Abstract
Cache side channels constitute a persistent threat to crypto implementations. In particular, block ciphers are prone to attacks when implemented with a simple lookup-table approach. Implementing crypto as software evaluations of circuits avoids this threat but is very costly.
We propose an approach that combines program analysis and circuit compilation to support the selective hardening of regular C implementations against cache side channels. We implement this approach in our toolchain RiCaSi. RiCaSi avoids unnecessary complexity and overhead if it can derive sufficiently strong security guarantees for the original implementation. If necessary, RiCaSi produces a circuit-based, hardened implementation. For this, it leverages established circuit-compilation technology from the area of secure computation. A final program analysis step ensures that the hardening is, indeed, effective.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Abel, A., Reineke, J.: nanoBench: a low-overhead tool for running microbenchmarks on x86 systems. CoRR abs/1911.03282 (2019)
Aciiçmez, O., Koç, Ç.K.: Trace-driven cache attacks on AES (short paper). In: ICICS (2006)
Advanced Micro Devices: software optimization guide for AMD family 17h models 30h and greater processors. Publication number: 56305, Revision: 3.02 (2020)
Aoki, K., et al.: Specification of Camellia - a 128-bit block cipher, version 2.0 (2001)
Apecechea, G.I., Eisenbarth, T., Sunar, B.: S\$a: a shared cache attack that works across cores and defies VM sandboxing - and its application to AES. In: S & P (2015)
Apecechea, G.I., Inci, M.S., Eisenbarth, T., Sunar, B.: Wait a minute! A fast, cross-vm attack on AES. In: RAID (2014)
ARM Limited: mbedTLS (Version 2.16.5) (2020). https://tls.mbed.org/download/start/mbedtls-2.16.5-apache.tgz
Barthe, G., Rezk, T., Warnier, M.: Preventing timing leaks through transactional branching instructions. In: QAPL (2006)
Belaïd, S., Dagand, P., Mercadier, D., Rivain, M., Wintersdorff, R.: Tornado: automatic generation of probing-secure masked bitsliced implementations. In: EUROCRYPT (2020)
Belaïd, S., Goudarzi, D., Rivain, M.: Tight private circuits: achieving probing security with the least refreshing. In: ASIACRYPT (2018)
Bernstein, D.J.: Cache-timing attacks on AES. University of Illinois at Chicago, Technical report (2005)
Biham, E.: A fast new DES implementation in software. In: FSE (1997)
Bindel, N., Buchmann, J.A., Krämer, J., Mantel, H., Schickel, J., Weber, A.: Bounding the cache-side-channel leakage of lattice-based signature schemes using program semantics. In: FPS (2017)
Brotzman, R., Liu, S., Zhang, D., Tan, G., Kandemir, M.T.: Casym: cache aware symbolic execution for side channel detection and mitigation. In: S&P (2019)
Büscher, N., Demmler, D., Katzenbeisser, S., Kretzmer, D., Schneider, T.: HyCC: compilation of hybrid protocols for practical secure computation. In: CCS (2018)
Chothia, T., Kawamoto, Y., Novakovic, C.: A tool for estimating information leakage. In: CAV (2013)
Clarke, E.M., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: TACAS (2004)
Costan, V., Devadas, S.: Intel SGX explained. ePrint 2016/86 (2016)
Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL (1977)
Daemen, J., Rijmen, V.: AES submission document on Rijndael. Version 2 (1999)
Demmler, D., Dessouky, G., Koushanfar, F., Sadeghi, A., Schneider, T., Zeitouni, S.: Automated synthesis of optimized circuits for secure computation. In: CCS (2015)
Demmler, D., Schneider, T., Zohner, M.: ABY - a framework for efficient mixed-protocol secure two-party computation. In: NDSS (2015)
Dewald, F., Mantel, H., Weber, A.: AVR processors as a platform for language-based security. In: ESORICS (2017)
Doychev, G., Köpf, B.: Rigorous analysis of software countermeasures against cache attacks. In: PLDI (2017)
Doychev, G., Köpf, B., Mauborgne, L., Reineke, J.: Cacheaudit: a tool for the static analysis of cache side channels. ACM Trans. Inf. Syst. Secur. 18(1) (2015)
Felsen, S., Kiss, Á., Schneider, T., Weinert, C.: Secure and private function evaluation with Intel SGX. In: CCSW (2019)
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC (2009)
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC (1987)
Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious rams. J. ACM 43(3), 431–473 (1996)
Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: One-time programs. In: CRYPTO (2008)
Gullasch, D., Bangerter, E., Krenn, S.: Cache games - bringing access-based cache attacks on AES to practice. In: S&P (2011)
Holzer, A., Franz, M., Katzenbeisser, S., Veith, H.: Secure two-party computations in ANSI C. In: CCS (2012)
Corporation, Intel: Intel® 64 and IA-32 architectures optimization reference manual. Order Number 248966–032 (2016)
Järvinen, K., Kolesnikov, V., Sadeghi, A., Schneider, T.: Garbled circuits for leakage-resilience: hardware implementation and evaluation of one-time programs. In: CHES (2010)
Käsper, E., Schwabe, P.: Faster and timing-attack resistant AES-GCM. In: CHES (2009)
Kim, T., Peinado, M., Mainar-Ruiz, G.: STEALTHMEM: system-level protection against cache-based side channel attacks in the cloud. In: USENIX Security (2012)
Köpf, B., Mantel, H.: Transformational typing and unification for automatically correcting insecure programs. IJIS 6(2–3) (2007)
Köpf, B., Mauborgne, L., Ochoa, M.: Automatic quantification of cache side-channels. In: CAV (2012)
Köpf, B., Smith, G.: Vulnerability bounds and leakage resilience of blinded cryptography under timing attacks. In: CSF (2010)
Kreuter, B., Shelat, A., Mood, B., Butler, K.R.B.: PCF: a portable circuit format for scalable two-party secure computation. In: USENIX Security (2013)
libtom projects: LibTomCrypt (Version 1.18.2) (2018). https://github.com/libtom/libtomcrypt/releases/tag/v1.18.2
Malacaria, P., Khouzani, M., Pasareanu, C.S., Phan, Q., Luckow, K.S.: Symbolic side-channel analysis for probabilistic programs. In: CSF (2018)
Malkhi, D., Nisan, N., Pinkas, B., Sella, Y.: Fairplay - secure two-party computation system. In: USENIX Security (2004)
Mantel, H., Schickel, J., Weber, A., Weber, F.: How secure is green it? the case of software-based energy side channels. In: ESORICS (2018)
Mantel, H., Starostin, A.: Transforming out timing leaks, more or less. In: ESORICS (2015)
Mantel, H., Weber, A., Köpf, B.: A systematic study of cache side channels across AES implementations. In: ESSoS (2017)
Matsui, M., Nakajima, J.: On the power of bitslice implementation on Intel Core2 processor. In: CHES (2007)
Mercadier, D., Dagand, P.: Usuba: high-throughput and constant-time ciphers, by construction. In: PLDI, pp. 157–173 (2019)
Möller, N.: Nettle (Version 3.5) (2019). https://ftp.gnu.org/gnu/nettle/nettle-3.5.tar.gz
Molnar, D., Piotrowski, M., Schultz, D., Wagner, D.: The program counter security model: automatic detection and removal of control-flow side channel attacks. In: ICISC (2006)
Nane, R., et al.: A survey and evaluation of FPGA high-level synthesis tools. IEEE Trans. CAD Integrat. Circ. Syst. 35(10), 1591–1604 (2016)
National Institute of Standards and Technology: FIPS PUB 46–3: Data encryption standard (DES) (1999)
National Institute of Standards and Technology: FIPS PUB 197: Advanced encryption standard (AES) (2001)
National Institute of Standards and Technology: Update to current use and deprecation of TDEA (2017). https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
OpenSSL Software Foundation: OpenSSL (Version 1.0.1d) (2020). https://www.openssl.org/source/openssl-1.0.1d.tar.gz
OpenVPN Inc: OpenVPN (2020). https://openvpn.net/
Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: CT-RSA (2006)
Page, D.: Theoretical use of cache memory as a cryptanalytic side-channel. ePrint 2002/169 (2002)
Poddar, R., Datta, A., Rebeiro, C.: A cache trace attack on Camellia. In: InfoSecHiComNet (2011)
Smith, G.: On the foundations of quantitative information flow. In: FoSSaCS (2009)
Songhori, E.M., Hussain, S.U., Sadeghi, A., Schneider, T., Koushanfar, F.: Tinygarble: highly compressed and scalable sequential garbled circuits. In: S&P (2015)
Synopsis: DC Ultra (2020). https://www.synopsys.com/implementation-and-signoff/rtl-synthesis-test/dc-ultra.html
Testa, E., Soeken, M., Amarù, L.G., Micheli, G.D.: Reducing the multiplicative complexity in logic networks for cryptography and security applications. In: DAC (2019)
Testa, E., Soeken, M., Riener, H., Amaru, L., Micheli, G.D.: A logic synthesis toolbox for reducing the multiplicative complexity in logic networks. In: DATE (2020)
The cURL Team: cURL (2020). https://curl.haxx.se/
Tillich, S., Smart, N.: (Bristol Format) Circuits of basic functions suitable for MPC and FHE (2020). https://homes.esat.kuleuven.be/~nsmart/MPC/old-circuits.html
Tsunoo, Y., Saito, T., Suzaki, T., Shigeri, M., Miyauchi, H.: Cryptanalysis of DES implemented on computers with cache. In: CHES (2003)
Wang, S., Wang, P., Liu, X., Zhang, D., Wu, D.: Cached: identifying cache-based timing channels in production software. In: USENIX Security (2017)
Weiser, S., Spreitzer, R., Bodner, L.: Single trace attack against RSA key generation in Intel SGX SSL. In: ASIACCS (2018)
Weiser, S., Zankl, A., Spreitzer, R., Miller, K., Mangard, S., Sigl, G.: DATA - differential address trace analysis: Finding address-based side-channels in binaries. In: USENIX Security (2018)
Yao, A.C.: How to generate and exchange secrets (extended abstract). In: FOCS (1986)
Zahur, S., Evans, D.: Obliv-C: a language for extensible data-oblivious computation. ePrint 2015/1153 (2015)
Zhao, X., Wang, T., Zheng, Y.: Cache timing attacks on Camellia block cipher. ePrint 2009/354 (2009)
Acknowledgments
We thank the anonymous reviewers for their helpful comments. This project was co-funded by the Deutsche Forschungsgemeinschaft (DFG) – SFB 1119 CROSSING/236615297 and GRK 2050 Privacy & Trust/251805230, and by the German Federal Ministry of Education and Research and the Hessian Ministry of Higher Education, Research, Science and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE. It has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation program (grant agreement No. 850990 PSOTI).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Mantel, H., Scheidel, L., Schneider, T., Weber, A., Weinert, C., Weißmantel, T. (2020). RiCaSi: Rigorous Cache Side Channel Mitigation via Selective Circuit Compilation. In: Krenn, S., Shulman, H., Vaudenay, S. (eds) Cryptology and Network Security. CANS 2020. Lecture Notes in Computer Science(), vol 12579. Springer, Cham. https://doi.org/10.1007/978-3-030-65411-5_25
Download citation
DOI: https://doi.org/10.1007/978-3-030-65411-5_25
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65410-8
Online ISBN: 978-3-030-65411-5
eBook Packages: Computer ScienceComputer Science (R0)