FaCT: A Flexible, Constant-Time Programming Language

We argue that C is unsuitable for writing timing-channel-free cryptographic code that is both fast and readable. Readable implementations of crypto routines would contain high-level constructs like if statements, constructs that also introduce timing vulnerabilities. To avoid vulnerabilities, programmers must rewrite their code to dodge intuitive yet dangerous constructs, cluttering the codebase and potentially introducing new errors. Moreover, even when programmers are diligent, compiler optimization passes may still introduce branches and other sources of timing side channels. This status quo is the worst of both worlds: tortured source code that can still yield vulnerable machine code. We propose to solve this problem with a domain-specific language that permits programmers to intuitively express crypto routines and reason about secret values, and a compiler that generates efficient, timing-channel-free assembly code.
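The abstract's point, a readable `if` on secret data that leaks timing beside the less intuitive mask-based rewrite C forces on the programmer, as a constructed example added here (not code from the FaCT paper; the tag bytes are made up):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample MAC tags (not real protocol data). */
static const uint8_t TAG_A[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
static const uint8_t TAG_B[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x05};

/* Readable but leaky: returns at the first mismatching byte, so the running
 * time reveals how many leading bytes of the secret tag a guess got right. */
int tag_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])          /* branch whose outcome depends on a secret */
            return 0;
    }
    return 1;
}

/* Constant-time rewrite: OR every byte difference into an accumulator and only
 * inspect the result after the whole buffer has been visited. */
int tag_equal_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* Collapse 0..255 to 1/0 without a branch: (diff - 1) has its top bit set
     * exactly when diff == 0. */
    return (int)((((uint32_t)diff - 1u) >> 31) & 1u);
}

/* Constant-time select standing in for `cond ? x : y` (cond must be 0 or 1). */
uint32_t ct_select(uint32_t cond, uint32_t x, uint32_t y)
{
    uint32_t mask = (uint32_t)0 - cond;    /* 1 -> 0xFFFFFFFF, 0 -> 0 */
    return (x & mask) | (y & ~mask);
}

int main(void)
{
    /* As the abstract notes, the C compiler is still free to turn these masks
     * back into branches; the emitted assembly has to be checked as well. */
    printf("leaky: %d ct: %d\n", tag_equal_leaky(TAG_A, TAG_B, 8),
           tag_equal_ct(TAG_A, TAG_B, 8));
    printf("select: %u\n", ct_select(tag_equal_ct(TAG_A, TAG_A, 8), 1u, 0u));
    return 0;
}
```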
