Abstract Program Simulation

In general, we cannot compute the state collecting path semantics due to the finite but infeasibly large number of states in the finite automaton. We thus translate the problem from the set of concrete states S to an abstract domain ˆS with the partial order v.

We need to relate the abstract with the concrete domain to argue about the soundness of abstract state semantics with respect to the concrete state semantics. For this purpose we require a monotonestate concretization function γ : ˆS →2^S mapping

an abstract state to a set of concrete states. The monotonicity of γ guarantees that the partial order v on ˆS arranges abstract states according to their precision. So for any a, b ∈ ˆS with a v b it holds γ(a) ⊆ γ(b). The abstract state a is more precise than the abstract state b because it describes fewer concrete states. We require the state concretization function γ to be both execution-deterministic and action-deterministic to be able to determine whether an instruction is about to finish execution in an abstract hardware state.

Definition 3.6(Execution-Deterministic)

Let G = (V , v_s, E) be a CFG. A state concretization function γ : ˆS →2^S is execution-deterministic iff for any instruction v ∈ V and any abstract state ˆs ∈ ˆS it holds that all corresponding concrete states either do execute v, written ˆs B v, or do not execute v, written ˆs 7 v. This yields ˆs B v ⇔ ∀s ∈ γ(ˆs).s B v and ˆs 7 v ⇔ ∀s ∈ γ(ˆs).s 7 v.

Definition 3.7(Action-Deterministic)

Let G = (V , v_s, E) be a CFG and Λ be a non-empty alphabet of actions. A state concretiza-tion funcconcretiza-tion γ : ˆS →2^S is action-deterministic iff for any states ˆs, ˆt, ˆv, ˆw ∈ ˆS and any action λ ∈ Λ all corresponding concrete states are marked with the same action markers.

This yields ( ˆs, ˆt) ` λ ⇔ ∀s ∈ γ( ˆs), t ∈ γ( ˆt).(s, t) ` λ and ( ˆv, ˆw) a_ˆsλ ⇔ ∀v ∈ γ( ˆv), w ∈ γ( ˆw).∃s ∈ γ( ˆs).(v, w) a_sλ.

In this fashion we can determine for any abstract hardware state whether an instruc-tion is being executed. This requirement also ensures that the abstract hardware model keeps track of the progression of the instruction through the processor pipeline. Otherwise the abstract state cannot deterministically decide whether an instruction is being executed or not. Consequently, we require the abstract state transition function to discern between abstract states that arise from disjoint assumptions (e.g., cache hit or cache miss).

Because we partition the abstract state space by requiring γ to be execution- and action-deterministic, we lift the state concretization function γ to γ that accepts sets of abstract states. The function γ retains the monotonicity of γ.

We define γ : 2^Sˆ→2^S, where γ( ˆσ ) := S

ˆs∈ ˆσ

γ( ˆs) for any ˆσ ∈ 2^Sˆ.

Opposed to the concretization function γ, we can define a monotone state abstraction function α : 2^S → 2^Sˆ that computes for a set of concrete states σ ∈ 2^S the (best) corresponding abstract state set in 2^Sˆ. For soundness reasons the functions α and γ should be strongly adjoint (see Definition2.8 on page 20).

Definition 3.8(Abstract State Automaton)

An abstract state automaton is a pair ˆA= ( ˆS, τ_abs). The set ˆS denotes the set of abstract states. The function τ_abs: ˆS →2^Sˆ computes the cycle-wise evolution of abstract states.

3.2 Architectural Analysis

The abstract automaton corresponds to the finite state automaton A = (S, τ), if there exist strongly adjoint state abstraction and state concretization functions α and γ such that γ is execution- and action-deterministic and τ and τ_abs are locally consistent, i.e., for all abstract states ˆs ∈ ˆS it holds τ(γ( ˆs)) ⊆ γ(τ_abs( ˆs)). The abstract state transition function τ_abscomputes a safe approximation of hardware state transitions that can occur in any concrete state transition.

We use the abstract state automaton as a basis for the abstract simulation of the execution of a program. Due to the possible presence of timing anomalies and to entail the full system behavior the abstract state transition may compute several abstract successor states, i.e., |τ_abs( ˆs)| > 1 is possible for some ˆs ∈ ˆS. This is called split. Section3.2.4 on page 43investigates splits in more detail.

Given the abstract state automaton we can now formally define theabstract state transformer as follows.

Definition 3.9(Abstract State Transformer)

Let G = (V , v_s, E) be a CFG, γ an execution-deterministic state concretization func-tion, and ˆA= ( ˆS, τabs)be an abstract state automaton that corresponds to a finite state automaton.

An abstract state transformer step f_τ^B_abs : V → 2^Sˆ→2^Sˆcomputes the effect of instruc-tions on the transition level.

f_τ^B_abs(v)( ˆσ ) :=[

ˆs∈ ˆσ

{ˆt | ˆs B v ∧ ˆt ∈ τabs( ˆs) ∧ ˆt B v } ∪ { ˆs | ˆs 7 v ∨ ∃ˆt ∈ τabs( ˆs). ˆt 7 v }

For a given instruction v ∈ V , the abstract state transformer step eventually reaches a fixed point. Because γ is execution-deterministic and every instruction terminates eventually, there exists an n ∈ N such that f_τ^B_absⁿ(v)( ˆσ ) = f_τ^B_absⁿ⁺¹(v)( ˆσ ). Every abstract state ˆt ∈ f_τ^B_absⁿ(v)( ˆσ ) then describes a situation where v is about to leave the (abstract model of the) processor pipeline.

An abstract state transformer f_τabs : V → 2^Sˆ→2^Sˆ computes the effect of instructions hiding the intermediate abstract state transitions.

f_τabs(v)( ˆσ ) := f_τ^B_absⁿ(v)( ˆσ ) such that n ∈ N ∧ f_τ^B_absⁿ⁺¹(v)( ˆσ ) = f_τ^B_absⁿ(v)( ˆσ )

The abstract state transformer continues to follow abstract state transitions until a set of abstract states is computed where each of the states is about to finish the execution of the occurrence of the instruction v.

Before we formally defineabstract state collecting path semantics, we show that the ab-stract state transformer f_τabs is locally consistent with the state collecting transformer f_τcoll if γ is execution-deterministic and τ and τ_absare locally consistent.

Lemma 3.1(Local Consistency of Abstract State Transformer)

An abstract state transformer f_τabs : V → 2^Sˆ →2^Sˆ is locally consistent with the state collecting transformer f_τcoll : V → S → S if γ is execution-deterministic and τ and τ_abs are locally consistent.

Proof. Let ˆA = ( ˆS, τ_abs) be an abstract state automaton that corresponds to the finite state automaton A = (S, τ) and γ : ˆS →2^S be execution-deterministic. We prove that f_τ^B_abs is locally consistent with f_τ^B. Let G = (V , v_s, E) be a CFG, v ∈ V be an instruction The local consistency between f_τabs and f_τcoll follows by iterating this property.

By means of the abstract state transformer, we can then formally define theabstract state collecting path semantics.

Definition 3.10(Abstract State Collecting Path Semantics)

Let G = (V , v_s, E) be a CFG and f_τabs : V → 2^Sˆ→2^Sˆ be an abstract state transformer. The abstract state collecting path semantics [[π]]_τabs: 2^Sˆ→2^Sˆis defined as:

[[π]]_τabs=( id if π = 

f_τabs(v_n) ◦ [[π⁰]]_τabs if π = π⁰◦v_nis a path

The abstract state collecting path semantics computes the evolution of abstract states during the execution of a path through a program. Considering all paths through a program, the combined evolution of the abstract hardware states can be understood as a graph that contains all possible hardware decisions that can occur according to

3.2 Architectural Analysis

the abstract state automaton. Later we use this representation to determine whether the execution of a program exhibits a timing anomaly.

But first we argue about the soundness of the abstract state collecting path seman-tics.

Lemma 3.2(Soundness of Abstract State Collecting Path Semantics)

The abstract state collecting path semantics is a sound over-approximation of the state collecting path semantics, i.e., for all ˆσ ∈ 2^Sˆit holds ([[π]]_τcoll◦γ)( ˆσ ) ⊆ (γ ◦ [[π]]_τabs)( ˆσ )if γ is execution-deterministic and τ and τabsare locally consistent.

Proof. Proof by structural induction over the path π. Let ˆA = ( ˆS, τ_abs) be an ab-stract state automaton that corresponds to the finite state automaton A = (S, τ) and γ : ˆS →2^S be execution-deterministic. For the empty path, the claim is ob-viously true. For the induction step, we need to show that for any ˆσ ∈ 2^Sˆ it holds ([[π ◦ v_n]]_τcoll◦γ)( ˆσ ) ⊆ (γ ◦ [[π ◦ vn]]_τabs)( ˆσ ).

Let ˆσ ∈ 2^Sˆbe a set of abstract states:

([[π ◦ v_n]]_τcoll◦γ)( ˆσ ) = (f_τcoll(v_n) ◦ [[π]]_τcoll◦γ)( ˆσ ) |_Definition

⊆ (f_τcoll(v_n) ◦ γ ◦ [[π]]_τabs)( ˆσ ) |Induction hypothesis

⊆ (γ ◦ f_τabs(v_n) ◦ [[π]]_τabs)( ˆσ ) |_Lemma3.1

= (γ ◦ [[π ◦ v_n]]_τabs)( ˆσ ) |_Definition