Precise Detection of Side-Channel Vulnerabilities using Quantitative Cartesian Hoare Logic

This paper presents Themis, an end-to-end static analysis tool for finding resource-usage side-channel vulnerabilities in Java applications. We introduce the notion of epsilon-bounded non-interference, a variant and relaxation of Goguen and Meseguer's well-known non-interference principle: rather than requiring that secret inputs have no observable effect at all, it requires that any two executions with the same public inputs differ in resource usage (such as time or memory) by at most epsilon. We then present Quantitative Cartesian Hoare Logic (QCHL), a program logic for verifying epsilon-bounded non-interference. Our tool, Themis, combines automated reasoning in QCHL with lightweight static taint analysis to improve scalability: taint analysis first identifies the methods whose resource usage may depend on secret data, and QCHL-based verification is applied only to those. We evaluate Themis on well-known Java applications and demonstrate that Themis can find previously unknown side-channel vulnerabilities in widely-used programs. We also show that Themis can verify the absence of vulnerabilities in repaired versions of vulnerable programs, and that Themis compares favorably against Blazer, a state-of-the-art static analysis tool for finding timing side channels in Java applications.
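The following is an added example, not code from the Themis paper or its implementation, that makes the epsilon-bounded non-interference property concrete. Themis proves the property statically with QCHL; this script instead measures it dynamically on constructed inputs, which can refute the property but never prove it. The cost model (one tick per byte examined), the function names, the fixed 8-byte secrets and the guesses are all this example's own assumptions.

```python
"""Added example: a bounded-enumeration check of epsilon-bounded
non-interference for a leaky and a repaired secret comparison.

Not part of the Themis paper or tool. Cost model, names and inputs
are assumptions made for illustration only."""
from typing import Callable, Iterable, List


class CostMeter:
    """Abstract resource counter: one tick per observable unit of work."""

    def __init__(self) -> None:
        self.cost = 0

    def tick(self, n: int = 1) -> None:
        self.cost += n


Checker = Callable[[CostMeter, bytes, bytes], bool]


def leaky_compare(meter: CostMeter, secret: bytes, guess: bytes) -> bool:
    """Early-exit comparison: one tick per byte examined, so the cost
    reveals the length of the matching prefix (classic timing channel)."""
    if len(secret) != len(guess):
        meter.tick()
        return False
    for a, b in zip(secret, guess):
        meter.tick()
        if a != b:
            return False
    return True


def constant_resource_compare(meter: CostMeter, secret: bytes, guess: bytes) -> bool:
    """Repaired version: examines every byte whether or not a mismatch was
    already seen. Assumes secrets have a fixed, public length."""
    if len(secret) != len(guess):
        meter.tick()
        return False
    diff = 0
    for a, b in zip(secret, guess):
        meter.tick()
        diff |= a ^ b
    return diff == 0


def cost_of(f: Checker, secret: bytes, public: bytes) -> int:
    meter = CostMeter()
    f(meter, secret, public)
    return meter.cost


def max_cost_gap(f: Checker, public: bytes, secrets: Iterable[bytes]) -> int:
    """Largest resource-usage difference between two runs that share the
    public input but differ in the secret: the quantity epsilon bounds."""
    costs = [cost_of(f, s, public) for s in secrets]
    return max(costs) - min(costs)


def epsilon_bounded_ni(f: Checker, publics: Iterable[bytes],
                       secrets: List[bytes], epsilon: int) -> bool:
    """True if, for every tested public input, no two runs with different
    secrets differ in cost by more than epsilon (checked by enumeration)."""
    return all(max_cost_gap(f, p, secrets) <= epsilon for p in publics)


# Constructed inputs: fixed-length secrets and attacker-chosen guesses.
SECRETS: List[bytes] = [b"AAAAAAAA", b"AAAAAAAB", b"ABAAAAAA", b"BAAAAAAA"]
GUESSES: List[bytes] = [b"AAAAAAAA", b"ZZZZZZZZ"]

if __name__ == "__main__":
    for name, f in (("leaky", leaky_compare), ("constant", constant_resource_compare)):
        for g in GUESSES:
            print(name, g, "max cost gap =", max_cost_gap(f, g, SECRETS))
```

Note that the leaky comparison shows a gap of 0 for the guess b"ZZZZZZZZ" (every secret mismatches at the first byte) and a gap of 7 for b"AAAAAAAA"; the property quantifies over all public inputs, so a single favourable public input says nothing, which is why a static proof over all inputs, as QCHL provides, is needed rather than testing a few.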

[1]  Edward W. Felten,et al.  Timing attacks on Web privacy , 2000, CCS.

[2]  Roberto Gorrieri,et al.  A Taxonomy of Security Properties for Process Algebras , 1995, J. Comput. Secur..

[3]  Danfeng Zhang,et al.  Language-based control and mitigation of timing channels , 2012, PLDI.

[4]  Simha Sethumadhavan,et al.  TimeWarp: Rethinking timekeeping and performance monitoring mechanisms to mitigate side-channel attacks , 2012, 2012 39th Annual International Symposium on Computer Architecture (ISCA).

[5]  Mohammad Abdullah Al Faruque,et al.  Side Channels of Cyber-Physical Systems: Case Study in Additive Manufacturing , 2017, IEEE Des. Test.

[6]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[7]  Nick Benton,et al.  Simple relational correctness proofs for static analyses and program transformations , 2004, POPL.

[8]  Mira Mezini,et al.  Taming reflection: Aiding static analysis in the presence of reflection and custom class loaders , 2011, 2011 33rd International Conference on Software Engineering (ICSE).

[9]  K. Rustan M. Leino,et al.  Houdini, an Annotation Assistant for ESC/Java , 2001, FME.

[10]  Reiner Hähnle,et al.  Resource Analysis of Complex Programs with Cost Equations , 2014, APLAS.

[11]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[12]  Francis Olivier,et al.  Electromagnetic Analysis: Concrete Results , 2001, CHES.

[13]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[14]  Andrew C. Myers,et al.  Jif: java information flow , 1999 .

[15]  Amir Herzberg,et al.  Cross-Site Search Attacks , 2015, CCS.

[16]  Elaine Shi,et al.  GhostRider: A Hardware-Software System for Memory Trace Oblivious Computation , 2015, ASPLOS.

[17]  Martin Hofmann,et al.  Static prediction of heap space usage for first-order functional programs , 2003, POPL '03.

[18]  Christel Baier,et al.  Proceedings of the 21st International Conference on Tools and Algorithms for the Construction and Analysis of Systems - Volume 9035 , 2015 .

[19]  Jürgen Giesl,et al.  Analyzing Runtime and Size Complexity of Integer Programs , 2016, ACM Trans. Program. Lang. Syst..

[20]  Helmut Veith,et al.  A simple and scalable static analysis for bound analysis and amortized complexity analysis , 2014, Software Engineering.

[21]  Gilles Barthe,et al.  System-level Non-interference for Constant-time Cryptography , 2014, IACR Cryptol. ePrint Arch..

[22]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[23]  R.,et al.  A Classification of Security Properties for Process Algebras , 2007 .

[24]  Zhong Shao,et al.  Type-Based Amortized Resource Analysis with Integers and Arrays , 2014, FLOPS.

[25]  Kenneth G. Paterson,et al.  Lucky Thirteen: Breaking the TLS and DTLS Record Protocols , 2013, 2013 IEEE Symposium on Security and Privacy.

[26]  Michael Hicks,et al.  Decomposition instead of self-composition for proving the absence of timing channels , 2017, PLDI.

[27]  Corina S. Pasareanu,et al.  Multi-run Side-Channel Analysis Using Symbolic Execution and Max-SMT , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[28]  Vitaly Shmatikov,et al.  Privacy-preserving deep learning , 2015, 2015 53rd Annual Allerton Conference on Communication, Control, and Computing (Allerton).

[29]  Amir Pnueli,et al.  CoVaC: Compiler Validation by Program Analysis of the Cross-Product , 2008, FM.

[30]  Andreas Haeberlen,et al.  Differential Privacy Under Fire , 2011, USENIX Security Symposium.

[31]  Zhong Shao,et al.  Compositional certified resource bounds , 2015, PLDI.

[32]  Helmut Veith,et al.  Complexity and Resource Bound Analysis of Imperative Programs Using Difference Constraints , 2017, Journal of Automated Reasoning.

[33]  Dan Boneh,et al.  Exposing private information by timing web applications , 2007, WWW '07.

[34]  Serge Vaudenay,et al.  Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS , 2002, EUROCRYPT.

[35]  Stephan Krenn,et al.  Cache Games -- Bringing Access-Based Cache Attacks on AES to Practice , 2011, 2011 IEEE Symposium on Security and Privacy.

[36]  François Pottier,et al.  Information flow inference for ML , 2003, TOPL.

[37]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[38]  Ashay Rane,et al.  Secure, Precise, and Fast Floating-Point Operations on x86 Processors , 2016, USENIX Security Symposium.

[39]  Isil Dillig,et al.  Cartesian hoare logic for verifying k-safety properties , 2016, PLDI.

[40]  Greg Nelson,et al.  Extended static checking for Java , 2002, PLDI '02.

[41]  Martin Hofmann,et al.  Multivariate amortized resource analysis , 2012, TOPL.

[42]  Shuvendu K. Lahiri,et al.  Complexity and Algorithms for Monomial and Clausal Predicate Abstraction , 2009, CADE.

[43]  Laurie Hendren,et al.  Soot: a Java bytecode optimization framework , 2010, CASCON.

[44]  David A. Naumann From Coupling Relations to Mated Invariants for Checking Information Flow , 2006, ESORICS.

[45]  Daniel Genkin,et al.  Get your hands off my laptop: physical side-channel key-extraction attacks on PCs , 2015, Journal of Cryptographic Engineering.

[46]  Sumit Gulwani,et al.  Bound Analysis of Imperative Programs with the Size-Change Abstraction , 2011, SAS.

[47]  Matt Fredrikson,et al.  Verifying and Synthesizing Constant-Resource Implementations with Types , 2018 .

[48]  Zhou Li,et al.  Sidebuster: automated detection and quantification of side-channel leaks in web application development , 2010, CCS '10.

[49]  Pedro R. D'Argenio,et al.  Secure information flow by self-composition , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[50]  Stan Matwin,et al.  Privacy-Sensitive Information Flow with JML , 2005, CADE.

[51]  Rupak Majumdar,et al.  Tools and Algorithms for the Construction and Analysis of Systems , 1997, Lecture Notes in Computer Science.

[52]  James W. Gray,et al.  Toward a mathematical foundation for information flow security , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[53]  Ashay Rane,et al.  Raccoon: Closing Digital Side-Channels through Obfuscated Execution , 2015, USENIX Security Symposium.

[54]  Alexander Aiken,et al.  A Data Driven Approach for Algebraic Loop Invariants , 2013, ESOP.

[55]  Bertrand Jeannet,et al.  Apron: A Library of Numerical Abstract Domains for Static Analysis , 2009, CAV.

[56]  Elvira Albert,et al.  Non-cumulative Resource Analysis , 2015, TACAS.

[57]  Onur Aciiçmez,et al.  A Vulnerability in RSA Implementations Due to Instruction Cache Analysis and Its Demonstration on OpenSSL , 2008, CT-RSA.

[58]  Martin Hofmann,et al.  Amortized Resource Analysis with Polynomial Potential , 2010, ESOP.

[59]  Gilles Barthe,et al.  Verifying Constant-Time Implementations , 2016, USENIX Security Symposium.

[60]  Michael Hicks,et al.  Decomposition Instead of Self-Composition for k-Safety , 2016 .

[61]  Yuval Yarom,et al.  CacheBleed: a timing attack on OpenSSL constant-time RSA , 2016, Journal of Cryptographic Engineering.

[62]  Armando Solar-Lezama,et al.  A language for automatically enforcing privacy policies , 2012, POPL '12.

[63]  Jean-Pierre Seifert,et al.  On the power of simple branch prediction analysis , 2007, ASIACCS '07.

[64]  David Schultz,et al.  The Program Counter Security Model: Automatic Detection and Removal of Control-Flow Side Channel Attacks , 2005, ICISC.

[65]  Tevfik Bultan,et al.  String analysis for side channels with segmented oracles , 2016, SIGSOFT FSE.

[66]  Gilles Barthe,et al.  Beyond 2-Safety: Asymmetric Product Programs for Relational Program Verification , 2013, LFCS.

[67]  Fernando Magno Quintão Pereira,et al.  Sparse representation of implicit flows with applications to side-channel detection , 2016, CC.

[68]  Rui Wang,et al.  Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow , 2010, 2010 IEEE Symposium on Security and Privacy.

[69]  Gilles Barthe,et al.  Relational Verification Using Product Programs , 2011, FM.

[70]  Alexander Aiken,et al.  Secure Information Flow as a Safety Problem , 2005, SAS.

[71]  Ankush Das,et al.  Towards automatic resource bound analysis for OCaml , 2016, POPL.

[72]  Marco Gaboardi,et al.  Relational cost analysis , 2017, POPL.

[73]  Jacques Klein,et al.  FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.

[74]  Sumit Gulwani,et al.  SPEED: precise and efficient static estimation of program computational complexity , 2009, POPL '09.

[75]  Samir Genaim,et al.  On the Limits of the Classical Approach to Cost Analysis , 2012, SAS.