fact a dsl for timing sensitive computation
play

FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi, Gary - PowerPoint PPT Presentation

Mar 16, 2023 •22 likes •262 views

FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi, Gary Soeller, Brian Johannesmeyer, Fraser Brown, Riad Wahby, John Renner, Benjamin Gregoire, Gilles Barthe, Ranjit Jhala, Deian Stefan Presented by Mengjia Yan MIT 6.888 Fall 2020

  1. FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi, Gary Soeller, Brian Johannesmeyer, Fraser Brown, Riad Wahby, John Renner, Benjamin Gregoire, Gilles Barthe, Ranjit Jhala, Deian Stefan Presented by Mengjia Yan MIT 6.888 Fall 2020 Based on slides from Sunjay Cauligi

  2. Goal: Constant-Time Code • Constant-time code: timing is independent of secrets • Variable-time instruction • Memory accesses • Conditional branches • Early termination if (sec) x = a; } else { x = b; } 2

  3. Motivation: Constant-Time Code is Messy • Existing techniques include using bitmasks, CMOVs, ORAM, etc. • The problem: • Manually optimized code is messy/unreadable/difficult to reason about correctness • Automatically obfuscated code incurs high performance overhead if (sec) x = (sec & a) | (~mask & b) x = a; } else { (sec) CMOV x = a x = b; (!sec) CMOV x = b } Rane et. al. Raccoon: closing digital side-channels through obfuscated execution. SEC’15 3

  4. Threat Model • Attacker can observe execution time of target programs • Not concretely stated in the paper • Instruction execution “trace” should be independent from secrets • However, execution time is determined by micro-arch states • Thus, miss a computer architecture model, characterized by which kinds of instructions can leak information and which can not, e.g., arithmetic instructions 4

  5. Overview • A DSL for writing readable constant-time code • Transform secret control flow to constant-time • Transform code that leaks secret via early return, conditional branch • Reject programs that leak secret via memory accesses, loop iterations, variable-time instructions • Ensure transformations can be performed safely 5

  6. A DSL Trade-offs Among An example: Expressiveness To address the imprecision problem of static information flow analysis, remove pointers and disallow recursive typed references Security Performance 6

  7. Strengths (Potential Long-term Impacts) • Provide a great abstraction • For SW developers, easy to write constant-time programs • For compiler developers, use different techniques to achieve the constant- time goal • ctselect compiles to a series of bitmasks or the CMOV instruction on x86_64 • For HW people, performance optimization for execution on public data • Well-defined typing systems for information flow tracking and formal verification • A user study to show how easy to write programs using FaCT 7

  8. A Controversial Contribution • Reject programs that leak secret via memory accesses, loop iterations, variable-time instructions • Put the pressure on programmers. What about AES? Is it really a good trade-off? • How much time is spent on manually fixing these problems? O(1) O(n) for (uint32 i from 0 to len buffer) { if (i == secret_index) { x = buffer[ secret_index ]; x = buffer[i]; } } 8

  9. Limitations/Questions • Impacts of compiler optimizations of FaCT generated code • Security evaluation using deduct is not sufficient • More information about generated binary sizes may help reason about the performance improvements • It would be helpful to elaborate more on the trade-offs/reasons for picking the specific design choice in the paper Reparaz et al. Dude, is my code constant time? DATE’17 9

  10. FaCT Technique Details

  11. Explicit Secrecy and Information Flow Tracking • How to handle st(sec_val, pub_addr) ? secret uint32 decrypt( secret uint32 decrypt( secret uint32 key, secret uint32 key, public uint32 msg) { public uint32 msg) { if (key > 40) { if (key > 40) { ... ... } } ... ... } } 11

  12. Type system detects leaks via... • Conditional branches FaCT transforms these • Early termination • Function side effects • Memory access patterns FaCT disallows these • Direct assignment • … 12

  13. Transform Secret Conditionals if (s) { x = -s & 40 | (s-1) & x; x = 40; } else { x = (s-1) & 19 | -s & x; x = 19; y = (s-1) & (x + 2) | -s & y; y = x + 2; } 13

  14. Transform Secret Returns if (s) { if (s) { rval = (-s & (done-1)) & 40 | ... return 40; done = (-s & (done-1)) & true | ... if (!done) { } rval = 40; done = true; } } 14

  15. Transform Conditional Functions void foo(secret mut uint32 x) { void foo(secret mut uint32 x, secret bool x = 5; callCtx) { } x = ctselect(callCtx, 5, x); ... if (sec) { } foo(x); ... } foo(x, sec); 15

  16. Unsafe transformations if (j < secret_len) { x = -(j < secret_len) & arr[j] x = arr[j]; | ((j < secret_len)-1) & x; } What if j > len arr ? Out of bounds access! Check for out-of-bounds accesses; Solve constraints using Z3 16

  17. Porting code to FaCT • Rewrite the whole library • Rewrite a function (and callees) • Rewrite a chunk of code FaCT obj .fact clang linker Final binary .c obj 17

  18. Real Code Needs Escape Aatches • Declassify secrets to public • secretbox: if (! declassify (crypto_verify(...)) return false; • TLS: b = pmac[ declassify (i)]; • Assume constraints for solver • Function preconditions • Invariants for mutable variables • Extern function declarations • OpenSSL: AES + SHA1 implementations 18

  19. Performance Evaluation • Optimized with same optimization flags • Empirically tested to be constant-time +4.6% % Overhead -5% donna secretbox ssl3 TLS

  20. Understanding constant-time code Task 1 Task 2 message encoding long division +7.5% Mean score +25%

  21. Writing constant-time code Task 3 Task 4 Task 5 secret memzero padding check padding removal +27% # Correct submissions +9.4% +42%

  22. Discussion Questions on HW/SW • Given modern computers have execution units that may not be constant time (specifically division), even a static flow of instructions may not execute with constant total time. What would it take to make sure said execution units operate in a constant time? Division is rare in crypt, so maybe just avoiding it altogether? • What other processor optimizations exist that will make constant-time operation hard or impossible? • If a given piece of code is made timing-insensitive, is it possible for power side- channels to still be present? 22

  23. Discussion Questions on Code Transformation • Would a lower level solution to the constant time problem be more effective? • Could we further extend such constant-time reasoning to the optimizer to formally verify the entire compilation flow? • Is there a more efficient way for the front-end compiler to operate than return statements -> conditionals and then conditionals -> constant time code? 23

  24. Discussion Questions on Usage • Are there any cryptographic constructs which are unable to be expressed in FaCT? • Has there been any further user studies done? If so, what have they shown? If not, what could we expect to see? • How well do secrets propagate through the type system in practice? For example, if I as an inexperience cryptographer produce a cipher where I mark my salt, my key, and my plaintext as secret, is this sufficient? Is it overkill? 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi , UC San Diego Gary Soeller, Brian

FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi , UC San Diego Gary Soeller, Brian

FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi , UC San Diego Gary Soeller, Brian Johannesmeyer, Fraser Brown, Riad Wahby, John Renner, Benjamin Gregoire, Gilles Barthe, Ranjit Jhala, Deian Stefan What does this code do? for (i =

1.26k views • 122 slides
Structure of Talk Workload-sensitive Timing Behavior Anomaly Detection 1 Motivation in Large

Structure of Talk Workload-sensitive Timing Behavior Anomaly Detection 1 Motivation in Large

Workload-sensitive Timing Behavior Anomaly Detection in Large Software Systems Workload-sensitive Timing Behavior Anomaly Detection in Large Software Systems Structure of Talk Workload-sensitive Timing Behavior Anomaly Detection 1 Motivation

690 views • 12 slides
Timing-Sensitive Information-Flow Security Danfeng Zhang , Yao Wang, G. Edward Suh and Andrew C.

Timing-Sensitive Information-Flow Security Danfeng Zhang , Yao Wang, G. Edward Suh and Andrew C.

A Hardware Design Language for Timing-Sensitive Information-Flow Security Danfeng Zhang , Yao Wang, G. Edward Suh and Andrew C. Myers Cornell University ASPLOS 2015 Information Security via Isolation memory memory memory space 1 space 2

692 views • 35 slides
Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive Analysis To understand the input computation, a compiler/interpreter need to discover The types of values stored in each variable The types

576 views • 39 slides
A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted insecurely Failure to protect all sensitive data Usernames, passwords, password hashes, credit-card information, identity info Session

415 views • 17 slides
Coherence Spaces for Resource-Sensitive Computation in Analysis K e i M a t s u mo t o

Coherence Spaces for Resource-Sensitive Computation in Analysis K e i M a t s u mo t o

Coherence Spaces for Resource-Sensitive Computation in Analysis K e i M a t s u mo t o ( R I M S , K y o t o U n i v e r s i t y ) 1 Background C o mp u t a b l e a n a l y s i s s t u d

917 views • 55 slides
What solves this equation? Equation: n : if n = 0 then 1 else n 1 ) ? fact fact ( n

What solves this equation? Equation: n : if n = 0 then 1 else n 1 ) ? fact fact ( n

What solves this equation? Equation: n : if n = 0 then 1 else n 1 ) ? fact fact ( n = The factorial function! Factorial in lambda calculus Wish for: fact = \n.(zero? n) 1 (times n (fact (pred n))); But: on right-hand side, fact is

471 views • 14 slides
FaCT A Flexible, Constant-Time Sunjay Cauligi , Gary Soeller, Programming Language Fraser Brown,

FaCT A Flexible, Constant-Time Sunjay Cauligi , Gary Soeller, Programming Language Fraser Brown,

FaCT A Flexible, Constant-Time Sunjay Cauligi , Gary Soeller, Programming Language Fraser Brown, Brian Johannesmeyer, Yunlu Huang, Ranjit Jhala, Deian Stefan Timing side channels Secret key Crypto Plaintext Encrypted FaCT SecDev 2017

652 views • 40 slides
Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie Xiong and Jakub Szefer Yale University HASP June 2, 2018 Memory System Cache Memory CPU Typical set-associative cache sets ways cache

640 views • 25 slides
Constant-time programming in FaCT Sunjay Cauligi , UC San Diego Fraser Brown, Ranjit Jhala, Brian

Constant-time programming in FaCT Sunjay Cauligi , UC San Diego Fraser Brown, Ranjit Jhala, Brian

Constant-time programming in FaCT Sunjay Cauligi , UC San Diego Fraser Brown, Ranjit Jhala, Brian Johannesmeyer, John Renner, Gary Soeller, Deian Stefan, Riad Wahby Timing side channels Crypto Constant-time programming with FaCT Strange Loop

1.63k views • 114 slides
Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed

Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed

Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed Presidents Executive Council on 13 Jan: recommended to proceed with deploying a Sensitive Data Manager tool on all UND owned computers to

321 views • 6 slides
Value-Sensitive Design Informatics 161: Group 2 Overview What is Value Sensitive Design

Value-Sensitive Design Informatics 161: Group 2 Overview What is Value Sensitive Design

Value-Sensitive Design Informatics 161: Group 2 Overview What is Value Sensitive Design (VSD)? Definition of values HUSH Tripartite Methodology Conceptual HORIZON Empirical Technical What is VSD? Design approach

647 views • 25 slides
Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Introduction to Digital VLSI Logic Synthesis Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups according to the clock associated with the endpoint of the path. There is a default path group that

540 views • 18 slides
FORMAL MODELING AND VERIFICATION FOR TIMING PREDICTABILITY Mathieu Jan, Mihail Asavoae, Belgacem

FORMAL MODELING AND VERIFICATION FOR TIMING PREDICTABILITY Mathieu Jan, Mihail Asavoae, Belgacem

FORMAL MODELING AND VERIFICATION FOR TIMING PREDICTABILITY Mathieu Jan, Mihail Asavoae, Belgacem Ben Hedia ERTS 2020 Toulouse Outline of the talk Motivations and goals Timing anomalies in Worst-Case Timing Reasoning An example of a timing

286 views • 16 slides
Top 5 Timing Closure Techniques Greg Daughtry Correct Timing Constraints Analyze Before

Top 5 Timing Closure Techniques Greg Daughtry Correct Timing Constraints Analyze Before

Top 5 Timing Closure Techniques Greg Daughtry Correct Timing Constraints Analyze Before Doing Implementation Strategies and Directives Congestion and Complexity Advanced Physical Optimization Create Good Timing Constraints

658 views • 31 slides
X-ray ray Timing and Timing and Polarizati Polarization on mi missi ssion &amp; &amp; inst

X-ray ray Timing and Timing and Polarizati Polarization on mi missi ssion &amp; &amp; inst

X-ray ray Timing and Timing and Polarizati Polarization on mi missi ssion &amp; &amp; inst strumen mentation DONG Y Yongw ngwei Center fo r for r Parti rticle A Astroph trophysics Ins nstitute o of High Ene igh Energy P gy

437 views • 15 slides
Application: Semantic Role Labeling CS 6956: Deep Learning for NLP Overview What is semantic

Application: Semantic Role Labeling CS 6956: Deep Learning for NLP Overview What is semantic

Application: Semantic Role Labeling CS 6956: Deep Learning for NLP Overview What is semantic role labeling? The state-of-the-art before neural networks Neural models for semantic roles 1 Overview What is semantic role labeling?

930 views • 66 slides
Applying Signal Detection Theory to Multi-Level Modeling: When Accuracy Isn't Always

Applying Signal Detection Theory to Multi-Level Modeling: When Accuracy Isn't Always

Applying Signal Detection Theory to Multi-Level Modeling: When Accuracy Isn't Always Accurate December 5 th , 2011 Scott Fraundorf &amp; Jason Finley Outline Why do we need SDT? Sensitivity vs. Response Bias Example SDT

941 views • 59 slides
5/2/2018 II Youth Coaching Conference National Youth Sport Institute Singapore What Youth

5/2/2018 II Youth Coaching Conference National Youth Sport Institute Singapore What Youth

5/2/2018 II Youth Coaching Conference National Youth Sport Institute Singapore What Youth Coaches Can Learn from Olympic Serial Winning Coaches Sergio Lara-Bercial Senior Research Fellow LBU &amp; ICCE s.lara-bercial@leedsbeckett.ac.uk

551 views • 6 slides
TIP OF THE ICEBERG F I R S T Q U A R T E R 2 0 1 7 C O N F E R E N C E C A L L &amp; W

TIP OF THE ICEBERG F I R S T Q U A R T E R 2 0 1 7 C O N F E R E N C E C A L L &amp; W

AT T H E TIP OF THE ICEBERG F I R S T Q U A R T E R 2 0 1 7 C O N F E R E N C E C A L L &amp; W E B C A S T May 3, 2017 Forward-Looking Statements Disclaimer This presentation contains forward-looking information within the

706 views • 37 slides
North American CO 2 Fluxes, Inflow, and Uncertainties Estimated Using Atmospheric Measurements

North American CO 2 Fluxes, Inflow, and Uncertainties Estimated Using Atmospheric Measurements

North American CO 2 Fluxes, Inflow, and Uncertainties Estimated Using Atmospheric Measurements from the North American Carbon Program A.E. Andrews, K. Thoning, M. Mountain, M. Trudeau, K. Masarie, J. Benmergui, T. Nehrkorn, D. Worthy, E.J.

818 views • 42 slides
Describing objects in visual scenes Is visual salience like conversational salience? Micha Elsner

Describing objects in visual scenes Is visual salience like conversational salience? Micha Elsner

Describing objects in visual scenes Is visual salience like conversational salience? Micha Elsner Hannah Rohde, Alasdair Clarke Department of Linguistics The Ohio State University University of Edinburgh Describe the person in the box so

881 views • 30 slides
Design for screening, emulation and calibration

Design for screening, emulation and calibration

Design for screening, emulation and calibration http://personalpages.manchester.ac.uk/staff/alexis.boukouvalas/ Joint work with Dan Cornford, Milan Stehl k, J.P. Gosling and H. Maruri-Aguilar beamer-aston-logo Design for screening,

401 views • 39 slides
How to (Correctly) Invoke Wagner Sonia Bogos; Serge Vaudenay EPFL How to (Correctly) Invoke

How to (Correctly) Invoke Wagner Sonia Bogos; Serge Vaudenay EPFL How to (Correctly) Invoke

Rump Session 2016 How to (Correctly) Invoke Wagner Sonia Bogos; Serge Vaudenay EPFL How to (Correctly) Invoke Mozart Wagner New Results on LPN Solvers Sonia Bogos and Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE

120 views • 9 slides

More recommend