Hardware-Software Contracts for High Assurance with Applications to Side-Channel Security (POPL 2026 - POPL Research Papers)

Sun 11 - Sat 17 January 2026 Rennes, France

Track

POPL 2026

This program is tentative and subject to change.

Time Zone

The program is currently displayed in (GMT+01:00) Brussels, Copenhagen, Madrid, Paris.

Use conference time zone: (GMT+01:00) Brussels, Copenhagen, Madrid, ParisSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Fri 16 Jan 2026 09:00 - 10:00 at Nef - Keynote

Abstract

Hardware side-channel attacks occur when a victim program’s hardware resource usage is influenced by a secret, and an attacker observes this resource usage (e.g., via its effect on execution time) to infer the secret’s value. Hardware side-channel attacks were once thought to threaten only secret-processing code and to be mitigated by constant-time programming, which avoids passing secrets as inputs to certain unsafe instructions that leak their operands via hardware side channels. However, Spectre attacks reveal that transient execution of instructions along mispredicted code paths can leak victim secrets, even if they are never leaked or even accessed architecturally. These attacks bypass gold standard software-level security policies (e.g., constant-time programming and sandboxing), establishing hardware side-channel attacks as a threat to all programs that hold secrets in architectural state.

Hardware side-channel defenses in general, and Spectre defenses in particular, require cooperation between hardware and software. Our research studies what this cooperation should look like and how to design and verify the implementations of new hardware-software contracts that enable it. This talk will introduce three such contracts. First, I will present the ASP contract, which empowers programs at compile-time to restrict their runtime control-/data-flow, enabling Serberus—a hardware-enabled software defense against Spectre for current-generation hardware. Next, I will present the ProtISA contract, which empowers programs at compile-time to specify what architectural registers and memory bytes may hold secrets at each program point, enabling Protean—a software-enabled hardware defense against Spectre for next-generation hardware. Finally, I will present leakage functions, a set of which form a contract that characterizes how a microarchitecture’s hardware side-channels create observably-distinct executions for instructions as a function of unsafe instructions’ operands, enabling future probabilistic software-level and fine-grained hardware-level defenses against side-channel attacks.