On the Trade-Offs in Oblivious Execution Techniques

  • Shruti Tople
  • Prateek Saxena
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10327)


To enable privacy-preserving computation on encrypted data, a class of techniques for input-oblivious execution have surfaced. The property of input-oblivious execution guarantees that an adversary observing the interaction of a program with the underlying system learns nothing about the sensitive input. To highlight the importance of oblivious execution, we demonstrate a concrete practical attack—called a logic-reuse attack—that leaks every byte of encrypted input if oblivious techniques are not used. Next, we study the efficacy of oblivious execution techniques and understand their limitations from a practical perspective. We manually transform 30 common Linux utilities by applying known oblivious execution techniques. As a positive result, we show that 6 utilities perform input-oblivious execution without modification, 11 utilities can be transformed with O(1) performance overhead and 11 other show O(N) overhead. As a negative result, we show that theoretical limitations of oblivious execution techniques do manifest in 2 real applications in our case studies incurring a performance cost of \(O(2^N)\) over non-oblivious execution.


Input File Leak Information Timing Channel Homomorphic Encryption Address Parameter 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We thank the anonymous reviewers of this paper for their helpful feedback. We also thank Shweta Shinde, Zheng Leong Chua and Loi Luu for useful feedback on an early version of the paper. This work is supported by the Ministry of Education, Singapore under Grant No. R-252-000-560-112 and a university research grant from Intel. All opinions expressed in this work are solely those of the authors.


  1. 1.
  2. 2.
  3. 3.
    GNU CoreUtils.
  4. 4.
  5. 5.
    Trusted Computing Group. Trusted platform module, July 2007Google Scholar
  6. 6.
    Agat, J.: Transforming out timing leaks. In: Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2000 (2000)Google Scholar
  7. 7.
    ARM: ARM Security Technology – Building a Secure System using TrustZone Technology. ARM Technical White Paper (2013)Google Scholar
  8. 8.
    Azab, T.: Differentially private traffic padding for web applications. Ph.D. thesis, Concordia University Montreal, Quebec (2014)Google Scholar
  9. 9.
    Barrantes, E.G., Ackley, D.H., Palmer, T.S., Stefanovic, D., Zovi, D.D.: Randomized instruction set emulation to disrupt binary code injection attacks. In: Proceedings of the 10th ACM conference on Computer and communications security (2003)Google Scholar
  10. 10.
    Baumann, A., Peinado, M., Hunt, G.: Shielding applications from an untrusted cloud with haven. In: OSDI (2014)Google Scholar
  11. 11.
    Brumley, D., Boneh, D.: Remote timing attacks are practical. Comput. Networks 48(5), 701–716 (2005)CrossRefGoogle Scholar
  12. 12.
    Checkoway, S., Shacham, H.: Iago attacks: why the system call API is a bad untrusted RPC interface. In: ASPLOS (2013)Google Scholar
  13. 13.
    Chen, S., Wang, R., Wang, X., Zhang, K.: Side-channel leaks in web applications: a reality today, a challenge tomorrow. In: IEEE Symposium on Security and Privacy (SP), pp. 191–206. IEEE (2010)Google Scholar
  14. 14.
    Chen, X., Garfinkel, T., Lewis, E.C., Subrahmanyam, P., Waldspurger, C.A., Boneh, D., Dwoskin, J., Ports, D.R.: Overshadow: a virtualization-based approach to retrofitting protection in commodity operating systems (2008)Google Scholar
  15. 15.
    Chhabra, S., Rogers, B., Solihin, Y., Prvulovic, M.: SecureME: a hardware-software approach to full system security. In: ICS (2011)Google Scholar
  16. 16.
    Cock, D., Ge, Q., Murray, T., Heiser, G.: The last mile: an empirical study of timing channels on sel4. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014 (2014)Google Scholar
  17. 17.
    Coppens, B., Verbauwhede, I., De Bosschere, K., De Sutter, B.: Practical mitigations for timing-based side-channel attacks on modern x86 processors. In: 30th IEEE Symposium on Security and Privacy, pp. 45–60. IEEE (2009)Google Scholar
  18. 18.
    Dwork, C., van Tilborg, H.C.A., Jajodia, S.: Differential privacy. Encyclopedia of Cryptography and Security, pp. 338–340. Springer, New York (2011)Google Scholar
  19. 19.
    Dyer, K.P., Coull, S.E., Ristenpart, T., Shrimpton, T.: Peek-a-boo, i still see you: why efficient traffic analysis countermeasures fail. In: IEEE Symposium on Security and Privacy (SP), pp. 332–346. IEEE (2012)Google Scholar
  20. 20.
    ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). doi: 10.1007/3-540-39568-7_2 CrossRefGoogle Scholar
  21. 21.
    Fairley, R.E.: Tutorial: static analysis and dynamic testing of computer software. Computer (1978)Google Scholar
  22. 22.
    Fletcher, C.W., Dijk, M.V., Devadas, S.: A secure processor architecture for encrypted computation on untrusted programs. In: Proceedings of the seventh ACM workshop on Scalable trusted computing, pp. 3–8. ACM (2012)Google Scholar
  23. 23.
    Fletchery, C.W., Ren, L., Yu, X., Van Dijk, M., Khan, O., Devadas, S.: Suppressing the oblivious ram timing channel while making information leakage and program efficiency trade-offs. In: 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA), pp. 213–224. IEEE (2014)Google Scholar
  24. 24.
    Gentry, C., Halevi, S.: Implementing gentry’s fully-homomorphic encryption scheme. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 129–148. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-20465-4_9 CrossRefGoogle Scholar
  25. 25.
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: 41st Annual ACM Symposium on Theory of Computing (2009)Google Scholar
  26. 26.
    Gentry, C., Halevi., S.: A working implementation of fully homomorphic encryption. In: EUROCRYPT (2010)Google Scholar
  27. 27.
    Gianvecchio, S., Wang, H.: Detecting covert timing channels: an entropy-based approach. In: Proceedings of the 14th ACM conference on Computer and communications security. ACM (2007)Google Scholar
  28. 28.
    Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
  29. 29.
    Goodrich, M.T., Mitzenmacher, M., Ohrimenko, O., Tamassia, R.: Practical oblivious storage. In: Proceedings of the second ACM conference on Data and Application Security and Privacy (2012)Google Scholar
  30. 30.
    Gordon, S.D., Katz, J., Kolesnikov, V., Krell, F., Malkin, T., Raykova, M., Vahlis, Y.: Secure two-party computation in sublinear (amortized) time. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012 (2012)Google Scholar
  31. 31.
    Henecka, W., Kogl, S., Sadeghi, A.R., Schneider, T., Wehrenberg, I.: TASTY: tool for automating secure two-party computations. In: ACM CCS (2010)Google Scholar
  32. 32.
    Hofmann, O.S., Kim, S., Dunn, A.M., Lee, M.Z., Witchel, E.: InkTag: secure applications on an untrusted operating system. In: ASPLOS (2013)Google Scholar
  33. 33.
    Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. J. Comput. Secur. 6(3), 151–180 (1998)CrossRefGoogle Scholar
  34. 34.
    Holzer, A., Franz, M., Katzenbeisser, S., Veith, H.: Secure two-party computations in ANSI C. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012 (2012)Google Scholar
  35. 35.
    Hu, W.M.: Reducing timing channels with fuzzy time. In: IEEE Computer Society Symposium on Research in Security and Privacy, Proceedings, pp. 8–20, May 1991Google Scholar
  36. 36.
    Huang, Y., Evans, D., Katz, J., Malka, L.: Faster secure two-party computation using garbled circuits. In: USENIX Security Symposium (2011)Google Scholar
  37. 37.
    Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space ASLR. In: IEEE Symposium on Security and Privacy (SP) (2013)Google Scholar
  38. 38.
    Jiang, X., Wang, H.J., Xu, D., Wang, Y.M.: RandSys: thwarting code injection attacks with system service interface randomization. In: 26th IEEE International Symposium on Reliable Distributed Systems, SRDS 2007, pp. 209–218. IEEE (2007)Google Scholar
  39. 39.
    Kc, G.S., Keromytis, A.D., Prevelakis, V.: Countering code-injection attacks with instruction-set randomization. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 272–280. ACM (2003)Google Scholar
  40. 40.
    Keller, M., Scholl, P.: Efficient, oblivious data structures for MPC. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 506–525. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45608-8_27 Google Scholar
  41. 41.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). doi: 10.1007/3-540-48405-1_25 Google Scholar
  42. 42.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). doi: 10.1007/3-540-68697-5_9 Google Scholar
  43. 43.
    Landi, W.: Undecidability of static analysis. ACM Lett. Program. Lang. Syst. 1(4), 323–337 (1992)CrossRefGoogle Scholar
  44. 44.
    Li, X., Hu, H., Bai, G., Jia, Y., Liang, Z., Saxena, P.: DroidVault: a trusted data vault for android devices. In: 19th International Conference on Engineering of Complex Computer Systems (ICECCS), pp. 29–38. IEEE (2014)Google Scholar
  45. 45.
    Liu, C., Harris, A., Maas, M., Hicks, M., Tiwari, M., Shi, E.: GhostRider: A hardware-software system for memory trace oblivious computation. In: Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 87–101. ACM (2015)Google Scholar
  46. 46.
    Liu, C., Hicks, M., Shi, E.: Memory trace oblivious program execution. In: CSF 2013, pp. 51–65 (2013)Google Scholar
  47. 47.
    McCune, J.M., Parnoy, B., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: an execution infrastructure for TCB minimization. In: EuroSys (2008)Google Scholar
  48. 48.
    McKeen, F., Alexandrovich, I., Berenzon, A., Rozas, C.V., Shafi, H., Shanbhogue, V., Savagaonkar, U.R.: Innovative instructions and software model for isolated execution. In: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, HASP (2013)Google Scholar
  49. 49.
    Molnar, D., Piotrowski, M., Schultz, D., Wagner, D.: The program counter security model: automatic detection and removal of control-flow side channel attacks. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 156–168. Springer, Heidelberg (2006). doi: 10.1007/11734727_14 CrossRefGoogle Scholar
  50. 50.
    Osadchy, M., Pinkas, B., Jarrous, A., Moskovich, B.: SCiFI - a system for secure face identification. In: Security and Privacy (2010)Google Scholar
  51. 51.
    Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006). doi: 10.1007/11605805_1 CrossRefGoogle Scholar
  52. 52.
    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). doi: 10.1007/3-540-48910-X_16 Google Scholar
  53. 53.
    Quirk, R., Crystal, D., Education, P.: A Comprehensive Grammar of the English Language, vol. 397. Cambridge University Press, Cambridge (1985)Google Scholar
  54. 54.
    Saxena, P., Poosankam, P., McCamant, S., Song, D.: Loop-extended symbolic execution on binary programs. In: Proceedings of the Eighteenth International Symposium on Software Testing and Analysis, pp. 225–236. ACM (2009)Google Scholar
  55. 55.
    Shacham, H., Page, M., Pfaff, B., Goh, E.J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 298–307. ACM (2004)Google Scholar
  56. 56.
    Shi, E., Chan, T.-H.H., Stefanov, E., Li, M.: Oblivious RAM with O((logN)3) worst-case cost. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 197–214. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25385-0_11 CrossRefGoogle Scholar
  57. 57.
    Shinde, S., Le Tien, D., Tople, S., Saxena, P.: Panoply: Low-TCB linux applications with SGX enclaves. In: NDSS (2017)Google Scholar
  58. 58.
    Stefanov, E., van Dijk, M., Shi, E., Fletcher, C., Ren, L., Yu, X., Devadas, S.: Path oram: an extremely simple oblivious ram protocol. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013 (2013)Google Scholar
  59. 59.
    Stefanov, E., Shi, E., Song, D.: Towards Practical Oblivious RAM. CoRR (2011)Google Scholar
  60. 60.
    Thekkath, D.L.C., Mitchell, M., Lincoln, P., Boneh, D., Mitchell, J., Horowitz, M.: Architectural support for copy and tamper resistant software. In: Proceedings of the Ninth International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS IX (2000)Google Scholar
  61. 61.
    Tople, S., Shinde, S., Chen, Z., Saxena, P.: AUTOCRYPT: enabling homomorphic computation on servers to protect sensitive web content. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013 (2013)Google Scholar
  62. 62.
    Wang, X.S., Chan, T.H., Shi, E.: Circuit ORAM: on tightness of the Goldreich-Ostrovsky lower bound (2014)Google Scholar
  63. 63.
    Wang, X.S., Huang, Y., Chan, T., Shelat, A., Shi, E.: SCORAM: Oblivious RAM for secure computation. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 191–202. ACM (2014)Google Scholar
  64. 64.
    Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: alternative data models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, pp. 133–145. IEEE (1999)Google Scholar
  65. 65.
    Wilhelm, R., Engblom, J., Ermedahl, A., Holsti, N., Thesing, S., Whalley, D., Bernat, G., Ferdinand, C., Heckmann, R., Mitra, T., et al.: The worst-case execution-time problem–overview of methods and survey of tools. ACM Trans. Embed. Comput. Syst. (TECS) 7(3), 36 (2008)Google Scholar
  66. 66.
    Williams, P., Sion, R., Tomescu, A.: PrivateFS: a parallel oblivious file system. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012Google Scholar
  67. 67.
    Wright, C.V., Ballard, L., Coull, S.E., Monrose, F., Masson, G.M.: Spot me if you can: uncovering spoken phrases in encrypted VoIP conversations. In: Proceedings of the 2008 IEEE Symposium on Security and Privacy, SP 2008 (2008)Google Scholar
  68. 68.
    Yao, A.C.: Protocols for secure computations. In: 23rd Annual IEEE Symposium on Foundations of Computer Science (1982)Google Scholar
  69. 69.
    Xu, Y., Cui, W., Peinado, M.: GhostRider: Controlled-channel attacks: deterministic side channels for untrusted operating systems. In: IEEE Security and Privacy 2015 (2015)Google Scholar
  70. 70.
    Zhang, D., Askarov, A., Myers, A.C.: Language-based control and mitigation of timing channels. In: Proceedings of the 33rd ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2012 (2012)Google Scholar
  71. 71.
    Zhang, Y., Steele, A., Blanton, M.: PICCO: a general-purpose compiler for private distributed computation. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013 (2013)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.National University of SingaporeSingaporeSingapore

Personalised recommendations