Verifying Constant-Time Implementations by Abstract Interpretation

  • Sandrine Blazy
  • David Pichardie
  • Alix Trieu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10492)


Constant-time programming is an established discipline to secure programs against timing attackers. Several real-world secure C libraries such as NaCl, mbedTLS, or Open Quantum Safe, follow this discipline. We propose an advanced static analysis, based on state-of-the-art techniques from abstract interpretation, to report time leakage during programming. To that purpose, we analyze source C programs and use full context-sensitive and arithmetic-aware alias analyses to track the tainted flows.

We give semantic evidences of the correctness of our approach on a core language. We also present a prototype implementation for C programs that is based on the CompCert compiler toolchain and its companion Verasco static analyzer. We present verification results on various real-world constant-time programs and report on a successful verification of a challenging SHA-256 implementation that was out of scope of previous tool-assisted approaches.


  1. 1.
    Aciiçmez, O., Koç, Ç.K., Seifert, J.-P.: On the power of simple branch prediction analysis. In: ACM Symposium on Information, Computer and Communications Security (2007)Google Scholar
  2. 2.
    Almeida, J.B., et al.: Verifying constant-time implementations. In: 25th USENIX Security Symposium, USENIX Security 16 (2016)Google Scholar
  3. 3.
    Andrysco, M., et al.: On subnormal floating point and abnormal timing. In: Proceedings of the 2015 IEEE Symposium on Security and Privacy (2015)Google Scholar
  4. 4.
    Barnett, M., et al.: Boogie: a modular reusable verifier for object-oriented programs. In: Proceedings of FMCO 2005 (2005)Google Scholar
  5. 5.
    Barthe, G., et al.: System-level non-interference for constant-time cryptography. In: Conference on Computer and Communications Security (CCS) (2014)Google Scholar
  6. 6.
    Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Public Key Cryptography - PKC 2006: 9th International Conference on Theory and Practice in Public-Key Cryptography (2006)Google Scholar
  7. 7.
    Bernstein, D.J., Lange, T., Schwabe, P.: The security impact of a new cryptographic library. In: International Conference on Cryptology and Information Security in Latin America (2012)Google Scholar
  8. 8.
    Blanchet, B., et al.: A static analyzer for large safety-critical software. In: PLDI (2003)Google Scholar
  9. 9.
    Blazy, S., Laporte, V., Pichardie, D.: An abstract memory functor for verified C static analyzers. In: International Conference on Functional Programming (ICFP 2016) (2016)Google Scholar
  10. 10.
    Bos, J.W., et al.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: IEEE Symposium on Security and Privacy, SP 2015 (2015)Google Scholar
  11. 11.
    Canvel, B., Hiltgen, A., Vaudenay, S., Vuagnoux, M.: Password interception in a SSL/TLS channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-45146-4_34 CrossRefGoogle Scholar
  12. 12.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Symposium on Principles of Programming Languages, POPL 1977 (1977)Google Scholar
  13. 13.
  14. 14.
    Darvas, Á., Hähnle, R., Sands, D.: A theorem proving approach to analysis of secure information flow. In: Proceedings of 2nd International Conference on Security in Pervasive Computing (2005)Google Scholar
  15. 15.
    Denning, D.E.: A lattice model of secure information flow. Commun. ACM 19, 236–243 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  16. 16.
  17. 17.
    Doychev, G., et al.: CacheAudit: a tool for the static analysis of cache side channels. In: USENIX Conference on Security (2013)Google Scholar
  18. 18.
    Al Fardan, N.J., Paterson, K.G.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: Symposium on Security and Privacy (SP 2013) (2013)Google Scholar
  19. 19.
    Feret, J.: Static analysis of digital filters. In: European Symposium on Programming (ESOP 2004) (2004)Google Scholar
  20. 20.
    Hammer, C., Snelting, G.: Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. Int. J. Inf. Sec. 8, 399–422 (2009)CrossRefGoogle Scholar
  21. 21.
    Hedin, D., Sabelfeld, A.: A perspective on information-flow control. In: Software Safety and Security - Tools for Analysis and Verification (2012)Google Scholar
  22. 22.
    Jourdan, J.-H., et al.: A formally-verified C static analyzer. In: Symposium on Principles of Programming Languages, POPL 2015 (2015)Google Scholar
  23. 23.
    Kocher, P.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Advances in Cryptology - CRYPTO 1996 (1996)Google Scholar
  24. 24.
    Lattner, C., Lenharth, A., Adve, V.S.: Making contextsensitive points-to analysis with heap cloning practical for the real world. In: Conference on Programming Language Design and Implementation, PLDI 2007 (2007)Google Scholar
  25. 25.
    Leroy, X.: Formal verification of a realistic compiler. Commun. ACM 52, 107–115 (2009)CrossRefGoogle Scholar
  26. 26.
    mbed TLS (formerly known as PolarSSL).
  27. 27.
    Miné, A.: Field-sensitive value analysis of embedded C programs with union types and pointer arithmetics. In: Conference on Languages, Compilers, and Tools for Embedded Systems (LCTES 2006) (2006)Google Scholar
  28. 28.
    Miné, A.: The octagon abstract domain. In: Higher-Order and Symbolic Computation (2006)Google Scholar
  29. 29.
    Myers, A.C.: JFlow: practical mostly-static information flow control. In: Symposium on Principles of Programming Languages, POPL 1999 (1999)Google Scholar
  30. 30.
    Open Quantum Safe.
  31. 31.
    Pottier, F., Simonet, V.: Information flow inference for ML. ACM Trans. Program. Lang. Syst. 25, 117–158 (2003)CrossRefzbMATHGoogle Scholar
  32. 32.
    Reparaz, O., Balasch, J., Verbauwhede, I.: Dude, is my code constant time. In: Proceedings of DATE 2017 (2017)Google Scholar
  33. 33.
    Rodrigues, B., Quintão Pereira, F.M., Aranha, D.F.: Sparse representation of implicit flows with applications to side-channel detection. In: Compiler Construction (2016)Google Scholar
  34. 34.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21, 5–19 (2003)CrossRefGoogle Scholar
  35. 35.
  36. 36.
    Wheeler, D.J., Needham, R.M.: TEA, a tiny encryption algorithm. In: Fast Software Encryption: Second International Workshop Leuven (1995)Google Scholar
  37. 37.
    Zhao, J.: et al.: Formalizing the LLVM intermediate representation for verified program transformation. In: Symposium on Principles of Programming Languages, POPL 2012 (2012)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.CNRS IRISA - Université Rennes 1 - InriaRennesFrance
  2. 2.CNRS IRISA - ENS Rennes - InriaRennesFrance

Personalised recommendations