Much research effort has been put into automatic detection and mitigation of timing
channels. On the other hand, exploiting such a timing channel is still
a tedious process. However, actual attacks help to convince software
developers of the implications of timing channels in their software.

This leads to the question: How can we automate the construction of timing attacks?

We give some starting points in this research area by designing and
implementing two automatic attacks. Both attacks are designed by
inspecting manually created timing attacks and generalizing their
attack strategies. The first automatic attack is simply connecting
the paths through a program to the initial state by exploiting the
conditions of branches. The second automatic attack is specialized
to programs with exactly one while loop. For this we introduce
a generic equation for the running time of such a program. We exploit
solutions to the equation to reason about the initial program state.

We furthermore evaluate both attacks. Here, we discover that the
attacks work in a controlled environment but do no work on modern
systems. However, we can show that our automatic attacks
work on a legacy architecture, i.e. an 80286.

These evaluation results lead us to the conclusion that the timing
semantics we use for prediction of running times, which are based
on a popular research paper, do not model the reality accurately.
Thereby, we identify the need to do further research on timing
semantics to be able to create an automatic attack working on
modern systems.