Precise Detection of Side-Channel Vulnerabilities using Quantitative Cartesian Hoare Logic

Chen, Jia; Yu, Feng; Dillig, Işıl

doi:10.1145/3133956.3134058

Cited by 72 publications

(114 citation statements)

References 57 publications

Supporting

Mentioning

112

Contrasting

Order By: Relevance

“…Particularly for timing channels, small differences in computations may be imperceptible to an attacker and can thus not be exploited in practice. This problem was observed in various papers before [8], [14] and was formalized as checkingbounded non-interference in [14]: not only programs with zero interference can be accepted as secure, but also programs where the difference between observations is too small (below a threshold ) to be exploitable in practice. Thus the program is deemed to be secure if the following condition holds: ∀pub, sec 1 , sec 2 : |c(P pub, sec 1 ) − c(P pub, sec 2 )| < One can perform the above check by enumerating all the possible input combinations, measuring the resource consumption for each run, and performing the check for the two versions of the program, but this could become quickly intractable for most realistic programs.…”

Section: A Side-channel Analysismentioning

confidence: 99%

DifFuzz: Differential Fuzzing for Side-Channel Analysis

Nilizadeh

Noller

Păsăreanu

2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Side-channel attacks allow an adversary to uncover secret program data by observing the behavior of a program with respect to a resource, such as execution time, consumed memory or response size. Side-channel vulnerabilities are difficult to reason about as they involve analyzing the correlations between resource usage over multiple program paths. We present DIFFUZZ, a fuzzing-based approach for detecting side-channel vulnerabilities related to time and space. DIFFUZZ automatically detects these vulnerabilities by analyzing two versions of the program and using resource-guided heuristics to find inputs that maximize the difference in resource consumption between secretdependent paths. The methodology of DIFFUZZ is general and can be applied to programs written in any language. For this paper, we present an implementation that targets analysis of JAVA programs, and uses and extends the KELINCI and AFL fuzzers. We evaluate DIFFUZZ on a large number of JAVA programs and demonstrate that it can reveal unknown sidechannel vulnerabilities in popular applications. We also show that DIFFUZZ compares favorably against BLAZER and THEMIS, two state-of-the-art analysis tools for finding side-channels in JAVA programs.

show abstract

Section: A Side-channel Analysismentioning

confidence: 99%

DifFuzz: Differential Fuzzing for Side-Channel Analysis

Nilizadeh

Noller

Păsăreanu

2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

“…Beyond power side channels, there are techniques for analyzing other types of side channels using logical reasoning [5,26,68], abstract interpretation [12,32], symbolic execution [7,21,48,59,60] and dynamic analysis [70]. As for mitigation, there are techniques that insert masking and other countermeasures either through compilers [1,13,56,73] or through program synthesis tools [19,34].…”

Section: Related Workmentioning

confidence: 99%

Mitigating power side channels during compilation

Wang

Sung

Wang

2019

Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of

View full text Add to dashboard Cite

The code generation modules inside modern compilers such as GCC and LLVM, which use a limited number of CPU registers to store a large number of program variables, may introduce sidechannel leaks even in software equipped with state-of-the-art countermeasures. We propose a program analysis and transformation based method to eliminate this side channel. Our method has a type-based technique for detecting leaks, which leverages Datalogbased declarative analysis and domain-specific optimizations to achieve high efficiency and accuracy. It also has a mitigation technique for the compiler's backend, more specifically the register allocation modules, to ensure that potentially leaky intermediate computation results are always stored in different CPU registers or spilled to memory with isolation. We have implemented and evaluated our method in LLVM for the x86 instruction set architecture. Our experiments on cryptographic software show that the method is effective in removing the side channel while being efficient, i.e., our mitigated code is more compact and runs faster than code mitigated using state-of-the-art techniques.

show abstract

“…Various works [13,5] use static analysis for side-channel detections based on noninterference notion. The work [13] defines ε bounded noninterference that requires the resource usage behavior of the program executed from the same public inputs differ at most ε.…”

Section: Related Workmentioning

confidence: 99%

“…Chen et al [13] use Hoare Logic [11] equipped with taint analysis [37] to detect side channels. These static techniques including [13] rely on the taint analysis that is computationally difficult for real-world Java applications.…”

Section: Related Workmentioning

confidence: 99%

Efficient Detection and Quantification of Timing Leaks with Neural Networks

Tizpaz-Niari

Černý

Sankaranarayanan

et al. 2019

Runtime Verification

View full text Add to dashboard Cite

Detection and quantification of information leaks through timing side channels are important to guarantee confidentiality. Although static analysis remains the prevalent approach for detecting timing side channels, it is computationally challenging for real-world applications. In addition, the detection techniques are usually restricted to "yes" or "no" answers. In practice, real-world applications may need to leak information about the secret. Therefore, quantification techniques are necessary to evaluate the resulting threats of information leaks. Since both problems are very difficult or impossible for static analysis techniques, we propose a dynamic analysis method. Our novel approach is to split the problem into two tasks. First, we learn a timing model of the program as a neural network. Second, we analyze the neural network to quantify information leaks. As demonstrated in our experiments, both of these tasks are feasible in practice -making the approach a significant improvement over the state-of-the-art side channel detectors and quantifiers. Our key technical contributions are (a) a neural network architecture that enables side channel discovery and (b) an MILP-based algorithm to estimate the side-channel strength. On a set of micro-benchmarks and real-world applications, we show that neural network models learn timing behaviors of programs with thousands of methods. We also show that neural networks with thousands of neurons can be efficiently analyzed to detect and quantify information leaks through timing side channels.

show abstract

Precise Detection of Side-Channel Vulnerabilities using Quantitative Cartesian Hoare Logic

Cited by 72 publications

References 57 publications

DifFuzz: Differential Fuzzing for Side-Channel Analysis

DifFuzz: Differential Fuzzing for Side-Channel Analysis

Mitigating power side channels during compilation

Efficient Detection and Quantification of Timing Leaks with Neural Networks

Contact Info

Product

Resources

About