DOI: 10.1145/3620665.3640400
Research article, Open access

Avoiding Instruction-Centric Microarchitectural Timing Channels Via Binary-Code Transformations

Published: 27 April 2024

Abstract

With the end of Moore's Law-based scaling, novel microarchitectural optimizations are being patented, researched, and implemented at an increasing rate. Previous research has examined recently published patents and papers and demonstrated ways these upcoming optimizations present new security risks via novel side channels. As these side channels are introduced by microarchitectural optimization, they are not generically solvable in source code.
In this paper, we build program analysis and transformation tools for automatically mitigating the security risks introduced by future instruction-centric microarchitectural optimizations. We focus on two classes of optimizations that are not yet deployed: silent stores and computation simplification. Silent stores are known to leak secret data being written to memory by dropping in-flight stores that will have no effect. Computation simplification is known to leak operands to arithmetic instructions by shortcutting trivial computations at execution time. This presents problems that classical constant-time techniques cannot handle: register spills, address calculations, and the micro-ops of complex instructions are all potentially leaky. To address these problems, we design, implement, and evaluate a process and tool, cio, for detecting and mitigating these types of side channels in cryptographic code. cio is a backstop, providing verified mitigation for novel microarchitectural side channels when more specialized and efficient hardware or software tools, such as microcode patches, are not yet available.
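To make the silent-store leak concrete, here is an added example (not code from the paper or from the cio tool): a toy model of silent-store elision applied to a branch-free constant-time select, showing that the number of stores reaching memory depends on the secret bit, together with an illustrative pre-store mitigation that makes the count secret-independent. The mitigation and the function names are assumptions for this example, not cio's actual transformation.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model of a silent-store optimization: a store whose value already matches
   memory is dropped. We count stores that actually reach memory; on hardware
   with this optimization that count would surface as a timing difference. */
static size_t g_stores_performed;

static void model_store(uint8_t *dst, uint8_t v) {
    if (*dst != v) { *dst = v; g_stores_performed++; }   /* silent case elided */
}

/* Branch-free equality: 1 if a == b, else 0 (only d == 0 borrows into bit 31). */
static uint8_t ct_eq8(uint8_t a, uint8_t b) {
    return (uint8_t)(((uint32_t)(a ^ b) - 1u) >> 31);
}

/* Constant-time select out[i] = secret_bit ? a[i] : b[i]. With hardened == 0 this
   is the classic branch-free version: every store may be silent, so the store
   count (timing) depends on whether the selected value equals what was already
   in out. With hardened != 0 an illustrative mitigation is applied (an assumption
   for this example, not cio's actual transform): first write a scratch value x
   that differs from both the old contents and the new value, so neither store
   can ever be silent. Returns the number of stores that reached memory. */
size_t ct_select(uint8_t *out, const uint8_t *a, const uint8_t *b, size_t n,
                 uint8_t secret_bit, int hardened) {
    uint8_t mask = (uint8_t)(0 - (secret_bit & 1));
    g_stores_performed = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t v = (uint8_t)((mask & a[i]) | (~mask & b[i]));
        if (hardened) {                      /* public flag, not secret-dependent */
            uint8_t old = out[i];
            /* x = old ^ 1, unless that equals v, then x = old ^ 2 */
            uint8_t x = (uint8_t)(old ^ (uint8_t)(1 + ct_eq8((uint8_t)(old ^ 1), v)));
            model_store(&out[i], x);         /* never silent: x != old */
        }
        model_store(&out[i], v);             /* hardened: never silent, x != v */
    }
    return g_stores_performed;
}

/* Constructed sample: out starts equal to a, so selecting a makes every naive
   store silent (0 stores) while selecting b performs all 4. Hardened: always 8. */
size_t demo_store_count(uint8_t secret_bit, int hardened) {
    const uint8_t a[4] = {1, 2, 3, 4}, b[4] = {5, 6, 7, 8};
    uint8_t out[4] = {1, 2, 3, 4};
    return ct_select(out, a, b, 4, secret_bit, hardened);
}
```

The scratch-store approach doubles the number of stores, which is the kind of cost the abstract's "backstop" framing accepts until a cheaper hardware or microcode fix exists.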


Published In

ASPLOS '24: Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2
April 2024, 1299 pages
ISBN: 9798400703850
DOI: 10.1145/3620665
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States
