constant time programming in fact what is fact
play

Constant-time programming in FaCT What is FaCT? Domain specific - PowerPoint PPT Presentation

Aug 09, 2023 •40 likes •420 views

Constant-time programming in FaCT What is FaCT? Domain specific language for writing constant-time code Whats the difference between a DSL and a general- purpose language? How do you use FaCT? Write your program in C Write your

  1. Constant-time programming in FaCT

  2. What is FaCT? Domain specific language for writing constant-time code ➤ What’s the difference between a DSL and a general- purpose language?

  3. How do you use FaCT? • Write your program in C • Write your constant-time parts in FaCT

  4. int main() { uint8_t cond = 1; uint32_t x = 42; uint32_t y = 137; printf("cond: %u, x: %u, y: %u\n", cond, x, y); conditional_swap(&x, &y, cond); printf("after swap:\n"); printf("cond: %u, x: %u, y: %u\n", cond, x, y); return 0; }

  5. void conditional_swap(uint32_t* x, uint32_t* y, bool cond) { if (cond) { uint32_t tmp = *x; *x = *y; *y = tmp; } } (in C, unsafe)

  6. export void conditional_swap(secret mut uint32 x, secret mut uint32 y, secret bool cond) { if (cond) { secret uint32 tmp = x; x = y; y = tmp; } } (in FaCT, unsafe)

  7. .fact FaCT .h .o

  8. What’s in the .h? #ifndef __HELLO_WORLD_H #define __HELLO_WORLD_H void conditional_swap( /*secret*/ uint32_t * x, /*secret*/ uint32_t * y, /*secret*/ uint8_t cond); #endif

  9. What’s in the .o? define void 
 @conditional_swap(i32* %_secret_x, ii32* %_secret_y, i1 %_secret_cond1) { entry: ... }

  10. What do FaCT functions look like? If you squint… kind of looks like C/Rust code export void conditional_swap(secret mut uint32 x, secret mut uint32 y, secret bool cond) { if (cond) { secret uint32 tmp = x; x = y; y = tmp; } }

  11. What do FaCT functions look like? • C-like ➤ statements + expressions ➤ block scoping, local variables ➤ C-like data types ➤ C-like control flow constructs: if-statement, for-loops

  12. What do FaCT functions look like? • With some differences… ➤ No floating point operations ➤ No types that have implicit bit-width ➤ No raw pointers ➤ No heap allocation

  13. How does FaCT help with CT? • Mutability is explicit! ➤ By default variables are constant ➤ Must declare variable mut to mutate variables! • E.g., ➤ Function args: ... fun(public mut uint32 y) { ... ➤ Local variables: secret mut uint8[20] x = ...

  14. How does this help with CT? Makes it easier to reason about what a function may do with a buffer argument

  15. 
 More importantly: secrecy is explicit! • Every value must be labeled secret/public ➤ Function arguments and return values: 
 public int32 
 conditional_assign(secret mut uint8[] x, 
 secret uint8[] y, secret bool assign) { ... } ➤ Local variables: 
 secret mut uint8[20] local = arrzeros(20); • FaCT propagates labels ➤ E.g., secret_x + public_y is labeled secret

  16. Wait a second! What about this? export void conditional_swap(secret mut uint32 x, secret mut uint32 y, secret bool cond) { if (cond) { secret uint32 tmp = x; x = y; y = tmp; } }

  17. How do labels help?

  18. What introduces timing channels? • Variable-time operators ➤ E.g., /, %, ||, && • Control flow ➤ If-statements, for-loops, early returns, function calls • Memory access patterns ➤ E.g., accessing memory based at secret index

  19. Labels to the rescue! • Labels are used to prevent information leaks ➤ At compile time, label/type checking algorithm ensures that you cannot leak data labeled secret ➤ E.g., the type checker disallows explicit assignment of secret data to public variables

  20. How else can we use labels? • Restrict usage of variable-time operators ➤ No secret operands to %, /, ||, or && • Restrict unsafe control flow ➤ No branching on secrets, no secret-bounded loops • Disallow leaky memory access patterns ➤ No indexing based on secret data

  21. Expressiveness :(

  22. Can we do better? • Yes! We can automatically transform statements that handle secrets to be constant time ➤ How? • Should we do this for every potentially unsafe pattern? ➤ A: yes, B: no

  23. What does FaCT disallow?

  24. No public assignments (in secret context) if (secret) pub = ... Is this fundamental? A: yes , B: no

  25. No calls to functions with public side-effects if (secret) fun(ref pub); Is this fundamental? A: yes, B: no

  26. No % or / on secret data! sec % pub, pub % sec, sec 1 % sec 2 Is this fundamental? A: yes, B: no

  27. No secret-bounded loops for (uint32 i=0; i < sec; i+=1) { ... } Is this fundamental? A: yes , B: no

  28. No memory access at secret index pub_arr[sec], sec_arr[sec] Is this fundamental? A: yes, B: no

  29. What about everything else? • Can use short circuit operators || and && • Can have control flow depend on secrets ➤ E.g., if-statements, return, function calls

  30. 
 
 
 
 
 Compiler automatically transforms code • If-statements transformed to execute both branches ➤ Goal: preserve semantics of normal if-statement ➤ Approach: keep track of control flow via a local variable (for each branch) 
 〚 〛 secret mut bool __branch1 = cond; if (cond) { 〚 s1; 〛 s1; ➡ } else { __branch1 = !__branch1; 〚 s2; 〛 s2; }

  31. Slightly more complicated example if (s) { if (s2) { public = 42; Doesn’t type check! ➡ } else { public = 17; } y = x + 2; }

  32. Back to example export void conditional_swap(secret mut uint32 x, secret mut uint32 y, secret bool cond) { if (cond) { secret uint32 tmp = x; x = y; y = tmp; export } void conditional_swap(secret mut uint32 x, } ➡ secret mut uint32 y, secret bool cond) { secret mut bool __branch1 = cond; { secret uint32 tmp = x; x = ct_select(y, x, __branch1); y = ct_select(tmp, y, __branch1); } __branch1 = !__branch1; {...} }

  33. Slightly more complicated example (the intuitive transformation) if (s) { if (s2) { x = ct_select( 〚 s && s2 〛 , 42, x); x = 42; ➡ } else { x = ct_select( 〚 s && !s2 〛 , 17, x); x = 17; y = ct_select(s, x + 2, y); } y = x + 2; }

  34. 
 
 
 
 
 What about early returns? • Goal: preserve semantics of early returns • Approach: ➤ keep track of control flow via a local variable ➤ keep track of return value 
 rval = ct_select( 〚 s && !returned 〛 , 42, rval); returned &= !s; if (s) { return 42; rval = ct_select(!returned, 17, rval); ➡ } returned &= true; return 17; return rval;

  35. 
 
 
 
 What about function calls? • Transform function side effects ➤ Depends on control flow state of caller • Pass the current control flow as an extra parameter 
 if (s) { ➡ fn(ref x, s); fn(ref x); } void fn(secret mut uint32 x, bool state) { void fn(secret mut uint32 x) { ➡ x = ct_select(state, 42, x); x = 42; } }

  36. Transforming C code to FaCT static int get_zeros_padding( unsigned char *input, size_t input_len, size_t *data_len ) { size_t i; if( NULL == input || NULL == data_len ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); *data_len = 0; for( i = input_len; i > 0; i-- ) { if (input[i-1] != 0) { *data_len = i; return 0; } } return 0; }

  37. Transforming C code to FaCT export void get_zeros_padding( secret uint8 input[], secret mut uint32 data_len) { data_len = 0; for( uint32 i = len input; i > 0; i-=1 ) { if (input[i-1] != 0) { data_len = i; return; } } }

  38. What FaCT doesn’t do (yet) • OOB array access is possible ➤ Why is this bad? • Shifting beyond bit-width is possible ➤ Why is this bad? • Allows you to explicitly leave arrays uninitialized ➤ Why is this bad?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Constant-time programming in FaCT Sunjay Cauligi , UC San Diego Fraser Brown, Ranjit Jhala, Brian

Constant-time programming in FaCT Sunjay Cauligi , UC San Diego Fraser Brown, Ranjit Jhala, Brian

Constant-time programming in FaCT Sunjay Cauligi , UC San Diego Fraser Brown, Ranjit Jhala, Brian Johannesmeyer, John Renner, Gary Soeller, Deian Stefan, Riad Wahby Timing side channels Crypto Constant-time programming with FaCT Strange Loop

1.63k views • 114 slides
FaCT A Flexible, Constant-Time Sunjay Cauligi , Gary Soeller, Programming Language Fraser Brown,

FaCT A Flexible, Constant-Time Sunjay Cauligi , Gary Soeller, Programming Language Fraser Brown,

FaCT A Flexible, Constant-Time Sunjay Cauligi , Gary Soeller, Programming Language Fraser Brown, Brian Johannesmeyer, Yunlu Huang, Ranjit Jhala, Deian Stefan Timing side channels Secret key Crypto Plaintext Encrypted FaCT SecDev 2017

652 views • 40 slides
What solves this equation? Equation: n : if n = 0 then 1 else n 1 ) ? fact fact ( n

What solves this equation? Equation: n : if n = 0 then 1 else n 1 ) ? fact fact ( n

What solves this equation? Equation: n : if n = 0 then 1 else n 1 ) ? fact fact ( n = The factorial function! Factorial in lambda calculus Wish for: fact = \n.(zero? n) 1 (times n (fact (pred n))); But: on right-hand side, fact is

471 views • 14 slides
Patient Feedback Challenge Wave 3 FACT Team, Newark Its a FACT!!!!!! Flexible

Patient Feedback Challenge Wave 3 FACT Team, Newark Its a FACT!!!!!! Flexible

Patient Feedback Challenge Wave 3 FACT Team, Newark Its a FACT!!!!!! Flexible Assertive Community Treatment 2 3 FACT! F Families A - and C - Carers T - Tell all. 4 First National Project with a focus

383 views • 20 slides
CSE 341 : Programming Languages Lets fix the fact that our only example datatype so far was

CSE 341 : Programming Languages Lets fix the fact that our only example datatype so far was

Useful examples CSE 341 : Programming Languages Lets fix the fact that our only example datatype so far was silly Lecture 5 Enumerations, including carrying other data More Datatypes and Pattern Matching datatype suit = Club |

258 views • 6 slides
Faculty-Administrator Collaboration Team(FACT) FDP Meeting Jan 2020 Informing the Future of

Faculty-Administrator Collaboration Team(FACT) FDP Meeting Jan 2020 Informing the Future of

Faculty-Administrator Collaboration Team(FACT) FDP Meeting Jan 2020 Informing the Future of FACT Wrap up FACT Phase I Planned Changes for FACT Phase II Considerations for FACT Phase II Align FACT Phase II with FDP Phase VII

323 views • 14 slides
Look Ma, No Cavities! Look Ma, No Cavities! Fact or Fiction? Fact or Fiction? Kathy Phipps,

Look Ma, No Cavities! Look Ma, No Cavities! Fact or Fiction? Fact or Fiction? Kathy Phipps,

Look Ma, No Cavities! Look Ma, No Cavities! Fact or Fiction? Fact or Fiction? Kathy Phipps, DrPH ASTDD Data Coordinator The findings and conclusions in this presentation have not been formally disseminated by the Centers for Disease Control

557 views • 22 slides
Demystifying Monads Amanda Laucher ThoughtWorks Scientific Fact Functional programming is the

Demystifying Monads Amanda Laucher ThoughtWorks Scientific Fact Functional programming is the

Demystifying Monads Amanda Laucher ThoughtWorks Scientific Fact Functional programming is the best way to model every computer programming solution Shared Language Monads/Gonads, WTH? Dave Thomas speakerconf 2010 Monad Tutorial Fallacy

593 views • 43 slides
Welcome! Agenda FACT Coalition 101 Why Financial Transparency and Accountability? Why do

Welcome! Agenda FACT Coalition 101 Why Financial Transparency and Accountability? Why do

FACT ADVOCACY DAYS: A PREVIEW Welcome! Agenda FACT Coalition 101 Why Financial Transparency and Accountability? Why do we care? Big Challenges, Big Solutions Goals and Rationale for FACT Advocacy Days Logistics, Wrap up and

145 views • 11 slides
FacultyAdministrator Collaboration Team(FACT) FDP Meeting Sept 2018 Agenda for FACT

FacultyAdministrator Collaboration Team(FACT) FDP Meeting Sept 2018 Agenda for FACT

FacultyAdministrator Collaboration Team(FACT) FDP Meeting Sept 2018 Agenda for FACT Session Introductions 5 min Review Purpose, Goals, Timeline &amp; Progress 10 min Has anyone done something like this before? 5

416 views • 27 slides
61A Lecture 34 Monday, November 19 Logic Language Review Expressions begin with query or fact

61A Lecture 34 Monday, November 19 Logic Language Review Expressions begin with query or fact

61A Lecture 34 Monday, November 19 Logic Language Review Expressions begin with query or fact followed by relations. Expressions and their relations are Scheme lists. Simple fact (fact (append-to-form () ?x ?x)) Conclusion (fact

207 views • 10 slides
Report and Presentation Requirements Dr Ian Storey 2018 Fact Finding Fact finding is a major

Report and Presentation Requirements Dr Ian Storey 2018 Fact Finding Fact finding is a major

Report and Presentation Requirements Dr Ian Storey 2018 Fact Finding Fact finding is a major component of the analysis in this assignment. Describe techniques used, and give a small number of examples with associated data ( no less than 3 ). For

203 views • 7 slides
Understanding Genesis 1:13 Time is in fact the hero of the plot given so much time,

Understanding Genesis 1:13 Time is in fact the hero of the plot given so much time,

Understanding Genesis 1:13 Time is in fact the hero of the plot given so much time, the impossible becomes possible, and the possible probable, and the probable virtually certain. One has only to wait: time itself performs

1.28k views • 81 slides
Determinants: Definitions The Key Fact Fact. A square matrix is invertible if and only if its

Determinants: Definitions The Key Fact Fact. A square matrix is invertible if and only if its

Determinants: Definitions The Key Fact Fact. A square matrix is invertible if and only if its determinant is not zero. detONE: 2 The 2 2 Case a b a b det = = ad bc c d c d We use both

435 views • 9 slides
An introduction to the Families and Childrens Transformation (FACT) programme. Contents 1.

An introduction to the Families and Childrens Transformation (FACT) programme. Contents 1.

An introduction to the Families and Childrens Transformation (FACT) programme. Contents 1. What is FACT? 2. Why FACT? Why now? 3. What are we hoping to achieve? 4. How? Programme approach 5. How? Reporting and governance 6. How?

508 views • 23 slides
Faith vs Unbelief Caleb &amp; Joshua Mob Fact #1 Num 13:27 land = as God promised Fact #2 13:28-29

Faith vs Unbelief Caleb &amp; Joshua Mob Fact #1 Num 13:27 land = as God promised Fact #2 13:28-29

Faith vs Unbelief Caleb &amp; Joshua Mob Fact #1 Num 13:27 land = as God promised Fact #2 13:28-29 a fight ahead Grasshopper Bread Interpretation Interpretation 13:31-14:4 13:30; 14:8-9 Occupants stronger than Lord is stronger

449 views • 10 slides
Software Engineering I cs361 Announcements GitKraken gitkraken.com Writing Assignment 3

Software Engineering I cs361 Announcements GitKraken gitkraken.com Writing Assignment 3

Software Engineering I cs361 Announcements GitKraken gitkraken.com Writing Assignment 3 Feedback Code Reviews Showing off code For the sake of common interest http://fabiensanglard.net/ prince_of_persia/index.php Attribution Much

575 views • 32 slides
Type Theo pe Theoris rists ts HA HATE Him Him! Learn this ONE WEIRD TRICK to fake dependent

Type Theo pe Theoris rists ts HA HATE Him Him! Learn this ONE WEIRD TRICK to fake dependent

Type Theo pe Theoris rists ts HA HATE Him Him! Learn this ONE WEIRD TRICK to fake dependent types in a language that doesnt support them LEARN THE TRUTH NOW Ryan Scott rgscott@indiana.edu github.com/RyanGlScott September 1, 2017

504 views • 31 slides
5/15/2019 Square Root - Direct Method Square Root - Direct Method In IEEE floating point standard

5/15/2019 Square Root - Direct Method Square Root - Direct Method In IEEE floating point standard

5/15/2019 Square Root - Direct Method Square Root - Direct Method In IEEE floating point standard a real number is To help the calculation of represented as : 1 2 the representation of R must be changed into = 1

167 views • 4 slides
Lecture 8: approximating the square root linear search l = [&quot;The Strokes&quot;, &quot;Bon

Lecture 8: approximating the square root linear search l = [&quot;The Strokes&quot;, &quot;Bon

Lecture 8: approximating the square root linear search l = [&quot;The Strokes&quot;, &quot;Bon Iver&quot;, &quot;Arcade Fire&quot;, &quot;The Black Keys&quot;, &quot;Pixies&quot;, &quot;The White Stripes&quot;, &quot;Neutral Milk Hotel&quot;,

199 views • 5 slides
COMPLEX IS EASY , ITS SIMPLE WHICH IS HARD SARAH TARAPOREWALLA TECH PRINCIPAL @sarahtarap

COMPLEX IS EASY , ITS SIMPLE WHICH IS HARD SARAH TARAPOREWALLA TECH PRINCIPAL @sarahtarap

COMPLEX IS EASY , ITS SIMPLE WHICH IS HARD SARAH TARAPOREWALLA TECH PRINCIPAL @sarahtarap @sarahtarap Lets Explore Complexity in the Real World 1 How does it happen? 2 The One About The Checkbox 3 The One About The Fortress 4

680 views • 56 slides
Admissible Digit Sets Jesse Hughes 1 , 2 Milad Niqui 2 1 Technical University of Eindhoven 2

Admissible Digit Sets Jesse Hughes 1 , 2 Milad Niqui 2 1 Technical University of Eindhoven 2

Digit sets Admissibility Admissible Digit Sets Jesse Hughes 1 , 2 Milad Niqui 2 1 Technical University of Eindhoven 2 Radboud University of Nijmegen September 28, 2004 Hughes, Niqui Admissible Digit Sets Digit sets Admissibility Outline

1.29k views • 103 slides
+ String Conditioning: Ten Minutes of Exercises 2011-2013 Daily Practice on the Violin, Viola,

+ String Conditioning: Ten Minutes of Exercises 2011-2013 Daily Practice on the Violin, Viola,

!&quot;#$%&amp;'()*+'($,-'.' /0$12'()%34$%5&quot;)'60#735,-''' ' ! &quot;#$%&amp;!'()*+!,-.#//!-*+!0(!12345!-/6.7382/9!:/&amp;!;30/#$6&amp;9!$75!&lt;752#$76/=! &gt;? -2737@! A? -.#//!B6$4/+!$!C$&amp;!D0E(!F$G(#!$75!(7/!H37(#I! J?

285 views • 5 slides
The Arpeggigon: A Functional Reactive Musical Automaton Demo, FARM 2017, 9 Sept., Oxford Henrik

The Arpeggigon: A Functional Reactive Musical Automaton Demo, FARM 2017, 9 Sept., Oxford Henrik

The Arpeggigon: A Functional Reactive Musical Automaton Demo, FARM 2017, 9 Sept., Oxford Henrik Nilsson Joint work with Guerric Chupin and Jin Zhan Functional Programming Laboratory, School of Computer Science University of Nottingham, UK The

485 views • 30 slides

More recommend