Instruction Caches in Static WCET Analysis of Artificially Diversified Software

Authors Joachim Fellmuth, Thomas Göthel, Sabine Glesner

Thumbnail PDF


  • Filesize: 470 kB
  • 23 pages

Document Identifiers

Author Details

Joachim Fellmuth
  • Technical University of Berlin, Berlin, Germany
Thomas Göthel
  • Technical University of Berlin, Berlin, Germany
Sabine Glesner
  • Technical University of Berlin, Berlin, Germany

Cite AsGet BibTex

Joachim Fellmuth, Thomas Göthel, and Sabine Glesner. Instruction Caches in Static WCET Analysis of Artificially Diversified Software. In 30th Euromicro Conference on Real-Time Systems (ECRTS 2018). Leibniz International Proceedings in Informatics (LIPIcs), Volume 106, pp. 21:1-21:23, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2018)


Artificial Software Diversity is a well-established method to increase security of computer systems by thwarting code-reuse attacks, which is particularly beneficial in safety-critical real-time systems. However, static worst-case execution time (WCET) analysis on complex hardware involving caches only delivers sound results for single versions of the program, as it relies on absolute addresses for all instructions. To overcome this problem, we present an abstract interpretation based instruction cache analysis that provides a safe yet precise upper bound for the execution of all variants of a program. We achieve this by integrating uncertainties in the absolute and relative positioning of code fragments when updating the abstract cache state during the analysis. We demonstrate the effectiveness of our approach in an in-depth evaluation and provide an overview of the impact of different diversity techniques on the WCET estimations.

Subject Classification

ACM Subject Classification
  • Software and its engineering → Real-time systems software
  • WCET
  • static analysis
  • abstract interpretation
  • artificial diversity
  • cache analysis


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. C. Ballabriga and H. Casse. Improving the first-miss computation in set-associative instruction caches. In 2008 Euromicro Conference on Real-Time Systems, pages 341-350, July 2008. URL:
  2. Clément Ballabriga, Hugues Cassé, Christine Rochange, and Pascal Sainrat. OTAWA: An Open Toolbox for Adaptive WCET Analysis. In Software Technologies for Embedded and Ubiquitous Systems, pages 35-46. Springer, 2010. URL:
  3. Dirk Beyer and M Erkan Keremoglu. Cpachecker: A tool for configurable software verification. In International Conference on Computer Aided Verification, pages 184-190. Springer, 2011. Google Scholar
  4. Tyler Bletsch, Xuxian Jiang, Vince W. Freeh, and Zhenkai Liang. Jump-oriented programming: A new class of code-reuse attack. In ACM Symposium on Information, Computer and Communications Security, pages 30-40, 2011. URL:
  5. Hristo Bojinov, Dan Boneh, Rich Cannings, and Iliyan Malchev. Address space randomization for mobile devices. In Proceedings of the Fourth ACM Conference on Wireless Network Security, WiSec '11, pages 127-138, New York, NY, USA, 2011. ACM. URL:
  6. Erik Buchanan, Ryan Roemer, Hovav Shacham, and Stefan Savage. When good instructions go bad: Generalizing return-oriented programming to risc. In Computer and Communications Security, pages 27-38, 2008. URL:
  7. Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy. Return-oriented programming without returns. In ACM Conf. on Computer and Communications Security, pages 559-572, 2010. URL:
  8. Patrick Cousot and Radhia Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages, pages 238-252. ACM, 1977. Google Scholar
  9. Patrick Cousot and Radhia Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, POPL '77, pages 238-252, New York, NY, USA, 1977. ACM. URL:
  10. Christoph Cullmann. Cache persistence analysis: Theory and practice. ACM Transactions on Embedded Computing Systems (TECS), 12(1s):40, 2013. Google Scholar
  11. Lucas Vincenzo Davi, Alexandra Dmitrienko, Stefan Nürnberger, and Ahmad-Reza Sadeghi. Gadge Me if You Can: Secure and Efficient Ad-hoc Instruction-level Randomization for x86 and ARM. In ACM SIGSAC Symposium on Information, Computer and Communications Security, pages 299-310, 2013. URL:
  12. EE Times. 2017 embedded market survey, 2017. URL:
  13. Heiko Falk and Helena Kotthaus. Wcet-driven cache-aware code positioning. In Proceedings of the International Conference on Compilers, Architectures and Synthesis for Embedded Systems (CASES), pages 145-154, Taipei, Taiwan, oct 2011. Google Scholar
  14. J. Fellmuth, P. Herber, T. F. Pfeffer, and S. Glesner. Securing real-time cyber-physical systems using wcet-aware artificial diversity. In 2017 IEEE 15th Intl Conf on Dependable, Autonomic and Secure Computing, 15th Intl Conf on Pervasive Intelligence and Computing, 3rd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress(DASC/PiCom/DataCom/CyberSciTech), pages 454-461, Nov 2017. URL:
  15. Christian Ferdinand, Florian Martin, and Reinhard Wilhelm. Applying compiler techniques to cache behavior prediction. In Proceedings of the ACM SIGPLAN 1997 Workshop on Languages, Compilers, and Tools for Real-Time Systems, pages 37-46, 1997. Google Scholar
  16. Christian Ferdinand and Reinhard Wilhelm. Efficient and precise cache behavior prediction for real-time systems. Real-Time Systems, 17(2):131-181, 1999. Google Scholar
  17. S. Forrest, A. Somayaji, and D.H. Ackley. Building diverse computer systems. In Hot Topics in Operating Systems, pages 67-72, 1997. URL:
  18. Jan Gustafsson, Adam Betts, Andreas Ermedahl, and Björn Lisper. The Mälardalen WCET benchmarks - past, present and future. In 10th International Workshop on Worst-Case Execution Time Analysis (WCET 2010), pages 137-147, 2010. Google Scholar
  19. Sebastian Hahn and Daniel Grund. Relational cache analysis for static timing analysis. In Real-Time Systems (ECRTS), 2012 24th Euromicro Conference on, pages 102-111. IEEE, 2012. Google Scholar
  20. Jason Hiser, Anh Nguyen-Tuong, Michele Co, Mathew Hall, and Jack W Davidson. Ilr: Where'd my gadgets go? In Security and Privacy, pages 571-585, 2012. Google Scholar
  21. Bach Khoa Huynh, Lei Ju, and Abhik Roychoudhury. Scope-aware data cache analysis for wcet estimation. In Real-Time and Embedded Technology and Applications Symposium (RTAS), 2011 17th IEEE, pages 203-212. IEEE, 2011. Google Scholar
  22. C. Kil, Jinsuk Jim, C. Bookholt, J. Xu, and Peng Ning. Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software. In ACSAC, 2006. URL:
  23. P. Larsen, A. Homescu, S. Brunthaler, and M. Franz. Sok: Automated software diversity. In IEEE Symposium on Security and Privacy, 2014. URL:
  24. Y. T. S. Li, S. Malik, and A. Wolfe. Cache modeling for real-time software: beyond direct mapped instruction caches. In 17th IEEE Real-Time Systems Symposium, pages 254-263, Dec 1996. URL:
  25. P. Lokuciejewski, H. Falk, and P. Marwedel. Wcet-driven cache-based procedure positioning optimizations. In 2008 Euromicro Conference on Real-Time Systems, pages 321-330, 2008. URL:
  26. Mingsong Lv, Nan Guan, Qingxu Deng, Ge Yu, and Wang Yi. Mcait-a timing analyzer for multicore real-time software. In ATVA, pages 414-417. Springer, 2011. Google Scholar
  27. Mingsong Lv, Nan Guan, Jan Reineke, Reinhard Wilhelm, and Wang Yi. A survey on static cache analysis for real-time systems. Leibniz Transactions on Embedded Systems, 3(1):05-1, 2016. Google Scholar
  28. Charlie Miller and Chris Valasek. Remote exploitation of an unaltered passenger vehicle. Black Hat USA, 2015. Google Scholar
  29. Antoine Miné, Laurent Mauborgne, Xavier Rival, Jerome Feret, Patrick Cousot, Daniel Kästner, Stephan Wilhelm, and Christian Ferdinand. Taking Static Analysis to the Next Level: Proving the Absence of Run-Time Errors and Data Races with Astrée. In 8th European Congress on Embedded Real Time Software and Systems (ERTS 2016), Toulouse, France, 2016. URL:
  30. Frank Mueller, David B Whalley, and Marion Harmon. Predicting instruction cache behavior. In Proceedings of the ACM SIGPLAN Workshop on Language, Compiler and Tool Support for Real-Time Systems, 1994. Google Scholar
  31. V. Pappas, M. Polychronakis, and A.D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In Security and Privacy (SP), pages 601-615, 2012. URL:
  32. PaX Team. PaX address space layout randomization (ASLR), 2003. Google Scholar
  33. Ahmad-Reza Sadeghi, Christian Wachsmann, and Michael Waidner. Security and privacy challenges in industrial internet of things. In Proceedings of the 52Nd Annual Design Automation Conference, DAC '15, pages 54:1-54:6, New York, NY, USA, 2015. ACM. URL:
  34. Hovav Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In ACM conference on Computer and communications security, pages 552-561, 2007. Google Scholar
  35. L. Szekeres, M. Payer, Tao Wei, and D. Song. Sok: Eternal war in memory. In IEEE Symp. on Security and Privacy (SP), pages 48-62, 2013. URL:
  36. Henrik Theiling, Christian Ferdinand, and Reinhard Wilhelm. Fast and precise wcet prediction by separated cache and path analyses. Real-Time Systems, 18(2-3):157-179, 2000. URL:
  37. Richard Wartell, Vishwath Mohan, Kevin W Hamlen, and Zhiqiang Lin. Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code. In Computer and communications security, pages 157-168, 2012. Google Scholar
  38. Yves Younan, Wouter Joosen, and Frank Piessens. Runtime Countermeasures for Code Injection Attacks Against C and C++ Programs. ACM Comput. Surv., 44:17:1-17:28, 2012. URL:
  39. Zhenkai Zhang and Xenofon Koutsoukos. Improving the precision of abstract interpretation based cache persistence analysis. SIGPLAN Not., 50(5):10:1-10:10, 2015. URL:
Questions / Remarks / Feedback

Feedback for Dagstuhl Publishing

Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail