JIT Leaks: Inducing Timing Side Channels through Just-In-Time Compilation

Side-channel vulnerabilities in software are caused by an observable imbalance in resource usage across different program paths. We show that just-in-time (JIT) compilation, which is crucial to the runtime performance of modern interpreted languages, can introduce timing side channels in cases where the input distribution to the program is non-uniform. Such timing channels can enable an attacker to infer potentially sensitive information about predicates on the program input.We define three attack models under which such side channels are harnessable and five vulnerability templates to detect susceptible code fragments and predicates. We also propose profiling algorithms to generate the representative statistical information necessary for the attacker to perform accurate inference.We systematically evaluate the strength of these JIT-based side channels on the java.lang.String, java.lang.Math, and java.math.BigInteger classes from the Java standard library, and on the JavaScript built-in objects String, Math, and Array. We carry out our evaluation using two widely adopted, open-source, JIT-enhanced runtime engines for the Java and JavaScript languages: the Oracle HotSpot Java Virtual Machine and the Google V8 JavaScript engine, respectively.Finally, we demonstrate a few examples of JIT-based side channels in the Apache Shiro security framework and the GraphHopper route planning server, and show that they are observable over the public Internet.

[1]  Tevfik Bultan,et al.  Synthesis of Adaptive Side-Channel Attacks , 2017, 2017 IEEE 30th Computer Security Foundations Symposium (CSF).

[2]  Peter Chapman,et al.  Automated black-box detection of side-channel vulnerabilities in web applications , 2011, CCS '11.

[3]  Nael B. Abu-Ghazaleh,et al.  Jump over ASLR: Attacking branch predictors to bypass ASLR , 2016, 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[4]  Ahmad-Reza Sadeghi,et al.  JITGuard: Hardening Just-in-time Compilers with SGX , 2017, CCS.

[5]  Tevfik Bultan,et al.  Symbolic path cost analysis for side-channel detection , 2018, ISSTA.

[6]  John McCarthy,et al.  Recursive functions of symbolic expressions and their computation by machine, Part I , 1960, Commun. ACM.

[7]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .

[8]  K. De Bosschere,et al.  Adaptive Compiler Strategies for Mitigating Timing Side Channel Attacks , 2020, IEEE Transactions on Dependable and Secure Computing.

[9]  Donald E. Knuth,et al.  An empirical study of FORTRAN programs , 1971, Softw. Pract. Exp..

[10]  Gernot Heiser,et al.  Last-Level Cache Side-Channel Attacks are Practical , 2015, 2015 IEEE Symposium on Security and Privacy.

[11]  Dan Page,et al.  Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel , 2002, IACR Cryptol. ePrint Arch..

[12]  Corina S. Pasareanu,et al.  Multi-run Side-Channel Analysis Using Symbolic Execution and Max-SMT , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[13]  Onur Aciiçmez,et al.  Predicting Secret Keys Via Branch Prediction , 2007, CT-RSA.

[14]  Michael Hamburg,et al.  Meltdown , 2018, meltdownattack.com.

[15]  Bruce Schneier,et al.  Side channel cryptanalysis of product ciphers , 2000 .

[16]  Isil Dillig,et al.  Precise Detection of Side-Channel Vulnerabilities using Quantitative Cartesian Hoare Logic , 2017, CCS.

[17]  Risto M. Hakala,et al.  Cache-Timing Template Attacks , 2009, ASIACRYPT.

[18]  Zhou Li,et al.  Sidebuster: automated detection and quantification of side-channel leaks in web application development , 2010, CCS '10.

[19]  Philip S. Abrams,et al.  An APL machine , 1970 .

[20]  Carsten Willems,et al.  Practical Timing Side Channel Attacks against Kernel Space ASLR , 2013, 2013 IEEE Symposium on Security and Privacy.

[21]  Gilbert Joseph Hansen,et al.  Adaptive systems for the dynamic run-time optimization of programs. , 1974 .

[22]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[23]  Jean-Pierre Seifert,et al.  On the power of simple branch prediction analysis , 2007, ASIACCS '07.

[24]  Tevfik Bultan,et al.  String analysis for side channels with segmented oracles , 2016, SIGSOFT FSE.

[25]  Soo-Mook Moon,et al.  Javascript ahead-of-time compilation for embedded web platform , 2015, 2015 13th IEEE Symposium on Embedded Systems For Real-time Multimedia (ESTIMedia).

[26]  Dan Page,et al.  A Note On Side-Channels Resulting From Dynamic Compilation , 2006, IACR Cryptol. ePrint Arch..

[27]  Per Larsen,et al.  Thwarting Cache Side-Channel Attacks Through Dynamic Software Diversity , 2015, NDSS.

[28]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[29]  Koen De Bosschere,et al.  Practical Mitigations for Timing-Based Side-Channel Attacks on Modern x86 Processors , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[30]  Michael Hicks,et al.  Decomposition Instead of Self-Composition for k-Safety , 2016 .

[31]  Bart Coppens,et al.  Compiler mitigations for time attacks on modern x86 processors , 2012, TACO.

[32]  Nael B. Abu-Ghazaleh,et al.  BranchScope: A New Side-Channel Attack on Directional Branch Predictor , 2018, ASPLOS.

[33]  Marcus Peinado,et al.  Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing , 2016, USENIX Security Symposium.

[34]  John Aycock,et al.  A brief history of just-in-time , 2003, CSUR.

[35]  Jean-Pierre Seifert,et al.  New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures , 2007, IMACC.

[36]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[37]  Ruben Buchatskiy,et al.  Augmenting JavaScript JIT with ahead-of-time compilation , 2015, 2015 Computer Science and Information Technologies (CSIT).

[38]  Cliff Click,et al.  The Java HotSpot Server Compiler , 2001, Java Virtual Machine Research and Technology Symposium.

[39]  L. Peter Deutsch,et al.  Efficient implementation of the smalltalk-80 system , 1984, POPL.