Human-on-the-Loop Automation for Detecting Software Side-Channel Vulnerabilities

  • Ganesh Ram Santhanam
  • Benjamin Holland
  • Suresh Kothari
  • Nikhil Ranade
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10717)


Software side-channel vulnerabilities (SSCVs) allow an attacker to gather secrets by observing the differential in the time or space required for executing the program for different inputs. Detecting SSCVs is like searching for a needle in a haystack, not knowing what the needle looks like. Detecting SSCVs requires automation that supports systematic exploration to identify vulnerable code, formulation of plausible side-channel hypotheses, and gathering evidence to prove or refute each hypothesis. This paper describes human-on-the-loop automation to empower analysts to detect SSCVs. The proposed automation is founded on novel ideas for canonical side-channel patterns, program artifact filters, and parameterized program graph models for efficient, accurate, and interactive program analyses. The detection process is exemplified through a case study. The paper also presents metrics that bring out the complexity of detecting SSCVs.



We thank our colleagues from Iowa State University and EnSoft for their help with this paper. Dr. Kothari is the founder President and a financial stakeholder in EnSoft.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Ganesh Ram Santhanam (1)
  • Benjamin Holland (1)
  • Suresh Kothari (1)
  • Nikhil Ranade (2)
  1. Iowa State University, Ames, USA
  2. Ensoft Corp., Ames, USA
