Author: Shengjian (Daniel) Guo
Email : [email protected]

This repository contains artifacts for the FSE'18 paper "Adversarial Symbolic Execution for Detecting Concurrency-Related Cache Timing Leaks". It consists of following files:

• The SymSC symbolic execution tool for the cache side-channel leak detection.
• The benchmarks used in Table 3, Table 4 and Table 5 in our paper.
• The scripts running these benchmarks for the experimental data collection.
• The supporting documents (README.md, INSTALL.md, LICENSE and CONTACT.md).

Please prepare a clean Ubuntu 12.04 64-bit Desktop Operating System. You can either download an iso file from http://releases.ubuntu.com/12.04/, or use the VirtualBox to run a prepared Ubuntu image from https://www.osboxes.org/ubuntu/.

Assume you’ve already installed the Ubuntu system successfully. Then clone the repository to your own computer. Here we just assume you checkout it to your home directory.

cd
git clone [email protected]:DanielGuoVT/symsc.git

Next, please refer to the INSTALL.md to install our tool.

After the installation, please go to the benchmark directory and compile the benchmarks:

csc
../build/gyp_testing_targets
../build/make_all

Some benchmarks have the same name in our paper and they are differentiated by the name-suffixes as following:

I also created five script files (also in the benchmark directory) for the experimental data collection.
You can directly run them (no parameters required) to generate data tables:

genTable3.sh： generates table3.csv which provides the data  for Table 3 in the paper.  
genTable4-precise.sh： generate the data (table4-precise.csv) for the “Precise” columns in Table 4.  
genTable4-twostep.sh： generate the data (table4-twostep.csv) for the “Two-Step” columns in Table 4.  
genTable5-precise.sh： generate the data (table5-precise.csv) for the “Precise” columns in Table 5.  
genTable5-twostep.sh： generate the data (table5-twostep.csv) for the “Two-Step” columns in Table 5.  

If any execution of a benchmark goes wrong, you can simply enter the benchmark directory and re-run it individually.
E.g., assume “aes” goes wrong, then you please run it again with the following commands:

csc
cd aes

For the precise approach with fixed-address please run:

cp aes.c.precise aes.c
./usc-run  -precise  -fixed  -max-time=96000

For the precise approach with symbolic-address please run:

cp aes.c.precise aes.c
./usc-run  -precise  -max-time=96000

For the two-step approach with fixed-address please run:

cp aes.c.twostep aes.c
./usc-run  -fixed  -max-time=96000

For the two-step approach with symbolic-address please run:

cp aes.c.twostep aes.c
./usc-run  -max-time=96000

Note: Important options:

• -max-time option specifies timeout time for an execution in second. The side-channel analysis is extremely heavy in symbolic-address mode, and I set 1600 minutes as the timeout threshold in experiment.
• In the provided 5 scripts, you can also freely alternate the -max-time value to set global timeout threshold for each benchmark.
• Please assign the virtual machine as much computing resources as possible to finish all the executions.

For each execution, our tool generates several log files for the execution information:

• log.precise-fixed: log file for the precise approach with fixed-address.
• log.precise-symbolic: log file for the precise approach with symbolic-address.
• log.twostep-fixed: log file for the two-step approach with fixed-address.
• log.twostep-symbolic: log file for the two-step approach with symbolic-address.
• log.Inter: the number of the generated interleavings.
• log.Fail: the number of failed 1st-step tries in the two-step approach.
• log.Test: the number of valid tests.
• log.maxaccs: the actual number of memory accesses during execution.
• log.time: the execution start/end time.
• log.ks: the size of the symbolic key in execution.

All the benchmarks are pre-configured with gyp and the path of the global gyp file is:

/path/to/cloud9_root/src/testing_targets/build/all_llvm.gyp