Practical Mitigations for Timing-Based Side-Channel Attacks on Modern x86 Processors

Coppens, Bart; Verbauwhede, Ingrid; Bosschere, Koen De; Sutter, Bjorn De

doi:10.1109/sp.2009.19

Cited by 170 publications

(171 citation statements)

References 20 publications

Supporting

Mentioning

170

Contrasting

Unclassified

Order By: Relevance

“…By contrast, our approach only requires that the system's execution time be a function of the inputs to the system. Code transformations to eliminate the influence of secrets on the control flow of a program have been proposed in [25], [8], and they have been applied to eliminate timing leaks in code for modern multi-purpose processors. As shown in [25], the resulting performance overhead can be large compared to that introduced by blinding (and hence to that introduced by our countermeasure).…”

Section: Related Workmentioning

confidence: 99%

A Provably Secure and Efficient Countermeasure against Timing Attacks

Köpf¹,

Dürmuth

2009

2009 22nd IEEE Computer Security Foundations Symposium

129

View full text Add to dashboard Cite

We show that the amount of information about the key that an unknown-message attacker can extract from a deterministic side-channel is bounded from above by |O| log 2 (n + 1) bits, where n is the number of side-channel measurements and O is the set of possible observations. We use this bound to derive a novel countermeasure against timing attacks, where the strength of the security guarantee can be freely traded for the resulting performance penalty. We give algorithms that efficiently and optimally adjust this trade-off for given constraints on the side-channel leakage or on the efficiency of the cryptosystem. Finally, we perform a case-study that shows that applying our countermeasure leads to implementations with minor performance overhead and formal security guarantees.

show abstract

Section: Related Workmentioning

confidence: 99%

A Provably Secure and Efficient Countermeasure against Timing Attacks

Köpf¹,

Dürmuth

2009

2009 22nd IEEE Computer Security Foundations Symposium

129

View full text Add to dashboard Cite

show abstract

“…If the type system rejects a program because it has "uneven" branches, the program can still be transformed, for example by adding suitable "padding" instructions along shorter branches [2,9,10,28], by using "conditional execution" implemented via bit-masking and ternary choice [39] or by using if-conversion [15]. All of the above approaches are limited to situations where the instruction count is a proxy for actual performance, and do not protect against lower level, e.g., instruction cache attacks [1] or the data timing variation attacks we demonstrated.…”

Section: Related Workmentioning

confidence: 99%

On Subnormal Floating Point and Abnormal Timing

Andrysco

Kohlbrenner

Mowery

et al. 2015

2015 IEEE Symposium on Security and Privacy

115

119

View full text Add to dashboard Cite

Abstract-We identify a timing channel in the floating point instructions of modern x86 processors: the running time of floating point addition and multiplication instructions can vary by two orders of magnitude depending on their operands. We develop a benchmark measuring the timing variability of floating point operations and report on its results. We use floating point data timing variability to demonstrate practical attacks on the security of the Firefox browser (versions 23 through 27) and the Fuzz differentially private database. Finally, we initiate the study of mitigations to floating point data timing channels with libfixedtimefixedpoint, a new fixed-point, constant-time math library.Modern floating point standards and implementations are sophisticated, complex, and subtle, a fact that has not been sufficiently recognized by the security community. More work is needed to assess the implications of the use of floating point instructions in security-relevant software.

show abstract

“…Furthermore, based on the conditional branching, the attack can in principle be mounted as a branch prediction attack [7]. Basically, it is easily possible to remove this vulnerability by using branch free code employing the techniques shown in [8,9]. But since implementing the countermeasure proposed by us in Sec.…”

Section: The Rsa-oaep Decoding Operation In Opensslmentioning

confidence: 99%

“…In order to achieve the goal of secret independent running time, we have to avoid secret based branching in the routine. To this end, techniques similar to those proposed in [8,9] should be used. Those techniques are based on replacing conditional statements with logical masking.…”

Section: The Solution: No Secret Dependent Branchingmentioning

confidence: 99%

Manger’s Attack Revisited

Strenzke

2010

Information and Communications Security

View full text Add to dashboard Cite

Abstract. In this work we examine a number of different open source implementations of the RSA Optimal Asymmetric Encryption Padding (OAEP) and generally RSA with respect to the message-aimed timing attack introduced by James Manger in CRYPTO 2001. We show the shortcomings concerning the countermeasures in two libraries for personal computers, and address potential flaws in previously proposed countermeasures. Furthermore, we point out a new source of timing differences that has not been addressed previously. We also investigate a new class of related problems in the multi-precision integer arithmetic that in principle allows a variant of Manger's attack to be launched against RSA implementations on 8-bit and possibly 16-bit platforms.

show abstract

Practical Mitigations for Timing-Based Side-Channel Attacks on Modern x86 Processors

Cited by 170 publications

References 20 publications

A Provably Secure and Efficient Countermeasure against Timing Attacks

A Provably Secure and Efficient Countermeasure against Timing Attacks

On Subnormal Floating Point and Abnormal Timing

Manger’s Attack Revisited

Contact Info

Product

Resources

About