Adversarial symbolic execution for detecting concurrency-related cache timing leaks

@article{Guo2018AdversarialSE,
  title={Adversarial symbolic execution for detecting concurrency-related cache timing leaks},
  author={Shengjian Guo and Meng Wu and Chao Wang},
  journal={Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering},
  year={2018}
}
  • Shengjian Guo, Meng Wu, Chao Wang
  • Published 9 July 2018
  • Computer Science
  • Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
The timing characteristics of cache, a high-speed storage between the fast CPU and the slow memory, may reveal sensitive information of a program, thus allowing an adversary to conduct side-channel attacks. Existing methods for detecting timing leaks either ignore cache altogether or focus only on passive leaks generated by the program itself, without considering leaks that are made possible by concurrently running some other threads. In this work, we show that timing-leak-freedom is not a…
SPECUSYM: Speculative Symbolic Execution for Cache Timing Leak Detection
TLDR
This work proposes a new symbolic execution based method, SpecuSym, for precisely detecting cache timing leaks introduced by speculative execution, and implements SpecuSym atop KLEE, which successfully detected from 2 to 61 leaks in 6 programs under 3 different cache settings.
Eliminating timing side-channel leaks using program repair
TLDR
The method is implemented in LLVM and validated on a large set of applications, which are cryptographic libraries with 19,708 lines of C/C++ code in total, and ensures that the number of CPU cycles taken to execute any path is independent of the secret data.
Exposing cache timing side-channel leaks through out-of-order symbolic execution
TLDR
Presents a symbolic execution-based technique, named SymO3, for exposing cache timing leaks in the context of out-of-order execution, and finds that, in general, program transformations from compiler optimizations shrink the surface for timing leaks.
Mitigating power side channels during compilation
TLDR
A type-based technique for detecting leaks, which leverages Datalog-based declarative analysis and domain-specific optimizations to achieve high efficiency and accuracy and a mitigation technique for the compiler's backend, more specifically the register allocation modules, to ensure that leaky intermediate computation results are stored in different CPU registers or memory locations.
Identifying Cache-Based Side Channels through Secret-Augmented Abstract Interpretation
TLDR
A novel static analysis method on binaries to detect cache-based side channels and proposes a novel abstract domain called the Secret-Augmented Symbolic domain (SAS), which tracks program secrets and dependencies on them for precision, while it tracks only coarse-grained public information for scalability.
ConcSpectre: Be Aware of Forthcoming Malware Hidden in Concurrent Programs
TLDR
This paper presents concurrent program spectre (ConcSpectre), a new security threat that hides malware in non-deterministic thread interleavings, and develops a stealth malware technique called Concurrent Logic Bomb (CLB), which bypassed most of the anti-virus engines in VirusTotal and four well-known online dynamic malware analysis systems.
JVM Fuzzing for JIT-Induced Side-Channel Detection
TLDR
The results directly contradict the conclusions of four separate state-of-the-art program analysis tools for side-channel detection and demonstrate that JIT-induced side channels are prevalent and can be detected automatically.
Data-Driven Debugging for Functional Side Channels
TLDR
A functional extension of standard decision tree learning to pinpoint the code fragments causing a side channel if there is one and empirically evaluates the performance of the tool FUCHSIA on a series of micro-benchmarks and realistic Java programs.
Data-Driven Synthesis of Provably Sound Side Channel Analyses
TLDR
This work proposes a data-driven method for synthesizing static analyses to detect side-channel information leaks in cryptographic software and guarantees soundness by proving each learned analysis rule via a technique called query containment checking.
Abstract interpretation under speculative execution
TLDR
The notion of virtual control flow is introduced to augment instructions that may be speculatively executed and thus affect subsequent instructions, and, to make the analysis efficient, ways to handle merges and loops and to safely bound the speculative execution depth are proposed.

References

SHOWING 1-10 OF 65 REFERENCES
Eliminating timing side-channel leaks using program repair
TLDR
The method is implemented in LLVM and validated on a large set of applications, which are cryptographic libraries with 19,708 lines of C/C++ code in total, and ensures that the number of CPU cycles taken to execute any path is independent of the secret data.
CacheD: Identifying Cache-Based Timing Channels in Production Software
TLDR
This work proposes a novel technique to help software developers identify potential vulnerabilities that can lead to cache-based timing attacks, implements the proposed technique as a practical tool named CacheD (Cache Difference), and evaluates it on multiple real-world cryptosystems.
Quantifying the information leak in cache attacks via symbolic execution
TLDR
At the core of CHALICE is a novel approach to quantify information leak that can highlight critical cache side-channel leaks on arbitrary binary code.
Automatic Quantification of Cache Side-Channels
TLDR
A novel method for automatically deriving upper bounds on the amount of information about the input that an adversary can extract from a program by observing the CPU's cache behavior, using a novel technique for efficient counting of concretizations of abstract cache states.
Testing Cache Side-Channel Leakage
TLDR
The proposed test generation methodology systematically explores the program input space and adapts based on the cache performance observed in the executed tests, which effectively reveals cache side-channel leakage in such real-world programs.
Eliminating Cache-Based Timing Attacks with Instruction-Based Scheduling
TLDR
This paper implements instruction-based scheduling, a new kind of scheduler that is indifferent to timing perturbations from underlying hardware components, such as the cache, TLB, and CPU buses, and shows this scheduler is secure against cache-based internal timing attacks for applications using a single CPU.
CacheAudit: A Tool for the Static Analysis of Cache Side Channels
TLDR
The results obtained exhibit the influence of cache size, line size, associativity, replacement policy, and coding style on the security of the executables and include the first formal proofs of security for implementations with countermeasures such as preloading and data-independent memory access patterns.
Decomposition instead of self-composition for proving the absence of timing channels
We present a novel approach to proving the absence of timing channels. The idea is to partition the program's execution traces in such a way that each partition component is checked for timing attack
SMT-Based Verification of Software Countermeasures against Side-Channel Attacks
TLDR
This work proposes the first SMT solver based method for formally verifying the security of countermeasures against side-channel attacks, and encodes this verification problem into a series of quantifier-free first-order logic formulas, whose satisfiability can be decided by an off-the-shelf SMT solver.
Multi-run Side-Channel Analysis Using Symbolic Execution and Max-SMT
TLDR
A program analysis that uses symbolic execution to quantify the information that is leaked to an attacker who makes multiple side-channel measurements is described, showing how to obtain tight bounds on information leakage under a small number of attack steps.