / IR LLVM

434 views • 22 slides
1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

Cache Performance Metrics Cache miss rate: number of cache misses divided by number of accesses Lecture 14: Hardware Approaches for Cache Optimizations Cache hit time: the time between sending address and data returning from cache Cache

608 views • 4 slides
EECS 388: Embedded Systems 10. Timing Analysis Heechul Yun 1 Agenda Execution time analysis

EECS 388: Embedded Systems 10. Timing Analysis Heechul Yun 1 Agenda Execution time analysis

EECS 388: Embedded Systems 10. Timing Analysis Heechul Yun 1 Agenda Execution time analysis Static timing analysis Measurement based timing analysis 2 Execution Time Analysis Will my brake-by-wire system actuate the brakes

1.31k views • 37 slides
llvm.mix multi-stage compiler-assisted specializer generator built on LLVM Eugene Sharygin 1

llvm.mix multi-stage compiler-assisted specializer generator built on LLVM Eugene Sharygin 1

llvm.mix multi-stage compiler-assisted specializer generator built on LLVM Eugene Sharygin 1 February 3, 2019 1 eush77@gmail.com Introduction llvm.mix Binding-Time Analysis Dynamic Control Examples Summary Interpreters and Compilers

1.33k views • 62 slides
CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded Systems (CHES) 2019 Alejandro Cabrera Aldaya 1 , Cesar Pereida Garca 2 , Luis Manuel Alvarez Tapia 1 , Billy Bob Brumley 2 , {aldaya,

371 views • 21 slides
Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM

Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM

Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM There are two possible goals Run LLVM tools on OS Generate code for OS / CPU architecture Mission is to run LLVM on previously unsupported

603 views • 11 slides
Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This paper reports successful Thanks to: extraction of a complete AES key University of Illinois at Chicago from a network server NSF CCR9983950 on

1.28k views • 91 slides
Implementing an LLVM based D ynamic B inary I nstrumentation framework Charles Hubain Cdric

Implementing an LLVM based D ynamic B inary I nstrumentation framework Charles Hubain Cdric

Implementing an LLVM based D ynamic B inary I nstrumentation framework Charles Hubain Cdric Tessier Introduction to Instrumentation 34c3 - Implementing an LLVM based DBI framework 2 What is Instrumentation? Transformation of a program

769 views • 65 slides
The Auspicious Couple: Symbolic Execution Jens Knoop, Laura Kov acs, and WCET Analysis

The Auspicious Couple: Symbolic Execution Jens Knoop, Laura Kov acs, and WCET Analysis

The Auspicious Couple: Symbolic Execution and WCET Analysis Armin Biere, The Auspicious Couple: Symbolic Execution Jens Knoop, Laura Kov acs, and WCET Analysis Jakob Zwirchmayr Motivation Armin Biere, Jens Knoop, Laura Kov acs,

1.38k views • 49 slides
Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014, Vienna, 17 July 2014 Dynamic Symbolic Execution Automated program analysis technique that employs an SMT solver to systematically explore paths

503 views • 39 slides
Pushdown Automata Context Free Languages IV Input tape 1 2 Pushdown Automata 3 5 4 State

Pushdown Automata Context Free Languages IV Input tape 1 2 Pushdown Automata 3 5 4 State

Pushdown Automata Context Free Languages IV Input tape 1 2 Pushdown Automata 3 5 4 State machine Stack Plan for today Pushdown Automata Introduction to Pushdown Automata The stack The stack has its own alphabet

335 views • 8 slides
Potential &amp; Field Potential &amp; Field Chapter 30. Reading Quizzes Chapter 30. Reading

Potential &amp; Field Potential &amp; Field Chapter 30. Reading Quizzes Chapter 30. Reading

Chapter 30 Potential &amp; Field Potential &amp; Field Chapter 30. Reading Quizzes Chapter 30. Reading Quizzes 2 1 What quantity is represented by What quantity is represented by the symbol ? the symbol ? A. Electronic potential A.

392 views • 17 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still missed Rare features Rare circumstances Nondeterminism Static analysis Can analyze all possible runs of a program An explosion

597 views • 25 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides

More recommend