skip to main content
10.1145/2892208.2892230acmconferencesArticle/Chapter ViewAbstractPublication PagesccConference Proceedingsconference-collections
research-article

Sparse representation of implicit flows with applications to side-channel detection

Published: 17 March 2016 Publication History

Abstract

Information flow analyses traditionally use the Program Dependence Graph (PDG) as a supporting data-structure. This graph relies on Ferrante et al.'s notion of control dependences to represent implicit flows of information. A limitation of this approach is that it may create O(|I| x |E|) implicit flow edges in the PDG, where I are the instructions in a program, and E are the edges in its control flow graph. This paper shows that it is possible to compute information flow analyses using a different notion of implicit dependence, which yields a number of edges linear on the number of definitions plus uses of variables. Our algorithm computes these dependences in a single traversal of the program's dominance tree. This efficiency is possible due to a key property of programs in Static Single Assignment form: the definition of a variable dominates all its uses. Our algorithm correctly implements Hunt and Sands system of security types. Contrary to their original formulation, which required O(IxI) space and time for structured programs, we require only O(I). We have used our ideas to build FlowTracker, a tool that uncovers side-channel vulnerabilities in cryptographic algorithms. FlowTracker handles programs with over one-million assembly instructions in less than 200 seconds, and creates 24% less implicit flow edges than Ferrante et al.'s technique. FlowTracker has detected an issue in a constant-time implementation of Elliptic Curve Cryptography; it has found several time-variant constructions in OpenSSL, one issue in TrueCrypt and it has validated the isochronous behavior of the NaCl library.

References

[1]
O. Aciic¸mez, c. K. Koc¸, and J.-P. Seifert. On the power of simple branch prediction analysis. In ASIACCS, pages 312–320. ACM, 2007.
[2]
J. Agat. Transforming out timing leaks. In POPL, pages 40–53. ACM, 2000.
[3]
J. B. Almeida, M. Barbosa, J. S. Pinto, and B. Vieira. Formal verification of side-channel countermeasures using self-composition. Science of Computer Programming, 78(7):796–812, 2013.
[4]
A. W. Appel and J. Palsberg. Modern Compiler Implementation in Java. Cambridge University Press, 2nd edition, 2002.
[5]
G. Barthe, D. Pichardie, and T. Rezk. A certified lightweight noninterference Java bytecode verifier. Mathematical Structures in Computer Science, 23(5):1032–1081, 2013.
[6]
D. J. Bernstein. Cache-timing attacks on AES, 2004. URL: http://cr.yp.to/papers.html#cachetiming.
[7]
D. J. Bernstein. Curve25519: new Diffie-Hellman speed records. In PKC, pages 207–228. Springer, 2006.
[8]
D. J. Bernstein, T. Lange, and P. Schwabe. The security impact of a new cryptographic library. In Progress in Cryptology – LATINCRYPT, pages 159–176. Springer, 2012.
[9]
G. Bian, K. Nakayama, Y. Kobayashi, and M. Maekawa. Java bytecode dependence analysis for secure information flow. I. J. Network Security, 4(1):59–68, 2007.
[10]
B. Boissinot, S. Hack, D. Grund, B. D. de Dinechin, and F. Rastello. Fast liveness checking for SSA-form programs. In CGO, pages 35–44. IEEE, 2008.
[11]
J.-D. Choi, R. Cytron, and J. Ferrante. Automatic construction of sparse data flow evaluation graphs. In POPL, pages 55–66. ACM, 1991.
[12]
R. Cytron, J. Ferrante, and V. Sarkar. Compact representations for control dependence. In PLDI, pages 337–351. ACM, 1990.
[13]
R. Cytron, J. Ferrante, B. Rosen, M. Wegman, and F. Zadeck. Efficiently computing static single assignment form and the control dependence graph. TOPLAS, 13(4):451–490, 1991.
[14]
D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Commun. ACM, 20:504–513, 1977.
[15]
H. Eldib, C. Wang, M. Taha, and P. Schaumont. QMS: Evaluating the side-channel resistance of masked software from source code. In DAC, pages 209:1–209:6. ACM, 2014.
[16]
J. Ferrante, K. J. Ottenstein, and J. D. Warren. The program dependence graph and its use in optimization. TOPLAS, 9(3):319–349, 1987.
[17]
C. Hammer and G. Snelting. Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. Int. J. Inf. Secur., 8(6):399–422, 2009.
[18]
C. Hammer, J. Krinke, and F. Nodes. Intransitive noninterference in dependence graphs. In ISOLA, pages 119–128. IEEE, 2006.
[19]
S. Horwitz, J. Prins, and T. Reps. On the adequacy of program dependence graphs for representing programs. In POPL, pages 146– 157. ACM, 1988.
[20]
Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In WWW, pages 40–51, 2004.
[21]
S. Hunt and D. Sands. On flow-sensitive security types. In POPL, pages 79–90. ACM, 2006.
[22]
R. Johnson and K. Pingali. Dependence-based program analysis. In PLDI, pages 78–89. ACM, 1993.
[23]
R. Johnson, D. Pearson, and K. Pingali. The program tree structure. In PLDI, pages 171–185. ACM, 1994.
[24]
P. C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In CRYPTO, pages 104–113. Springer, 1996.
[25]
C. Lattner and V. S. Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In CGO, pages 75––88. IEEE, 2004.
[26]
J. L´opez and R. Dahab. Fast Multiplication on Elliptic Curves over GF(2 m ) without Precomputation. In CHES, volume 1717 of LNCS, pages 316–327. Springer, 1999.
[27]
S. Lortz, H. Mantel, A. Starostin, T. Bähr, D. Schneider, and A. Weber. Cassandra: Towards a certifying app store for android. In SPSM, pages 93–104. ACM, 2014.
[28]
A. Lux and A. Starostin. A tool for static detection of timing channels in java. Journal of Cryptographic Engineering, 1(4):303–313, 2011.
[29]
D. Molnar, M. Piotrowski, D. Schultz, and D. Wagner. The program counter security model: Automatic detection and removal of controlflow side channel attacks. In ICISC, pages 156–168. Springer, 2006.
[30]
H. Oh, K. Heo, W. Lee, W. Lee, and K. Yi. Design and implementation of sparse global analyses for c-like languages. In PLDI, pages 1–11. ACM, 2012.
[31]
T. Oliveira, J. L´opez, D. F. Aranha, and F. Rodr´ıguez-Henr´ıquez. Two is the fastest prime: lambda coordinates for binary elliptic curves. J. Cryptographic Engineering, 4(1):3–17, 2014.
[32]
D. A. Osvik, A. Shamir, and E. Tromer. Cache attacks and countermeasures: the case of AES. In Topics in Cryptology–CT-RSA, pages 1–20. Springer, 2006.
[33]
K. J. Ottenstein, R. A. Ballance, and A. B. MacCabe. The program dependence web: a representation supporting control-, data-, and demand-driven interpretation of imperative languages. In PLDI, pages 257–271. ACM, 1990.
[34]
F. M. Q. Pereira and J. Palsberg. SSA elimination after register allocation. In CC, pages 158 – 173, 2009.
[35]
K. Pingali and G. Bilardi. Optimal control dependence computation and the roman chariots problem. In TOPLAS, pages 462–491. ACM, 1997.
[36]
V. P. Ranganath, T. Amtoft, A. Banerjee, J. Hatcliff, and M. B. Dwyer. A new foundation for control dependence and slicing for modern program structures. TOPLAS, 29(5), 2007.
[37]
F. Rastello. SSA-based Compiler Design. Springer, 1st edition, 2015.
[38]
T. Reps and W. Yang. The semantics of program slicing. Technical report, University of Wisconsin – Madison, 1988.
[39]
A. Rimsa, M. d’Amorim, F. M. Q. Pereira, and R. da Silva Bigonha. Efficient static checker for tainted variable attacks. Sci. Comput. Program., 80:91–105, 2014.
[40]
A. Russo and A. Sabelfeld. Dynamic vs. static flow-sensitive security analysis. In CSF, pages 186–199. IEEE Computer Society, 2010.
[41]
G. Snelting. Combining slicing and constraint solving for validation of measurement software. In SAS, pages 332–348. Springer, 1996.
[42]
V. C. Sreedhar and G. R. Gao. A linear time algorithm for placing φ-nodes. In POPL, pages 62–73. ACM, 1995.
[43]
V. C. Sreedhar, R. D. ching Ju, D. M. Gillies, and V. Santhanam. Translating out of static single assignment form. In SAS, pages 194– 210. Springer, 1999.
[44]
M. Taghdiri, G. Snelting, and C. Sinz. Information flow analysis via path condition refinement. In FAST, pages 65–79. Springer, 2011.
[45]
A. Tavares, B. Boissinot, F. Pereira, and F. Rastello. Parameterized construction of program representations for sparse dataflow analyses. In CC, pages 2–21. Springer, 2014.
[46]
D. Wasserrab, D. Lohner, and G. Snelting. On pdg-based noninterference and its modular proof. In PLAS, pages 31–44. ACM, 2009.
[47]
Y. Yarom and N. Benger. Recovering openssl ECDSA nonces using the FLUSH+RELOAD cache side-channel attack. Cryptology ePrint Archive, Report 2014/140, 2014. http://eprint.iacr.org/.
[48]
R. Zhang, S. Huang, Z. Qi, and H. Guan. Combining static and dynamic analysis to discover software vulnerabilities. In IMIS, pages 175–181. IEEE Computer Society, 2011.
[49]
J. Zhao, S. Nagarakatte, M. M. K. Martin, and S. Zdancewic. Formal verification of ssa-based optimizations for llvm. In PLDI, pages 175– 186. ACM, 2013.

Cited By

View all

Index Terms

  1. Sparse representation of implicit flows with applications to side-channel detection

      Recommendations

      Comments

      Information & Contributors

      Information

      Published In

      cover image ACM Conferences
      CC '16: Proceedings of the 25th International Conference on Compiler Construction
      March 2016
      270 pages
      ISBN:9781450342414
      DOI:10.1145/2892208
      • General Chair:
      • Ayal Zaks,
      • Program Chair:
      • Manuel Hermenegildo
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Sponsors

      In-Cooperation

      • IEEE-CS: Computer Society

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 17 March 2016

      Permissions

      Request permissions for this article.

      Check for updates

      Author Tags

      1. Information flow
      2. SSA
      3. implicit flows
      4. sparse analyses

      Qualifiers

      • Research-article

      Conference

      CGO '16

      Contributors

      Other Metrics

      Bibliometrics & Citations

      Bibliometrics

      Article Metrics

      • Downloads (Last 12 months)56
      • Downloads (Last 6 weeks)4
      Reflects downloads up to 27 Dec 2024

      Other Metrics

      Citations

      Cited By

      View all

      View Options

      Login options

      View options

      PDF

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Media

      Figures

      Other

      Tables

      Share

      Share

      Share this Publication link

      Share on social media