A Note On Side-Channels Resulting From Dynamic Compilation

Dynamic compilation systems are of fundamental importance to high performance execution of interpreted languages such as Java. These systems analyse the performance of an application at runtime and aggressively re-compile and optimise code which is deemed critical to performance. However, the premise that the code executed is not the same code as written by the programmer raises a number of important security concerns. In this paper we examine the specific problem that dynamic compilation, through transformation of the code, may introduce side-channel vulnerabilities where before there were none.

[1]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[2]  David Schultz,et al.  The Program Counter Security Model: Automatic Detection and Removal of Control-Flow Side Channel Attacks , 2005, ICISC.

[3]  Andrew W. Appel,et al.  Using memory errors to attack a virtual machine , 2003, 2003 Symposium on Security and Privacy, 2003..

[4]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[5]  Dakshi Agrawal,et al.  The EM Side-Channel(s) , 2002, CHES.

[6]  Stephen J. Fink,et al.  The Jalapeño virtual machine , 2000, IBM Syst. J..

[7]  Chandra Krintz,et al.  Using annotations to reduce dynamic optimization time , 2001, PLDI '01.

[8]  George C. Necula,et al.  The design and implementation of a certifying compiler , 1998, PLDI.

[9]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[10]  Jean-Sébastien Coron,et al.  Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems , 1999, CHES.

[11]  Silvio Micali,et al.  Physically Observable Cryptography (Extended Abstract) , 2004, TCC.

[12]  Matthew Arnold,et al.  Adaptive optimization in the Jalapeño JVM , 2000, OOPSLA '00.

[13]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[14]  Hiroshi Miyauchi,et al.  Cryptanalysis of DES Implemented on Computers with Cache , 2003, CHES.

[15]  Nigel P. Smart,et al.  Lattice Attacks on Digital Signature Schemes , 2001, Des. Codes Cryptogr..

[16]  Craig Chambers,et al.  Making pure object-oriented languages practical , 1991, OOPSLA 1991.

[17]  Elena Trichina,et al.  Implementation of Elliptic Curve Cryptography with Built-In Counter Measures against Side Channel Attacks , 2002, CHES.

[18]  Daniel J. Bernstein,et al.  Cache-timing attacks on AES , 2005 .

[19]  Manuel Barbosa,et al.  On the Automatic Construction of Indistinguishable Operations , 2005, IACR Cryptol. ePrint Arch..

[20]  Silvio Micali,et al.  Algorithmic Tamper-Proof (ATP) Security: Theoretical Foundations for Security against Hardware Tampering , 2004, TCC.

[21]  Alexandru Nicolau,et al.  Java annotation-aware just-in-time (AJIT) complilation system , 1999, JAVA '99.

[22]  L. Peter Deutsch,et al.  Efficient implementation of the smalltalk-80 system , 1984, POPL.

[23]  Manuel Barbosa,et al.  First Steps Toward a Cryptography-Aware Language and Compiler , 2005, IACR Cryptol. ePrint Arch..