Spectre Cache Analysis

Cache speculation analysis for detecting Spectre vulnerabilities related to cache timing side-channels.

This page documents the dedicated lib/Security/Spectre subsystem inside Lotus’s unified security analysis tree.

Headers: include/Security/Spectre

Implementation: lib/Security/Spectre

Build target: Spectre

Overview

The Spectre module provides Spectre-v1-style speculative cache analysis. It models architectural and speculative cache state to detect execution patterns where speculation can expose secret-dependent cache behavior.

Main Components

CacheModel

Files: CacheModel.cpp and CacheSpecuAnalysis.h

Models cache behavior with configurable parameters:

• Cache line size: Size of each cache line (default: 16 bytes)

• Number of cache lines: Total number of cache lines (default: 32)

• Number of sets: Number of cache sets for set-associative caches

• Associativity: Cache lines per set

Features:

• Tracks abstract memory objects and cache-line occupancy

• Simulates cache hits and misses

• Records speculative versus architectural observations

• Supports merging, widening, and full-cache invalidation helpers

CacheSpecuAnalysis

Files: CacheSpecuAnalysis.cpp, CacheSpecuAnalysis.h

Performs speculative cache analysis to detect potential Spectre vulnerabilities.

Analysis Flow:

1. Initialization: Builds cache state from globals, stack objects, and arguments

2. Architectural Simulation: Computes per-block cache states for ordinary execution

3. Speculative Exploration: Follows branch-dependent speculative windows

4. Observation Comparison: Compares speculative and architectural cache observations

5. Finding Construction: Emits SpectreFinding records for suspicious divergences

Key Methods:

• InitModel(): Initializes the abstract cache model

• SpecuSim(): Explores speculative execution between blocks

• IsValueInCache(): Queries cache state for an instruction

• visitLoadInst(): Updates observations for load instructions

• getResult() / getFindings(): Access structured findings and counters

Configuration:

The analysis supports several configuration options:

• speculation depth

• merge behavior for abstract cache states

• cache parameters such as line size, line count, and set count

Result Model

The public header exposes structured result types:

• SpectreObservation for individual cache-relevant observations

• SpectreFinding for branch-local vulnerability evidence

• SpectreAnalysisResult for aggregated findings and hit/miss counters

Usage

The Spectre analysis is typically used in security auditing pipelines to detect cache-based speculative side-channel vulnerabilities.

Typical use cases:

• Detecting Spectre-variant vulnerabilities

• Analyzing cache timing side-channels

• Security auditing of sensitive low-level code

• Studying speculative divergence in cache behavior

Dependencies:

• Dominator Tree

• Post-Dominator Tree

• Alias Analysis

Limitations:

• Analysis is intra-procedural

• Requires precise alias analysis for accurate results

• Cache model is simplified compared to real hardware

• Focuses on Spectre-v1-style branch/speculation scenarios rather than all speculative-execution variants

Related Components

• Constant-Time Analysis documents the ConstantTime subsystem, which focuses on CT-LLVM-style constant-time checking.

• LIF documents the LIF subsystem for isochronous transformation and taint-driven mitigation.