RiCaSi: Rigorous Cache Side Channel Mitigation via Selective Circuit Compilation

Cache side channels constitute a persistent threat to crypto implementations. In particular, block ciphers are prone to attacks when implemented with a simple lookup-table approach, because the table indices, and hence the memory addresses accessed, depend on secret data. Implementing crypto as software evaluations of circuits avoids this threat, since a circuit evaluation performs the same sequence of memory accesses for every input, but it is very costly. We propose an approach that combines program analysis and circuit compilation to support the selective hardening of regular C implementations against cache side channels. We implement this approach in our toolchain RiCaSi. RiCaSi avoids unnecessary complexity and overhead if it can derive sufficiently strong security guarantees for the original implementation. If necessary, RiCaSi produces a circuit-based, hardened implementation. For this, it leverages established circuit-compilation technology from the area of secure computation. A final program analysis step ensures that the hardening is, indeed, effective.
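The following C program is an added illustration of the threat and of the hardening principle described above; it is not RiCaSi's code and does not reproduce any cipher. It uses a constructed 4-bit S-box and compares two implementations: a plain table lookup, whose table index is the secret, and a circuit-style 16-to-1 multiplexer that reads every table slot at a fixed position in a fixed order and selects the result in the data path with all-ones/all-zeros masks. A small instrumentation layer records the sequence of table indices touched, standing in for the address trace a cache attacker observes, and a check counts how many distinct traces the 16 possible inputs produce. The S-box constants, the `trace_t` type and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 4-bit S-box for illustration only (not taken from any cipher). */
static const uint8_t SBOX[16] = {
    0x6, 0xB, 0x0, 0x4, 0xD, 0x2, 0x9, 0xF,
    0x1, 0xC, 0x7, 0xA, 0x3, 0xE, 0x8, 0x5
};

/* Address trace: the table indices touched during one evaluation. On real
 * hardware an attacker sees cache lines, not indices; the index is used here
 * as the finest-grained stand-in for that observation. */
#define TRACE_MAX 32
typedef struct { size_t len; uint8_t idx[TRACE_MAX]; } trace_t;

static uint8_t sbox_read(size_t i, trace_t *tr) {
    if (tr->len < TRACE_MAX) tr->idx[tr->len++] = (uint8_t)i;
    return SBOX[i];
}

/* Lookup-table implementation: the address is the secret nibble itself. */
uint8_t sbox_lookup(uint8_t x, trace_t *tr) {
    return sbox_read(x & 0x0F, tr);
}

/* 0xFF if the low nibbles of a and b are equal, 0x00 otherwise, computed
 * without a branch so that the comparison itself stays data-oblivious. */
static uint8_t eq_mask(uint8_t a, uint8_t b) {
    uint8_t d = (uint8_t)((a ^ b) & 0x0F);   /* zero iff a == b */
    d |= (uint8_t)(d >> 2);
    d |= (uint8_t)(d >> 1);                  /* bit 0 = OR of all four bits */
    return (uint8_t)((d & 1) - 1);           /* 1 -> 0x00, 0 -> 0xFF */
}

/* Circuit-style implementation: a 16-to-1 multiplexer. Every slot is read
 * in the same order for every input; x only influences the masks. */
uint8_t sbox_circuit(uint8_t x, trace_t *tr) {
    uint8_t out = 0;
    for (size_t i = 0; i < 16; i++)
        out |= eq_mask(x, (uint8_t)i) & sbox_read(i, tr);
    return out;
}

/* Analysis step: number of distinct address traces over all 16 inputs.
 * For a deterministic observation, log2 of this count is the min-entropy
 * leakage about a uniformly distributed input (4 bits for 16, 0 for 1). */
int distinct_traces(uint8_t (*f)(uint8_t, trace_t *)) {
    trace_t tr[16];
    int n = 0;
    for (int x = 0; x < 16; x++) {
        memset(&tr[x], 0, sizeof tr[x]);
        f((uint8_t)x, &tr[x]);
        bool seen = false;
        for (int y = 0; y < x && !seen; y++)
            seen = tr[y].len == tr[x].len &&
                   memcmp(tr[y].idx, tr[x].idx, tr[x].len) == 0;
        if (!seen) n++;
    }
    return n;
}

/* Functional equivalence: hardening must not change the S-box. */
bool circuit_matches_table(void) {
    for (int x = 0; x < 16; x++) {
        trace_t a = {0}, b = {0};
        if (sbox_lookup((uint8_t)x, &a) != sbox_circuit((uint8_t)x, &b))
            return false;
    }
    return true;
}

int main(void) {
    printf("equivalent: %s\n", circuit_matches_table() ? "yes" : "no");
    printf("lookup : %d distinct traces\n", distinct_traces(sbox_lookup));
    printf("circuit: %d distinct traces\n", distinct_traces(sbox_circuit));
    return 0;
}
```

The lookup version yields 16 distinct traces (the whole nibble leaks under this observation model), the multiplexer yields one, and both compute the same function. Two caveats a practitioner should keep in mind: a 16-byte table fits in a single cache line, so on real hardware the lookup would only leak through finer-grained channels, whereas the 1 KiB T-tables of a typical AES implementation span many lines; and a C compiler is free to turn the mask arithmetic back into a branch or a table lookup, which is why an analysis of the final binary, rather than of the source, is needed to confirm that the hardening took effect.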
