Supporting Secured Integration of Microarchitectural Defenses

📅 2026-01-08
🏛️ arXiv.org
🤖 AI Summary
This work addresses a critical security challenge wherein microarchitectural defense mechanisms, when integrated, may introduce novel vulnerabilities—termed Microarchitectural Defense Assumption Violations (MDAVs)—due to conflicting assumptions, thereby enabling covert channels and other security risks. To systematically identify and mitigate such issues, the authors propose a two-stage screening methodology: first constructing a compositional formal model using bounded model checking, followed by concrete validation via an event-driven simulator. Central to this approach is Maestro, a novel modeling framework that ensures semantic composability, achieves a 15× reduction in code size, and enables high-fidelity simulation with over 100× speedup and zero performance overhead. By integrating GEM5 with formal verification, the method successfully uncovers eight real-world MDAV instances and demonstrates that the repaired designs effectively eliminate these attack vectors.

📝 Abstract
There has been a plethora of microarchitectural-level attacks, leading to many proposed countermeasures. This has created an unexpected and unaddressed security issue: naive integration of those defenses can itself lead to security vulnerabilities. This occurs when one defense changes an aspect of the microarchitecture that is crucial for the security of another defense. We refer to this problem as a microarchitectural defense assumption violation (MDAV). We propose a two-step methodology to screen for potential MDAVs in the early stage of integration. The first step is to design and integrate a composed model, guided by bounded model checking of security properties. The second step is to implement the model concretely on a simulator and to evaluate it with simulated attacks. As a contribution supporting the first step, we propose an event-based modeling framework, called Maestro, for testing and evaluating microarchitectural models with integrated defenses. In our evaluation, Maestro reveals MDAVs (8), supports compact expression (~15x Alloy LoC ratio), enables semantic composability and eliminates performance degradations (>100x). As a contribution supporting the second step, we use an event-based simulator (GEM5) for investigating integrated microarchitectural defenses. We show that a covert channel attack is possible on a naively integrated implementation of some state-of-the-art defenses, and that a repaired implementation using our integration methodology is resilient to the attack.
Problem

Research questions and friction points this paper is trying to address.

microarchitectural defenses
security integration
assumption violation
MDAV
covert channel
Innovation

Methods, ideas, or system contributions that make the work stand out.

microarchitectural defense integration
assumption violation
event-based modeling
bounded model checking
covert channel resilience
Kartik Ramkrishnan
Department of Computer Science and Engineering, University of Minnesota, Minneapolis, MN, USA
Stephen McCamant
Associate Professor, University of Minnesota
Binary analysis, Symbolic execution, Quantitative information flow, Model counting, Software-based Fault Isolation
Antonia Zhai
Department of Computer Science and Engineering, University of Minnesota, Minneapolis, MN, USA
Pen-Chung Yew
University of Minnesota at Twin Cities
System virtualization, Compilers, Computer Architecture, Parallel Processing