Paper 2012/034

Automatic Quantification of Cache Side-Channels

Boris Köpf, Laurent Mauborgne, and Martin Ochoa


The latency gap between caches and main memory has been successfully exploited for recovering sensitive input to programs, such as cryptographic keys from implementation of AES and RSA. So far, there are no practical general-purpose countermeasures against this threat. In this paper we propose a novel method for automatically deriving upper bounds on the amount of information about the input that an adversary can extract from a program by observing the CPU's cache behavior. At the heart of our approach is a novel technique for efficient counting of concretizations of abstract cache states that enables us to connect state-of-the-art techniques for static cache analysis and quantitative information-flow. We implement our counting procedure on top of the AbsInt TimingExplorer, one of the most advanced engines for static cache analysis. We use our tool to perform a case study where we derive upper bounds on the cache leakage of a 128-bit AES executable on an ARM processor with a realistic cache configuration. We also analyze this implementation with a commonly suggested (but until now heuristic) countermeasure applied, obtaining a formal account of the corresponding increase in security.

Available format(s)
Publication info
Published elsewhere. Unknown where it was published
Cache AttacksQuantitative Information-flow AnalysisAES
Contact author(s)
boris koepf @ imdea org
2012-02-16: revised
2012-01-29: received
See all versions
Short URL
Creative Commons Attribution


      author = {Boris Köpf and Laurent Mauborgne and Martin Ochoa},
      title = {Automatic Quantification of Cache Side-Channels},
      howpublished = {Cryptology ePrint Archive, Paper 2012/034},
      year = {2012},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.