Information-Flow Preservation in Compiler Optimisations

Besson, Frédéric; Dang, Alexandre; Jensen, Thomas

doi:10.1109/csf.2019.00023

Cited by 9 publications

(6 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Implementing a constant-time policy, either by hand or through means of an automated method, does not guarantee that such a policy will remain valid on the binary level. This is because compilers typically apply several transformations onto the input code and some of them might destroy properties that are present in previous phases of the compilation [Barthe et al, 2018;Namjoshi, 2017, 2018;Besson et al, 2019]. In the context of information leak, [Barthe et al, 2018] proposed a general method for proving that a compiler optimization preserves the constant-time property of a program.…”

Section: Constant-time Preservationmentioning

confidence: 99%

Memory-Safe Elimination of Side Channels

Soares

Magno

Pereira

2021

2021 IEEE/ACM International Symposium on Code Generation and Optimization (CGO)

View full text Add to dashboard Cite

Agradeço ao professor Luís Fabrício Wanderley Góes, meu orientador durante a graduação. Foi por meio dele que passei a conhecer o professor Fernando Magno Quintão Pereira, que hoje é meu orientador no mestrado. Ao professor Fernando, por todo o suporte e por todos os ensinamentos durante estes últimos dois anos. É, certamente, uma grande fonte de inspiração, como pesquisador, professor, orientador e como pessoa. Sem ele, nada do que foi desenvolvido neste projeto seria possível. Aos meus colegas do Laboratório de Compiladores (LaC), pelas experiências tanto profissionais quanto pessoais. Em especial, ao Michael Canesche, que teve participação direta e foi de suma importância para a realização dos experimentos apresentados neste trabalho. A todos os professores, tanto atuais quanto passados, que contribuíram para que pudesse chegar até aqui. Por fim, agradeço ao Conselho Nacional de Desenvolvimento Científico e Tecnológico (CNPq), pelo suporte financeiro dado ao longo destes dois anos. "I'm not crazy. My mother had me tested."(Sheldon Cooper) ResumoUm programa é dito isócrono se seu tempo de execução não depende de informações sensíveis. Isocronicidade é uma propriedade essencial em implementações criptográficas, posto que programas isócronos não apresentam vazamento de informações relacionadas a seus tempos de execução. Nesta dissertação, nós demonstramos como adaptar para o contexto de resistência à canais laterais um algoritmo de linearização parcial de grafos de fluxo de controle que foi, inicialmente, concebido para maximizar o desempenho em programas vetorizados. Esta transformação é correta: dada uma instância das entradas públicas, o programa parcialmente linearizado sempre executa a mesma sequência de instruções, independente das entradas secretas. Caso o programa original seja publicamente seguro, os acessos à cache de dados serão indistinguíveis no código transformado. Esta transformação é, também, ótima: todo desvio dependente de dados secretos é linearizado; nenhum desvio que dependa apenas de dados públicos é linearizado. Assim, a transformação preserva laços que dependem de informações públicas. Se todos os desvios que saem de um laço dependem de dados sensíveis, o programa modificado não terminará. Nossa transformação estende trabalhos recentes de maneiras não triviais. Ela é capaz de lidar com construções como "goto", "break", "switch" e "continue", que não estão presentes na linguagem de domínicio específico FaCT (2018). Assim como a ferramenta Constantine (2021), nossa transformação garante invariância de operações, mas sem necessitar de informações provenientes da execução dos programas. Além disso, em contraste com SC-Eliminator (2018), nossa técnica é capaz de lidar com programas contendo laços sem limites conhecidos em tempo de compilação.

show abstract

Section: Constant-time Preservationmentioning

confidence: 99%

Memory-Safe Elimination of Side Channels

Soares

Magno

Pereira

2021

2021 IEEE/ACM International Symposium on Code Generation and Optimization (CGO)

View full text Add to dashboard Cite

show abstract

“…However, the proof techniques used for showing both kinds of results are remarkably close. Besson et al [Besson et al 2019] present another approach, for specific compilation passes.…”

Section: Related Workmentioning

confidence: 99%

Formal verification of a constant-time preserving C compiler

Barthe

Blazy

Grégoire

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Timing side-channels are arguably one of the main sources of vulnerabilities in cryptographic implementations. One effective mitigation against timing side-channels is to write programs that do not perform secret-dependent branches and memory accesses. This mitigation, known as łcryptographic constant-timež, is adopted by several popular cryptographic libraries. This paper focuses on compilation of cryptographic constant-time programs, and more specifically on the following question: is the code generated by a realistic compiler for a constant-time source program itself provably constant-time? Surprisingly, we answer the question positively for a mildly modified version of the CompCert compiler, a formally verified and moderately optimizing compiler for C. Concretely, we modify the CompCert compiler to eliminate sources of potential leakage. Then, we instrument the operational semantics of CompCert intermediate languages so as to be able to capture cryptographic constant-time. Finally, we prove that the modified CompCert compiler preserves constant-time. Our mechanization maximizes reuse of the CompCert correctness proof, through the use of new proof techniques for proving preservation of constant-time. These techniques achieve complementary trade-offs between generality and tractability of proof effort, and are of independent interest. CCS Concepts: • Security and privacy → Logic and verification.

show abstract

Section: Related Workmentioning

confidence: 99%

“…The problem of (non-)preservation of secret-erasure by compilers is well known [19,16,17,18,15]. To remedy it, a notion of information flow-preserving program transformation has been proposed [17] but this approach requires to compile programs using CompCert [124] and does not apply to already compiled binaries. Finally, preservation of erasure functions by compilers has been studied manually [18], and we further this line of work by proposing an extensible framework for automating the process.…”

Section: Related Workmentioning

confidence: 99%

Binsec/Rel: Symbolic Binary Analyzer for Security with Applications to Constant-Time and Secret-Erasure

Daniel

Bardin

Rezk

2023

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

This paper tackles the problem of designing efficient binary-level verification for a subset of information flow properties encompassing constant-time and secret-erasure . These properties are crucial for cryptographic implementations, but are generally not preserved by compilers. Our proposal builds on relational symbolic execution enhanced with new optimizations dedicated to information flow and binary-level analysis, yielding a dramatic improvement over prior work based on symbolic execution. We implement a prototype, Binsec/Rel , for bug-finding and bounded-verification of constant-time and secret-erasure, and perform extensive experiments on a set of 338 cryptographic implementations, demonstrating the benefits of our approach. Using Binsec/Rel , we also automate two prior manual studies on preservation of constant-time and secret-erasure by compilers for a total of 4148 and 1156 binaries respectively. Interestingly, our analysis highlights incorrect usages of volatile data pointer for secret erasure and shows that scrubbing mechanisms based on volatile function pointers can introduce additional register spilling which might break secret-erasure. We also discovered that gcc -O0 and backend passes of clang introduce violations of constant-time in implementations that were previously deemed secure by a state-of-the-art constant-time verification tool operating at LLVM level, showing the importance of reasoning at binary-level.

show abstract

Information-Flow Preservation in Compiler Optimisations

Cited by 9 publications

References 29 publications

Memory-Safe Elimination of Side Channels

Memory-Safe Elimination of Side Channels

Formal verification of a constant-time preserving C compiler

Binsec/Rel: Symbolic Binary Analyzer for Security with Applications to Constant-Time and Secret-Erasure

Contact Info

Product

Resources

About