Triggerflow: Regression Testing by Advanced Execution Path Inspection

Cryptographic libraries often feature multiple implementations of primitives to meet both the security needs of handling private information and the performance requirements of modern services when the handled information is public. OpenSSL, the de facto standard free and open source cryptographic library, includes mechanisms to distinguish confidential data and its control flow, including run-time flags, designed for hardening against timing side-channels, but repeatedly mishandled by accident in the past. To analyze and prevent these accidents, we introduce Triggerflow, a tool for tracking execution paths that, assisted by source annotations, dynamically analyzes the binary through the debugger. We validate this approach with case studies demonstrating how adopting our method in the development pipeline would have promptly detected such accidents. We further showcase the value of the tooling by presenting two novel discoveries facilitated by Triggerflow: one leak and one defect.
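The mechanism the abstract describes, source annotations plus debugger-driven path tracking, as an added Python sketch that is not the paper's tool or code: it generates a GDB command file that breaks on annotated lines and classifies the backtraces GDB prints. The `TRIGGERFLOW` / `TRIGGERFLOW_IGNORE` comment markers, the toy `bn.c` source and the GDB output are all assumptions constructed for this example.

```python
import re
# Annotation markers are an assumption for this example; the page only says the tool is "assisted by source annotations".
TRIGGER = "TRIGGERFLOW"        # reaching this line means a sensitive code path executed
IGNORE = "TRIGGERFLOW_IGNORE"  # a caller on this line makes the hit expected (public data)
# Constructed toy source: bn_mul_slow must never see private operands; BN_mul_private calls it anyway.
SAMPLE_SRC = """\
static int bn_mul_slow(int a, int b) {
    return a * b; // TRIGGERFLOW: variable-time multiplication
}
int BN_mul_public(int a, int b) {
    return bn_mul_slow(a, b); // TRIGGERFLOW_IGNORE: operands are public
}
int BN_mul_private(int a, int b) {
    return bn_mul_slow(a, b); /* bug: forgot the constant-time variant */
}
"""
# Constructed GDB output for two breakpoint hits, as the generated command file would print it.
SAMPLE_BT = """\
#0  bn_mul_slow (a=3, b=4) at bn.c:2
#1  0x0000555555555189 in BN_mul_public (a=3, b=4) at bn.c:5
#2  0x00005555555551c0 in main () at main.c:7
#0  bn_mul_slow (a=11, b=13) at bn.c:2
#1  0x00005555555551a4 in BN_mul_private (a=11, b=13) at bn.c:8
#2  0x00005555555551d0 in main () at main.c:8
"""
def find_annotations(source: str) -> tuple[list[int], list[int]]:
    triggers, ignores = [], []  # 1-based line numbers of each marker kind
    for n, line in enumerate(source.splitlines(), 1):
        m = re.search(r"//\s*(" + IGNORE + "|" + TRIGGER + r")\b", line)
        if m:
            (ignores if m.group(1) == IGNORE else triggers).append(n)
    return triggers, ignores

def gdb_script(filename: str, triggers: list[int]) -> str:
    # GDB command file: break on every trigger line, print a backtrace, keep running.
    out = ["set pagination off"]
    for n in triggers:
        out += [f"break {filename}:{n}", "commands", "  bt", "  continue", "end"]
    return "\n".join(out + ["run", "quit"]) + "\n"

def classify_hits(bt_output: str, filename: str, ignores: list[int]) -> list[list[str]]:
    # Each backtrace is a finding unless some frame sits on an IGNORE-annotated line.
    findings = []
    for block in re.split(r"\n(?=#0 )", bt_output.strip()):
        frames = [(f, int(n)) for f, n in re.findall(r"^#\d+\s+.*\bat\s+(\S+):(\d+)\s*$", block, re.M)]
        if any(f == filename and n in ignores for f, n in frames):
            continue  # an annotated caller vouches for this path: expected, not a leak
        findings.append([f"{f}:{n}" for f, n in frames])
    return findings
```

Running the real binary under `gdb -batch -x <file>` and feeding its output to `classify_hits` would surface only the `BN_mul_private` path, which is exactly the kind of accidental use of a variable-time routine the paper targets.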