Ascertaining Uncertainty for Efficient Exact Cache Analysis

  • Valentin TouzeauEmail author
  • Claire Maïza
  • David Monniaux
  • Jan Reineke
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10427)


Static cache analysis characterizes a program’s cache behavior by determining in a sound but approximate manner which memory accesses result in cache hits and which result in cache misses. Such information is valuable in optimizing compilers, worst-case execution time analysis, and side-channel attack quantification and mitigation.

Cache analysis is usually performed as a combination of “must” and “may” abstract interpretations, classifying instructions as either “always hit”, “always miss”, or “unknown”. Instructions classified as “unknown” might result in a hit or a miss depending on program inputs or the initial cache state. It is equally possible that they do in fact always hit or always miss, but the cache analysis is too coarse to see it.

Our approach to eliminate this uncertainty consists in (i) a novel abstract interpretation able to ascertain that a particular instruction may definitely cause a hit and a miss on different paths, and (ii) an exact analysis, removing all remaining uncertainty, based on model checking, using abstract-interpretation results to prune down the model for scalability. We evaluated our approach on a variety of examples; it notably improves precision upon classical abstract interpretation at reasonable cost.


  1. 1.
    Bernstein, D.J.: Cache-timing attacks on AES (2005).
  2. 2.
    Canteaut, A., Lauradoux, C., Seznec, A.: Understanding cache attacks. Technical report 5881, INRIA, April 2006.
  3. 3.
    Cavada, R., et al.: The nuXmv symbolic model checker. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 334–342. Springer, Cham (2014). doi: 10.1007/978-3-319-08867-9_22 Google Scholar
  4. 4.
    Chattopadhyay, S., Roychoudhury, A.: Scalable and precise refinement of cache timing analysis via path-sensitive verification. Real-Time Syst. 49(4), 517–562 (2013). CrossRefzbMATHGoogle Scholar
  5. 5.
    Chu, D., Jaffar, J., Maghareh, R.: Precise cache timing analysis via symbolic execution. In: 2016 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), Vienna, Austria, 11–14 April 2016, pp. 293–304. IEEE Computer Society (2016).
  6. 6.
    Clarkson, M.R., Schneider, F.B.: Hyperproperties. In: Proceedings of the 21st IEEE Computer Security Foundations Symposium, CSF 2008, Pittsburgh, Pennsylvania, 23–25 June 2008, pp. 51–65 (2008).
  7. 7.
    Doychev, G., Köpf, B., Mauborgne, L., Reineke, J.: CacheAudit: a tool for the static analysis of cache side channels. ACM Trans. Inf. Syst. Secur. 18(1), 4:1–4:32 (2015). CrossRefGoogle Scholar
  8. 8.
    Falk, H., Altmeyer, S., Hellinckx, P., Lisper, B., Puffitsch, W., Rochange, C., Schoeberl, M., Sorensen, R.B., Wägemann, P., Wegener, S.: TACLeBench: a benchmark collection to support worst-case execution time research. In: 16th International Workshop on Worst-Case Execution Time Analysis, WCET 2016, Toulouse, France, 5 July 2016, pp. 2:1–2:10 (2016).
  9. 9.
    Ferdinand, C., Wilhelm, R.: Efficient and precise cache behavior prediction for real-time systems. Real-Time Syst. 17(2–3), 131–181 (1999)CrossRefGoogle Scholar
  10. 10.
    Lundqvist, T., Stenström, P.: Timing anomalies in dynamically scheduled microprocessors. In: 20th IEEE Real-Time Systems Symposium (RTSS) (1999)Google Scholar
  11. 11.
    Lv, M., Guan, N., Reineke, J., Wilhelm, R., Yi, W.: A survey on static cache analysis for real-time systems. Leibniz Trans. Embedded Syst. 3(1), 05:1–05:48 (2016). Google Scholar
  12. 12.
    Lv, M., Yi, W., Guan, N., Yu, G.: Combining abstract interpretation with model checking for timing analysis of multicore software. In: Proceedings of the 31st IEEE Real-Time Systems Symposium, RTSS 2010, San Diego, California, USA, 30 November–3 December 2010, pp. 339–349. IEEE Computer Society (2010).
  13. 13.
    Metta, R., Becker, M., Bokil, P., Chakraborty, S., Venkatesh, R.: TIC: a scalable model checking based approach to WCET estimation. In: Kuo, T., Whalley, D.B. (eds.) Proceedings of the 17th ACM SIGPLAN/SIGBED Conference on Languages, Compilers, Tools, and Theory for Embedded Systems, LCTES 2016, Santa Barbara, CA, USA, 13–14 June 2016, pp. 72–81. ACM (2016).
  14. 14.
    Monniaux, D., Gonnord, L.: Using bounded model checking to focus fixpoint iterations. In: Yahav, E. (ed.) SAS 2011. LNCS, vol. 6887, pp. 369–385. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-23702-7_27 CrossRefGoogle Scholar
  15. 15.
    Mowery, K., Keelveedhi, S., Shacham, H.: Are AES x86 cache timing attacks still feasible? In: Cloud Computing Security Workshop, pp. 19–24. ACM, New York (2012)Google Scholar
  16. 16.
    Reineke, J.: Caches in WCET analysis: predictability, competitiveness, sensitivity. Ph.D. thesis, Universität des Saarlandes (2008)Google Scholar
  17. 17.
    Reineke, J., et al.: A definition and classification of timing anomalies. In: 6th International Workshop on Worst-Case Execution Time Analysis (WCET), July 2006Google Scholar
  18. 18.
    Rival, X., Mauborgne, L.: The trace partitioning abstract domain. ACM Trans. Program. Lang. Syst. (TOPLAS) 29(5), 26 (2007)CrossRefGoogle Scholar
  19. 19.
    Touzeau, V., Maiza, C., Monniaux, D., Reineke, J.: Ascertaining uncertainty for efficient exact cache analysis. Technical report TR-2017-2, VERIMAG (2017)Google Scholar
  20. 20.
    Wilhelm, R., Engblom, J., Ermedahl, A., Holsti, N., Thesing, S., Whalley, D.B., Bernat, G., Ferdinand, C., Heckmann, R., Mitra, T., Mueller, F., Puaut, I., Puschner, P.P., Staschulat, J., Stenström, P.: The worst-case execution-time problem - overview of methods and survey of tools. ACM Trans. Embedded Comput. Syst. 7(3) (2008). Article 36Google Scholar
  21. 21.
    Wulf, W.A., McKee, S.A.: Hitting the memory wall: implications of the obvious. SIGARCH Comput. Archit. News 23(1), 20–24 (1995). CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Valentin Touzeau
    • 1
    • 2
    Email author
  • Claire Maïza
    • 1
    • 2
  • David Monniaux
    • 1
    • 2
  • Jan Reineke
    • 3
  1. 1.Univ. Grenoble Alpes, VERIMAGGrenobleFrance
  2. 2.CNRS, VERIMAGGrenobleFrance
  3. 3.Saarland UniversitySaarbrückenGermany

Personalised recommendations