🤖 AI Summary
Quantitative evaluation of microarchitectural side channels faces two obstacles: probabilistic behavior (system noise from co-running processes, randomized attacks, and randomized obfuscation defenses) and the inability of conventional abstract or simplified models to capture the fine-grained microprocessor behavior in which security issues frequently manifest. This paper introduces statistical model checking (SMC) to this domain, enabling probabilistic verification with statistical guarantees directly on real hardware or cycle-accurate simulators, so that vulnerabilities hidden by model abstraction are not missed. The approach treats the processor as an opaque box: it runs repeated probabilistic experiments and applies rigorous statistical bounds to their outcomes, which also supports statistically sound tuning of stochastic countermeasures such as noise injection. Three case studies demonstrate SMC's rigor and practicality for vulnerability confirmation, defense efficacy assessment, and noise-parameter tuning, yielding statistically guaranteed, quantitative decision support for side-channel analysis and mitigation.
📝 Abstract
Rigorous quantitative evaluation of microarchitectural side channels is challenging for two reasons. First, the processors, attacks, and defenses often exhibit probabilistic behaviors. These probabilistic behaviors arise due to natural noise in systems (e.g., from co-running processes), probabilistic side channel attacks, and probabilistic obfuscation defenses. Second, microprocessors are extremely complex. Previous evaluation methods have relied on abstract or simplified models, which are necessarily less detailed than real systems or cycle-by-cycle simulators, and these models may miss important phenomena. Whereas a simple model may suffice for estimating performance, security issues frequently manifest in the details.
We address this challenge by introducing Statistical Model Checking (SMC) to the quantitative evaluation of microarchitectural side channels. SMC is a rigorous statistical technique that can process the results of probabilistic experiments and provide statistical guarantees, and it has been used in computing applications that depend heavily on statistical guarantees (e.g., medical implants, vehicular computing). With SMC, we can treat processors as opaque boxes, and we do not have to abstract or simplify them. We demonstrate the effectiveness of SMC through three case studies, in which we experimentally show that SMC can evaluate existing security vulnerabilities and defenses and provide qualitatively similar conclusions with greater statistical rigor, while making no simplifying assumptions or abstractions. We also show that SMC can enable a defender to quantify the amount of noise necessary to have a desired level of confidence that she has reduced an attacker's probability of success to less than a desired threshold, thus providing the defender with an actionable plan for obfuscation via noise injection.
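The following is an added illustration of the SMC workflow the abstract describes, not code from the paper: the attack is treated as an opaque box that reports success or failure, the number of trials is fixed by the Chernoff-Hoeffding bound so that the estimate carries a stated confidence, and the defender sweeps a noise-injection parameter until the upper confidence bound on attacker success drops below a target. The "processor" is a constructed toy (a cache hit/miss timing oracle with Gaussian noise added by the defender); the names `toy_attack`, `estimate_success`, `minimal_noise` and all latency constants are assumptions made for this example.

```python
# Added example: statistical model checking of a black-box side-channel
# attack under noise injection. The attack model is a constructed toy,
# not the paper's hardware, simulator or attack.
import math
import random

KEY_BITS = 4           # secret nibble the toy attacker tries to recover
HIT_CYCLES = 50.0      # constructed cache-hit latency
MISS_CYCLES = 200.0    # constructed cache-miss latency
THRESHOLD = 125.0      # attacker's hit/miss decision boundary


def hoeffding_samples(epsilon: float, delta: float) -> int:
    """Number of i.i.d. Bernoulli trials N such that
    P(|p_hat - p| > epsilon) <= delta (two-sided Chernoff-Hoeffding bound):
    N >= ln(2/delta) / (2 * epsilon^2)."""
    return math.ceil(math.log(2.0 / delta) / (2.0 * epsilon ** 2))


def toy_attack(sigma: float, rng: random.Random) -> bool:
    """One opaque-box run. The defender adds Gaussian timing noise with
    standard deviation `sigma` to every observation; the attacker reads
    one latency per key bit and succeeds only if every bit is classified
    correctly. Nothing outside this function inspects how it works."""
    secret = [rng.randrange(2) for _ in range(KEY_BITS)]
    for bit in secret:
        base = HIT_CYCLES if bit == 1 else MISS_CYCLES
        observed = base + rng.gauss(0.0, sigma)      # noise injection
        guess = 1 if observed < THRESHOLD else 0
        if guess != bit:
            return False
    return True


def estimate_success(sigma: float, epsilon: float, delta: float, seed: int = 0):
    """SMC estimation step: run the black box N times and return
    (p_hat, upper) where the true success probability p satisfies
    p <= upper with probability at least 1 - delta."""
    rng = random.Random(seed)
    n = hoeffding_samples(epsilon, delta)
    wins = sum(toy_attack(sigma, rng) for _ in range(n))
    p_hat = wins / n
    return p_hat, min(1.0, p_hat + epsilon)


def minimal_noise(target: float, sigmas, epsilon: float = 0.02, delta: float = 0.01):
    """Defender's actionable plan: the smallest sigma in the sweep whose
    upper confidence bound on attacker success is <= target, else None."""
    for sigma in sigmas:
        _, upper = estimate_success(sigma, epsilon, delta, seed=int(sigma))
        if upper <= target:
            return sigma
    return None


if __name__ == "__main__":
    sweep = [0, 25, 50, 75, 100, 150, 200, 300, 500]
    for s in sweep:
        p_hat, upper = estimate_success(s, 0.02, 0.01, seed=int(s))
        print(f"sigma={s:>4}  p_hat={p_hat:.3f}  p <= {upper:.3f} at 99% confidence")
    print("minimal noise for p <= 0.15:", minimal_noise(0.15, sweep))
```

Two design points carry over to a real evaluation. First, the trial count depends only on the requested precision and confidence, never on knowledge of the processor, which is what lets the target be a real machine or a cycle-accurate simulator rather than an abstract model. Second, the two-sided bound is used for the one-sided question "is p below the threshold?", which is conservative; a one-sided Hoeffding bound would need fewer trials, and a sequential test (stopping early once the evidence is decisive) fewer still.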