Side-channel attacks have been successful in breaking cryptographic protections of systems, by using secret-dependent variations of non-functional properties such as timing or traffic volume. Countermeasures against side-channel attacks usually attempt to eliminate or reduce these variations, which may lead to performance penalties such as increases in the running time of programs, or in the traffic volume they induce. This thesis investigates the trade-off between the security of side-channel countermeasures, and their cost in terms of performance penalties. For this, we seek rigorous answers to two research questions:

Q1: How to choose a balance between the security guarantees and the performance penalties of side-channel countermeasures?

Q2: How to measure the security of side-channel countermeasures on practical systems?

This thesis develops tools that enable the security quantification and the choice of practical countermeasures against side-channel attacks. These tools include the necessary formal models, as well as algorithms and software tools to allow the automatic evaluation of practical systems.

In addressing Q1, we develop the first systematic approach for choosing side-channel countermeasures. We do this in a game-theoretic model, where a defender chooses a protection against an adversary who performs an attack. We apply this approach for reasoning about countermeasures against timing attacks, i.e., attacks where an adversary can exploit secret-dependent execution time of programs. We identify cases where leaky countermeasures are preferable to leak-free, constant-time implementations, as they offer better performance without sacrificing security.

In addressing Q2, we develop the first tools for the automatic formal quantification of the security of side-channel countermeasures in practical systems. We do this for two types of attacks: cache attacks, where an adversary exploits secret-dependent timing differences due to the use of the CPU cache, and web-traffic attacks, where an adversary exploits secret-dependent differences in the volume of encrypted traffic.

To capture cache attacks, we develop the tool CacheAudit, which performs static analysis of x86 binaries, and quantifies their security with respect to cache adversaries. Using CacheAudit, we analyze implementations of AES from the PolarSSL library, as well as of the finalists of the eSTREAM stream cipher competition, and we reason about the effects of architectural features such as cache size and replacement policy on side-channel leakage. Furthermore, we devise novel techniques that provide support for bit-level and symbolic reasoning about pointers in the presence of dynamic memory allocation, which we apply for reasoning about the effectiveness of several widely deployed side-channel countermeasures from the libgcrypt and OpenSSL libraries.

To capture web-traffic attacks, we develop scalable algorithms that enable the formal quantification of web-traffic leakage, as well as the generation of provable protections. We apply these algorit...