Symbolic path cost analysis for side-channel detection

Brennan, Tegan; Saha, Seemanta; Bultan, Tevfik; Păsăreanu, Corina S.

doi:10.1145/3213846.3213867

Cited by 22 publications

(8 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…CoCoChannel [12] uses static analysis for finding sidechannel vulnerabilities and presents a comparison with THEMIS and BLAZER on the same benchmarks, showing better scalability. While CoCoChannel also found discrepancies in the THEMIS and BLAZER benchmarks, the approach still fails to report vulnerabilities for the repaired versions in, e.g., loopAndBranch and jetty.…”

Section: Related Workmentioning

confidence: 99%

DifFuzz: Differential Fuzzing for Side-Channel Analysis

Nilizadeh

Noller

Păsăreanu

2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Side-channel attacks allow an adversary to uncover secret program data by observing the behavior of a program with respect to a resource, such as execution time, consumed memory or response size. Side-channel vulnerabilities are difficult to reason about as they involve analyzing the correlations between resource usage over multiple program paths. We present DIFFUZZ, a fuzzing-based approach for detecting side-channel vulnerabilities related to time and space. DIFFUZZ automatically detects these vulnerabilities by analyzing two versions of the program and using resource-guided heuristics to find inputs that maximize the difference in resource consumption between secretdependent paths. The methodology of DIFFUZZ is general and can be applied to programs written in any language. For this paper, we present an implementation that targets analysis of JAVA programs, and uses and extends the KELINCI and AFL fuzzers. We evaluate DIFFUZZ on a large number of JAVA programs and demonstrate that it can reveal unknown sidechannel vulnerabilities in popular applications. We also show that DIFFUZZ compares favorably against BLAZER and THEMIS, two state-of-the-art analysis tools for finding side-channels in JAVA programs.

show abstract

Section: Related Workmentioning

confidence: 99%

DifFuzz: Differential Fuzzing for Side-Channel Analysis

Nilizadeh

Noller

Păsăreanu

2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

“…For timing side channels, many analysis and verification techniques [6,9,10,25,45,46,53,62] have been developed, including the one proposed by Chen et al [11], which uses Cartesian Hoare Logic [51] to prove that timing leaks of a program are bounded. Antonopoulos et al [5] also developed a method for proving the absence of timing channels.…”

Section: Related Workmentioning

confidence: 99%

Abstract interpretation under speculative execution

Wang

2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

Analyzing the behavior of a program running on a processor that supports speculative execution is crucial for applications such as execution time estimation and side channel detection. Unfortunately, existing static analysis techniques based on abstract interpretation do not model speculative execution since they focus on functional properties of a program while speculative execution does not change the functionality. To fill the gap, we propose a method to make abstract interpretation sound under speculative execution. There are two contributions. First, we introduce the notion of virtual control flow to augment instructions that may be speculatively executed and thus affect subsequent instructions. Second, to make the analysis efficient, we propose optimizations to handle merges and loops and to safely bound the speculative execution depth. We have implemented and evaluated the proposed method in a static cache analysis for execution time estimation and side channel detection. Our experiments show that the new method, while guaranteed to be sound under speculative execution, outperforms state-of-the-art abstract interpretation techniques that may be unsound.CCS Concepts • Software and its engineering → Formal software verification; Compilers; • Security and privacy → Cryptanalysis and other attacks. SpeculativeAbstract Interpretation Architectural Parameters (cache config., speculation depth) Control Flow Analysis

show abstract

“…Beyond power side channels, there are techniques for analyzing other types of side channels using logical reasoning [5,26,68], abstract interpretation [12,32], symbolic execution [7,21,48,59,60] and dynamic analysis [70]. As for mitigation, there are techniques that insert masking and other countermeasures either through compilers [1,13,56,73] or through program synthesis tools [19,34].…”

Section: Related Workmentioning

confidence: 99%

Mitigating power side channels during compilation

Wang

Sung

Wang

2019

Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of

View full text Add to dashboard Cite

The code generation modules inside modern compilers such as GCC and LLVM, which use a limited number of CPU registers to store a large number of program variables, may introduce sidechannel leaks even in software equipped with state-of-the-art countermeasures. We propose a program analysis and transformation based method to eliminate this side channel. Our method has a type-based technique for detecting leaks, which leverages Datalogbased declarative analysis and domain-specific optimizations to achieve high efficiency and accuracy. It also has a mitigation technique for the compiler's backend, more specifically the register allocation modules, to ensure that potentially leaky intermediate computation results are always stored in different CPU registers or spilled to memory with isolation. We have implemented and evaluated our method in LLVM for the x86 instruction set architecture. Our experiments on cryptographic software show that the method is effective in removing the side channel while being efficient, i.e., our mitigated code is more compact and runs faster than code mitigated using state-of-the-art techniques.

show abstract

Symbolic path cost analysis for side-channel detection

Abstract: performance against state-of-the-art tools as well as its effectiveness and scalability on a set of sizable, realistic Java server-client and peer-to-peer applications.

Cited by 22 publications

References 28 publications

DifFuzz: Differential Fuzzing for Side-Channel Analysis

DifFuzz: Differential Fuzzing for Side-Channel Analysis

Abstract interpretation under speculative execution

Mitigating power side channels during compilation

Contact Info

Product

Resources

About