Spectre Cache Analysis

Cache speculation analysis for detecting Spectre vulnerabilities related to cache timing side-channels.

Headers: include/Analysis/Spectre

Implementation: lib/Analysis/Spectre

Overview

The Spectre analysis module provides cache modeling and speculation analysis to detect potential cache-based side-channel vulnerabilities. It simulates cache behavior to identify cases where secret data may leak through cache timing differences.

Main Components

CacheModel

File: CacheModel.cpp

Models cache behavior with configurable parameters:

  • Cache line size: Size of each cache line (default: 16 bytes)

  • Number of cache lines: Total number of cache lines (default: 32)

  • Number of sets: Number of cache sets for set-associative caches

  • Associativity: Cache lines per set

Features:

  • Tracks which memory addresses are in cache

  • Simulates cache hits and misses

  • Records access patterns for analysis

  • Supports both must-hit and may-miss analysis modes

CacheSpecuAnalysis

File: CacheSpecuAnalysis.cpp

Performs speculative cache analysis to detect potential Spectre vulnerabilities.

Analysis Flow:

  1. Initialization: Builds cache model from function arguments and global variables

  2. Cache Simulation: Simulates cache behavior for memory accesses

  3. Speculative Analysis: Analyzes speculative execution paths

  4. Leak Detection: Identifies potential cache timing leaks

Key Methods:

  • InitModel() – Initializes cache model with function parameters and globals

  • SpecuSim() – Simulates speculative cache behavior between basic blocks

  • IsValueInCache() – Checks if a value is currently in cache

  • visitLoadInst() – Processes load instructions and updates cache state

Configuration:

The analysis supports several configuration options:

  • MissSpecuDepth: Maximum depth for speculative miss analysis

  • MergeOption: Option for merging cache states

  • Cache parameters: line size, number of lines, number of sets

Usage

The Spectre analysis is typically used as part of security analysis pipelines to detect cache-based side-channel vulnerabilities.

Typical use cases:

  • Detecting Spectre-variant vulnerabilities

  • Analyzing cache timing side-channels

  • Security auditing of cryptographic code

  • Verifying constant-time implementations

Dependencies:

  • Dominator Tree analysis

  • Post-Dominator Tree analysis

  • Alias Analysis

Limitations:

  • Analysis is intra-procedural (function-level)

  • Requires precise alias analysis for accurate results

  • Cache model is simplified compared to real hardware