Verifying Constant-Time Implementations by Abstract Interpretation

Constant-time programming is an established discipline to secure programs against timing attackers. Several real-world secure C libraries such as NaCl, mbedTLS, or Open Quantum Safe, follow this discipline. We propose an advanced static analysis, based on state-of-the-art techniques from abstract interpretation, to report time leakage during programming. To that purpose, we analyze source C programs and use full context-sensitive and arithmetic-aware alias analyses to track the tainted flows.

[1]  Milo M. K. Martin,et al.  Formalizing the LLVM intermediate representation for verified program transformations , 2012, POPL '12.

[2]  Kenneth G. Paterson,et al.  Lucky Thirteen: Breaking the TLS and DTLS Record Protocols , 2013, 2013 IEEE Symposium on Security and Privacy.

[3]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[4]  Gilles Barthe,et al.  System-level Non-interference for Constant-time Cryptography , 2014, IACR Cryptol. ePrint Arch..

[5]  Ingrid Verbauwhede,et al.  Dude, is my code constant time? , 2017, Design, Automation & Test in Europe Conference & Exhibition (DATE), 2017.

[6]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[7]  Jérôme Feret,et al.  Static Analysis of Digital Filters , 2004, ESOP.

[8]  Antoine Miné,et al.  The octagon abstract domain , 2001, High. Order Symb. Comput..

[9]  Andrei Sabelfeld,et al.  A Perspective on Information-Flow Control , 2012, Software Safety and Security.

[10]  Gilles Barthe,et al.  Verifying Constant-Time Implementations , 2016, USENIX Security Symposium.

[11]  Bor-Yuh Evan Chang,et al.  Boogie: A Modular Reusable Verifier for Object-Oriented Programs , 2005, FMCO.

[12]  Tanja Lange,et al.  The Security Impact of a New Cryptographic Library , 2012, LATINCRYPT.

[13]  Fernando Magno Quintão Pereira,et al.  Sparse representation of implicit flows with applications to side-channel detection , 2016, CC.

[14]  Khawaja Amer Hayat,et al.  Password Interception in a SSL/TLS Channel , 2004 .

[15]  Sorin Lerner,et al.  On Subnormal Floating Point and Abnormal Timing , 2015, 2015 IEEE Symposium on Security and Privacy.

[16]  Benjamin Grégoire,et al.  Jasmin: High-Assurance and High-Speed Cryptography , 2017, CCS.

[17]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[18]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[19]  Daniel J. Bernstein,et al.  Curve25519: New Diffie-Hellman Speed Records , 2006, Public Key Cryptography.

[20]  Xavier Leroy,et al.  A Formally-Verified C Static Analyzer , 2015, POPL.

[21]  Jean-Pierre Seifert,et al.  On the power of simple branch prediction analysis , 2007, ASIACCS '07.

[22]  Adam Chlipala,et al.  Simple High-Level Code for Cryptographic Arithmetic - With Proofs, Without Compromises , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[23]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[24]  Jan Reineke,et al.  CacheAudit: A Tool for the Static Analysis of Cache Side Channels , 2013, TSEC.

[25]  Andrew W. Appel,et al.  Verification of a Cryptographic Primitive: SHA-256 , 2015, TOPL.

[26]  Craig Costello,et al.  Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem , 2015, 2015 IEEE Symposium on Security and Privacy.

[27]  Gilles Barthe High-Assurance Cryptography: Cryptographic Software We Can Trust , 2015, IEEE Security & Privacy.

[28]  Vikram S. Adve,et al.  Making context-sensitive points-to analysis with heap cloning practical for the real world , 2007, PLDI '07.

[29]  Reiner Hähnle,et al.  A Theorem Proving Approach to Analysis of Secure Information Flow , 2005, SPC.

[30]  Deian Stefan,et al.  FaCT: A Flexible, Constant-Time Programming Language , 2017, 2017 IEEE Cybersecurity Development (SecDev).

[31]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[32]  Andrew W. Appel,et al.  Verified Correctness and Security of mbedTLS HMAC-DRBG , 2017, CCS.

[33]  Karthikeyan Bhargavan,et al.  HACL*: A Verified Modern Cryptographic Library , 2017, CCS.

[34]  Srinath T. V. Setty,et al.  Vale: Verifying High-Performance Cryptographic Assembly Code , 2017, USENIX Security Symposium.

[35]  Gregor Snelting,et al.  Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs , 2009, International Journal of Information Security.

[36]  Patrick Cousot,et al.  A static analyzer for large safety-critical software , 2003, PLDI.

[37]  G. Edward Suh,et al.  FPGA-Based Remote Power Side-Channel Attacks , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[38]  Andrew W. Appel,et al.  Verified Correctness and Security of OpenSSL HMAC , 2015, USENIX Security Symposium.

[39]  K. Rustan M. Leino,et al.  Dafny: An Automatic Program Verifier for Functional Correctness , 2010, LPAR.

[40]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[41]  Juan Chen,et al.  Secure distributed programming with value-dependent types , 2011, Journal of Functional Programming.

[42]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[43]  David Pichardie,et al.  An abstract memory functor for verified C static analyzers , 2016, ICFP.

[44]  Roger M. Needham,et al.  TEA, a Tiny Encryption Algorithm , 1994, FSE.