Constant-time foundations for the new spectre era

Cauligi, Sunjay; Disselkoen, Craig; Gleissenthall, Klaus v.; Tullsen, Dean M.; Stefan, Deian; Rezk, Tamara; Barthe, Gilles

doi:10.1145/3385412.3385970

Cited by 64 publications

(139 citation statements)

References 8 publications

Supporting

Mentioning

131

Contrasting

Order By: Relevance

“…By means of our tool, we have also discovered that a popular option [20] of gcc to generate position-independent code (PIC) may introduce Spectre-STL vulnerabilities. We also confirm, as already reported by Cauligi et al [5], that the stack protections added by compilers introduce Spectre violations in cryptographic primitives.…”

Section: Introductionsupporting

confidence: 91%

“…This behavior is exploited in Spectre attacks [1] which were made public in early 2018. Since then, Spectre attacks have drawn considerable attention from both industry and academy, with works that discovered new Spectre variants [2], new detection methods [3]- [5], and new countermesures [6]- [8]. To date, there are four known main variants of Spectre attacks [2].…”

Section: Introductionmentioning

confidence: 99%

“…Only one tool, Pitchfork [5], to analyze speculative constant-time, it must be adapted to consider the speculative behavior of the program. Symbolic analyzers for Spectre-PHT [3], [4], [12] and Spectre-STL [5] model the speculative behavior explicitly, by forking the execution to explore transient paths, which quickly leads to state explosion-especially for Spectre-STL which has to fork for each possible store and load interleaving. The adaptation of symbolic execution to constant-time-like properties, known as relational symbolic execution (RelSE), has proven very successful in terms of scalability and precision for binary level [16].…”

Section: Introductionmentioning

confidence: 99%

“…Speculation mechanisms at the root of BTB and RSB variants can, in principle, be mistrained to jump to arbitrary addresses [5], [29], which seems to be intractable for static analyzers (cf. Section VII).…”

Section: Introductionmentioning

confidence: 99%

“…However, the program is vulnerable to Spectre-PHT since an attacker can mistrain the branch predictor and leak secrets in transient execution. Speculative constant-time [5] is a recent security property that extends constant-time to take transient executions into account.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Hunting the Haunter — Efficient Relational Symbolic Execution for Spectre with Haunted RelSE

Daniel¹,

Bardin²,

Rezk³

2021

Proceedings 2021 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Spectre are microarchitectural attacks which were made public in January 2018. They allow an attacker to recover secrets by exploiting speculations. Detection of Spectre is particularly important for cryptographic libraries and defenses at the software level have been proposed. Yet, defenses correctness and Spectre detection pose challenges due on one hand to the explosion of the exploration space induced by speculative paths, and on the other hand to the introduction of new Spectre vulnerabilities at different compilation stages. We propose an optimization, coined Haunted RelSE, that allows scalable detection of Spectre vulnerabilities at binary level. We prove the optimization semantically correct w.r.t. the more naive explicit speculative exploration approach used in state-of-the-art tools. We implement Haunted RelSE in a symbolic analysis tool, and extensively test it on a wellknown litmus testset for Spectre-PHT, and on a new litmus testset for Spectre-STL, which we propose. Our technique finds more violations and scales better than state-of-the-art techniques and tools, analyzing real-world cryptographic libraries and finding new violations. Thanks to our tool, we discover that indexmasking-a standard defense for Spectre-PHT-and well-known gcc options to compile position independent executables introduce Spectre-STL violations. We propose and verify a correction to index-masking to avoid the problem. addresses the Store to Load (STL) variant (a.k.a Spectre-v4 [13]), which exploits the memory dependence predictor. Unfortunately, Pitchfork does not scale for analyzing Spectre-STL, even on small programs (cf. Table IV). Other variants are currently out-of-scope of static analyzers (see Sections II and VII). Goal and challenges. In this paper, we propose a novel technique to detect Spectre-PHT and Spectre-STL vulnerabilities and we implement it in a new static analyzer for binary code. Two challenges arise in the design of such an analyzer: C1 First, the details of the microarchitecture cannot be fully included in the analysis because they are not public in general and not easy to obtain. Yet the challenge is to find an abstraction powerful enough to capture side channels attacks due to microarchitectural state. C2 Second, exploration of all possible speculative executions does not scale because it quickly leads to state explosion. The challenge is how to optimize this exploration in order to make the analysis applicable to real code. Proposal. We tackle challenge C1 by targeting a relational security property coined in the literature as speculative constanttime [5], a property reminiscent of constant-time [14], widely used in cryptographic implementations. Speculative constanttime takes speculative executions into account without explicitly modeling intrincate microarchitectural details. However, it is well known that constant-time programming is not necessarily preserved by compilers [15], [16], so our analysis operates at binary level-besides, it is compiler-agnostic and does not require source code. For thi...

show abstract

Section: Introductionsupporting

confidence: 91%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Hunting the Haunter — Efficient Relational Symbolic Execution for Spectre with Haunted RelSE

Daniel¹,

Bardin²,

Rezk³

2021

Proceedings 2021 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

Verifying Secure Speculation in Isabelle/HOL

Griffin¹,

Dongol

2021

Formal Methods

View full text Add to dashboard Cite

Secure speculation is an information flow security hyperproperty that prevents transient execution attacks such as Spectre, Meltdown and Foreshadow. Generic compiler mitigations for secure speculation are known to be insufficient for eliminating vulnerabilities. Moreover, these mitigation techniques often overprescribe speculative fences, causing the performance of the programs to suffer. Recently Cheang et al. have developed an operational semantics of program execution capable of characterising speculative executions as well as a new class of information flow hyperproperties named TPOD that ensure secure speculation. This paper presents a framework for verifying TPOD using the Isabelle/HOL proof assistant by encoding the operational semantics of Cheang et al. We provide translation tools for automatically generating the required Isabelle/HOL theory templates from a C-like program syntax, which speeds up verification. Our framework is capable of proving the existence of vulnerabilities and correctness of secure speculation. We exemplify our framework by proving the existence of secure speculation bugs in 15 victim functions for the MSVC compiler as well as correctness of some proposed fixes.

show abstract

Semantic Foundations for Cost Analysis of Pipeline-Optimized Programs

et al. 2022

Self Cite

View full text Add to dashboard Cite

In this paper, we develop semantic foundations for precise cost analyses of programs running on architectures with multi-scalar pipelines and in-order execution with branch prediction. This model is then used to prove the correction of an automatic cost analysis we designed. The analysis is implemented and evaluated in an extant framework for high-assurance cryptography. In this field, developers aggressively handoptimize their code to take maximal advantage of micro-architectural features while looking for provable semantic guarantees.

show abstract

Constant-time foundations for the new spectre era

Cited by 64 publications

References 8 publications

Hunting the Haunter — Efficient Relational Symbolic Execution for Spectre with Haunted RelSE

Hunting the Haunter — Efficient Relational Symbolic Execution for Spectre with Haunted RelSE

Verifying Secure Speculation in Isabelle/HOL

Semantic Foundations for Cost Analysis of Pipeline-Optimized Programs

Contact Info

Product

Resources

About