Name and position of the project proposer: 
sb_p_2687415
Year: 
2021
Abstract: 

Even in the absence of vulnerabilities at the software level, a program may be subject to information-disclosure vulnerabilities caused by the lower levels of abstraction it relies on. A side-channel attack observes side effects of these underlying levels (for example, execution time or the state of the CPU cache) to infer the data being processed. This means that even a bug-free implementation of a provably secure cryptographic algorithm may leak its secret keys to a side-channel attack. In contrast to traditional attacks, which target, e.g., algorithms, protocols, or implementation errors, side-channel attacks assume bug-free and correct implementations.
In the era of microarchitectural side channels, vendors scramble to deploy mitigations for transient execution attacks but leave traditional side-channel attacks against sensitive software (e.g., cryptographic programs) to be fixed by developers by means of constant-time programming, i.e., the absence of secret-dependent control flow and memory access patterns. Unfortunately, writing constant-time code by hand is hard, as evidenced by the many flaws discovered in production side-channel-resistant code.
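As an added illustration of what "secret-dependent code/data patterns" means in practice (this example is not part of the proposal and not the proposer's code; all function names are hypothetical and the sample table is constructed), the following C shows two classic leaky idioms, an early-exit comparison and a secret-indexed table lookup, next to constant-time counterparts that touch the same instructions and the same memory regardless of the secret:

```c
/*
 * Added example (not from the proposal): leaky idioms and their
 * constant-time counterparts. All function names are hypothetical and
 * the sample table below is constructed for the demonstration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample input: a table indexed by secret data (e.g. an S-box slice). */
const uint8_t sample_table[8] = {10, 20, 30, 40, 50, 60, 70, 80};

/* LEAKY: exits at the first mismatching byte, so the running time reveals
 * how many leading bytes of the guess are correct (a MAC/tag can then be
 * forged one byte at a time). */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])          /* secret-dependent branch + early exit */
            return 0;
    return 1;
}

/* CONSTANT-TIME: always processes all n bytes; no branch on secret data.
 * Returns 1 if equal, 0 otherwise. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];       /* accumulates every difference */
    /* (diff - 1) borrows into the high bits only when diff == 0 */
    return (int)((((unsigned)diff - 1u) >> 8) & 1u);
}

/* Branchless 0/1 equality test on size_t values (1 if a == b). */
static int ct_eq_size(size_t a, size_t b)
{
    size_t x = a ^ b;                                   /* zero iff a == b */
    size_t nonzero = (x | ((size_t)0 - x)) >> (sizeof(size_t) * 8 - 1);
    return (int)(nonzero ^ 1);
}

/* Expand a 0/1 condition to an all-zero / all-one byte mask. */
static uint8_t ct_mask8(int cond)
{
    return (uint8_t)(0u - (unsigned)(cond & 1));
}

/* LEAKY: the address (hence the cache line) touched depends on the secret
 * index; a Prime+Probe or Flush+Reload attacker learns bits of it. */
uint8_t leaky_lookup(const uint8_t *table, size_t n, size_t secret_idx)
{
    (void)n;
    return table[secret_idx];
}

/* CONSTANT-TIME: reads every entry and keeps the wanted one via a mask,
 * so the memory access pattern is independent of secret_idx. */
uint8_t ct_lookup(const uint8_t *table, size_t n, size_t secret_idx)
{
    uint8_t out = 0;
    for (size_t i = 0; i < n; i++)
        out |= table[i] & ct_mask8(ct_eq_size(i, secret_idx));
    return out;
}

/* Branchless select: a if cond == 1, b if cond == 0. Replaces 'cond ? a : b',
 * which a compiler may lower to a secret-dependent jump. */
uint32_t ct_select32(int cond, uint32_t a, uint32_t b)
{
    uint32_t m = 0u - (uint32_t)(cond & 1);            /* all ones iff cond */
    return (a & m) | (b & ~m);
}

int main(void)
{
    const uint8_t tag[4]   = {0xde, 0xad, 0xbe, 0xef};
    const uint8_t guess[4] = {0xde, 0xad, 0x00, 0x00};
    printf("leaky_compare: %d  ct_compare: %d\n",
           leaky_compare(tag, guess, 4), ct_compare(tag, guess, 4));
    printf("leaky_lookup[3]: %u  ct_lookup[3]: %u\n",
           (unsigned)leaky_lookup(sample_table, 8, 3),
           (unsigned)ct_lookup(sample_table, 8, 3));
    printf("ct_select32(1, 5, 9): %u\n", (unsigned)ct_select32(1, 5u, 9u));
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the C language gives no constant-time guarantee: an optimizing compiler is free to turn the masked selects back into branches or to short-circuit the loops once it proves the result, which is precisely the gap that compile-time hardening transformations aim to close. Second, this example only covers the classical (architectural) side channel; it says nothing about paths that are executed speculatively.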
Building on recent research I authored in this area, I plan to tackle the ambitious goal of developing program transformations that automatically harden applications against side-channel and transient execution attacks by transforming the code during compilation, ensuring that the program does not expose any information about the secret data it is computing on.

ERC: 
PE6_5
PE6_3
PE6_2
Research group members: 
sb_cp_is_3419632
Innovativeness: 

Security researchers have proposed and implemented several mitigations to achieve constant-time guarantees. These solutions target specific subsets of such guarantees or do not take transient execution attacks into consideration. Moreover, they usually incur too much overhead to be applied to real-world software. Combining different tools to sum up the guarantees they provide is therefore not feasible, and there is a need for a comprehensive solution to protect software against side-channel and transient execution attacks [20, 21, 22, 23].
Such a solution would lighten the burden on developers of designing and implementing applications that are both bug-free and do not leak secrets in unintended ways.

- Impact and benefits -
Along with memory corruption vulnerabilities, side-channel and transient execution attacks are among the main concerns for sensitive applications such as cryptographic implementations, whose security rests on the confidentiality of the processed data.
Moreover, Secure Multiparty Computation relies on constant-time guarantees to ensure that the confidentiality of user data is maintained even on untrusted systems. SGX relies on the constant-time behaviour of enclave programs to avoid leaking information about their execution to the untrusted operating system. All these environments are helpless without strong constant-time guarantees, and developers are expected not to break them [18].
However, it is incredibly difficult to provide secure implementations without breaking such guarantees [20, 21, 22, 23].
Speculative execution in modern processors further complicates the situation: developers must also reason about paths that are only executed speculatively but may nonetheless leak user data. This easily becomes infeasible, even for the most experienced developer [19].
Developing a framework that automatically ensures constant-time guarantees would allow developers to focus solely on correctness and memory safety while developing their projects.

- Dissemination -
I plan to publish the results of my work in top-tier international security venues (S&P, CCS, NDSS, USENIX), to share the results with the scientific community and contribute to the advancement of the state of the art in the field. The software will be released as open source, to allow researchers to build on my work.

[18] Intel. Guidelines for Mitigating Timing Side Channels Against Cryptographic Implementations. 2020.

[19] Sunjay Cauligi, Craig Disselkoen, Klaus v. Gleissenthall, Dean Tullsen, Deian Stefan, Tamara Rezk, and Gilles Barthe. Constant-Time Foundations for the New Spectre Era. PLDI 2020.

[20] Diego F. Aranha, Felipe Rodrigues Novaes, Akira Takahashi, Mehdi Tibouchi, and Yuval Yarom. LadderLeak: Breaking ECDSA with Less than One Bit of Nonce Leakage. CCS 2020.

[21] Daniel Moghimi, Jo Van Bulck, Nadia Heninger, Frank Piessens, and Berk Sunar. CopyCat: Controlled Instruction-Level Attacks on Enclaves. USENIX Security 2020.

[22] Console Hacking. 27th Chaos Communication Congress (27C3), Dec. 2010. https://fahrplan.events.ccc.de/congress/2010/Fahrplan/events/4087.en.html

[23] Bitcoin.org. Android Security Vulnerability. Alert, 11 Aug. 2013. https://bitcoin.org/en/alert/2013-08-11-android

Call code: 
2687415

© Università degli Studi di Roma "La Sapienza" - Piazzale Aldo Moro 5, 00185 Roma