413 research outputs found
Robust Constant-Time Cryptography
The constant-time property is considered the security standard for
cryptographic code. Code following the constant-time discipline is free from
secret-dependent branches and memory accesses, and thus avoids leaking secrets
through cache and timing side-channels. The constant-time property makes a
number of implicit assumptions that are fundamentally at odds with the reality
of cryptographic code. Constant-time is not robust. The first issue with
constant-time is that it is a whole-program property: It relies on the entirety
of the code base being constant-time. But, cryptographic developers do not
generally write whole programs; rather, they provide libraries and specific
algorithms for other application developers to use. As such, developers of
security libraries must maintain their security guarantees even when their code
is operating within (potentially untrusted) application contexts. Constant-time
requires memory safety. The whole-program nature of constant-time also leads to
a second issue: constant-time requires memory safety of all the running code.
Any memory safety bugs, whether in the library or the application, will wend
their way back to side-channel leaks of secrets if not direct disclosure. And
although cryptographic libraries should (and are) written to be memory-safe, it
is unfortunately unrealistic to expect the same from every application that
uses each library. We formalize robust constant-time and build a RobustIsoCrypt
compiler that transforms the library code and protects the secrets even when
they are linked with untrusted code. Our evaluation with SUPERCOP benchmarking
framework shows that the performance overhead is less than five percent on
average
Axiomatic hardware-software contracts for security
We propose leakage containment models (LCMs)—novel axiomatic security contracts which support formally reasoning about the security guarantees of programs when they run on particular microarchitectures. Our core contribution is an axiomatic vocabulary for formalizing LCMs, derived from the established axiomatic vocabulary for formalizing processor memory consistency models. Using this vocabulary, we formalize microarchitectural leakage—focusing on leakage through hardware memory systems—so that it can be automatically detected in programs and provide a taxonomy for classifying said leakage by severity. To illustrate the efficacy of LCMs, we first demonstrate that our leakage definition faithfully captures a sampling of (transient and non-transient) microarchitectural attacks from the literature. Second, we develop a static analysis tool based on LCMs which automatically identifies Spectre vulnerabilities in programs and scales to analyze real-world crypto-libraries
High-Assurance Cryptography in the Spectre Era
International audienceHigh-assurance cryptography leverages methods from program verification and cryptography engineering to deliver efficient cryptographic software with machine-checked proofs of memory safety, functional correctness, provable security, and absence of timing leaks. Traditionally, these guarantees are established under a sequential execution semantics. However, this semantics is not aligned with the behavior of modern processors that make use of speculative execution to improve performance. This mismatch, combined with the high-profile Spectre-style attacks that exploit speculative execution, naturally casts doubts on the robustness of high-assurance cryptography guarantees. In this paper, we dispel these doubts by showing that the benefits of high-assurance cryptography extend to speculative execution, costing only a modest performance overhead. We build atop the Jasmin verification framework an end-to-end approach for proving properties of cryptographic software under speculative execution, and validate our approach experimentally with efficient, functionally correct assembly implementations of ChaCha20 and Poly1305, which are secure against both traditional timing and speculative execution attacks
StaticFixer: From Static Analysis to Static Repair
Static analysis tools are traditionally used to detect and flag programs that
violate properties. We show that static analysis tools can also be used to
perturb programs that satisfy a property to construct variants that violate the
property. Using this insight we can construct paired data sets of unsafe-safe
program pairs, and learn strategies to automatically repair property
violations. We present a system called \sysname, which automatically repairs
information flow vulnerabilities using this approach. Since information flow
properties are non-local (both to check and repair), \sysname also introduces a
novel domain specific language (DSL) and strategy learning algorithms for
synthesizing non-local repairs. We use \sysname to synthesize strategies for
repairing two types of information flow vulnerabilities, unvalidated dynamic
calls and cross-site scripting, and show that \sysname successfully repairs
several hundred vulnerabilities from open source {\sc JavaScript} repositories,
outperforming neural baselines built using {\sc CodeT5} and {\sc Codex}. Our
datasets can be downloaded from \url{http://aka.ms/StaticFixer}
Hardware-Software Codesign for Mitigating Spectre
Spectre attacks exploit control- and data-flow (mis)prediction on modern processors to transiently leak program secrets. Comprehensively mitigating Spectre leakage is hard, and doing so while preserving the program’s performance is even harder: no existing Spectre mitigations are widely deployed due to their high overhead or high complexity. We claim that a comprehensive, efficient, and low-complexity mitigation for Spectre attacks requires engaging in software-compiler-hardware co-design. In our talk, we will pitch such a co-designed Spectre mitigation that will be widely deployable at a low cost in security-critical applications. As a first step towards this goal, we have developed Serberus, a comprehensive and proven-correct Spectre mitigation for constant-time code that targets existing hardware. We are currently exploring lightweight hardware support to improve Serberus’ performance in other application domains
Penetrating Shields: A Systematic Analysis of Memory Corruption Mitigations in the Spectre Era
This paper provides the first systematic analysis of a synergistic threat
model encompassing memory corruption vulnerabilities and microarchitectural
side-channel vulnerabilities. We study speculative shield bypass attacks that
leverage speculative execution attacks to leak secrets that are critical to the
security of memory corruption mitigations (i.e., the shields), and then use the
leaked secrets to bypass the mitigation mechanisms and successfully conduct
memory corruption exploits, such as control-flow hijacking. We start by
systematizing a taxonomy of the state-of-the-art memory corruption mitigations
focusing on hardware-software co-design solutions. The taxonomy helps us to
identify 10 likely vulnerable defense schemes out of 20 schemes that we
analyze. Next, we develop a graph-based model to analyze the 10 likely
vulnerable defenses and reason about possible countermeasures. Finally, we
present three proof-of-concept attacks targeting an already-deployed mitigation
mechanism and two state-of-the-art academic proposals.Comment: 14 page
- …