Automatically eliminating speculative leaks from cryptographic code with blade

We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets (sources) to those that leak them through the cache (sinks), rather than prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression as either transient, i.e., possibly containing speculative secrets or as being stable, and (2) prohibits speculative leaks by requiring that all sink expressions are stable. Blade relies on a new abstract primitive, protect, to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade’s type system can automatically synthesize a minimal number of protects to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically, without user intervention, and efficiently even when using fences to implement protect.

[1]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[2]  Jaisook Landauer,et al.  A lattice of information , 1993, [1993] Proceedings Computer Security Foundations Workshop VI.

[3]  Alon Zakai,et al.  Bringing the web up to speed with WebAssembly , 2017, PLDI.

[4]  Toon Verwaest,et al.  Spectre is here to stay: An analysis of side-channels and speculative execution , 2019, ArXiv.

[5]  Carl A. Waldspurger,et al.  Speculative Buffer Overflows: Attacks and Defenses , 2018, ArXiv.

[6]  Gernot Heiser,et al.  A survey of microarchitectural timing attacks and countermeasures on contemporary hardware , 2016, Journal of Cryptographic Engineering.

[7]  Ravi Sahita,et al.  Security Analysis of Processor Instruction Set Architecture for Enforcing Control-Flow Integrity , 2019, HASP@ISCA.

[8]  Roderick Bloem,et al.  Efficient Information-Flow Verification Under Speculative Execution , 2019, ATVA.

[9]  Meng Wu,et al.  Abstract interpretation under speculative execution , 2019, PLDI.

[10]  Dean M. Tullsen,et al.  Context-Sensitive Fencing: Securing Speculative Execution via Microcode Customization , 2019, ASPLOS.

[11]  Thomas F. Wenisch,et al.  Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution , 2018, USENIX Security Symposium.

[12]  Eric V. Denardo,et al.  Flows in Networks , 2011 .

[13]  Karthikeyan Bhargavan,et al.  HACL*: A Verified Modern Cryptographic Library , 2017, CCS.

[14]  Alexander Aiken,et al.  Constraint-Based Program Analysis (Abstract) , 1996, SAS.

[15]  Benjamin Grégoire,et al.  Formal Verification of a Constant-Time Preserving C Compiler : 3 by theoretical justifications : in [ , 2019 .

[16]  Berk Sunar,et al.  LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[17]  Tulika Mitra,et al.  oo7: Low-overhead Defense against Spectre Attacks via Binary Analysis , 2018, ArXiv.

[18]  Martin Schwarzl,et al.  NetSpectre: Read Arbitrary Memory over Network , 2018, ESORICS.

[19]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[20]  Charles Reis,et al.  Site Isolation: Process Separation for Web Sites within the Browser , 2019, USENIX Security Symposium.

[21]  Berk Sunar,et al.  Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis , 2020, USENIX Security Symposium.

[22]  Sanjit A. Seshia,et al.  A Formal Approach to Secure Speculation , 2019, 2019 IEEE 32nd Computer Security Foundations Symposium (CSF).

[23]  Rami Gökhan Kici,et al.  Replication package for article: Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade , 2020, Artifact Digital Object Group.

[24]  Karthikeyan Bhargavan,et al.  Formally Verified Cryptographic Web Applications in WebAssembly , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[25]  Craig Disselkoen,et al.  Constant-time foundations for the new spectre era , 2020, PLDI.

[26]  Benjamin Grégoire,et al.  Jasmin: High-Assurance and High-Speed Cryptography , 2017, CCS.

[27]  Flemming Nielson,et al.  Flow Logics for Constraint Based Analysis , 1998, CC.

[28]  Michael Schwarz,et al.  ConTExT: A Generic Approach for Mitigating Spectre , 2020, NDSS.

[29]  Nael B. Abu-Ghazaleh,et al.  Spectre Returns! Speculation Attacks Using the Return Stack Buffer , 2018, IEEE Design & Test.

[30]  Craig Disselkoen,et al.  The Code That Never Ran: Modeling Attacks on Speculative Evaluation , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[31]  Frank Piessens,et al.  A Systematic Evaluation of Transient Execution Attacks and Defenses , 2018, USENIX Security Symposium.

[32]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[33]  Josep Torrellas,et al.  Speculative Taint Tracking (STT): A Comprehensive Protection for Speculatively Accessed Data , 2019, IEEE Micro.

[34]  Adi Shamir,et al.  Efficient Cache Attacks on AES, and Countermeasures , 2010, Journal of Cryptology.

[35]  Christian Rossow,et al.  ret2spec: Speculative Execution Using Return Stack Buffers , 2018, CCS.

[36]  Michael Hamburg,et al.  Meltdown: Reading Kernel Memory from User Space , 2018, USENIX Security Symposium.

[37]  Deian Stefan,et al.  CT-wasm: type-driven secure cryptography for the web ecosystem , 2018, Proc. ACM Program. Lang..

[38]  Andrew C. Myers,et al.  Enforcing robust declassification , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[39]  Roberto Guanciale,et al.  InSpectre: Breaking and Fixing Microarchitectural Vulnerabilities by Formal Analysis , 2019, CCS.

[40]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[41]  Yuan Xiao,et al.  SgxPectre Attacks: Leaking Enclave Secrets via Speculative Execution , 2018, ArXiv.

[42]  Guillaume Brat,et al.  Precise and efficient static array bound checking for large embedded C programs , 2004, PLDI '04.

[43]  Gilles Barthe,et al.  Verifying Constant-Time Implementations , 2016, USENIX Security Symposium.

[44]  Josep Torrellas,et al.  InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy , 2018, 2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[45]  Marco Guarnieri,et al.  Spectector: Principled Detection of Speculative Information Flows , 2018, 2020 IEEE Symposium on Security and Privacy (SP).

[46]  Babak Falsafi,et al.  SMoTherSpectre: Exploiting Speculative Execution through Port Contention , 2019, CCS.

[47]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[48]  Thomas F. Wenisch,et al.  Foreshadow-NG: Breaking the virtual memory abstraction with transient out-of-order execution , 2018 .

[49]  Benjamin Grégoire,et al.  FaCT: a DSL for timing-sensitive computation , 2019, PLDI.