canal a cache timing analysis framework via llvm
play

CANAL: A Cache Timing Analysis Framework via LLVM Transformation - PowerPoint PPT Presentation

Nov 06, 2022 •385 likes •638 views

ASE 2018 CANAL: A Cache Timing Analysis Framework via LLVM Transformation Chungha Sung | Brandon Paulsen | Chao Wang Software verification & analysis Checking Functional Model properties Checking Ex) Abstract assert(x > 1);

  1. ASE 2018 CANAL: A Cache Timing Analysis Framework via LLVM Transformation Chungha Sung | Brandon Paulsen | Chao Wang

  2. Software verification & analysis Checking Functional Model properties Checking Ex) Abstract assert(x > 1); Interpretation Symbolic Execution

  3. Software verification & analysis Non-functional Properties Model e.g. Cache behavior Checking Ex) Abstract The number of Interpretation cache misses? Symbolic Execution

  4. Software verification & analysis Model Checking You’d have to Abstract change each of Interpretation these tools to model cache behavior Symbolic Execution

  5. CANAL Model Checking Abstract Interpretation Symbolic LLVM-Transformation Execution 1. Now, cache (and other non-functional) properties can be handled by existing verifiers 2. General (not tool-specific) cache modeling framework

  6. Overview Memory Layout C/C++ Clang LLVM Instrumented Code Bitcode LLVM Pass LLVM Bitcode Code Instrumentation & Cache Computation Header Cache cSim.h Configure generator Verification tools (SMACK, KLEE, Crab- llvm etc.) Canal process

  7. Code instrumentation T = Y; (Inserted function calls below) __CSIM_Load (address set of “Y”, address tags of “Y”); __CSIM_Store (address set of “T”, address tags of “T”); Code instrumentation is done at the LLVM-Bitcode level

  8. Outline ▪ Motivation ▪ Code Instrumentation ▪ Usages ▪ Use CANAL as a simulator (omitted) ▪ Use CANAL with Symbolic execution tool ▪ Use CANAL with Static analysis tool ▪ Use CANAL with Software verification tool ▪ Conclusion

  9. Usage 1 – Symbolic execution tool CANAL Instrumented LLVM Bitcode Symbolic execution tools (e.g Klee) Check if there exist two inputs that lead to different cache stats (Side-channel leakage)

  10. Usage 1 – Symbolic execution tool (Cont’d) klee_make_symbolic(&input1); klee_make_symbolic(&input2); __CSIM_init_cache(); call_program1(input1); h1 = __CSIM_num_hit; m1 = __CSIM_num_miss; __CSIM_init_cache(); call_program1(input2); h2 = __CSIM_num_hit; m2 = __CSIM_num_miss; assert(h1 == h2 && m1 == m2);

  11. Usage 1 – Symbolic execution tool (Cont’d) klee_make_symbolic(&input1); Define symbolic inputs klee_make_symbolic(&input2); __CSIM_init_cache(); call_program1(input1); h1 = __CSIM_num_hit; m1 = __CSIM_num_miss; __CSIM_init_cache(); call_program1(input2); h2 = __CSIM_num_hit; m2 = __CSIM_num_miss; assert(h1 == h2 && m1 == m2);

  12. Usage 1 – Symbolic execution tool (Cont’d) klee_make_symbolic(&input1); klee_make_symbolic(&input2); __CSIM_init_cache(); Cache status initialization Input 1 call_program1(input1); Run program and get cache stats h1 = __CSIM_num_hit; m1 = __CSIM_num_miss; __CSIM_init_cache(); call_program1(input2); h2 = __CSIM_num_hit; m2 = __CSIM_num_miss; assert(h1 == h2 && m1 == m2);

  13. Usage 1 – Symbolic execution tool (Cont’d) klee_make_symbolic(&input1); klee_make_symbolic(&input2); __CSIM_init_cache(); call_program1(input1); h1 = __CSIM_num_hit; m1 = __CSIM_num_miss; __CSIM_init_cache(); Cache status initialization Input 2 call_program1(input2); h2 = __CSIM_num_hit; Run program and get cache stats m2 = __CSIM_num_miss; assert(h1 == h2 && m1 == m2);

  14. Usage 1 – Symbolic execution tool (Cont’d) klee_make_symbolic(&input1); klee_make_symbolic(&input2); __CSIM_init_cache(); call_program1(input1); h1 = __CSIM_num_hit; m1 = __CSIM_num_miss; __CSIM_init_cache(); call_program1(input2); h2 = __CSIM_num_hit; m2 = __CSIM_num_miss; assert(h1 == h2 && m1 == m2); Check stats are the same

  15. Usage 2 – Software verification tool CANAL Instrumented LLVM Bitcode Software verification tool (e.g SMACK) Check if a memory read or write always leads to cach hit/miss (MUST hit/miss analysis)

  16. Usage 2 – Software verification tool ( Con’d ) if (cond) buffer[0] = 1; else buffer[16] = 1; x = buffer[2]; h = __CSIM_Load_ret; assert (h == true); Check: Read of buffer[2] always leads to cache hit?

  17. Usage 2 – Software verification tool ( Con’d ) if (cond) buffer[0] = 1; else buffer[0] and buffer[16] are in different cache line buffer[16] = 1; x = buffer[2]; h = __CSIM_Load_ret; assert (h == true);

  18. Usage 2 – Software verification tool ( Con’d ) if (cond) buffer[0] = 1; else buffer[16] = 1; x = buffer[2]; h = __CSIM_Load_ret; buffer[2] will be the first cache line access when the branch was not taken. assert (h == true);

  19. Usage 2 – Software verification tool ( Con’d ) if (cond) buffer[0] = 1; else buffer[16] = 1; x = buffer[2]; h = __CSIM_Load_ret; assert ( h == true); Read the cache status of the last Load/Store operation

  20. Usage 3 – Static analysis tool CANAL Instrumented LLVM Bitcode Static analysis tool (e.g Crab-llvm) Compute invariants over cache stats (e.g., min/max of cache hits/misses)

  21. Usage 3 – Static analysis tool ( Con’d ) if (cond) buffer[0] = 1; else buffer[16] = 1; buffer[2] = 1; s_h = __CSIM_num_Store_hit; s_m = __CSIM_num_Store_miss; assert (s_h > 1); assert (s_m < 3); assert (s_h + s_m == 2);

  22. Usage 3 – Static analysis tool ( Con’d ) if (cond) buffer[0] = 1; else buffer[16] = 1; buffer[2] = 1; s_h = __CSIM_num_Store_hit; s_m = __CSIM_num_Store_miss; assert ( s_h > 1); assert ( s_m < 3); assert ( s_h + s_m == 2); Check invariants over the number of cache hits and misses.

  23. Conclusions • Proposed a unified framework for modeling cache behaviors through LLVM-transformation • CANAL can be used as a simulator without losing accuracy • CANAL can be used tougher with various software verification tools

  24. Thank you! https://github.com/canalcache/canal

Recommend

Mitigating Software Instrumentation Cache Effects in Measurement-Based Timing Analysis 1 Enrique

Mitigating Software Instrumentation Cache Effects in Measurement-Based Timing Analysis 1 Enrique

Mitigating Software Instrumentation Cache Effects in Measurement-Based Timing Analysis 1 Enrique Daz 1,2 , Jaume Abella 2 , Enrico Mezzetti 2 , 4 Irune Agirre 3 , Mikel Azkarate-Askasua 3 , 2 Tullio Vardanega 4 , Francisco J. Cazorla 2,5 5 3

545 views • 25 slides
A Cache Timing Analysis of HC-256 Erik Zenner Technical University Denmark (DTU) Institute for

A Cache Timing Analysis of HC-256 Erik Zenner Technical University Denmark (DTU) Institute for

A Cache Timing Analysis of HC-256 Erik Zenner Technical University Denmark (DTU) Institute for Mathematics e.zenner@mat.dtu.dk SAC 2008, Aug. 14, 2008 Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 1 / 25

293 views • 25 slides
Cache-Timing Attacks Matteo BOCCHI System Research &amp; Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research &amp; Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research &amp; Applications STMicroelectronics S.r.l. 2018/12/06 Agenda 2 STM32 Nucleo Boards STM32 Firewall Cache-Timing Attack Evict&amp;Time vs. MbedTLS AES on STM32

477 views • 20 slides
Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie Xiong and Jakub Szefer Yale University HASP June 2, 2018 Memory System Cache Memory CPU Typical set-associative cache sets ways cache

640 views • 25 slides
Towards a Framework for Responsible Timing Dr. Joo Geada CLK Design Automation CLK

Towards a Framework for Responsible Timing Dr. Joo Geada CLK Design Automation CLK

Towards a Framework for Responsible Timing Dr. Joo Geada CLK Design Automation CLK Confidential &amp; Proprietary 1 About CLKDA q Leaders in Variance Analysis market, technology, expertise q FX is the first transistor

428 views • 14 slides
LLVM: A Compila ilation Framework for Lifelong Progr for Lifelong Progr gram Analysis and gram

LLVM: A Compila ilation Framework for Lifelong Progr for Lifelong Progr gram Analysis and gram

Systems and Internet Infrastructure Security ity Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA LLVM: A Compila ilation Framework for Lifelong Progr for

573 views • 21 slides
Use of the LLVM framework for the MSIL code generation Artur PIETREK artur.pietrek@imag.fr

Use of the LLVM framework for the MSIL code generation Artur PIETREK artur.pietrek@imag.fr

Outline PhD thesis MSIL Motivation Introduction to LLVM LLVM MSIL code generator Plans for the future Reference Use of the LLVM framework for the MSIL code generation Artur PIETREK artur.pietrek@imag.fr VERIMAG Kalray (Montbonnot) DCS

350 views • 22 slides
1 Global Value Numbering Global Value Numbering (cont) How do we handle control flow? Idea

1 Global Value Numbering Global Value Numbering (cont) How do we handle control flow? Idea

LLVM Compiler Infrastructure Reuse Optimization Source: LLVM: A Compilation Framework for Lifelong Program Analysis &amp; Transformation by Lattner and Adve Idea Eliminate redundant operations in the dynamic execution of instructions

566 views • 5 slides
LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM

LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM

A unique processor architecture meeting LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM devroom Compiling with LLVM High-Level Programming Language LLVM LLVM Front-end LLVM Assembly / IR LLVM

435 views • 22 slides
1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

Cache Performance Metrics Cache miss rate: number of cache misses divided by number of accesses Lecture 14: Hardware Approaches for Cache Optimizations Cache hit time: the time between sending address and data returning from cache Cache

608 views • 4 slides
EECS 388: Embedded Systems 10. Timing Analysis Heechul Yun 1 Agenda Execution time analysis

EECS 388: Embedded Systems 10. Timing Analysis Heechul Yun 1 Agenda Execution time analysis

EECS 388: Embedded Systems 10. Timing Analysis Heechul Yun 1 Agenda Execution time analysis Static timing analysis Measurement based timing analysis 2 Execution Time Analysis Will my brake-by-wire system actuate the brakes

1.31k views • 37 slides
llvm.mix multi-stage compiler-assisted specializer generator built on LLVM Eugene Sharygin 1

llvm.mix multi-stage compiler-assisted specializer generator built on LLVM Eugene Sharygin 1

llvm.mix multi-stage compiler-assisted specializer generator built on LLVM Eugene Sharygin 1 February 3, 2019 1 eush77@gmail.com Introduction llvm.mix Binding-Time Analysis Dynamic Control Examples Summary Interpreters and Compilers

1.33k views • 62 slides
CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded Systems (CHES) 2019 Alejandro Cabrera Aldaya 1 , Cesar Pereida Garca 2 , Luis Manuel Alvarez Tapia 1 , Billy Bob Brumley 2 , {aldaya,

373 views • 21 slides
Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM

Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM

Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM There are two possible goals Run LLVM tools on OS Generate code for OS / CPU architecture Mission is to run LLVM on previously unsupported

603 views • 11 slides
Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This paper reports successful Thanks to: extraction of a complete AES key University of Illinois at Chicago from a network server NSF CCR9983950 on

1.28k views • 91 slides
Implementing an LLVM based D ynamic B inary I nstrumentation framework Charles Hubain Cdric

Implementing an LLVM based D ynamic B inary I nstrumentation framework Charles Hubain Cdric

Implementing an LLVM based D ynamic B inary I nstrumentation framework Charles Hubain Cdric Tessier Introduction to Instrumentation 34c3 - Implementing an LLVM based DBI framework 2 What is Instrumentation? Transformation of a program

769 views • 65 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

599 views • 13 slides
Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Introduction to Digital VLSI Logic Synthesis Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups according to the clock associated with the endpoint of the path. There is a default path group that

541 views • 18 slides
Plan Hierarchical memories and their impact on our programs 1 Cache Memories, Cache Complexity

Plan Hierarchical memories and their impact on our programs 1 Cache Memories, Cache Complexity

Plan Hierarchical memories and their impact on our programs 1 Cache Memories, Cache Complexity Cache Analysis in Practice 2 Marc Moreno Maza The Ideal-Cache Model 3 University of Western Ontario, London, Ontario (Canada) Cache Complexity

632 views • 25 slides
Design and Implementation of a TriCore Backend for the LLVM Compiler Framework Studienarbeit

Design and Implementation of a TriCore Backend for the LLVM Compiler Framework Studienarbeit

Design and Implementation of a TriCore Backend for the LLVM Compiler Framework Studienarbeit Christoph Erhardt Friedrich-Alexander-Universit at Erlangen-N urnberg November 20, 2009 A TriCore Backend for LLVM (November 20, 2009) 1 25

716 views • 35 slides
rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at

rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at

rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at Politecnico di Milano LLVM developers meeting 2016 November 3, 2016 Index Introduction A peek inside Recovery of switch cases Function detection

908 views • 53 slides
A Compact and Accurate Timing Macro Model for Efficient Hierarchical Timing Analysis Pei-Yu Lee ,

A Compact and Accurate Timing Macro Model for Efficient Hierarchical Timing Analysis Pei-Yu Lee ,

A Compact and Accurate Timing Macro Model for Efficient Hierarchical Timing Analysis Pei-Yu Lee , Iris Hui-Ru Jiang, Ting-You Yang National Chiao Tung University Outline Introduction Problem Formulation Proposed Algorithm

808 views • 36 slides
Cache-aware Scheduling and Performance Modeling with LLVM-Polly and Kerncraft Julian Hammer

Cache-aware Scheduling and Performance Modeling with LLVM-Polly and Kerncraft Julian Hammer

Cache-aware Scheduling and Performance Modeling with LLVM-Polly and Kerncraft Julian Hammer [RRZE] &lt;julian.hammer@fau.de&gt;, Johannes Doerfert [UdS] &lt;doerfert@cs.uni-saarland.de&gt;, Georg Hager [RRZE], Gerhard Wellein [RRZE] and

631 views • 35 slides
The Many Faces of Instrumentation: Debugging and Better Performance using LLVM in HPC What are

The Many Faces of Instrumentation: Debugging and Better Performance using LLVM in HPC What are

The Many Faces of Instrumentation: Debugging and Better Performance using LLVM in HPC What are LLVM, Clang, and Flang? How is LLVM Being Improved for HPC. What Facilities for Tooling Exist in LLVM? Opportunities for the Future!

572 views • 38 slides

More recommend