Transforming Out Timing Leaks, More or Less

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9326)

Abstract

We experimentally evaluate program transformations for removing timing side-channel vulnerabilities wrt. security and overhead. Our study of four well-known transformations confirms that their performance overhead differs substantially. A novelty of our work is the empirical investigation of channel bandwidths, which clarifies that the transformations also differ wrt. how much security they add to a program. Interestingly, we observe such differences even between transformations that have been proven to establish timing-sensitive noninterference. Beyond clarification, our findings provide guidance for choosing a suitable transformation for removing timing side-channel vulnerabilities. Such guidance is needed because there is a trade-off between security and overhead, which makes choosing a suitable transformation non-trivial.

Acknowledgements

We thank Boris Köpf, David Sands, and the anonymous reviewers for valuable comments. We thank Patrick Metzler for help in the early phase of this work. This work has been partially funded by the DFG as part of project E2 within the CRC 1119 CROSSING and by CASED (www.cased.de).


Copyright information

© Springer International Publishing Switzerland 2015

Open Access This chapter is distributed under the terms of the Creative Commons Attribution Noncommercial License, which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.

Authors and Affiliations

Computer Science Department, TU Darmstadt, Darmstadt, Germany