FaCT: A Flexible, Constant-Time Programming Language

Cauligi, Sunjay; Soeller, Gary; Brown, Fraser; Johannesmeyer, Brian; Huang, Yunlu; Jhala, Ranjit; Stefan, Deian

doi:10.1109/secdev.2017.24

Cited by 37 publications

(46 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Independently, preservation of the constanttime policy by compilation is mentioned in [29], in the context of a translation from λow* to C* preserves constant-time. Cauligi et al [13] develop a domain specific language and a compiler that generates constant-time code, and use automated verification tools to check that the generated code is constanttime. Barthe et al [7] develop a general method for resultpreserving compilation, and use their method to improve the precision of a constant-time analysis at intermediate level.…”

Section: Simpllocalsmentioning

confidence: 99%

Secure Compilation of Side-Channel Countermeasures: The Case of Cryptographic “Constant-Time”

Barthe

Grégoire

Laporte

2018

2018 IEEE 31st Computer Security Foundations Symposium (CSF)

114

View full text Add to dashboard Cite

Software-based countermeasures provide effective mitigation against side-channel attacks, often with minimal efficiency and deployment overheads. Their effectiveness is often amenable to rigorous analysis: specifically, several popular countermeasures can be formalized as information flow policies, and correct implementation of the countermeasures can be verified with state-of-the-art analysis and verification techniques. However, in absence of further justification, the guarantees only hold for the language (source, target, or intermediate representation) on which the analysis is performed. We consider the problem of preserving side-channel countermeasures by compilation for cryptographic "constant-time", a popular countermeasure against cache-based timing attacks. We present a general method, based on the notion of constant-timesimulation, for proving that a compilation pass preserves the constant-time countermeasure. Using the Coq proof assistant, we verify the correctness of our method and of several representative instantiations.

show abstract

Section: Simpllocalsmentioning

confidence: 99%

Secure Compilation of Side-Channel Countermeasures: The Case of Cryptographic “Constant-Time”

Barthe

Grégoire

Laporte

2018

2018 IEEE 31st Computer Security Foundations Symposium (CSF)

114

View full text Add to dashboard Cite

show abstract

“…Beyond data oblivious code written for today's ISAs, there is a rich literature to improve algorithm/data structure [47], [79], [78], [77], [80], [81], [64], [82], [83], [66] performance in the software circuit abstraction. Additionally, there is rich literature to write (e.g., [65], [84]) and compile (e.g., [64], [85], [82]) programs to software circuits. An important observation is that, although many of these works target cryptographic backends such as garbled circuits, their underlying programming abstraction (software circuits) is very similar to the data oblivious abstraction.…”

Section: Related Workmentioning

confidence: 99%

Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing

Hsiung²,

El'Hajj³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Blocking microarchitectural (digital) side channels is one of the most pressing challenges in hardware security today. Recently, there has been a surge of effort that attempts to block these leakages by writing programs data obliviously. In this model, programs are written to avoid placing sensitive data-dependent pressure on shared resources. Despite recent efforts, however, running data oblivious programs on modern machines today is insecure and low performance. First, writing programs obliviously assumes certain instructions in today's ISAs will not leak privacy, whereas today's ISAs and hardware provide no such guarantees. Second, writing programs to avoid data-dependent behavior is inherently high performance overhead. This paper tackles both the security and performance aspects of this problem by proposing a Data Oblivious ISA extension (OISA). On the security side, we present ISA design principles to block microarchitectural side channels, and embody these ideas in a concrete ISA capable of safely executing existing data oblivious programs. On the performance side, we design the OISA with support for efficient memory oblivious computation, and with safety features that allow modern hardware optimizations, e.g., out-of-order speculative execution, to remain enabled in the common case. We provide a complete hardware prototype of our ideas, built on top of the RISC-V out-of-order, speculative BOOM processor, and prove that the OISA can provide the advertised security through a formal analysis of an abstract BOOM-style machine. We evaluate area overhead of hardware mechanisms needed to support our prototype, and provide performance experiments showing how the OISA speeds up a variety of existing data oblivious codes (including "constant time" cryptography and memory oblivious data structures), in addition to improving their security and portability.

show abstract

“…Verifying the constant-time property (or detecting lack thereof) for a given implementation is considered one of the most important verification problems in cryptography [Almeida et al 2017[Almeida et al , 2016aBlazy et al 2017;Bond et al 2017;Cauligi et al 2017;Erbsen et al 2019;Zinzindohoué et al 2017]. To facilitate formal reasoning, these works typically represent this constant-time property using a leakage model [Boreale 2009] over a small-step semantics for a given language.…”

Section: Constant-time Programming Paradigmmentioning

confidence: 99%

“…We foresee CT-Wasm to be useful not only as a development language but also as target language for higher-level crypto languages. Since some of these language (e.g., HACL* [Zinzindohoué et al 2017] and FaCT [Cauligi et al 2017]) are already starting to target WebAssembly, it would be fruitful extending these projects to target CT-Wasm as a secure target language instead. At the same time, extending wasm2ct to (fully) automatically infer security annotations from base Wasm would potentially prove yet more useful-this would allow developers to compile C/C++ libraries such as libsodium [Denis, Frank 2018] to Wasm (e.g., with Emscripten [Zakai 2015]) and use wasm2ct to ensure they are secure.…”

Section: Future Workmentioning

confidence: 99%

CT-wasm: type-driven secure cryptography for the web ecosystem

Watt

Renner

Popescu

et al. 2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

A significant amount of both client and server-side cryptography is implemented in JavaScript. Despite widespread concerns about its security, no other language has been able to match the convenience that comes from its ubiquitous support on the "web ecosystem"-the wide variety of technologies that collectively underpins the modern World Wide Web. With the introduction of the new WebAssembly bytecode language (Wasm) into the web ecosystem, we have a unique opportunity to advance a principled alternative to existing JavaScript cryptography use cases which does not compromise this convenience.We present Constant-Time WebAssembly (CT-Wasm), a type-driven, strict extension to WebAssembly which facilitates the verifiably secure implementation of cryptographic algorithms. CT-Wasm's type system ensures that code written in CT-Wasm is both information flow secure and resistant to timing side channel attacks; like base Wasm, these guarantees are verifiable in linear time. Building on an existing Wasm mechanization, we mechanize the full CT-Wasm specification, prove soundness of the extended type system, implement a verified type checker, and give several proofs of the language's security properties.We provide two implementations of CT-Wasm: an OCaml reference interpreter and a native implementation for Node.js and Chromium that extends Google's V8 engine. We also implement a CT-Wasm to Wasm rewrite tool that allows developers to reap the benefits of CT-Wasm's type system today, while developing cryptographic algorithms for base Wasm environments. We evaluate the language, our implementations, and supporting tools by porting several cryptographic primitives-Salsa20, SHA-256, and TEA-and the full TweetNaCl library. We find that CT-Wasm is fast, expressive, and generates code that we experimentally measure to be constant-time.

show abstract

FaCT: A Flexible, Constant-Time Programming Language

Cited by 37 publications

References 20 publications

Secure Compilation of Side-Channel Countermeasures: The Case of Cryptographic “Constant-Time”

Secure Compilation of Side-Channel Countermeasures: The Case of Cryptographic “Constant-Time”

Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing

CT-wasm: type-driven secure cryptography for the web ecosystem

Contact Info

Product

Resources

About