Cassandra: Efficient Enforcement of Sequential Execution for Cryptographic Programs (Extended Version)

TL;DR

Cassandra tackles the challenge of speculative execution leaks in constant-time cryptographic programs by enforcing strict sequential execution through a recording-and-replaying paradigm. It relies on upfront, highly compressed branch traces derived from the program's static control-flow and loop structure, stored and replayed by a Branch Trace Unit (BTU) to guide fetches without updating the traditional branch predictor. The approach yields a modest average performance improvement of $1.85\%$ over an unsafe baseline, while also reducing power by $2.73\%$ and incurring only $1.26\%$ area overhead, and it can be integrated with other defenses to provide comprehensive Spectre mitigation for crypto code. Key innovations include DNA-sequence-inspired $k$-mer compression of branch traces and a contract-informed hardware semantics that formalize Cassandra’s security guarantees for sequential crypto execution. The combination of rigorous trace compression, targeted hardware support, and careful security analysis positions Cassandra as a practical, low-overhead path to secure speculative-execution defenses in cryptographic software stacks.

Abstract

Constant-time programming is a widely deployed approach to harden cryptographic programs against side channel attacks. However, modern processors often violate the underlying assumptions of standard constant-time policies by transiently executing unintended paths of the program. Despite many solutions proposed, addressing control flow misspeculations in an efficient way without losing performance is an open problem. In this work, we propose Cassandra, a novel hardware/software mechanism to enforce sequential execution for constant-time cryptographic code in a highly efficient manner. Cassandra explores the radical design point of disabling the branch predictor and recording-and-replaying sequential control flow of the program. Two key insights that enable our design are that (1) the sequential control flow of a constant-time program is mostly static over different runs, and (2) cryptographic programs are loop-intensive and their control flow patterns repeat in a highly compressible way. These insights allow us to perform an upfront branch analysis that significantly compresses control flow traces. We add a small component to a typical processor design, the Branch Trace Unit, to store compressed traces and determine fetch redirections according to the sequential model of the program. Despite providing a strong security guarantee, Cassandra counterintuitively provides an average 1.85% speedup compared to an unsafe baseline processor, mainly due to enforcing near-perfect fetch redirections.

Figures (9)

• Figure 1: Branch analysis overview in Cassandra. Traces are per static branch.
• Figure 2: Cassandra branch analysis workflow example. Note, that the branches are analyzed separately and traces are generated per static branch; DNA sequences of branches are independent from each other.
• Figure 3: Overview of Cassandra microarchitecture. Crypto branches do not access or update the BPU.
• Figure 4: Elements in the Branch Trace Unit (BTU). Each entry of the Pattern Table, Trace Cache, and Checkpoint Table, consisting of 16 elements and corresponds to a static branch.
• Figure 5: (a) Transient register leak, (b) transient memory leak. Both cases are constant-time during sequential execution, but violated during transient execution.

Theorems & Definitions (4)

• Definition 1: Crypto control flow trace $\mathcal{C}$
• Definition 2: $\omega \approx \omega'$
• Definition 3: ${\mathbf{{\color{cassandraTheme }{\{\!\!|}}}} \cdot{\mathbf{{\color{cassandraTheme }{ |\!\!\} }}}} \vdash {\mathrm{{\color{contractColor }{\llbracket}}}} \cdot{\mathrm{{\color{contractColor }{\rrbracket}}}}$
• Theorem 1