SLIDE 1

What you get is what you C: Controlling side effects in mainstream C compilers

Laurent Simon, David Chisnall, Ross Anderson

l.simon@samsung.com https://sites.google.com/view/laurent-simon/

Approved for public release; distribution is unlimited. Sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contract FA8750-10-C-0237 (“CTSRD”) as part of the DARPA CRASH research program. The views, opinions, and/or findings contained in this report are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government.
SLIDE 2

24 April 18 Laurent SIMON - EuroS&P'18 - London 2

Talk outline

  • Compiler Optimizations and Side Effects
  • Example: constant-time choose
  • Proposed Solution and Evaluation
  • Conclusion
SLIDE 8

Question 1

Why are C compilers allowed to remove the calls?

SLIDE 9

C89/90/99/11

“An actual implementation need not evaluate part of an expression if it can deduce that its value is not used and that no needed side effects are produced”

SLIDE 15

Takeaway message (1)

  • I. C standard is not suited to express guarantees relying on controlling side effects of code

SLIDE 16

Side Effects in Cryptography

  • Side channels:
  • Examples: timing, power, energy, EM
  • Hardening techniques:
  • Bit scattering
  • Fault injection (e.g., rowhammer)
  • See paper for more
SLIDE 17

Question 2

How do programmers attempt to control side effects today; and are they successful?

SLIDE 18

Talk outline

  • Compiler Optimizations and Side Effects
  • Example: constant-time choose
  • Proposed Solution and Evaluation
  • Conclusion
SLIDE 19

Goal: for all inputs, execution time is the same => resistant to timing side channels

SLIDE 26

Constant-time requirements

  • 1. No branching on sensitive data
  • 2. Same data access pattern for all inputs
SLIDE 37

condition = false, return FalseVal

SLIDE 38

$clang-3.0 -O[0,1,2,3] ✓

SLIDE 39

$clang-3.0 -O[1,2,3] 

SLIDE 41

$clang-3.0 -O[0,1,2,3] ✓

SLIDE 42

$clang-3.3 -O[2,3]

SLIDE 43

Observation: newer versions of compilers may be less reliable than older versions for controlling side effects
SLIDE 44

Takeaway message (2)

  • I. C abstract standard is not suited to express security guarantees relying on controlling side effects of code
  • II. Developers are left fighting the compiler through obfuscation to control side effects. This must stop: we must make C compilers our allies, not our enemies.

SLIDE 45

Talk outline

  • Compiler Optimizations and Side Effects
  • Example: constant-time choose
  • Proposed Solution and Evaluation
  • Conclusion
SLIDE 49

Proposed Solution

  • Adding support into the compilers
  • Expose support to developers explicitly
  • Examples: pragma, annotations, flags, attributes, new functions, etc.
  • Better communication has improved performance (e.g., SIMD attributes, restrict keyword), so will it help control side effects
  • EuroLLVM 2018: general support for extensions that better express programmer intent

SLIDE 50

Implementation

  • Two steps towards our goal:
    – Secret erasure for stack and registers: see paper
    – Constant-time choose()
  • Clang/LLVM framework
SLIDE 53

Constant-time choose()

Type __builtin_ct_choose(bool cond, Type TrueVal, Type FalseVal);

OpenSSL defines 37 functions
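
An added example in C (not code from the slides or from the authors' repositories) illustrating the two constant-time requirements listed earlier and a choose() primitive: a branching choose, the portable mask idiom, and a table lookup built on it. All function names and the sample table are constructed for illustration; the `__builtin_ct_choose` path is taken only on a compiler that provides the builtin with the signature shown above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifndef __has_builtin
#define __has_builtin(x) 0 /* compiler lacks the feature-test macro */
#endif

/* Violates requirement 1: the result is picked by a jump on cond. */
static uint32_t choose_branchy(int cond, uint32_t t, uint32_t f) {
    if (cond) return t;
    return f;
}

/* Mask idiom: cond -> all-ones or all-zeros, then blend. The C standard
 * does not stop an optimiser from turning this back into a branch. */
static uint32_t ct_choose_u32(int cond, uint32_t t, uint32_t f) {
#if __has_builtin(__builtin_ct_choose)
    /* Assumption: only the authors' patched Clang provides this builtin. */
    return __builtin_ct_choose((_Bool)(cond != 0), t, f);
#else
    uint32_t mask = (uint32_t)0 - (uint32_t)(cond != 0);
    return (t & mask) | (f & ~mask);
#endif
}

/* Returns 1 if a == b, else 0, using arithmetic only. */
static uint32_t ct_eq_u32(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;                          /* 0 iff equal */
    return 1u ^ ((x | ((uint32_t)0 - x)) >> 31); /* top bit set iff x != 0 */
}

/* Requirement 2: touch every entry so the memory access pattern does not
 * depend on secret_idx. Returns 0 if secret_idx is out of range. */
static uint32_t ct_lookup(const uint32_t *table, size_t n, uint32_t secret_idx) {
    uint32_t out = 0;
    for (size_t i = 0; i < n; i++)
        out = ct_choose_u32((int)ct_eq_u32((uint32_t)i, secret_idx), table[i], out);
    return out;
}

int main(void) {
    static const uint32_t sbox[4] = {0xA0, 0xB1, 0xC2, 0xD3}; /* constructed */
    printf("branchy=%x ct=%x lookup=%x\n", (unsigned)choose_branchy(0, 1, 2),
           (unsigned)ct_choose_u32(0, 1, 2), (unsigned)ct_lookup(sbox, 4, 2));
    return 0;
}
```

To see what the compiler actually emitted, compile at each optimisation level (for example `clang -O2 -S`) and look for conditional jumps in `ct_choose_u32`; as the talk observes, the outcome can change between compiler versions.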

SLIDE 54

Runtime overhead

[Figure: runtime overhead (# CPU cycles) on the X25519 Montgomery ladder, OpenSSL choose vs. __builtin_ct_choose]

SLIDE 55

Takeaway message (3)

  • I. C abstract standard is not suited to express security guarantees relying on controlling side effects of code
  • II. Developers are left fighting the compiler through obfuscation to control side effects. This must stop: we must make C compilers our allies, not our enemies.
  • III. Explicit compiler support will empower developers

SLIDE 56

Conclusion

  • C standard not appropriate to control side effects
  • Arms race between compiler writers and developers/cryptographers must stop
  • Compiler support and expose it to developers
  • Ton of work, with real impact
  • Long journey: compiler, developers, OS, hardware (e.g., power side effects)

SLIDE 57

Thanks!

Questions?

Reference implementations:

https://github.com/lmrs2/ct_choose
https://github.com/lmrs2/zerostack

Laurent Simon l.simon@samsung.com https://sites.google.com/view/laurent-simon/