Constantine: Automatic Side-Channel Resistance Using Efficient Control and Data Flow Linearization

  title={Constantine: Automatic Side-Channel Resistance Using Efficient Control and Data Flow Linearization},
  author={Pietro Borrello and Daniele Cono D'Elia and Leonardo Querzoni and Cristiano Giuffrida},
  journal={Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security},
In the era of microarchitectural side channels, vendors scramble to deploy mitigations for transient execution attacks, but leave traditional side-channel attacks against sensitive software (e.g., crypto programs) to be fixed by developers by means of constant-time programming (i.e., absence of secret-dependent code/data patterns). Unfortunately, writing constant-time code by hand is hard, as evidenced by the many flaws discovered in production side channel-resistant code. Prior efforts to… 

Figures and Tables from this paper

Layered Binary Templating: Efficient Detection of Compiler- and Linker-introduced Leakage
This paper presents a new generic cache template attack technique, LBTA, which uses multiple coarser-grained side channel layers as an extension to cache-line granularity templating to speed up the runtime of cache Templating attacks.
Securing Optimized Code Against Power Side Channels
This paper proposes Secure by Construction Code Generation (SecConCG), a constraint-based compiler approach that generates optimized yet secure code that speeds up the generated code from 10% to 10x compared to non-optimized secure code at a small overhead of up to 7% compared tonon-secure optimized code.
Enforcing fine-grained constant-time policies
This paper develops a systematic, sound, approach for enforcing fine-grained constant-time policies beyond the BL model, and implements the approach in the Jasmin framework for high-assurance cryptography.
Hybrid Pruning: Towards Precise Pointer and Taint Analysis
This paper presents a novel technique called hybrid pruning, where the information collected from a program’s dynamic trace is injected into a static pointer or taint analysis system to enhance its precision.
BliMe: Verifiably Secure Outsourced Computation with Hardware-Enforced Taint Tracking
A machine-checked security proof and an FPGA implementation of BliMe ’s taint tracking policy and it is shown that Bli me-Ibex does not reduce performance rela-tive to the unmodified core, and incurs only minor increases in resource consumption in terms of power, LUTs, and registers.
Cape: compiler-aided program transformation for HTM-based cache side-channel defense
Cape is presented, a compiler analysis and transformation that soundly and automatically protects programs from cache side-channel attacks using Cloak's defense, and provides protection that is as strong as Cloak’s, while performing competitively with Cloak.
Branchless Code Generation for Modern Processor Architectures
This study focuses on a particular optimization, called branchless optimization, which eliminates code branches by utilizing different data transformation techniques that have the same effect and is ranked based on their runtime efficiency.
“They’re not that hard to mitigate”: What Cryptographic Library Developers Think About Timing Attacks
A survey with developers of 27 prominent open-source cryptographic libraries finds that developers are aware of timing attacks and of their potentially dramatic consequences and yet often prioritize other issues over the perceived huge investment of time and resources currently needed to make their code resistant to timing attacks.
Structured Leakage and Applications to Cryptographic Constant-Time and Cost
This work puts forward the idea of structured leakage, which greatly simplifies the definition of leakage transformers that map the leakage of source programs to leakage of their compilation and yields more precise statements about the preservation of security properties.


SVF: interprocedural static value-flow analysis in LLVM
SVF, which is fully implemented in LLVM, allows value-flow construction and pointer analysis to be performed in an iterative manner, thereby providing increasingly improved precision for both.
Eliminating timing side-channel leaks using program repair
The method is implemented in LLVM and validated on a large set of applications, which are cryptographic libraries with 19,708 lines of C/C++ code in total, and ensures that the number of CPU cycles taken to execute any path is independent of the secret data.
MemJam: A False Dependency Attack Against Constant-Time Crypto Implementations
This work proposes MemJam, which utilizes 4K Aliasing to establish a side-channel attack that exploits false dependency of memory read-after-write events and provides a high quality intra cache line timing channel and shows that this side channel can be used to efficiently attack memory dependent cryptographic operations but also to bypass proposed protections.
Path ORAM: an extremely simple oblivious RAM protocol
It is formally proved that Path ORAM requires log^2 N / log X bandwidth overhead for block size B = X log N, and is asymptotically better than the best known ORAM scheme with small client storage.
Raccoon: Closing Digital Side-Channels through Obfuscated Execution
This paper presents a method of defending against a broad class of side-channel attacks, which it is argued about the correctness and security of the compiler transformations and demonstrates that the transformations are safe in the context of a modern processor.
Memory-Safe Elimination of Side Channels
  • Luigi SoaresF. Pereira
  • Computer Science
    2021 IEEE/ACM International Symposium on Code Generation and Optimization (CGO)
  • 2021
This paper shows how to deliver the same runtime guarantees that Wu et al. provide, in a memory-safe way, and proves that the LLVM-based implementation is more efficient than its original inspiration, achieving shorter repairing times, and producing code that is smaller and faster.
Binsec/Rel: Efficient Relational Symbolic Execution for Constant-Time at Binary-Level
This work tackles the problem of designing an efficient binary-level verification tool for CT providing both bug-finding and bounded-verification and discovered that gcc -O0 and backend passes of clang introduce violations of CT in implementations that were previously deemed secure by a state-of-the-art CT verification tool operating at LLVM level.
Practical Mitigations for Timing-Based Side-Channel Attacks on Modern x86 Processors
Two ways in which programs that lack key-dependent control flow and key- dependent cache behavior can still leak timing information on modern x86 implementations such as the Intel Core 2 Duo are demonstrated, and defense mechanisms against them are proposed.
SoK: Using Dynamic Binary Instrumentation for Security (And How You May Get Caught Red Handed)
This work presents the abstraction and inner workings of DBI frameworks, how DBI assisted prominent security research works, and alternative solutions, and makes available to the community a library of detection patterns and stopgap measures that could be of interest to DBI users.
Specfuscator: Evaluating Branch Removal as a Spectre Mitigation
This paper explores a novel principled Spectre mitigation that sits at the other end of the scale: the absence of conditional and indirect branches, and demonstrates the feasibility of Spectre defenses that eliminate branches and indicate good performances.