Modern software systems frequently store and manipulate personal data, such as location, credit card information or medical history. Guaranteeing the confidentiality of such private data is necessary to protect the users of these systems. This aim is complicated by side channel attacks, which have been increasingly demonstrated as a practical threat to the secrecy of personal user information. Side channel attacks use non-functional properties of the program’s output such as time or memory consumption to obtain information about private data.
In this talk, I will give an introduction to side channel attacks, providing a brief overview of the field and highlighting key results. I will then discuss research aimed at automatically detecting and quantifying side channel vulnerabilities in software, focusing primarily on a static approach that combines symbolic execution, model counting, and information theory to quantify how susceptible a program is to side channel attacks. I will discuss some challenges to automated side channel detection and quantification and end by highlighting some promising future directions.