fact
play

FaCT A Flexible, Constant-Time Sunjay Cauligi , Gary Soeller, - PowerPoint PPT Presentation

Jan 23, 2023 •243 likes •652 views

FaCT A Flexible, Constant-Time Sunjay Cauligi , Gary Soeller, Programming Language Fraser Brown, Brian Johannesmeyer, Yunlu Huang, Ranjit Jhala, Deian Stefan Timing side channels Secret key Crypto Plaintext Encrypted FaCT SecDev 2017

  1. FaCT A Flexible, Constant-Time Sunjay Cauligi , Gary Soeller, Programming Language Fraser Brown, Brian Johannesmeyer, Yunlu Huang, Ranjit Jhala, Deian Stefan

  2. Timing side channels Secret key Crypto Plaintext Encrypted FaCT SecDev 2017 Sunjay Cauligi

  3. Timing side channels Secret key Crypto Plaintext Encrypted Timing differences Leaked via timing FaCT SecDev 2017 Sunjay Cauligi

  4. Writing secure code ● Check for valid padding PKCS #7 padding ○ Each padding byte holds length of padding ○ ● Replace padding with null bytes ● Buffer contents should be secret That includes padding! ○ 5 bytes of padding 49 45 ... 63 44 65 76 05 05 05 05 05 FaCT SecDev 2017 Sunjay Cauligi

  5. Writing secure code int32_t remove_padding( uint8_t* buf, uint32_t buflen) { uint8_t padlen = buf[buflen-1]; uint32_t i; for (i = 0; i < padlen; i++) { if (buf[buflen-i-1] != padlen) return -1; buf[buflen-i-1] = 0; } return padlen; } 10μs 10μs 10μs 10μs 10μs 49 45 ... 63 44 65 76 00 00 00 00 00 FaCT SecDev 2017 Sunjay Cauligi

  6. Writing secure code int32_t remove_padding( uint8_t* buf, It’s dangerous to uint32_t buflen) { return early! uint8_t padlen = buf[buflen-1]; uint32_t i; for (i = 0; i < padlen; i++) { if (buf[buflen-i-1] != padlen) return -1; buf[buflen-i-1] = 0; Use this instead. } return padlen; Padding oracle! } 10μs 10μs 49 45 ... 63 44 65 76 05 05 07 00 00 FaCT SecDev 2017 Sunjay Cauligi

  7. Writing secure code int32_t remove_padding( int32_t remove_padding2( uint8_t* buf, uint8_t* buf, uint32_t buflen) { uint32_t buflen) { uint8_t ok = 1; uint8_t padlen = buf[buflen-1]; uint8_t padlen = buf[buflen-1]; uint32_t i; uint32_t i; for (i = 0; i < padlen; i++) { for (i = 0; i < padlen; i++) { if (buf[buflen-i-1] != padlen) if (buf[buflen-i-1] != padlen) return -1; ok = 0; buf[buflen-i-1] = 0; buf[buflen-i-1] = 0; } } return padlen; return ok ? padlen : -1; } } 10μs 10μs 10μs 10μs 10μs 49 45 ... 63 44 65 76 00 00 00 00 00 FaCT SecDev 2017 Sunjay Cauligi

  8. Writing secure code int32_t remove_padding2( uint8_t* buf, It’s dangerous to uint32_t buflen) { bound loops with secrets! uint8_t ok = 1; uint8_t padlen = buf[buflen-1]; uint32_t i; for ( i = 0; i < padlen; i++) { if (buf[buflen-i-1] != padlen) ok = 0; buf[buflen-i-1] = 0; Use this instead. } return ok ? padlen : -1; } 10μs 10μs 10μs 49 45 ... 63 44 65 76 31 37 00 00 00 FaCT SecDev 2017 Sunjay Cauligi

  9. Writing secure code int32_t remove_padding3( uint8_t* buf, int32_t remove_padding2( uint32_t buflen) { uint8_t* buf, uint8_t ok = 1; uint32_t buflen) { uint8_t padlen = buf[buflen-1]; uint8_t ok = 1; uint32_t i; for (i = buflen-256; i < buflen; i++) { uint8_t padlen = buf[buflen-1]; uint8_t b = buf[i]; uint32_t i; if (i >= buflen - padlen) { for (i = 0; i < padlen; i++) { if (b != padlen) if (buf[buflen-i-1] != padlen) ok = 0; ok = 0; b = 0; buf[buflen-i-1] = 0; } } buf[i] = b; return ok ? padlen : -1; } } return ok ? padlen : -1; } 10μs 10μs 10μs 10μs 10μs 10μs 10μs 10μs 49 45 ... 63 44 65 76 31 37 00 00 00 FaCT SecDev 2017 Sunjay Cauligi

  10. Writing secure code int32_t remove_padding3( uint8_t* buf, uint32_t buflen) { It’s dangerous to uint8_t ok = 1; uint8_t padlen = buf[buflen-1]; have branching code! uint32_t i; for (i = buflen-256; i < buflen; i++) { uint8_t b = buf[i]; if (i >= buflen - padlen) { if (b != padlen) ok = 0; b = 0; } Use this instead. buf[i] = b; } return ok ? padlen : -1; } 9μs 9μs 9μs 9μs 9μs 10μs 10μs 10μs 49 45 ... 63 44 65 76 31 37 00 00 00 FaCT SecDev 2017 Sunjay Cauligi

  11. Writing secure code Ugly! Do not read! int32_t remove_padding4( int32_t remove_padding3( uint8_t* buf, uint8_t* buf, uint32_t buflen) { uint32_t buflen) { uint32_t ok = -1; uint8_t ok = 1; uint8_t padlen = buf[buflen-1]; uint8_t padlen = buf[buflen-1]; uint32_t i; uint32_t i; for (i = buflen-256; i < buflen; i++) { for (i = buflen-256; i < buflen; i++) { uint8_t b = buf[i]; uint8_t b = buf[i]; uint32_t proper_index = if (i >= buflen - padlen) { ct_ge_u32(i, buflen - padlen); if (b != padlen) uint32_t matches_pad = ct_eq_u8(b, padlen); ok = 0; ok &= matches_pad & proper_index; b = 0; b = ~proper_index & b; } buf[i] = b; buf[i] = b; } } return (ok & padlen) | ~ok; return ok ? padlen : -1; } } 12μs 12μs 12μs 12μs 12μs 12μs 12μs 12μs 49 45 ... 63 44 65 76 31 37 00 00 00 FaCT SecDev 2017 Sunjay Cauligi

  12. Writing secure code int32_t remove_padding4( uint8_t* buf, d ! e a r o t n D o y ! g l U uint32_t buflen) { uint32_t ok = -1; uint8_t padlen = buf[buflen-1]; uint32_t i; for (i = buflen-256; i < buflen; i++) { uint8_t b = buf[i]; uint32_t proper_index = ct_ge_u32(i, buflen - padlen); uint32_t matches_pad = ct_eq_u8(b, padlen); ok &= matches_pad & proper_index; b = ~proper_index & b; buf[i] = b; } return (ok & padlen) | ~ok; } 12μs 12μs 12μs 12μs 12μs 12μs 12μs 12μs 49 45 ... 63 44 65 76 31 37 00 00 00 FaCT SecDev 2017 Sunjay Cauligi

  13. Error-prone in practice OpenSSL padding oracle attack Canvel, et al. “Password Interception in a SSL/TLS Channel.” Crypto, Vol. 2729. 2003. FaCT SecDev 2017 Sunjay Cauligi

  14. Error-prone in practice Lucky 13 timing attack Al Fardan and Paterson. “Lucky thirteen: Breaking the TLS and DTLS record protocols.” Oakland 2013. FaCT SecDev 2017 Sunjay Cauligi

  15. Error-prone in practice Further refinements Decryption path has no more measurable timing differences FaCT SecDev 2017 Sunjay Cauligi

  16. Error-prone in practice CVE-2016-2107 Somorovsky. “Curious padding oracle in OpenSSL.” FaCT SecDev 2017 Sunjay Cauligi

  17. That’s a lot of work, but even if we get everything right... FaCT SecDev 2017 Sunjay Cauligi

  18. Compiler optimizations get in the way /* Return either x or y depending on gcc 5.4: -O2 -m32 -march=i386 whether bit is set */ xor edx, edx cmp BYTE PTR [esp+12], 0 uint32_t ct_select_u32( setne dl uint32_t x, mov eax, edx uint32_t y, neg eax uint8_t pred) { and eax, DWORD PTR [esp+4] uint32_t mask = -(!!pred); dec edx return (mask & x) | (~mask & y); and edx, DWORD PTR [esp+8] } or eax, edx ret FaCT SecDev 2017 Sunjay Cauligi

  19. Compiler optimizations get in the way /* Return either x or y depending on clang 3.6: -O2 -m32 -march=i386 whether bit is set */ cmp byte ptr [esp + 12], 0 jne .LBB0_1 uint32_t ct_select_u32( lea eax, [esp + 8] uint32_t x, mov eax, dword ptr [eax] uint32_t y, ret uint8_t pred) { .LBB0_1: uint32_t mask = -(!!pred); lea eax, [esp + 4] return (mask & x) | (~mask & y); mov eax, dword ptr [eax] } ret FaCT SecDev 2017 Sunjay Cauligi

  20. Checking up on the compiler word32 u = 0; for (i=0; i<1024; i+=cacheLineSize) u &= *(const word32 *)(const void *)(((const byte *)Te)+i); Assembly: < optimized out > FaCT SecDev 2017 Sunjay Cauligi

  21. Checking up on the compiler volatile word32 _u = 0; word32 u = _u; for (i=0; i<1024; i+=cacheLineSize) u &= *(const word32 *)(const void *)(((const byte *)Te)+i); “ ...I know volatile is an abuse under GCC but its [sic] usually enough to tame the optimizer ...I don’t known [sic] if it’s worth the additional complexity / lack of readability ” FaCT SecDev 2017 Sunjay Cauligi

  22. We can trick the compiler, but this semantic gap has a high cost... FaCT SecDev 2017 Sunjay Cauligi

  23. Inefficient assembly (mask & x) | (~mask & y) 1.65 cycles 0.04 cycles vs. and esi, edi test edi, edi not edi cmov esi, r8d and r8d, edi or esi, r8d lo = lo1 + lo2 hi = hi1 + hi2 + (lo >> 31) 1.01 cycles 0.13 cycles add edi, esi vs. add edi, esi mov eax, edi adc r8d, r9d shr eax, 31 add r8d, r9d add r8d, eax FaCT SecDev 2017 Sunjay Cauligi

  24. Constant problems with constant-time ● Can’t use standard programming constructs Manually keep track of secret vs. public ○ Write obfuscated code for computation on secrets ○ Difficult to write such code correctly ○ ● Fighting the compiler Need to prevent optimizer from undermining you ○ But now you don’t produce efficient assembly ○ ● Hard to maintain FaCT SecDev 2017 Sunjay Cauligi

  25. We need a new language ● Write clear code for computation on secrets Helps you keep track of secrets vs. public values ○ Lets you use standard programming constructs ○ Ensures you write correct code ○ ● Compiler that helps instead of hurts Optimize your code as much as possible ○ But ensure code remains constant-time ○ ● Simple to work with FaCT SecDev 2017 Sunjay Cauligi

  26. FaCT FaCT .fact .h .o .c cc -c cc Final binary .o .h FaCT SecDev 2017 Sunjay Cauligi

  27. What does FaCT look like? secret int32 remove_padding(secret mut uint8[] buf) { uint8 padlen = buf[len buf - 1]; for (uint32 i from len buf - 256 to len buf) { if (i >= len buf - padlen) { if (buf[i] != padlen) { return -1; } buf[i] = 0; } } return padlen; } 11μs 11μs 11μs 11μs 11μs 11μs 11μs 11μs 49 45 ... 63 44 65 76 31 37 00 00 00 FaCT SecDev 2017 Sunjay Cauligi

  28. Automatically transform code FaCT FaCT SecDev 2017 Sunjay Cauligi

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What solves this equation? Equation: n : if n = 0 then 1 else n 1 ) ? fact fact ( n

What solves this equation? Equation: n : if n = 0 then 1 else n 1 ) ? fact fact ( n

What solves this equation? Equation: n : if n = 0 then 1 else n 1 ) ? fact fact ( n = The factorial function! Factorial in lambda calculus Wish for: fact = \n.(zero? n) 1 (times n (fact (pred n))); But: on right-hand side, fact is

471 views • 14 slides
Patient Feedback Challenge Wave 3 FACT Team, Newark Its a FACT!!!!!! Flexible

Patient Feedback Challenge Wave 3 FACT Team, Newark Its a FACT!!!!!! Flexible

Patient Feedback Challenge Wave 3 FACT Team, Newark Its a FACT!!!!!! Flexible Assertive Community Treatment 2 3 FACT! F Families A - and C - Carers T - Tell all. 4 First National Project with a focus

383 views • 20 slides
Faculty-Administrator Collaboration Team(FACT) FDP Meeting Jan 2020 Informing the Future of

Faculty-Administrator Collaboration Team(FACT) FDP Meeting Jan 2020 Informing the Future of

Faculty-Administrator Collaboration Team(FACT) FDP Meeting Jan 2020 Informing the Future of FACT Wrap up FACT Phase I Planned Changes for FACT Phase II Considerations for FACT Phase II Align FACT Phase II with FDP Phase VII

323 views • 14 slides
Look Ma, No Cavities! Look Ma, No Cavities! Fact or Fiction? Fact or Fiction? Kathy Phipps,

Look Ma, No Cavities! Look Ma, No Cavities! Fact or Fiction? Fact or Fiction? Kathy Phipps,

Look Ma, No Cavities! Look Ma, No Cavities! Fact or Fiction? Fact or Fiction? Kathy Phipps, DrPH ASTDD Data Coordinator The findings and conclusions in this presentation have not been formally disseminated by the Centers for Disease Control

557 views • 22 slides
Welcome! Agenda FACT Coalition 101 Why Financial Transparency and Accountability? Why do

Welcome! Agenda FACT Coalition 101 Why Financial Transparency and Accountability? Why do

FACT ADVOCACY DAYS: A PREVIEW Welcome! Agenda FACT Coalition 101 Why Financial Transparency and Accountability? Why do we care? Big Challenges, Big Solutions Goals and Rationale for FACT Advocacy Days Logistics, Wrap up and

145 views • 11 slides
FacultyAdministrator Collaboration Team(FACT) FDP Meeting Sept 2018 Agenda for FACT

FacultyAdministrator Collaboration Team(FACT) FDP Meeting Sept 2018 Agenda for FACT

FacultyAdministrator Collaboration Team(FACT) FDP Meeting Sept 2018 Agenda for FACT Session Introductions 5 min Review Purpose, Goals, Timeline &amp; Progress 10 min Has anyone done something like this before? 5

416 views • 27 slides
61A Lecture 34 Monday, November 19 Logic Language Review Expressions begin with query or fact

61A Lecture 34 Monday, November 19 Logic Language Review Expressions begin with query or fact

61A Lecture 34 Monday, November 19 Logic Language Review Expressions begin with query or fact followed by relations. Expressions and their relations are Scheme lists. Simple fact (fact (append-to-form () ?x ?x)) Conclusion (fact

207 views • 10 slides
Constant-time programming in FaCT What is FaCT? Domain specific language for writing

Constant-time programming in FaCT What is FaCT? Domain specific language for writing

Constant-time programming in FaCT What is FaCT? Domain specific language for writing constant-time code Whats the difference between a DSL and a general- purpose language? How do you use FaCT? Write your program in C Write your

420 views • 38 slides
Report and Presentation Requirements Dr Ian Storey 2018 Fact Finding Fact finding is a major

Report and Presentation Requirements Dr Ian Storey 2018 Fact Finding Fact finding is a major

Report and Presentation Requirements Dr Ian Storey 2018 Fact Finding Fact finding is a major component of the analysis in this assignment. Describe techniques used, and give a small number of examples with associated data ( no less than 3 ). For

203 views • 7 slides
Determinants: Definitions The Key Fact Fact. A square matrix is invertible if and only if its

Determinants: Definitions The Key Fact Fact. A square matrix is invertible if and only if its

Determinants: Definitions The Key Fact Fact. A square matrix is invertible if and only if its determinant is not zero. detONE: 2 The 2 2 Case a b a b det = = ad bc c d c d We use both

435 views • 9 slides
An introduction to the Families and Childrens Transformation (FACT) programme. Contents 1.

An introduction to the Families and Childrens Transformation (FACT) programme. Contents 1.

An introduction to the Families and Childrens Transformation (FACT) programme. Contents 1. What is FACT? 2. Why FACT? Why now? 3. What are we hoping to achieve? 4. How? Programme approach 5. How? Reporting and governance 6. How?

508 views • 23 slides
Faith vs Unbelief Caleb &amp; Joshua Mob Fact #1 Num 13:27 land = as God promised Fact #2 13:28-29

Faith vs Unbelief Caleb &amp; Joshua Mob Fact #1 Num 13:27 land = as God promised Fact #2 13:28-29

Faith vs Unbelief Caleb &amp; Joshua Mob Fact #1 Num 13:27 land = as God promised Fact #2 13:28-29 a fight ahead Grasshopper Bread Interpretation Interpretation 13:31-14:4 13:30; 14:8-9 Occupants stronger than Lord is stronger

449 views • 10 slides
FACT report Financial Advisory Consulting T eam California-Nevada Annual Conference February

FACT report Financial Advisory Consulting T eam California-Nevada Annual Conference February

FACT report Financial Advisory Consulting T eam California-Nevada Annual Conference February 3, 2018 FACT: Partnering to provide a holistic fjnancial review and be a resource to help achieve conference vitality and sustainability. FACT

648 views • 27 slides
You Never Know! How did it all begin? Darwin's Theory of Natural Selection. Fact #1 -

You Never Know! How did it all begin? Darwin's Theory of Natural Selection. Fact #1 -

You Never Know! How did it all begin? Darwin's Theory of Natural Selection. Fact #1 - Without constraints, populations will grow exponentially, producing an ever more rapidly growing number of organisms. Fact #2 - In spite of this

212 views • 19 slides
Fact Sheet Solid Waste Management Unit 48 &amp; 49 March 2009 Introduction This fact sheet

Fact Sheet Solid Waste Management Unit 48 &amp; 49 March 2009 Introduction This fact sheet

Fact Sheet Solid Waste Management Unit 48 &amp; 49 March 2009 Introduction This fact sheet describes the recommended action for addressing elevated constituents in groundwater at Solid Waste Management Units (SWMU) 48 [Oily Water Burial Area]

433 views • 5 slides
Faculty-Administrator Collaboration Team(FACT) FDP Meeting Sept 2019 Agenda FACT Two

Faculty-Administrator Collaboration Team(FACT) FDP Meeting Sept 2019 Agenda FACT Two

Faculty-Administrator Collaboration Team(FACT) FDP Meeting Sept 2019 Agenda FACT Two Year Report Introduction 10 min Year One Issues and Analyses 10 min Year Two and Process Study 15 min Conclusions &amp;

780 views • 30 slides
Pointers and dynamic objects Topics Pointers Memory addresses Declaration

Pointers and dynamic objects Topics Pointers Memory addresses Declaration

Pointers and dynamic objects Topics Pointers Memory addresses Declaration Dereferencing a pointer Pointers to pointer Static vs. dynamic objects new and delete Computer Memory Each variable is assigned a memory

636 views • 48 slides
Lists in C Personal Software Engineering But First - How Much Space Is Needed? For strings, we

Lists in C Personal Software Engineering But First - How Much Space Is Needed? For strings, we

Lists in C Personal Software Engineering But First - How Much Space Is Needed? For strings, we can use strlen: char *p_copy = malloc( strlen(&quot;Hello&quot;)+1 ) ; But what about other types (ints, doubles, structs, etc.)? This is the purpose

281 views • 17 slides
CSE 341 Programming Languages More Ruby Zach Tatlock Spring 2014 This lecture Three mostly

CSE 341 Programming Languages More Ruby Zach Tatlock Spring 2014 This lecture Three mostly

CSE 341 Programming Languages More Ruby Zach Tatlock Spring 2014 This lecture Three mostly separate topics Flexible arrays, ranges, and hashes [actually covered in section] Rubys approach to almost-closures (blocks) and closures

253 views • 24 slides
for Those in Need In what city and state are you located? www.byteback.org Tech Within Reach:

for Those in Need In what city and state are you located? www.byteback.org Tech Within Reach:

Tech Within Reach: Recycling Technology for Those in Need In what city and state are you located? www.byteback.org Tech Within Reach: Recycling Technology for Those in Need What are you hoping to hear about during todays webinar? a) How

341 views • 18 slides
tr tr

tr tr

tr tr tts P trt Prr s r

472 views • 19 slides
Final Exam Review Monchai Sopitkamon, Ph.D. Final Exam Topics Arrays Methods 1

Final Exam Review Monchai Sopitkamon, Ph.D. Final Exam Topics Arrays Methods 1

2/22/2007 Final Exam Review Monchai Sopitkamon, Ph.D. Final Exam Topics Arrays Methods 1 2/22/2007 What Is an Array? An array is a sequence of elements All elements in an array have the same type Structs can have elements

374 views • 22 slides
Panel elis ists Matthew Doherty Executive Director Lindsay Knotts Policy Director 2 Webin

Panel elis ists Matthew Doherty Executive Director Lindsay Knotts Policy Director 2 Webin

Panel elis ists Matthew Doherty Executive Director Lindsay Knotts Policy Director 2 Webin inar For Format 90 minute webinar Approximately 45 minutes for questions To ask a question at any time, use the question and answer

665 views • 34 slides
Zhijun Liang V ER FOR CE CEPC PC ERTEX EX DE DETECTOR FO High precision vertex detector

Zhijun Liang V ER FOR CE CEPC PC ERTEX EX DE DETECTOR FO High precision vertex detector

Zhijun Liang V ER FOR CE CEPC PC ERTEX EX DE DETECTOR FO High precision vertex detector essential for Hbb/cc/gg and H Single point resolution &lt; 3 m Vibration need to be control to m level Radiation tolerance

643 views • 40 slides

More recommend