sorting integer arrays security speed and verification d
play

Sorting integer arrays: security, speed, and verification D. J. - PDF document

Mar 12, 2024 •423 likes •1.04k views

1 Sorting integer arrays: security, speed, and verification D. J. Bernstein 2 Bobs laptop screen: From: Alice Thank you for your submission. We received many interesting papers, and unfortunately your Bob assumes this message is

  1. 1 Sorting integer arrays: security, speed, and verification D. J. Bernstein

  2. 2 Bob’s laptop screen: From: Alice Thank you for your submission. We received many interesting papers, and unfortunately your Bob assumes this message is something Alice actually sent. But today’s “security” systems fail to guarantee this property. Attacker could have modified or forged the message.

  3. 3 Trusted computing base (TCB) TCB: portion of computer system that is responsible for enforcing the users’ security policy.

  4. 3 Trusted computing base (TCB) TCB: portion of computer system that is responsible for enforcing the users’ security policy. Security policy for this talk: If message is displayed on Bob’s screen as “ From: Alice ” then message is from Alice.

  5. 3 Trusted computing base (TCB) TCB: portion of computer system that is responsible for enforcing the users’ security policy. Security policy for this talk: If message is displayed on Bob’s screen as “ From: Alice ” then message is from Alice. If TCB works correctly, then message is guaranteed to be from Alice, no matter what the rest of the system does.

  6. 4 Examples of attack strategies: 1. Attacker uses buffer overflow in a device driver to control Linux kernel on Alice’s laptop.

  7. 4 Examples of attack strategies: 1. Attacker uses buffer overflow in a device driver to control Linux kernel on Alice’s laptop. 2. Attacker uses buffer overflow in a web browser to control disk files on Bob’s laptop.

  8. 4 Examples of attack strategies: 1. Attacker uses buffer overflow in a device driver to control Linux kernel on Alice’s laptop. 2. Attacker uses buffer overflow in a web browser to control disk files on Bob’s laptop. Device driver is in the TCB. Web browser is in the TCB. CPU is in the TCB. Etc.

  9. 4 Examples of attack strategies: 1. Attacker uses buffer overflow in a device driver to control Linux kernel on Alice’s laptop. 2. Attacker uses buffer overflow in a web browser to control disk files on Bob’s laptop. Device driver is in the TCB. Web browser is in the TCB. CPU is in the TCB. Etc. Massive TCB has many bugs, including many security holes. Any hope of fixing this?

  10. 5 Classic security strategy: Rearchitect computer systems to have a much smaller TCB.

  11. 5 Classic security strategy: Rearchitect computer systems to have a much smaller TCB. Carefully audit the TCB.

  12. 5 Classic security strategy: Rearchitect computer systems to have a much smaller TCB. Carefully audit the TCB. e.g. Bob runs many VMs: VM A VM C · · · Alice data Charlie data TCB stops each VM from touching data in other VMs.

  13. 5 Classic security strategy: Rearchitect computer systems to have a much smaller TCB. Carefully audit the TCB. e.g. Bob runs many VMs: VM A VM C · · · Alice data Charlie data TCB stops each VM from touching data in other VMs. Browser in VM C isn’t in TCB. Can’t touch data in VM A, if TCB works correctly.

  14. 5 Classic security strategy: Rearchitect computer systems to have a much smaller TCB. Carefully audit the TCB. e.g. Bob runs many VMs: VM A VM C · · · Alice data Charlie data TCB stops each VM from touching data in other VMs. Browser in VM C isn’t in TCB. Can’t touch data in VM A, if TCB works correctly. Alice also runs many VMs.

  15. � � � � � 6 Cryptography How does Bob’s laptop know that incoming network data is from Alice’s laptop? Cryptographic solution: Message-authentication codes. Alice’s message k authenticated message untrusted network authenticated message Alice’s message k

  16. � � � � � 6 Cryptography How does Bob’s laptop know that incoming network data is from Alice’s laptop? Cryptographic solution: Message-authentication codes. Alice’s message k authenticated message untrusted network modified message “Alert: forgery!” k

  17. 7 Important for Alice and Bob to share the same secret k . What if attacker was spying on their communication of k ?

  18. � � � � � � � 7 Important for Alice and Bob to share the same secret k . What if attacker was spying on their communication of k ? Solution 1: Public-key encryption. private key a k ciphertext public key aG network network ciphertext public key aG k

  19. � � � � � � � 8 Solution 2: Public-key signatures. m a signed message aG network network signed message aG m

  20. � � � � � � � 8 Solution 2: Public-key signatures. m a signed message aG network network signed message aG m No more shared secret k but Alice still has secret a . Cryptography requires TCB to protect secrecy of keys, even if user has no other secrets.

  21. 9 Constant-time software Large portion of CPU hardware: optimizations depending on addresses of memory locations. Consider data caching, instruction caching, parallel cache banks, store-to-load forwarding, branch prediction, etc.

  22. 9 Constant-time software Large portion of CPU hardware: optimizations depending on addresses of memory locations. Consider data caching, instruction caching, parallel cache banks, store-to-load forwarding, branch prediction, etc. Many attacks (e.g. TLBleed from 2018 Gras–Razavi–Bos–Giuffrida) show that this portion of the CPU has trouble keeping secrets.

  23. 10 Typical literature on this topic: Understand this portion of CPU. But details are often proprietary, not exposed to security review. Try to push attacks further. This becomes very complicated. Tweak the attacked software to try to stop the known attacks.

  24. 10 Typical literature on this topic: Understand this portion of CPU. But details are often proprietary, not exposed to security review. Try to push attacks further. This becomes very complicated. Tweak the attacked software to try to stop the known attacks. For researchers: This is great!

  25. 10 Typical literature on this topic: Understand this portion of CPU. But details are often proprietary, not exposed to security review. Try to push attacks further. This becomes very complicated. Tweak the attacked software to try to stop the known attacks. For researchers: This is great! For auditors: This is a nightmare. Many years of security failures. No confidence in future security.

  26. 11 The “constant-time” solution: Don’t give any secrets to this portion of the CPU. (1987 Goldreich, 1990 Ostrovsky: Oblivious RAM; 2004 Bernstein: domain-specific for better speed)

  27. 11 The “constant-time” solution: Don’t give any secrets to this portion of the CPU. (1987 Goldreich, 1990 Ostrovsky: Oblivious RAM; 2004 Bernstein: domain-specific for better speed) TCB analysis: Need this portion of the CPU to be correct, but don’t need it to keep secrets. Makes auditing much easier.

  28. 11 The “constant-time” solution: Don’t give any secrets to this portion of the CPU. (1987 Goldreich, 1990 Ostrovsky: Oblivious RAM; 2004 Bernstein: domain-specific for better speed) TCB analysis: Need this portion of the CPU to be correct, but don’t need it to keep secrets. Makes auditing much easier. Good match for attitude and experience of CPU designers: e.g., Intel issues errata for correctness bugs, not for information leaks.

  29. 12 Case study: Constant-time sorting Serious risk within 10 years: Attacker has quantum computer breaking today’s most popular public-key crypto (RSA and ECC; e.g., finding a given aG ).

  30. 12 Case study: Constant-time sorting Serious risk within 10 years: Attacker has quantum computer breaking today’s most popular public-key crypto (RSA and ECC; e.g., finding a given aG ). 2017: Hundreds of people submit 69 complete proposals to international competition for post-quantum crypto standards.

  31. 12 Case study: Constant-time sorting Serious risk within 10 years: Attacker has quantum computer breaking today’s most popular public-key crypto (RSA and ECC; e.g., finding a given aG ). 2017: Hundreds of people submit 69 complete proposals to international competition for post-quantum crypto standards. Subroutine in some submissions: sort array of secret integers. e.g. sort 768 32-bit integers.

  32. 13 How to sort secret data without any secret addresses?

  33. 13 How to sort secret data without any secret addresses? Typical sorting algorithms— merge sort, quicksort, etc.— choose load/store addresses based on secret data. Usually also branch based on secret data.

  34. 13 How to sort secret data without any secret addresses? Typical sorting algorithms— merge sort, quicksort, etc.— choose load/store addresses based on secret data. Usually also branch based on secret data. One submission to competition: “Radix sort is used as constant-time sorting algorithm.” Some versions of radix sort avoid secret branches.

  35. 13 How to sort secret data without any secret addresses? Typical sorting algorithms— merge sort, quicksort, etc.— choose load/store addresses based on secret data. Usually also branch based on secret data. One submission to competition: “Radix sort is used as constant-time sorting algorithm.” Some versions of radix sort avoid secret branches. But data addresses in radix sort still depend on secrets.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sorting integer arrays: Bobs laptop screen: security, speed, and verification From: Alice D.

Sorting integer arrays: Bobs laptop screen: security, speed, and verification From: Alice D.

1 2 Sorting integer arrays: Bobs laptop screen: security, speed, and verification From: Alice D. J. Bernstein Thank you for your submission. We received many interesting papers, and unfortunately your Bob assumes this message is

1.54k views • 131 slides
Sorting integer arrays: Bobs laptop screen: security, speed, and verification From: Alice D.

Sorting integer arrays: Bobs laptop screen: security, speed, and verification From: Alice D.

1 2 Sorting integer arrays: Bobs laptop screen: security, speed, and verification From: Alice D. J. Bernstein Thank you for your University of Illinois at Chicago, submission. We received Ruhr-University Bochum many interesting papers,

1.61k views • 125 slides
Arrays Arrays and Methods Searching Sorting Arrays Reading: => Continue with

Arrays Arrays and Methods Searching Sorting Arrays Reading: => Continue with

Arrays Arrays and Methods Searching Sorting Arrays Reading: => Continue with section 2.1 1 Arrays and Array Elements as Method Arguments As noted previously, an array element can be used in any context expecting an

1.06k views • 59 slides
Data Abstraction Copying Arrays. Sorting Arrays. 2D Arrays. Janyl Jumadinova September 30 and

Data Abstraction Copying Arrays. Sorting Arrays. 2D Arrays. Janyl Jumadinova September 30 and

Data Abstraction Copying Arrays. Sorting Arrays. 2D Arrays. Janyl Jumadinova September 30 and October 5, 2020 Janyl Jumadinova Data Abstraction Copying Arrays. Sorting Arrays. 2D Arrays. September 30 and October 5, 2020 1 / 15 Copying Arrays

624 views • 19 slides
Searching Sorting and Searching arrays Given an array of ints find the index of the

Searching Sorting and Searching arrays Given an array of ints find the index of the

Topic 24 Searching Sorting and Searching arrays Given an array of ints find the index of the "There's nothing in your head first occurrence of a target int the sorting hat can't see. So try index 0 1 2 3 4 5 me on and I will tell

285 views • 5 slides
Programming in C 1 Programming with Arrays Subtasks Partially-filled arrays

Programming in C 1 Programming with Arrays Subtasks Partially-filled arrays

Programming in C 1 Programming with Arrays Subtasks Partially-filled arrays Loading Searching Sorting Sum, average Extremes 2 Partially-filled Arrays (Common Case) Must be declared some maximum

325 views • 17 slides
Week 13 - Monday What did we talk about last time? Sorting Arrays.sort()

Week 13 - Monday What did we talk about last time? Sorting Arrays.sort()

Week 13 - Monday What did we talk about last time? Sorting Arrays.sort() Collections.sort() Comparable<T> interface Custom Comparator<T> objects Characteristic Description We can update the code to add in new

675 views • 41 slides
Topics Declaring and Instantiating Arrays Accessing Array Elements Writing Methods

Topics Declaring and Instantiating Arrays Accessing Array Elements Writing Methods

Topics Declaring and Instantiating Arrays Accessing Array Elements Writing Methods Chapter 8 Aggregate Array Operations Using Arrays in Classes Single-Dimensional Arrays Searching and Sorting Arrays Using Arrays

434 views • 14 slides
Craig Interpolation for Integer Arithmetic, Uninterpreted Functions, and the Theory of Arrays

Craig Interpolation for Integer Arithmetic, Uninterpreted Functions, and the Theory of Arrays

Craig Interpolation for Integer Arithmetic, Uninterpreted Functions, and the Theory of Arrays Angelo Brillout 1 Daniel Kroening 2 ome Leroux 3 J er ummer 4 Thomas Wahl 2 Philipp R 1 ETH Zurich 2 University of Oxford 3 Laboratoire

989 views • 50 slides
Review: Creating Arrays } Like any Java construct, arrays are declared and instantiated Array

Review: Creating Arrays } Like any Java construct, arrays are declared and instantiated Array

Review: Creating Arrays } Like any Java construct, arrays are declared and instantiated Array Declaration TypeName [] arrayVariableName ; int[] intArray; Note: size must be a fixed, String[] strArray; non-negative integer Oval[] ovalArray;

291 views • 4 slides
Overview/Questions What is sorting? Why does sorting matter? How is sorting

Overview/Questions What is sorting? Why does sorting matter? How is sorting

CS101 Lecture 30: Sorting Algorithms Selection Sort and Bubble Sort Aaron Stevens 15 April 2009 1 Overview/Questions What is sorting? Why does sorting matter? How is sorting accomplished? Why are there different sorting

534 views • 21 slides
Combining SAT solving with Integer Programming for Inductive Verification of Lustre Programs 3rd

Combining SAT solving with Integer Programming for Inductive Verification of Lustre Programs 3rd

Introduction Verification Analysis Summary Combining SAT solving with Integer Programming for Inductive Verification of Lustre Programs 3rd December 2004 Anders Franz en Combining SAT and ILP Introduction Verification Analysis

776 views • 58 slides
High-Speed Computing & Co-Processing with FPGAs FPGAs (Field Programmable Gate Arrays) are

High-Speed Computing & Co-Processing with FPGAs FPGAs (Field Programmable Gate Arrays) are

High-Speed Computing & Co-Processing with FPGAs FPGAs (Field Programmable Gate Arrays) are slowly becoming more and more advanced and practical as high-speed computing platforms. In this talk, David will provide an in-depth introduction into

478 views • 43 slides
Sorting Chapter 7 1 Quick Sort One of the most popular fast sorting algorithms Quick sort

Sorting Chapter 7 1 Quick Sort One of the most popular fast sorting algorithms Quick sort

Sorting Chapter 7 1 Quick Sort One of the most popular fast sorting algorithms Quick sort overcomes the drawback of merge sort of creating an additional array Generally, quick sort is the most efficient algorithm for large arrays 2 Quick

548 views • 35 slides
Quick Sort Undoubtedly the most popular sorting algorithm. O(nlog(n)). Arrays

Quick Sort Undoubtedly the most popular sorting algorithm. O(nlog(n)). Arrays

Quick Sort Undoubtedly the most popular sorting algorithm. O(nlog(n)). Arrays faster than mergesort Does not require as much space as merge sort. Recall that merge sort requires twice as much space as original array to

362 views • 11 slides
SORTING Review of Sorting Merge Sort Sets sorting 1 Sorting Algorithms

SORTING Review of Sorting Merge Sort Sets sorting 1 Sorting Algorithms

SORTING Review of Sorting Merge Sort Sets sorting 1 Sorting Algorithms Selection Sort uses a priority queue P implemented with an unsorted sequence: - Phase 1 : the insertion of an item into P takes O (1) time; overall O ( n

591 views • 31 slides
Matrix-Chain Multiplication Given : chain of matrices ( A 1 , A 2 , . . . A n ) , with A i

Matrix-Chain Multiplication Given : chain of matrices ( A 1 , A 2 , . . . A n ) , with A i

Matrix-Chain Multiplication Given : chain of matrices ( A 1 , A 2 , . . . A n ) , with A i having dimension ( p i 1 p i ) . Goal: compute product A 1 A 2 A n as quickly as possible Dynamic Programming 1 Multiplication of (

339 views • 21 slides
NUMA-aware Matrix-Matrix-Multiplication Max Reimann, Philipp Otto 1 About this talk

NUMA-aware Matrix-Matrix-Multiplication Max Reimann, Philipp Otto 1 About this talk

NUMA-aware Matrix-Matrix-Multiplication Max Reimann, Philipp Otto 1 About this talk Objective: Show how to improve performance of algorithms in a NUMA-system with MMM as an example Code was written in C with numa.h, pthread.h

470 views • 45 slides
Randomness in Computing L ECTURE 2 Last time Verifying polynomial identities Probability

Randomness in Computing L ECTURE 2 Last time Verifying polynomial identities Probability

Randomness in Computing L ECTURE 2 Last time Verifying polynomial identities Probability amplification Probability review Discussions Law of Total Probability Bayeslaw Today More probability amplification Verifying

615 views • 8 slides
Fast and Accurate Memristor- Based Algorithms for Social Network Analysis Sucheta Soundarajan

Fast and Accurate Memristor- Based Algorithms for Social Network Analysis Sucheta Soundarajan

Fast and Accurate Memristor- Based Algorithms for Social Network Analysis Sucheta Soundarajan Yanzhi Wang Overview of Memristors Invented by HP Labs in 2008 Resistance changes if voltage greater than V thresh is applied

452 views • 11 slides
Merge Sort: Summary General algorithm: Basic analysis: Divide in half log(n) times,

Merge Sort: Summary General algorithm: Basic analysis: Divide in half log(n) times,

Merge Sort: Summary General algorithm: Basic analysis: Divide in half log(n) times, merge log(n) times = 2log(n) Merging touches each value once, so it is linear At each level, there are n items to merge Complexity is

240 views • 11 slides
15-252 More Great Ideas in Theoretical Computer Science Lecture 1: Sorting Pancakes January

15-252 More Great Ideas in Theoretical Computer Science Lecture 1: Sorting Pancakes January

15-252 More Great Ideas in Theoretical Computer Science Lecture 1: Sorting Pancakes January 20th, 2017 Question If there are n pancakes in total (all in different size), what is the max number of flips that we would ever have to use to sort

515 views • 27 slides
Searching and Sorting Chapter 18 Instructor: Scott Kristjanson CMPT 125/125 SFU Burnaby, Fall

Searching and Sorting Chapter 18 Instructor: Scott Kristjanson CMPT 125/125 SFU Burnaby, Fall

Searching and Sorting Chapter 18 Instructor: Scott Kristjanson CMPT 125/125 SFU Burnaby, Fall 2013 Scope 2 Searching and Sorting : Linear search and binary search algorithms Several sorting algorithms, including: selection sort

688 views • 46 slides
Sorting Upper and Lower bounds [Aggarwal, Vitter, 88] Page 1 Part I: Upper Bound Page 2

Sorting Upper and Lower bounds [Aggarwal, Vitter, 88] Page 1 Part I: Upper Bound Page 2

Sorting Upper and Lower bounds [Aggarwal, Vitter, 88] Page 1 Part I: Upper Bound Page 2 Standard MergeSort Merge of two sorted sequences sequential access MergeSort: O ( N log 2 ( N/M ) /B ) I/Os Page 3

411 views • 22 slides

More recommend