Constantine: Automatic Side-Channel Resistance Using Efficient Control and Data Flow Linearization

Borrello, Pietro; D’Elia, Daniele Cono; Querzoni, Leonardo; Giuffrida, Cristiano

doi:10.1145/3460120.3484583

Cited by 26 publications

(27 citation statements)

References 63 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• Finally, this study shows that the preservation of constant-time by compilers depends on multiple factors and cannot simply rely on enabling/disabling optimizations. Instead, compiler-based hardening [82,83] or property preservation [15] seem promising directions, in which Binsec/Rel could be used for validation. Experiments are performed on the programs introduced in Section 6.1 for bug-finding and bounded-verification (338 samples, 70k instructions).…”

Section: Conclusion (Rq2)mentioning

confidence: 99%

“…Aside from a posteriori analysis, correct-by-design approaches [106,107,108,13] require to reimplement cryptographic primitives from scratch. Program transformations have been proposed to automatically transform insecure programs into (variations of) constant-time programs [109,103,104,110,111,23,112,83,111,82,113]. In particular, Raccoon and Constantine consider a constant-time leakage model and seem promising, however they operate at LLVM level and do not protect against violations introduced by backend compiler passes.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Binsec/Rel: Symbolic Binary Analyzer for Security with Applications to Constant-Time and Secret-Erasure

Daniel

Bardin

Rezk

2023

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

This paper tackles the problem of designing efficient binary-level verification for a subset of information flow properties encompassing constant-time and secret-erasure . These properties are crucial for cryptographic implementations, but are generally not preserved by compilers. Our proposal builds on relational symbolic execution enhanced with new optimizations dedicated to information flow and binary-level analysis, yielding a dramatic improvement over prior work based on symbolic execution. We implement a prototype, Binsec/Rel , for bug-finding and bounded-verification of constant-time and secret-erasure, and perform extensive experiments on a set of 338 cryptographic implementations, demonstrating the benefits of our approach. Using Binsec/Rel , we also automate two prior manual studies on preservation of constant-time and secret-erasure by compilers for a total of 4148 and 1156 binaries respectively. Interestingly, our analysis highlights incorrect usages of volatile data pointer for secret erasure and shows that scrubbing mechanisms based on volatile function pointers can introduce additional register spilling which might break secret-erasure. We also discovered that gcc -O0 and backend passes of clang introduce violations of constant-time in implementations that were previously deemed secure by a state-of-the-art constant-time verification tool operating at LLVM level, showing the importance of reasoning at binary-level.

show abstract

Section: Conclusion (Rq2)mentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Binsec/Rel: Symbolic Binary Analyzer for Security with Applications to Constant-Time and Secret-Erasure

Daniel

Bardin

Rezk

2023

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

show abstract

“…We do not claim our list to be comprehensive, especially in this currently active field of research. In particular, we did not ask about Constantine [54], Pitchfork-angr [55], Cachefix [56], and ENCoVer [57], just to name a few.…”

Section: B Tools Included In the Surveymentioning

confidence: 99%

“They’re not that hard to mitigate”: What Cryptographic Library Developers Think About Timing Attacks

Jančár

Fourné

Braga

et al. 2022

2022 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

show abstract

“…Schwarzl et al [91] further optimized this approach but still observe runtime overheads of factor 1000 and more, even for comparably simple applications. Borrello et al [8] focused more on the protection of cryptographic implementations and still observe a runtime overhead of factor 3.17 to 5.07 on these relatively small examples. Hence, the problem of secret dependency on user input in large applications remains an open problem.…”

Section: Mitigationmentioning

confidence: 99%

“…Due to this significant influence of compilers on sidechannel leakage in binaries, they are also frequently used for new mitigation proposals against side-channel leakage [22], [77], [76], [17], [33], [16], [8].…”

Section: F Compiler-introduced Side Channelsmentioning

confidence: 99%

Layered Binary Templating: Efficient Detection of Compiler- and Linker-introduced Leakage

Schwarzl¹,

Kraft²,

Gruss³

2022

Preprint

View full text Add to dashboard Cite

Cache template attacks demonstrated automated leakage of user input in shared libraries. However, for large binaries, the runtime is prohibitively high. Other automated approaches focused on cryptographic implementations and media software but are not directly applicable to user input. Hence, discovering and eliminating all user input side-channel leakage on a cache-line granularity within huge code bases are impractical.In this paper, we present a new generic cache template attack technique, LBTA, layered binary templating attacks. LBTA uses multiple coarser-grained side channel layers as an extension to cache-line granularity templating to speed up the runtime of cache templating attacks. We describe LBTA with a variable number of layers with concrete side channels of different granularity, ranging from 64 B to 2 MB in practice and in theory beyond. In particular the software-level page cache side channel in combination with the hardware-level L3 cache side channel, already reduces the templating runtime by three orders of magnitude. We apply LBTAs to different software projects and thereby discover data deduplication and dead-stripping during compilation and linking as novel security issues. We show that these mechanisms introduce large spatial distances in binaries for data accessed during a keystroke, enabling reliable leakage of keystrokes. Using LBTA on Chromium-based applications, we can build a full unprivileged cache-based keylogger 1 . Our findings show that all user input to Chromium-based apps is affected and we demonstrate this on a selection of popular apps including Signal, Threema, Discord, and password manager apps like passky. As this is not a flaw of individual apps but the framework, we conclude that all apps that use the framework will also be affected, i.e., hundreds of apps.

show abstract

Constantine: Automatic Side-Channel Resistance Using Efficient Control and Data Flow Linearization

Cited by 26 publications

References 63 publications

Binsec/Rel: Symbolic Binary Analyzer for Security with Applications to Constant-Time and Secret-Erasure

Binsec/Rel: Symbolic Binary Analyzer for Security with Applications to Constant-Time and Secret-Erasure

“They’re not that hard to mitigate”: What Cryptographic Library Developers Think About Timing Attacks

Layered Binary Templating: Efficient Detection of Compiler- and Linker-introduced Leakage

Contact Info

Product

Resources

About