Bounded Model Checking of Speculative Non-Interference

Spectre, a hardware vulnerability that breaks the isolation between applications, has received ample attention in recent years. Spectre-style attacks exploit speculative execution to leak information through micro-architectural side-channels, breaking down abstractions software developers relied on for decades. As these attacks are based on fundamental optimization techniques present in most modern micro-processors, salvation seems to lie in software-based countermeasures for now. Comprehensive software mitigation, however, has proved to be an exceptionally challenging task with ample of room for failure. To support the automated analysis of mitigation attempts, we present a technique that relies on Bounded Model Checking to detect violations of non-interference in speculative executions. Since off-the-shelf software model checking tools are nescient of micro-architectural state, we base our effort on an operational semantics of speculative executions of micro-assembly code. Our semantics is parameterized with micro-architectural components (such as the cache or the branch predictor), allowing for precise models of various side-channels. We evaluate our approach on widely used benchmark instances, report the detection of a zeroday vulnerability in the Linux kernel, and demonstrate that our approach is more exhaustive than symbolic simulation (with comparable computational effort).