System-Level Non-interference of Constant-Time Cryptography. Part II: Verified Static Analysis and Stealth Memory

Abstract

This paper constitutes the second part of a paper published in Barthe et al. (J Autom Reason, 2017. https://doi.org/10.1007/s10817-017-9441-5). Cache-based attacks are a class of side-channel attacks that are particularly effective in virtualized or cloud-based environments, where they have been used to recover secret keys from cryptographic implementations. One common approach to thwart cache-based attacks is to use constant-time implementations, i.e. those which do not branch on secrets and do not perform memory accesses that depend on secrets. However, there is no rigorous proof that constant-time implementations are protected against concurrent cache attacks in virtualization platforms with shared cache. We propose a new information-flow analysis that checks if an x86 application executes in constant-time, and show that constant-time programs do not leak confidential information through the cache to other operating systems executing concurrently on virtualization platforms. Our static analysis targets the pre-assembly language of the CompCert verified compiler. Its soundness proof is based on a connection between CompCert semantics and our idealized model of virtualization, and uses isolation theorems presented in Part I. We then extend our model of virtualization platform and our static analysis to accommodate stealth memory, a countermeasure which provisions a small amount of private cache for programs to carry potentially leaking computations securely. Stealth memory induces a weak form of constant-time, called S-constant-time, which encompasses some widely used cryptographic implementations. Our results provide the first rigorous analysis of stealth memory and S-constant-time, and the first tool support for checking if applications are S-constant-time. We formalize our results using the Coq proof assistant and we demonstrate the effectiveness of our analyses on cryptographic implementations, including PolarSSL AES, DES and RC4, SHA256 and Salsa20.
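The property the abstract describes (no branch on a secret, no memory access whose address depends on a secret, with an address taken as base register plus offset as in Note 1) and its S-constant-time relaxation can be checked by a forward taint analysis iterated to a fixpoint in the style of Kildall [11]. The block below is an added illustration and not the paper's Coq/CompCert analysis: it works on a small invented three-address IR instead of Mach, abstracts memory per base register in place of the alias analysis the paper relies on, and treats every address formed from one declared stealth base register as stealth memory. The three sample programs (an S-box lookup, a secret-dependent branch and a byte-wise XOR loop) are constructed for the example; the exact definitions of constant-time and S-constant-time in the paper are stated over Mach semantics and are more precise than this toy.

```python
# Added example (not the paper's Coq development): a toy taint analysis for
# constant-time (CT) and S-constant-time (S-CT) over a small invented IR.
# Assumptions: memory is abstracted per base register (standing in for the
# alias analysis the paper relies on) and the stealth region is everything
# addressed from one declared base register.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# IR:  const dst, imm | op dst, a, b | load dst, base, off | store src, base, off
#      br cond, l1, l2 | jmp l | ret src     (address = base register + offset register)

@dataclass
class Program:
    instrs: List[tuple]
    labels: Dict[str, int]
    secrets: Set[str]        # registers holding secrets at entry
    secret_mem: Set[str]     # regions (base registers) whose contents are secret at entry
    stealth: Optional[str]   # base register of the stealth region, or None

def assemble(text, secrets=(), secret_mem=(), stealth=None):
    instrs, labels = [], {}
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            labels[line[:-1]] = len(instrs)
            continue
        op, *args = line.replace(",", " ").split()
        instrs.append((op, *(int(a) if a.isdigit() else a for a in args)))
    return Program(instrs, labels, set(secrets), set(secret_mem), stealth)

def transfer(prog, pc, regs, mems):
    """One-instruction taint step over (secret registers, secret regions).
    A loaded value is secret if its region, its base or its offset is secret."""
    regs, mems, ins = set(regs), set(mems), prog.instrs[pc]
    if ins[0] in ("const", "op", "load"):
        high = any(s in regs for s in ins[2:]) or (ins[0] == "load" and ins[2] in mems)
        (regs.add if high else regs.discard)(ins[1])
    elif ins[0] == "store" and any(s in regs for s in ins[1:]):
        mems.add(ins[2])     # secret value or secret address: the whole region turns secret
    return frozenset(regs), frozenset(mems)

def analyze(prog):
    """Kildall-style worklist: union-join the state at each pc until a fixpoint."""
    inp, work = {0: (frozenset(prog.secrets), frozenset(prog.secret_mem))}, [0]
    while work:
        pc = work.pop()
        ins, out = prog.instrs[pc], transfer(prog, pc, *inp[pc])
        succ = ([prog.labels[l] for l in ins[2:]] if ins[0] == "br" else
                [prog.labels[ins[1]]] if ins[0] == "jmp" else
                [] if ins[0] == "ret" else [pc + 1])
        for s in succ:
            old = inp.get(s)
            new = out if old is None else (old[0] | out[0], old[1] | out[1])
            if new != old:
                inp[s] = new
                work.append(s)
    return inp

def violations(prog, s_constant_time=False):
    """Branches and memory accesses whose condition or address depends on a secret;
    under S-CT a secret offset into the stealth region is permitted."""
    found = []
    for pc, (regs, _) in sorted(analyze(prog).items()):   # unreachable pcs are skipped
        ins = prog.instrs[pc]
        if ins[0] == "br" and ins[1] in regs:
            found.append((pc, "secret-dependent branch"))
        elif ins[0] in ("load", "store"):
            if ins[2] in regs:
                found.append((pc, "secret-dependent base address"))
            elif ins[3] in regs and not (s_constant_time and ins[2] == prog.stealth):
                found.append((pc, "secret-dependent address"))
    return found

def is_constant_time(prog):
    return not violations(prog)
def is_s_constant_time(prog):
    return not violations(prog, s_constant_time=True)

# Constructed sample programs (not taken from the paper).
SBOX_LOOKUP = """
    load  t, sbox, k      # t := sbox[k] with k secret: the cache line touched leaks k
    op    r, t, m
    ret   r
"""
SECRET_BRANCH = "br k, yes, no\nyes:\nconst r, 1\nret r\nno:\nconst r, 0\nret r"
CT_XOR_LOOP = """
    const i, 0
    const n, 16
loop:
    op    c, i, n         # c := i < n: public counter, public bound
    br    c, body, done
body:
    load  kb, key, i      # secret key byte read at a public address: allowed
    op    x, kb, i        # secret value, but it reaches no branch and no address
    store x, out, i
    op    i, i, 1
    jmp   loop
done:
    ret   i
"""
```

`violations(assemble(SBOX_LOOKUP, secrets={"k"}))` reports the lookup at pc 0 as a secret-dependent address; the same program assembled with `stealth="sbox"` passes `is_s_constant_time` but still fails `is_constant_time`, which is exactly the gap between the two properties the abstract draws. A secret base register is rejected in both modes, because the analysis can then no longer tell which region the access hits, and the XOR loop passes both checks even though it computes on secret data, since the secret never reaches a branch condition or an address.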

Notes

  1. The terminology is inherited from cryptography, where it generally refers to source-level programs whose execution time is independent of secrets. Because the property is meant to characterize the behavior of program executions on concrete architectures rather than in abstract operational models, we focus on low-level languages and on a variant of constant-time expressed in terms of addresses (base address plus offset). Varying execution times of non-memory operations are not considered in the analysis proposed in this work.

  2. The formal development is available at https://www.fing.edu.uy/inco/grupos/gsi/sources/virtualcert/constant-time_lang.tar.gz and can be verified using Coq.

  3. Mach is the last intermediate language in the CompCert compilation chain: it comes after the compiler passes that may introduce new memory accesses and immediately before the generation of assembly code.

  4. To avoid confusion, we will use the letter t to denote states at the language level, and s to denote states at the virtualization platform level.

  5. The full formalization is available at [7].

  6. This could be easily generalized to a set of stealth virtual addresses, all sharing the same cache line set, as is described in [6].

  7. The model formalizes a notion of valid state that captures several well-formedness conditions, which are preserved by execution.

  8. It was developed circa 2010 by Adam Langley and is available from https://github.com/agl/ctgrind/.

References

  1. Barthe, G., Betarte, G., Campo, J., Luna, C.: Cache-leakage resilient OS isolation in an idealized model of virtualization. CSF 2012, 186–197 (2012)

  2. Bernstein, D.J.: Cache-timing attacks on AES (2005). Available from author’s webpage

  3. Tromer, E., Osvik, D.A., Shamir, A.: Efficient cache attacks on AES, and countermeasures. J. Cryptol. 23(1), 37–71 (2010)

  4. Wang, Z., Lee, R.B.: New cache designs for thwarting software cache-based side channel attacks. In: ISCA 2007, pp. 494–505. ACM (2007)

  5. Erlingsson, U., Abadi, M.: Operating system protection against side-channel attacks that exploit memory latency. Tech. Rep. MSR-TR-2007-117, Microsoft Research (2007)

  6. Kim, T., Peinado, M., Mainar-Ruiz, G.: STEALTHMEM: system-level protection against cache-based side channel attacks in the cloud. In: USENIX Security 2012, pp. 11–11. USENIX Association, Berkeley (2012)

  7. Barthe, G., Betarte, G., Campo, J.D., Luna, C.: System-level non-interference of constant-time cryptography part I: model. J. Autom. Reason. (2017). https://doi.org/10.1007/s10817-017-9441-5

  8. The Coq Development Team: The Coq Proof Assistant Reference Manual (2018)

  9. Leroy, X.: Formal certification of a compiler back-end, or: programming a compiler with a proof assistant. In: POPL 2006, pp. 42–54. ACM (2006)

  10. Sison, R., Murray, T.C.: Verifying that a compiler preserves concurrent value-dependent information-flow security. CoRR abs/1907.00713 (2019). http://arxiv.org/abs/1907.00713

  11. Kildall, G.A.: A unified approach to global program optimization. In: Proceedings of the 1st Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, POPL ’73, pp. 194–206. ACM, New York (1973). https://doi.org/10.1145/512927.512945

  12. Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Commun. ACM 20(7), 504–513 (1977). https://doi.org/10.1145/359636.359712

  13. Leroy, X., Robert, V.: A formally-verified alias analysis. In: CPP, pp. 11–26 (2012)

  14. Hind, M.: Pointer analysis: Haven’t we solved this problem yet? In: Proceedings of the 2001 ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, PASTE ’01, pp. 54–61. ACM, New York (2001). https://doi.org/10.1145/379605.379665

  15. Chrząszcz, J.: Implementing modules in the Coq system. In: Basin, D., Wolff, B. (eds.) Theorem Proving in Higher Order Logics, Lecture Notes in Computer Science, vol. 2758, pp. 270–286. Springer, Berlin (2003). https://doi.org/10.1007/10930755_18

  16. Käsper, E., Schwabe, P.: Faster and timing-attack resistant AES-GCM. In: Clavier, C., Gaj, K. (eds.) CHES, Lecture Notes in Computer Science, vol. 5747, pp. 1–17. Springer (2009)

  17. Coppens, B., Verbauwhede, I., Bosschere, K.D., Sutter, B.D.: Practical mitigations for timing-based side-channel attacks on modern x86 processors. In: S&P 2009, pp. 45–60 (2009)

  18. Advanced encryption standard (AES). Tech. Rep. FIPS PUB 197, Federal Information Processing Standards Publications (2001)

  19. ARM Limited.: mbed TLS. See https://tls.mbed.org/

  20. Data encryption standard (DES). Tech. Rep. FIPS PUB 46, Federal Information Processing Standards Publications (1977)

  21. Schneier, B.: The Blowfish encryption algorithm. http://www.schneier.com/blowfish.html

  22. Tsunoo, Y., Saito, T., Suzaki, T., Shigeri, M., Miyauchi, H.: Cryptanalysis of DES implemented on computers with cache. In: CHES 2003, LNCS, vol. 2779, pp. 62–76. Springer (2003)

  23. Kelsey, J., Schneier, B., Wagner, D., Hall, C.: Side channel cryptanalysis of product ciphers. J. Comput. Secur. 8(2–3), 141–158 (2000)

  24. Schneier, B.: The Blowfish source code. http://www.schneier.com/blowfish-download.html

  25. 3rd Generation Partnership Project: Specification of the 3GPP confidentiality and integrity algorithms UEA2 & UIA2; document 2: SNOW 3G specification (2006)

  26. Leander, G., Zenner, E., Hawkes, P.: Cache timing analysis of LFSR-based stream ciphers. In: IMACC 2009, LNCS, vol. 5921, pp. 433–445. Springer (2009). https://doi.org/10.1007/978-3-642-10868-6_26

  27. Chardin, T., Fouque, P.A., Leresteux, D.: Cache timing analysis of RC4. In: ACNS 2011, LNCS, vol. 6715, pp. 110–129 (2011)

  28. Wheeler, D., Needham, R.: TEA, a tiny encryption algorithm. In: Preneel, B. (ed.) Fast Software Encryption, Lecture Notes in Computer Science, vol. 1008, pp. 363–366. Springer, Berlin (1995). https://doi.org/10.1007/3-540-60590-8_29

  29. Bernstein, D.: Salsa20 Specification (2005)

  30. Secure Hash Standard. Tech. Rep. FIPS PUB 180-4, Federal Information Processing Standards Publications (2012)

  31. Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the full AES. In: Lee, D., Wang, X. (eds.) Advances in Cryptology—ASIACRYPT 2011, Lecture Notes in Computer Science, vol. 7073, pp. 344–371. Springer, Berlin (2011). https://doi.org/10.1007/978-3-642-25385-0_19

  32. Fouque, P.A., Jean, J., Peyrin, T.: Structural evaluation of AES and chosen-key distinguisher of 9-round AES-128. In: Canetti, R., Garay, J. (eds.) Advances in Cryptology—CRYPTO 2013, Lecture Notes in Computer Science, vol. 8042, pp. 183–203. Springer, Berlin (2013). https://doi.org/10.1007/978-3-642-40041-4_11

  33. Koeune, F., Quisquater, J.J.: A timing attack against Rijndael. Tech. rep. Université Catholique de Louvain (1999)

  34. Bonneau, J., Mironov, I.: Cache collision timing attacks against AES. In: CHES ’06 (2006)

  35. Aciiçmez, O., Schindler, W., Koç, Ç.K.: Cache based remote timing attack on the AES. In: CT-RSA 2007, LNCS, vol. 4377, pp. 271–286. Springer (2007)

  36. Canteaut, A., Lauradoux, C., Seznec, A.: Understanding cache attacks. Rapport de recherche RR-5881, INRIA (2006). http://hal.inria.fr/inria-00071387

  37. Gullasch, D., Bangerter, E., Krenn, S.: Cache games—bringing access-based cache attacks on AES to practice. In: S&P 2011, pp. 490–505 (2011)

  38. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud! Exploring information leakage in third-party compute clouds. In: CCS 2009, pp. 199–212. ACM Press (2009)

  39. Daemen, J., Rijmen, V.: AES proposal: Rijndael (1998)

  40. Kocher, P.: Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and Other Systems. In: CRYPTO’96, LNCS, vol. 1109, pp. 104–113. Springer (1996)

  41. Aly, H., ElGayyar, M.: Attacking AES using Bernstein’s attack on modern processors. In: Youssef, A., Nitaj, A., Hassanien, A. (eds.) Progress in Cryptology—AFRICACRYPT 2013, Lecture Notes in Computer Science, vol. 7918, pp. 127–139. Springer Berlin (2013). https://doi.org/10.1007/978-3-642-38553-7_7

  42. Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Fine grain cross-VM attacks on Xen and VMware are possible! IACR Cryptology ePrint Archive 2014, 248 (2014). http://eprint.iacr.org/2014/248

  43. Genkin, D., Valenta, L., Yarom, Y.: May the fourth be with you: A microarchitectural side channel attack on several real-world applications of curve25519. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, October 30–November 03, 2017, pp. 845–858. ACM (2017). https://doi.org/10.1145/3133956.3134029

  44. Yarom, Y., Genkin, D., Heninger, N.: CacheBleed: a timing attack on OpenSSL constant-time RSA. J. Cryptogr. Eng. 7(2), 99–112 (2017). https://doi.org/10.1007/s13389-017-0152-y

  45. Ronen, E., Paterson, K.G., Shamir, A.: Pseudo constant time implementations of TLS are only pseudo secure. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, October 15–19, 2018, pp. 1397–1414. ACM (2018). https://doi.org/10.1145/3243734.3243775

  46. Shi, J., Song, X., Chen, H., Zang, B.: Limiting cache-based side-channel in multi-tenant cloud using dynamic page coloring. In: Dependable Systems and Networks Workshops (DSN-W), 2011 IEEE/IFIP 41st International Conference on, pp. 194–199 (2011). https://doi.org/10.1109/DSNW.2011.5958812

  47. Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS, pp. 293–302. IEEE Computer Society (2008)

  48. Barbosa, M., Barthe, G., Bhargavan, K., Blanchet, B., Cremers, C., Liao, K., Parno, B.: SoK: Computer-aided cryptography. IACR Cryptology ePrint Archive 2019, 1393 (2019). https://eprint.iacr.org/2019/1393

  49. Agat, J.: Transforming out Timing Leaks. In: Proceedings POPL’00, pp. 40–53. ACM (2000)

  50. Molnar, D., Piotrowski, M., Schultz, D., Wagner, D.: The program counter security model: automatic detection and removal of control-flow side channel attacks. ICISC 2005, 156–168 (2005)

  51. Zhang, D., Askarov, A., Myers, A.C.: Predictive mitigation of timing channels in interactive systems. In: Chen, Y., Danezis, G., Shmatikov V. (eds.) Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, Chicago, Illinois, USA, October 17–21, pp. 563–574. ACM (2011). https://doi.org/10.1145/2046707.2046772

  52. Stefan, D., Buiras, P., Yang, E.Z., Levy, A., Terei, D., Russo, A., Mazières, D.: Eliminating cache-based timing attacks with instruction-based scheduling. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS, Lecture Notes in Computer Science, vol. 8134, pp. 718–735. Springer (2013)

  53. Liu, C., Hicks, M., Shi, E.: Memory trace oblivious program execution. CSF 2013, 51–65 (2013)

  54. Doychev, G., Feld, D., Köpf, B., Mauborgne, L., Reineke, J.: CacheAudit: A tool for the static analysis of cache side channels. In: USENIX Security 2013 (2013)

  55. Doychev, G., Köpf, B.: Rigorous analysis of software countermeasures against cache attacks. In: Cohen, A., Vechev, M.T. (eds.) Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2017, Barcelona, June 18–23, 2017, pp. 406–421. ACM (2017). https://doi.org/10.1145/3062341.3062388

  56. Barthe, G., Köpf, B., Mauborgne, L., Ochoa, M.: Leakage resilience against concurrent cache attacks. In: POST (2014)

  57. Chattopadhyay, S., Beck, M., Rezine, A., Zeller, A.: Quantifying the information leakage in cache attacks via symbolic execution. ACM Trans. Embed. Comput. Syst. (TECS) 18(1), 7 (2019)

  58. Wang, S., Wang, P., Liu, X., Zhang, D., Wu, D.: CacheD: Identifying cache-based timing channels in production software. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 235–252 (2017)

  59. Pasareanu, C.S., Phan, Q.S., Malacaria, P.: Multi-run side-channel analysis using symbolic execution and Max-SMT. In: 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pp. 387–400. IEEE (2016)

  60. Blazy, S., Pichardie, D., Trieu, A.: Verifying constant-time implementations by abstract interpretation. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) Computer Security—ESORICS 2017—22nd European Symposium on Research in Computer Security, Oslo, September 11–15, 2017, Proceedings, Part I, Lecture Notes in Computer Science, vol. 10492, pp. 260–277. Springer (2017). https://doi.org/10.1007/978-3-319-66402-6_16

  61. Barthe, G., Blazy, S., Laporte, V., Pichardie, D., Trieu, A.: Verified translation validation of static analyses. In: 30th IEEE Computer Security Foundations Symposium, CSF 2017, Santa Barbara, CA, USA, August 21–25, 2017, pp. 405–419. IEEE Computer Society (2017). https://doi.org/10.1109/CSF.2017.16

  62. Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F., Emmi, M.: Verifying constant-time implementations. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10–12, 2016, pp. 53–70. USENIX Association (2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/almeida

  63. Barthe, G., Crespo, J.M., Kunz, C.: Relational verification using product programs. In: Butler, M.J., Schulte, W. (eds.) FM 2011: Formal Methods—17th International Symposium on Formal Methods, Limerick, Ireland, June 20–24, 2011. Proceedings, Lecture Notes in Computer Science, vol. 6664, pp. 200–214. Springer (2011). https://doi.org/10.1007/978-3-642-21437-0_17

  64. Barthe, G., Crespo, J.M., Kunz, C.: Product programs and relational program logics. J. Log. Algebra Methods Progr. 85(5), 847–859 (2016). https://doi.org/10.1016/j.jlamp.2016.05.004

  65. Almeida, J.B., Barbosa, M., Barthe, G., Blot, A., Grégoire, B., Laporte, V., Oliveira, T., Pacheco, H., Schmidt, B., Strub, P.: Jasmin: High-assurance and high-speed cryptography. In: Thuraisingham, B.M., Evans, D., Malkin,T., Xu, D. (eds.) Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017, pp. 1807–1823. ACM (2017). https://doi.org/10.1145/3133956.3134078

  66. Bond, B., Hawblitzel, C., Kapritsos, M., Leino, K.R.M., Lorch, J.R., Parno, B., Rane, A., Setty, S.T.V., Thompson, L.: Vale: Verifying high-performance cryptographic assembly code. In: Kirda, E., Ristenpart, T. (eds.) 26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, August 16–18, 2017, pp. 917–934. USENIX Association (2017). https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/bond

  67. Rodrigues, B., Pereira, F.M.Q., Aranha, D.F.: Sparse representation of implicit flows with applications to side-channel detection. In: Zaks, A., Hermenegildo, M.V. (eds.) Proceedings of the 25th International Conference on Compiler Construction, CC 2016, Barcelona, March 12–18, 2016, pp. 110–120. ACM (2016). https://doi.org/10.1145/2892208.2892230

  68. Watt, C., Renner, J., Popescu, N., Cauligi, S., Stefan, D.: CT-Wasm: type-driven secure cryptography for the web ecosystem. PACMPL 3(POPL), 77:1–77:29 (2019). https://doi.org/10.1145/3290390

  69. Barthe, G., Grégoire, B., Laporte, V.: Secure compilation of side-channel countermeasures: the case of cryptographic “constant-time”. In: 31st IEEE Computer Security Foundations Symposium, CSF 2018, Oxford, United Kingdom, July 9–12, 2018, pp. 328–343. IEEE Computer Society (2018). https://doi.org/10.1109/CSF.2018.00031

  70. Wu, M., Guo, S., Schaumont, P., Wang, C.: Eliminating timing side-channel leaks using program repair. In: Tip, F., Bodden, E. (eds.) Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2018, Amsterdam, July 16–21, 2018, pp. 15–26. ACM (2018). https://doi.org/10.1145/3213846.3213851

  71. Cauligi, S., Soeller, G., Brown, F., Renner, J., Johannesmeyer, B., Wahby, R.S., Grégoire, B., Barthe, G., Jhala, R., Stefan, D.: FaCT: A DSL for timing-sensitive computation. In: Proceedings of PLDI 2019. ACM (2019)

  72. Besson, F., Dang, A., Jensen, T.P.: Securing compilation against memory probing. In: Alvim, M.S., Delaune, S. (eds.) Proceedings of the 13th Workshop on Programming Languages and Analysis for Security, PLAS@CCS 2018, Toronto, ON, October 15–19, 2018, pp. 29–40. ACM (2018). https://doi.org/10.1145/3264820.3264822

  73. Besson, F., Dang, A., Jensen, T.P.: Information-flow preservation in compiler optimisations. In: 32nd IEEE Computer Security Foundations Symposium, CSF 2019, Hoboken, NJ, June 25–28, 2019, pp. 230–242. IEEE (2019). https://doi.org/10.1109/CSF.2019.00023

  74. Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Fogh, A., Horn, J., Mangard, S., Kocher, P., Genkin, D., Yarom, Y., Hamburg, M.: Meltdown: Reading kernel memory from user space. In: 27th USENIX Security Symposium (USENIX Security 18) (2018)

  75. Van Bulck, J., Minkin, M., Weisse, O., Genkin, D., Kasikci, B., Piessens, F., Silberstein, M., Wenisch, T.F., Yarom, Y., Strackx, R.: Foreshadow: Extracting the keys to the Intel SGX kingdom with transient out-of-order execution. In: Proceedings of the 27th USENIX Security Symposium. USENIX Association (2018). (See also the technical report Foreshadow-NG [76])

  76. Weisse, O., Van Bulck, J., Minkin, M., Genkin, D., Kasikci, B., Piessens, F., Silberstein, M., Strackx, R., Wenisch, T.F., Yarom, Y.: Foreshadow-NG: Breaking the virtual memory abstraction with transient out-of-order execution. Tech. Rep. (2018). (See also the USENIX Security paper Foreshadow [75])

  77. Kocher, P., Horn, J., Fogh, A., Genkin, D., Gruss, D., Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M., Yarom, Y.: Spectre attacks: exploiting speculative execution. In: 40th IEEE Symposium on Security and Privacy (S&P’19) (2019)

  78. Cheang, K., Rasmussen, C., Seshia, S.A., Subramanyan, P.: A formal approach to secure speculation. In: 32nd IEEE Computer Security Foundations Symposium, CSF 2019, Hoboken, NJ, June 25–28, 2019, pp. 288–303. IEEE (2019). https://doi.org/10.1109/CSF.2019.00027

  79. Bhargavan, K., Fournet, C., Gordon, A.D.: Modular verification of security protocol code by typing. In: POPL 2010. ACM (2010)

  80. Dupressoir, F., Gordon, A.D., Jürjens, J., Naumann, D.A.: Guiding a general-purpose C verifier to prove cryptographic protocols. In: CSF 2011, pp. 3–17. IEEE Computer Society (2011)

  81. Cadé, D., Blanchet, B.: From computationally-proved protocol specifications to implementations. In: ARES 2012, pp. 65–74. IEEE Computer Society (2012)

  82. Aizatulin, M., Gordon, A.D., Jürjens, J.: Computational verification of C protocol implementations by symbolic execution. In: CCS 2012, pp. 712–723. ACM (2012)

  83. Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F.: Certified computer-aided cryptography: efficient provably secure machine code from high-level implementations. In: CCS (2013)

  84. Barthe, G., Grégoire, B., Heraud, S., Zanella-Béguelin, S.: Computer-aided security proofs for the working cryptographer. In: CRYPTO 2011, LNCS, vol. 6841. Springer, Heidelberg (2011)

  85. Appel, A.W.: Verification of a cryptographic primitive: SHA-256. ACM Trans. Progr. Lang. Syst. 37(2), 7:1–7:31 (2015). https://doi.org/10.1145/2701415

  86. Appel, A.W.: Program Logics–for Certified Compilers. Cambridge University Press, Cambridge (2014)

  87. Beringer, L., Petcher, A., Ye, K.Q., Appel, A.W.: Verified correctness and security of OpenSSL HMAC. In: Jung, J., Holz, T. (eds.) 24th USENIX Security Symposium, USENIX Security 15, Washington, DC, August 12–14, 2015, pp. 207–221. USENIX Association (2015). https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/beringer

  88. Ye, K.Q., Green, M., Sanguansin, N., Beringer, L., Petcher, A., Appel, A.W.: Verified correctness and security of mbedTLS HMAC-DRBG. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, October 30–November 03, 2017, pp. 2007–2020. ACM (2017). https://doi.org/10.1145/3133956.3133974

  89. Zinzindohoué, J.K., Bhargavan, K., Protzenko, J., Beurdouche, B.: HACL*: A verified modern cryptographic library. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, October 30–November 03, 2017, pp. 1789–1806. ACM (2017). https://doi.org/10.1145/3133956.3134043

  90. Swamy, N., Chen, J., Fournet, C., Strub, P., Bhargavan, K., Yang, J.: Secure distributed programming with value-dependent types. In: Chakravarty, M.M.T., Hu, Z., Danvy, O. (eds.) Proceeding of the 16th ACM SIGPLAN International Conference on Functional Programming, ICFP 2011, Tokyo, September 19–21, 2011, pp. 266–278. ACM (2011). https://doi.org/10.1145/2034773.2034811

  91. Erbsen, A., Philipoom, J., Gross, J., Sloan, R., Chlipala, A.: Simple high-level code for cryptographic arithmetic—with proofs, without compromises. In: Proceedings of Security and Privacy (2019)

  92. Barthe, G., Rezk, T., Naumann, D.A.: Deriving an information flow checker and certifying compiler for Java. In: S&P 2006, pp. 230–242. IEEE Computer Society (2006)

Author information

Corresponding author

Correspondence to Carlos Luna.

About this article

Cite this article

Barthe, G., Betarte, G., Campo, J.D. et al. System-Level Non-interference of Constant-Time Cryptography. Part II: Verified Static Analysis and Stealth Memory. J Autom Reasoning 64, 1685–1729 (2020). https://doi.org/10.1007/s10817-020-09548-x

Keywords

  • Non-interference
  • Cache-based attacks
  • Constant-time cryptography
  • Stealth memory
  • Coq