ABSTRACT
We propose a method, based on program analysis and transformation, for eliminating timing side channels in software code that implements security-critical applications. Our method takes as input the original program together with a list of secret variables (e.g., cryptographic keys, security tokens, or passwords) and returns the transformed program as output. The transformed program is guaranteed to be functionally equivalent to the original program and free of both instruction- and cache-timing side channels. Specifically, we ensure that the number of CPU cycles taken to execute any path is independent of the secret data, and the cache behavior of memory accesses, in terms of hits and misses, is independent of the secret data. We have implemented our method in LLVM and validated its effectiveness on a large set of applications, which are cryptographic libraries with 19,708 lines of C/C++ code in total. Our experiments show the method is both scalable for real applications and effective in eliminating timing side channels.
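As an added illustration of the two guarantees the abstract states (constructed here; not code from the paper or from its LLVM implementation), the function below carries a secret-dependent branch and a secret-indexed table lookup, beside the branchless, full-table-scan form that makes both the executed instruction sequence and the set of touched cache lines independent of the secret. The S-box values and the function names are constructed, and an exhaustive check confirms the two versions are functionally equivalent.

```c
#include <stdint.h>

/* Constructed 4-bit lookup table standing in for a cipher S-box. */
static const uint8_t SBOX[16] = {
    0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE, 0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB
};

/* "Before": two leaks. The branch makes the executed path (and its cycle
 * count) depend on bit 0 of the secret, and the table index makes the cache
 * line touched depend on the high nibble of the secret. */
uint8_t leaky_step(uint8_t secret, uint8_t pub) {
    uint8_t r;
    if (secret & 1) {
        r = (uint8_t)(pub * 3 + 1);
    } else {
        r = pub;
    }
    return (uint8_t)(SBOX[(secret >> 4) & 0x0F] ^ r);
}

/* All-ones when bit is 1, all-zeros when bit is 0, computed without a branch. */
static inline uint8_t mask_of_bit(unsigned bit) {
    return (uint8_t)(0u - (bit & 1u));
}

/* "After": the shape such a transformation produces. Both branch bodies run
 * unconditionally and a mask selects the result, so every input executes the
 * same instruction sequence; the lookup reads every table entry and selects
 * the wanted one by mask, so the cache lines touched are the same for every
 * secret. */
uint8_t repaired_step(uint8_t secret, uint8_t pub) {
    uint8_t then_v = (uint8_t)(pub * 3 + 1);
    uint8_t else_v = pub;
    uint8_t m = mask_of_bit(secret & 1u);
    uint8_t r = (uint8_t)((then_v & m) | (else_v & ~m));

    uint32_t idx = (secret >> 4) & 0x0F;
    uint8_t t = 0;
    for (uint32_t i = 0; i < 16; i++) {
        uint32_t diff = i ^ idx;                    /* 0 only when i == idx */
        uint8_t eq = (uint8_t)((diff - 1u) >> 31);  /* 1 iff diff == 0 */
        t |= (uint8_t)(SBOX[i] & mask_of_bit(eq));
    }
    return (uint8_t)(t ^ r);
}

/* Functional equivalence, checked exhaustively over all 2^16 input pairs:
 * the transformed code must return exactly what the original returned. */
int equivalent_for_all_inputs(void) {
    for (unsigned s = 0; s < 256; s++)
        for (unsigned p = 0; p < 256; p++)
            if (leaky_step((uint8_t)s, (uint8_t)p) != repaired_step((uint8_t)s, (uint8_t)p))
                return 0;
    return 1;
}

int main(void) {
    return equivalent_for_all_inputs() ? 0 : 1;
}
```

An optimizing compiler may turn a source-level mask select back into a conditional branch, which is one reason to apply such rewrites at the IR level, as the paper does in LLVM, rather than in C source.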
ISSTA’18, July 16–21, 2018, Amsterdam, Netherlands. Meng Wu, Shengjian Guo, Patrick Schaumont, and Chao Wang.
Index Terms
- Eliminating timing side-channel leaks using program repair