The Program Counter Security Model: Automatic Detection and Removal of Control-Flow Side Channel Attacks

  • David Molnar
  • Matt Piotrowski
  • David Schultz
  • David Wagner
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3935)


We introduce new methods for detecting control-flow side channel attacks, transforming C source code to eliminate such attacks, and checking that the transformed code is free of control-flow side channels. We model control-flow side channels with a program counter transcript, in which the value of the program counter at each step is leaked to an adversary. The program counter transcript model captures a class of side channel attacks that includes timing attacks and error disclosure attacks.

Further, we propose a generic source-to-source transformation that produces programs provably secure against control-flow side channel attacks. We implemented this transform for C together with a static checker that conservatively checks x86 assembly for violations of program counter security; our checker allows us to compile with optimizations while retaining assurance that the resulting code is secure. We then measured our technique’s effect on the performance of binary modular exponentiation and real-world implementations in C of RC5 and IDEA: we found it has a performance overhead of at most 5× and a stack space overhead of at most 2×. Our approach to side channel security is practical, generally applicable, and provably secure against an interesting class of side channel attacks.
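The two ideas in the abstract, a program counter transcript and the transformation that removes secret-dependent branches, can be seen on the binary modular exponentiation the paper benchmarks. The following is an added example, not the paper's code or its CIL-based tool: the transcript is modelled as a recorded sequence of block labels, a branchy square-and-multiply is placed beside a version whose secret-dependent if/else has been rewritten as a conditional assignment, and the sample base, modulus and exponents are constructed values. All names (pc_trace, trace_step, ct_select, transcript_leaks) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not the paper's code): a toy program counter transcript is
 * the sequence of straight-line block labels recorded as the code runs. */
#define TRACE_MAX 256
typedef struct { int labels[TRACE_MAX]; size_t n; } pc_trace;

static void trace_step(pc_trace *t, int label) {
    if (t != NULL && t->n < TRACE_MAX) t->labels[t->n++] = label;
}

/* Leaky square-and-multiply: the multiply block (label 2) runs only when
 * the exponent bit is 1, so the transcript spells out the exponent. */
uint64_t modexp_branchy(uint64_t base, uint64_t exp, uint64_t mod,
                        int nbits, pc_trace *t) {
    uint64_t r = 1 % mod;
    base %= mod;
    for (int i = nbits - 1; i >= 0; i--) {
        r = (r * r) % mod;
        trace_step(t, 1);                 /* square block */
        if ((exp >> i) & 1) {
            r = (r * base) % mod;
            trace_step(t, 2);             /* multiply block */
        } else {
            trace_step(t, 3);             /* else block */
        }
    }
    return r;
}

/* Branch-free select: returns a when bit is 1, b when bit is 0. This is the
 * conditional-assignment form that replaces a secret-dependent if/else. */
static uint64_t ct_select(uint64_t bit, uint64_t a, uint64_t b) {
    uint64_t mask = (uint64_t)0 - (bit & 1);    /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

/* Transformed version: both branch outcomes are computed on every
 * iteration and the secret bit only selects which one is kept, so the
 * transcript depends on nbits alone. */
uint64_t modexp_pcsecure(uint64_t base, uint64_t exp, uint64_t mod,
                         int nbits, pc_trace *t) {
    uint64_t r = 1 % mod;
    base %= mod;
    for (int i = nbits - 1; i >= 0; i--) {
        r = (r * r) % mod;
        uint64_t mult = (r * base) % mod;
        r = ct_select((exp >> i) & 1, mult, r);
        trace_step(t, 1);                 /* the only block in the loop */
    }
    return r;
}

/* Runs the chosen variant on two different 8-bit exponents and reports
 * whether the program counter transcripts differ (1 = leak observable). */
int transcript_leaks(uint64_t exp1, uint64_t exp2, int use_secure) {
    pc_trace t1 = { {0}, 0 }, t2 = { {0}, 0 };
    const uint64_t base = 7, mod = 1000003;  /* constructed sample values */
    if (use_secure) {
        modexp_pcsecure(base, exp1, mod, 8, &t1);
        modexp_pcsecure(base, exp2, mod, 8, &t2);
    } else {
        modexp_branchy(base, exp1, mod, 8, &t1);
        modexp_branchy(base, exp2, mod, 8, &t2);
    }
    if (t1.n != t2.n) return 1;
    return memcmp(t1.labels, t2.labels, t1.n * sizeof(int)) != 0;
}

int main(void) {
    printf("branchy   leaks: %d\n", transcript_leaks(0xB5, 0x4A, 0));
    printf("pc-secure leaks: %d\n", transcript_leaks(0xB5, 0x4A, 1));
    printf("results agree: %d\n",
           modexp_branchy(7, 0xB5, 1000003, 8, NULL) ==
           modexp_pcsecure(7, 0xB5, 1000003, 8, NULL));
    return 0;
}
```

Both variants return the same residue, but only the branchy one produces a transcript that changes with the exponent. Two points from the abstract matter when reading this: the source-level rewrite is not the end of the story, because an optimizing compiler is free to turn the mask-based select back into a conditional jump, which is why the paper pairs the transformation with a checker over the x86 assembly rather than trusting the C; and the model covers the program counter only, so a data-dependent instruction such as a division is outside what the transcript captures.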





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • David Molnar, UC Berkeley, USA
  • Matt Piotrowski, UC Berkeley, USA
  • David Schultz, MIT, USA
  • David Wagner, UC Berkeley, USA