Abstract-We identify a timing channel in the floating point instructions of modern x86 processors: the running time of floating point addition and multiplication instructions can vary by two orders of magnitude depending on their operands. We develop a benchmark measuring the timing variability of floating point operations and report on its results. We use floating point data timing variability to demonstrate practical attacks on the security of the Firefox browser (versions 23 through 27) and the Fuzz differentially private database. Finally, we initiate the study of mitigations to floating point data timing channels with libfixedtimefixedpoint, a new fixed-point, constant-time math library.Modern floating point standards and implementations are sophisticated, complex, and subtle, a fact that has not been sufficiently recognized by the security community. More work is needed to assess the implications of the use of floating point instructions in security-relevant software.
Floating-point computation exhibits significant runtime variation based on input parameters with some inputs executing over 100 times slower. The timing differences are so severe that attacks have successfully broken privacy guarantees of real systems (e.g. browsers). My thesis presents a defense against floating-point timing variability called CTFP-Constant-Time Floating-Point. The CTFP approach avoids all known fast and slow paths by surrounding every operation with special code that guarantees no dangerous inputs or outputs are observed. CTFP provides five constant-time implementations that trade-off between performance and correctness. Through these implementations, CTFP provides a principled method for defending against floating-point timing attacks. x
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.