Formal reasoning about programs executing in virtual memory is a difficult problem, as it is an environment in which writing to memory can change its layout. Current approaches rely on entering special modes or making high level assertions about the. Although our valuedependent noninterference property is timingsensitive, our attacker model may differ from some of this other work in that we consider only the threads of a concurrent system that are verified to cooperate with the locking. We will also see that it is possible to achieve this level of security. Nov 30, 2017 this work focuses on the study of constanttime implementations. Introduction to programming languages is designed to formalize and consolidate the knowledge of programming languages gained in the introductory courses a computer science curriculum and to provide a base for further studies in the semantics and translation of. Towards ending kernel hardening wars with split kernel anil kurmus and robby. Testing cache sidechannel leakage sudipta chattopadhyay. Bos,halderman,heninger,moore,naehrig,wustrow elliptic curve cryptography in practice. Systemlevel noninterference of constanttime cryptography. However, there is no rigorous analysis of stealth memory and sconstanttime, and no tool support for checking if applications are sconstanttime. In this session, two papers on cryptography have been included for the first time in esorics. Automated proof and flawfinding tools in cryptography.
The android security model resembles a multiuser server, rather than the sandbox model found on jme platform. The spectrum of coverage ranges from the presentation of a new inference rule with proof of its logical properties to a detailed account of a computer program designed to solve various problems in industry. Verification of programs in virtual memory using separation. At the linux system level, android is a multiprocess system. Keywords microarchitectural leakage, constant time, side channel, cache at. Systemlevel non interference for constanttime cryptography conference paper pdf available november 2014 with 159 reads how we measure reads. Computer security esorics 98, 5 conf pdf free download. Aaby introduction to programming language free ebook download as pdf file. Cryptographic constanttime security is indeed usually stated as a non interference property. Systemlevel non interference of constanttime cryptography. Stealth memory induces a weak form of constanttime, called.
Sconstanttime programs do not leak confidential information through the cache to other operating systems executing concurrently on. Systemlevel noninterference for constanttime cryptography. Gilles barthe, gustavo betarte, juan diego campo, carlos luna, and david pichardie. The portable document format pdf is the defacto standard for document exchange worldwide. Computeraided security proofs for the working cryptographer. Focusing on security, android combines two levels, linux system and application framework level, of enforcement 26, 27. In gailjoon ahn, moti yung, and ninghui li, lattice model for static analysis of programs by construction or editors, acm ccs 14, pages 12671279. Several public and private services ranging from governments, public enterprises, banks, and payment services rely on the security of pdf signatures.
Synthesis of fault attacks on cryptographic implementations. Our results provide the first rigorous analysis of stealth memory and sconstanttime, and the first tool support for. Verifying constanttime implementations by abstract. Inserted 57 8955 21 temperature sensor is muxed with the cryptography modules. This work focuses on the study of constanttime implementations. Formal analysis of security models for mobile devices. Acm sigsac conference on computer and communications security, ccs14, nov 2014, scottsdale, united states. One recent such mechanism is stealth memory, which provisions a small amount of private cache for programs.
Adjusted compcert preserves constanttime coq proof jasmin preserves constanttime paper proof constanttime implies systemlevel security6 6gilles barthe, gustavo betarte, juan diego campo, carlos daniel luna, david pichardie. Inserted 24 2651 20 cryptographic key for aes stored in unprotected memory. Anonymity and non interference can be reduced to opacity using a proper encodc ing 2. To guarantee the authenticity and integrity of documents, digital signatures are used. We show how a multiview of the rendering data can ensure good batching of rendering primitives and comfortable constant time access. Native 1 4 18 non functioning cryptography module causes dos. Cachebased attacks are a class of sidechannel attacks that are particularly effective in virtualized or cloudbased environments, where.
Categories and subject descriptors according to acm ccs. Systemlevel non interference for constanttime cryptography full version. Gilles barthe and gustavo betarte and juan diego campo and carlos luna and david pichardie. The throughput of dividiv r32 varies with the number of. Acm transactions on information and system security. Systemlevel non interference for constanttime cryptography gilles barthe, gustavo betarte, juan diego campo, carlos luna and david pichardie. Gilles barthe, francois dupressoir, pierrealain fouque, benjamin gregoire, jeanchristophe zapalowicz. Principles of modern cryptography alexis bonnecaze. Unlike many prior attacks on rsa, we do not assume. Stealth memory induces a weak form of constanttime, called sconstanttime, which encompasses some widely used cryptographic implementations.
Systemlevel non interference for constanttime cryptography acm ccs 14, gailjoon ahn, moti yung, and ninghui li eds. At the same time, correctly reasoning about virtual memory is essential to operating system verification, a field we are very much interested in. Setbased models for cryptocurrency software gustavo betarte1, maximiliano cristi. In acm sigsac conference on computer and communications security, ccs14. An alternative approach is to rely on systemlevel mechanisms. They avoid branchings controlled by secret data as an attacker could use timing attacks, which are a broad class of sidechannel attacks that measure different execution times of a program in order to infer some of its secret values 1,17,27,32. This works by taking the operational semantics of the considered language, and instrumenting it by adding leakages or observations to step taken by instructions that can be compiled to some sort of jump or memory accesses. A framework for finding side channels in binaries arxiv. In cryptography, a timing attack is a sidechannel attack in which the attacker attempts to. Computer and communications security ccs 10, 2010, pp.
Securing justintime compilation using modular controlflow integrity ben niu and gang tan. A singledecryption embased attack on openssls constanttime. Gilles barthe, gustavo betarte, juan diego campo, carlos daniel luna, and david pichardie. In this section we instantiate observational noninterference.
Systemlevel non interference for constanttime cryptography. Verifying constanttime implementations michael emmi. By gilles barthe, gustavo betarte, juan diego campo. Perthread compositional compilation for confidentiality. Stealth memory induces a weak form of constant time, called s constant time, which encompasses some widely used cryptographic implementations. The interdisciplinary journal of automated reasoning balances theory, implementation and application. These policies can then be verified formally using type systems. Avoidance of timing attacks involves design of constanttime functions and.
Systemlevel non interference for constanttime cryptography gilles barthe1, gustavo betarte 2, juan diego campo, carlos luna2, and david pichardie3 1 imdea software, madrid, spain. Towards constanttime foundations for the new spectre era. While previously, we had considered that cryptography papers should be submitted to conferences dedicated to cryptography, these two papers have been accepted because security people can learn from them the risks that can be raised by naive. In proceedings of the 2014 acm sigsac conference on computer and communications security. Our results provide the first rigorous analysis of stealth memory and s constant time, and the first tool support for checking if applications are s constant time. Systemlevel non interference for constanttime cryptography full version, 2014. Sandrine blazy joint work with gilles barthe, vincent laporte. Inserted 24 2651 19 insecure hash function in the cryptography module.
Systemlevel non interference for constanttime cryptography full version technical report pdf available june 2014 with 120 reads how we measure reads. Cachebased attacks are a class of sidechannel attacks that are particularly e ective in. To protect their implementations, cryptographers follow a very strict programming discipline called constant time programming. Even physical layer communication security technologies, like the kljn cipher, quantum cryptography, and spreadspectrum communication, use cryptography in one way or another. Systemlevel non interference for constanttime cryptography by gilles barthe, gustavo betarte, juan diego campo, carlos luna and david pichardie no static citation data no static citation data cite. If the adversary can modify network communication, then it must have its integrity protected and be authenticated that is, to have the source identified. Conference on computer and communications security ccs, 2014. Systemlevel non interference for constant 18 patrick cousot and radhia cousot.
55 490 968 434 4 37 779 845 681 1130 434 1259 79 184 218 892 1054 1430 1056 92 719 1550 458 1266 194 1203 1410 645 1038 439 893 1111 1056 326 293 1399 511 929 1416 530