SLIDE 1

FaCT: A DSL for Timing-Sensitive Computation

Sunjay Cauligi, UC San Diego

Gary Soeller, Brian Johannesmeyer, Fraser Brown, Riad Wahby, John Renner, Benjamin Gregoire, Gilles Barthe, Ranjit Jhala, Deian Stefan

SLIDE 2

FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi PLDI 2019

What does this code do?

    for (i = 0; i < n; i++) {
        d |= x[i] ^ y[i];
    }
    return (1 & ((d - 1) >> 8)) - 1;

SLIDE 3

What does this code do?

    for (i = 0; i < n; i++) {
        if (x[i] != y[i]) return -1;
    }
    return 0;

SLIDE 18

It compares two buffers.

    for (i = 0; i < n; i++) {
        if (x[i] != y[i]) return -1;
    }
    return 0;

x: y: 5ms
x: y: 8ms

SLIDE 21

It compares two buffers.

    for (i = 0; i < n; i++) {
        if (x[i] != y[i]) return -1;
    }
    return 0;

pwd: guess: 5ms
pwd: guess: 8ms

Exiting early based on contents leak!

SLIDE 25

    for (i = 0; i < n; i++) {
        if (x[i] != y[i]) return -1;
    }
    return 0;

Must not exit early

    for (i = 0; i < n; i++) {
        d |= x[i] ^ y[i];
    }
    return (1 & ((d - 1) >> 8)) - 1;

Constant-time code

Timing is independent of secrets
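Added example (not from the original slides): the two comparison loops above as complete C functions. The steps counter, the sample pwd buffer and the helper names are assumptions made for this example; the counter is a deterministic stand-in for running time and shows that the early-exit loop's work tracks the number of matching leading bytes while the constant-time loop's does not.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PWD_LEN 8

/* Early-exit comparison from the slides. The `steps` counter is added for
 * this example as a deterministic stand-in for running time. */
int leaky_compare(const uint8_t *x, const uint8_t *y, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (x[i] != y[i])
            return -1;              /* where we stop depends on the contents */
    }
    return 0;
}

/* Constant-time comparison from the slides: always walks all n bytes. */
int ct_compare(const uint8_t *x, const uint8_t *y, size_t n, size_t *steps)
{
    uint32_t d = 0;                 /* unsigned, so d - 1 wraps when d == 0 */
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        d |= (uint32_t)(x[i] ^ y[i]);
    }
    /* d == 0      -> (d - 1) >> 8 has its low bit set -> 1 - 1 =  0
     * d in 1..255 -> (d - 1) >> 8 is 0                -> 0 - 1 = -1 */
    return (int)(1 & ((d - 1) >> 8)) - 1;
}

/* Constructed sample input: a guess that shares its first `match` bytes
 * with pwd and differs in every later byte. */
static const uint8_t pwd[PWD_LEN] = { 's', 'e', 'c', 'r', 'e', 't', '4', '2' };

static void make_guess(uint8_t *guess, size_t match)
{
    for (size_t i = 0; i < PWD_LEN; i++)
        guess[i] = (i < match) ? pwd[i] : (uint8_t)(pwd[i] ^ 0xFF);
}

/* Loop iterations spent comparing pwd with such a guess. */
size_t steps_for_match(int constant_time, size_t match)
{
    uint8_t guess[PWD_LEN];
    size_t steps;
    make_guess(guess, match);
    if (constant_time)
        (void)ct_compare(pwd, guess, PWD_LEN, &steps);
    else
        (void)leaky_compare(pwd, guess, PWD_LEN, &steps);
    return steps;
}

/* 1 if both versions return the same verdict for every prefix length. */
int verdicts_agree(void)
{
    for (size_t match = 0; match <= PWD_LEN; match++) {
        uint8_t guess[PWD_LEN];
        size_t s1, s2;
        make_guess(guess, match);
        if (leaky_compare(pwd, guess, PWD_LEN, &s1) !=
            ct_compare(pwd, guess, PWD_LEN, &s2))
            return 0;
    }
    return 1;
}

int main(void)
{
    puts("matching bytes  early-exit steps  constant-time steps");
    for (size_t match = 0; match <= PWD_LEN; match++)
        printf("%14zu  %16zu  %19zu\n", match,
               steps_for_match(0, match), steps_for_match(1, match));
    return verdicts_agree() ? 0 : 1;
}
```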

SLIDE 27

Constant-time code is messy

    for (j = 0; j < md_block_size; j++) {
        uint8_t b = data[j];
        uint8_t is_past_c = is_block_a & constant_time_ge_8_s(j, c);
        uint8_t is_past_cp1 = is_block_a & constant_time_ge_8_s(j, c + 1);
        b = constant_time_select_8(is_past_c, 0x80, b);
        b = b & ~is_past_cp1;
        b &= ~is_block_b | is_block_a;
        if (j >= md_block_size - md_length_size) {
            b = constant_time_select_8(is_block_b,
                    length_bytes[j - (md_block_size - md_length_size)], b);
        }
        block[j] = b;
    }

NOT READABLE!

SLIDE 28

Constant-time code is hard to write

OpenSSL padding oracle attack

Canvel, et al. “Password Interception in a SSL/TLS Channel.” Crypto, Vol. 2729. 2003.

SLIDE 30

Constant-time code is hard to write

Lucky 13 timing attack

Al Fardan and Paterson. “Lucky thirteen: Breaking the TLS and DTLS record protocols.” Oakland 2013.

SLIDE 31

Constant-time code is hard to write

Further refinements

Removing all measurable timing differences

SLIDE 35

Goal: Write readable code

    for (i = 0; i < n; i++) {
        if (x[i] != y[i]) return -1;
    }
    return 0;

FaCT

Transforms readable code into constant-time code

    for (i = 0; i < n; i++) {
        d |= x[i] ^ y[i];
    }
    return (1 & ((d - 1) >> 8)) - 1;

SLIDE 36

Transforming to constant-time

  • What to transform?
  • How to transform?
  • What not to transform?
  • Evaluation

SLIDE 43

Transform everything?

    if (secret) { x = 19; }
    x = -secret & 19 | (secret-1) & x;

Slower but necessary

    if (public) { y = 42; }
    y = -public & 42 | (public-1) & y;

Slower and unnecessary!

Only transform if code leaks secret values

SLIDE 46

Explicit secrecy in the type system

    secret uint32 decrypt(
        secret uint32 key,
        public uint32 msg) {
      if (key > 40) {
        ...
      }
      ...
    }

We can detect secret leakage!

SLIDE 49

Type system detects leaks via...

  • Conditional branches
  • Early termination
  • Function side effects
  • Memory access patterns
  • Direct assignment

FaCT transforms these: conditional branches, early termination, function side effects

FaCT disallows these: memory access patterns, direct assignment

SLIDE 52

Transforming control flow

  • Conditional branches
  • Early termination
  • Function side effects

SLIDE 58

Transform secret conditionals

    if (s) {
        x = 40;
    } else {
        x = 19;
        y = x + 2;
    }

    x = -s & 40 | (s-1) & x;
    x = (s-1) & 19 | -s & x;
    y = (s-1) & (x + 2) | -s & y;

SLIDE 60

Secret returns are conditionals too

    if (s) { return 40; }

    if (s) {
        if (!done) {
            rval = 40;
            done = true;
        }
    }
    ...
    return rval;

SLIDE 63

Secret returns are conditionals too

    if (s) { return 40; }

    if (s) {
        if (!done) {
            rval = 40;
            done = true;
        }
    }

    rval = (-s & (done-1)) & 40 | ...
    done = (-s & (done-1)) & true | ...
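Added example (not from the original slides): the secret-conditional and secret-return transformations above written out in C and checked against their branching originals. The function names, the second condition s2, the fall-through value 7 and the completion of the elided "| ..." terms as "~m & old value" are assumptions made for this example; the masks are only correct when the condition is exactly 0 or 1, which to_bit enforces.

```c
#include <stdint.h>
#include <stdio.h>

/* Branchless nonzero test: maps 0 -> 0 and any other value -> 1. */
uint32_t to_bit(uint32_t v) { return (v | (0u - v)) >> 31; }

/* The select used on the slides: (-s & a) | ((s-1) & b).
 * -s is all-ones when s == 1, (s-1) is all-ones when s == 0. */
uint32_t select_u32(uint32_t s, uint32_t a, uint32_t b)
{
    return ((0u - s) & a) | ((s - 1u) & b);
}

struct vars { uint32_t x, y; };

/* Secret conditional as written in the readable source. */
struct vars branchy_if(uint32_t s, struct vars v)
{
    if (s) { v.x = 40; } else { v.x = 19; v.y = v.x + 2; }
    return v;
}

/* The same statement after the transformation shown on the slides. */
struct vars transformed_if(uint32_t s, struct vars v)
{
    v.x = select_u32(s, 40, v.x);        /* x = -s & 40 | (s-1) & x      */
    v.x = select_u32(s, v.x, 19);        /* x = (s-1) & 19 | -s & x      */
    v.y = select_u32(s, v.y, v.x + 2);   /* y = (s-1) & (x + 2) | -s & y */
    return v;
}

/* Two secret-dependent early returns and a fall-through return. */
uint32_t branchy_return(uint32_t s1, uint32_t s2)
{
    if (s1) return 40;
    if (s2) return 19;
    return 7;
}

/* Every "return v" becomes "if (!done) { rval = v; done = true; }",
 * which is then masked like any other secret conditional. */
uint32_t transformed_return(uint32_t s1, uint32_t s2)
{
    uint32_t rval = 0, done = 0, m;

    m = (0u - s1) & (done - 1u);         /* all-ones iff s1 && !done */
    rval = (m & 40) | (~m & rval);
    done = (m & 1)  | (~m & done);

    m = (0u - s2) & (done - 1u);         /* all-ones iff s2 && !done */
    rval = (m & 19) | (~m & rval);
    done = (m & 1)  | (~m & done);

    m = done - 1u;                       /* fall-through: taken iff !done */
    rval = (m & 7) | (~m & rval);
    return rval;
}

/* Number of inputs on which a transformed version disagrees with its original. */
int count_mismatches(void)
{
    int bad = 0;
    for (uint32_t s1 = 0; s1 <= 1; s1++) {
        struct vars in = { 5, 6 };       /* constructed starting values */
        struct vars a = branchy_if(s1, in), b = transformed_if(s1, in);
        bad += (a.x != b.x) || (a.y != b.y);
        for (uint32_t s2 = 0; s2 <= 1; s2++)
            bad += branchy_return(s1, s2) != transformed_return(s1, s2);
    }
    return bad;
}

int main(void)
{
    printf("mismatches: %d\n", count_mismatches());
    /* A condition that is "true" but not 1 breaks the mask arithmetic. */
    printf("select(2, 40, 7)         = %u\n", (unsigned)select_u32(2, 40, 7));
    printf("select(to_bit(2), 40, 7) = %u\n", (unsigned)select_u32(to_bit(2), 40, 7));
    return 0;
}
```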

SLIDE 67

Not all transformations are good

  • May produce inefficient code
  • May produce unsafe code

Type system rejects such programs

SLIDE 72

Inefficient transformations

    x = buffer[secret_index];

O(1)

    for (uint32 i from 0 to len buffer) {
        if (i == secret_index) {
            x = buffer[i];
        }
    }

O(n)

Reject if transformation is inefficient

SLIDE 77

Unsafe transformations

    if (j < secret_len) { x = arr[j]; }

    x = -(j < secret_len) & arr[j] | ((j < secret_len)-1) & x;

What if j > len arr?

Out of bounds access!

SLIDE 78

Type system checks safety

  • Check for out-of-bounds accesses
  • Solve constraints using Z3
  • Path sensitive except secret branches
  • Reject if transformation is unsafe
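Added example (not from the original slides, and not FaCT's own checker): the unsafe transformation from the preceding slides reproduced in C with an instrumented read that records an out-of-bounds attempt instead of performing it. The helper names, the sample array and the guarded variant are assumptions made for this example; the guard assumes j and the array length are public, so branching on them reveals nothing secret.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Instrumented read (hypothetical helper): records an out-of-bounds
 * attempt in *oob and returns 0 instead of touching memory past the end. */
static uint32_t read_at(const uint32_t *arr, size_t len, size_t j, int *oob)
{
    if (j >= len) { *oob = 1; return 0; }
    return arr[j];
}

/* Original: arr[j] is only read when the secret condition holds. */
uint32_t branchy_read(const uint32_t *arr, size_t len, size_t j,
                      size_t secret_len, uint32_t x, int *oob)
{
    if (j < secret_len)
        x = read_at(arr, len, j, oob);
    return x;
}

/* Naive transformation: both operands of the select are always evaluated,
 * so arr[j] is read no matter what the condition says. */
uint32_t naive_read(const uint32_t *arr, size_t len, size_t j,
                    size_t secret_len, uint32_t x, int *oob)
{
    uint32_t c = (uint32_t)(j < secret_len);
    uint32_t v = read_at(arr, len, j, oob);
    return ((0u - c) & v) | ((c - 1u) & x);
}

/* Guarded transformation: the read is fenced by a public bound, the
 * secret condition is still applied with masks. */
uint32_t guarded_read(const uint32_t *arr, size_t len, size_t j,
                      size_t secret_len, uint32_t x, int *oob)
{
    uint32_t c = (uint32_t)(j < secret_len);
    uint32_t v = 0;
    if (j < len)                          /* public condition */
        v = read_at(arr, len, j, oob);
    return ((0u - c) & v) | ((c - 1u) & x);
}

/* Constructed sample: a 4-element array and a previous value x = 99.
 * variant: 0 = branchy, 1 = naive, 2 = guarded. */
static uint32_t run(int variant, size_t j, size_t secret_len, int *oob)
{
    static const uint32_t arr[4] = { 10, 11, 12, 13 };
    *oob = 0;
    switch (variant) {
    case 0:  return branchy_read(arr, 4, j, secret_len, 99, oob);
    case 1:  return naive_read(arr, 4, j, secret_len, 99, oob);
    default: return guarded_read(arr, 4, j, secret_len, 99, oob);
    }
}

uint32_t read_value(int variant, size_t j, size_t secret_len)
{
    int oob;
    return run(variant, j, secret_len, &oob);
}

int read_oob(int variant, size_t j, size_t secret_len)
{
    int oob;
    (void)run(variant, j, secret_len, &oob);
    return oob;
}

int main(void)
{
    static const char *name[] = { "branchy", "naive", "guarded" };
    for (int v = 0; v < 3; v++)           /* j = 6 is past the end of arr */
        printf("%-8s j=6 secret_len=2: value=%u oob=%d\n", name[v],
               (unsigned)read_value(v, 6, 2), read_oob(v, 6, 2));
    return 0;
}
```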

SLIDE 85

Evaluating FaCT

  • Can FaCT express real code?
  • Is FaCT code as fast as C?
  • Is FaCT more readable than C?

SLIDE 93

Porting code to FaCT

  • Rewrite the whole library: donna curve25519
  • Rewrite a function (and callees): libsodium secretbox
  • Rewrite a chunk of code: OpenSSL ssl3/TLS record verification

[Diagram: .c files go through clang and .fact files through FaCT to obj files; the linker produces the final binary]

SLIDE 94

Porting code to FaCT

[Chart: lines of code for donna, secretbox, ssl3, TLS]

SLIDE 103

Real code needs escape hatches

  • Declassify secrets to public
      ○ secretbox: if (!declassify(crypto_verify(...))) return false;
      ○ TLS: b = pmac[declassify(i)];
  • Assume constraints for solver
      ○ Function preconditions
      ○ Invariants for mutable variables
  • Extern function declarations
      ○ OpenSSL: AES + SHA1 implementations

SLIDE 109

Performance vs. C

  • Optimized with same optimization flags
  • Empirically tested to be constant-time

[Chart: % overhead for donna, secretbox, ssl3 and TLS; value labels: +4.6%, 5%]

SLIDE 112

User study: FaCT vs. C

  • 77 undergraduates
  • Understanding constant-time code
  • Writing constant-time code

SLIDE 114

Understanding constant-time code

[Chart: mean score. Task 1 (message encoding): +7.5%; Task 2 (long division): +25%]

SLIDE 117

Writing constant-time code

[Chart: number of correct submissions. Task 3 (secret memzero): +27%; Task 4 (padding check): +9.4%; Task 5 (padding removal): +42%]

SLIDE 118

Evaluating FaCT

  • FaCT can express real code
  • FaCT code is as fast as C
  • FaCT is more readable than C

SLIDE 119

Summary

  • DSL for writing readable constant-time code
  • Transform secret control flow to constant-time
  • Ensure transformations can be performed safely

https://fact.programming.systems

SLIDE 121

Comparing two buffers in FaCT

    secret int32 crypto_verify_n(
        secret uint8[] x,
        secret uint8[] y) {
      assume(len x == len y);
      for (uint64 i from 0 to len x) {
        if (x[i] != y[i]) {
          return -1;
        }
      }
      return 0;
    }

SLIDE 122

Message encoding in FaCT

    for (uint64 j from 0 to md_block_size) {
      secret mut uint8 b = 0;
      b = data[j];
      if (is_block_a) {
        if (j == c) {
          b = 0x80;
        } else if (j > c) {
          b = 0;
        }
      }
      if (is_block_b) {
        if (!is_block_a) {
          b = 0;
        }
        if (j >= md_block_size - md_length_size) {
          b = length_bytes[j - (md_block_size - md_length_size)];
        }
      }
      block[j] = b;
    }