Decomposition Instead of Self- Composition for Proving the Absence of Timing Channels

Size: px

Start display at page:

Download "Decomposition Instead of Self- Composition for Proving the Absence of Timing Channels"

Sharleen Carter
6 years ago
Views:

1 Decomposition Instead of Self- Composition for Proving the Absence of Timing Channels PLDI June 20th, 2017 Timos Antonopoulos, Yale Paul Gazzillo, Yale Michael Hicks, UMD Eric Koskinen, Yale Tachio Terauchi, JAIST Shiyi Wei, UMD

2 Side-channel attacks Applications contain secrets like passwords Side channels can leak such secrets indirectly Side channel of interest: running time 2

$boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.$

3 boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else return false; Number of loop iterations reveals correct character count boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; return (correct_chars == real_pwd.length) && matches; 3

$boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.$

4 boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else return false; correct_chars += 0; boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; Loop iterations now independent of correct characters return (correct_chars == real_pwd.length) && matches; 4

values for each traces Running time does not depend on secret Any two

5 Timing Channel Freedom π1,π2. in(π1)[low] = in(π2)[low] time(π1) = time(π2) ± c This means low input values for each traces Running time does not depend on secret Any two traces have roughly same running time for same low input A 2-safety property, i.e., must relate pairs of traces to prove property 5

6 Self-Composition boolean chpass(real_pwd_a, real_pwd_b, input_pwd_a, input_pwd_b,...) { assume(input_pwd_a == input_pwd_b); assume(new_pwd_a == new_pwd_b);... result_a = result_b = boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else correct_chars += 0; boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; return (correct_chars == real_pwd.length) && matches; boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else correct_chars += 0; boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; return (correct_chars == real_pwd.length) && matches; Describes all pairs of traces Analyze composite program Use non-relational analysis Discovering invariants between distinct programs can be challenging for many verifiers assert(equivalent(time_a, time_b)) 6

7 Reframe Timing Channel Freedom π1,π2. in(π1)[low] = in(π2)[low] time(π1) = time(π2) ± c Function of public inputs only Non-relational: in terms of one trace Implies timing channel freedom, a relational property f. π. time(π) = f (in(π)[low]) ± c 7

8 Prove with Running Time Analysis for (int i = 0; i < new_pwd.length; i++) { matches = matches && (new_pwd[i] == new_pwd_confirm[i]); Static Running Time Analysis time(π) = f (in(π)[new_pwd]) = new_pwd.length Finds running time function f Implies timing channel freedom 8

9 Finding f Is Hard Programs can have nested conditionals and loops Many branches on public inputs At any program point In loop headers f can be piecewise with complex cases f = { { { { { 9

10 f = { input_pwd.len * 2 + new_pwd.len * input_pwd.len * if new_pwd.len == new_pwd_confirm.len if new_pwd.len!= new_pwd_confirm.len boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else correct_chars += 0; boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; Piecewise function with complex cases Running time analysis can t do this well return (correct_chars == real_pwd.length) && matches; 10

$new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.$

11 Partition the Program Prove freedom of partitions alone Must choose partitions carefully Prove safety of partitions separately Implies safety of complete program boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else correct_chars += 0; boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches in(π1)[low] = false;!= in(π2)[low] return (correct_chars == real_pwd.length) && matches; 11

12 Key Idea Solve a relational problem by proving a non-relational property about each trace in each partition, for properly chosen partitions. 12

13 Contributions Technique to prove timing channel freedom by decomposition Generalization to k-safety properties Implementation of verificaton of timing channel freedom in the Blazer tool with an evaluation 13

14 Safety Proving Algorithm Java program Refine Partitions Partition on public input branches Find source of leak Use taint analysis to get non-secret branches Use static running time bounds analysis Taint Analysis Check Safety Exists running time function? Iteratively partition and check safety Continue partitioning until all partitions safe Find source of leak Proven safe 14

15 Algorithm in Action: Check Safety boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else correct_chars += 0; boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; Entire Program Running time analysis Lower: input_pwd.len * 2 + new_pwd.len * Upper: input_pwd.len * Secret-dependent running time could sit between upper and lower return (correct_chars == real_pwd.length) && matches; 15

16 Algorithm in Action: Refine Partitions boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else correct_chars += 0; boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; If Branch Partition Entire Program Else Branch Partition return (correct_chars == real_pwd.length) && matches; 16

$Algorithm in Action: Check New Partitions boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.$

17 Algorithm in Action: Check New Partitions boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else correct_chars += 0; boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; return (correct_chars == real_pwd.length) && matches; If Branch Partition Running time analysis Lower: input_pwd.len * 2 + new_pwd.len * Upper: input_pwd.len * 2 + new_pwd.len* Tight running time bounds means safe partition Entire Program Else Branch Partition 17

$Algorithm in Action: Check New Partitions boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.$ $length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; return (correct_chars == real_pwd.$

18 Algorithm in Action: Check New Partitions boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else correct_chars += 0; boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; return (correct_chars == real_pwd.length) && matches; If Branch Partition Running time analysis Lower: input_pwd.len * Upper: input_pwd.len * Entire Program Tight running time bounds means safe partition Else Branch Partition 18

$Algorithm in Action: Whole Program Safety boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars Safety = 0; of all partitions means for(int i = 0; i < input_pwd.$

19 Algorithm in Action: Whole Program Safety boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars Safety = 0; of all partitions means for(int i = 0; i < input_pwd.length; whole program is safe i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else correct_chars += 0; boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; If Branch Partition Entire Program Else Branch Partition return (correct_chars == real_pwd.length) && matches; 19

20 General k-safety Properties 20

21 k-safety Properties E.g., for 2-safety consider all pairs of traces in(π1)[low] = in(π2)[low] time(π1) = time(π2) ± c Reason about combinations of k traces To disprove k-safety, you need k traces 21

22 Relational by Property Sharing For a k-safety property q, RBPS(P,q) = time(π) = f (in(π)[low]) ± c in(π1)[low] = in(π2)[low] time(π1) = time(π2) ± c 22

23 y-quotient Partitioning is a y-quotient partition provided that: = {T 1, T 2, T 3 in(π1)[low] = in(π2)[low] time(π1) = time(π2) ± c A k-safety property F can be partitioned in this way if in(π1)[low] = in(π2)[low] 23

24 Soundness Theorem (Proof in paper) 24

25 Other k-safety Properties Determinism Relaxed timing channel freedom 25

26 Identifying Leaks 26

27 Safety Proving Algorithm Java program Refine Partitions Partition on public input branches Find source of leak Taint Analysis Check Safety Exists running time function? Proven safe 27

28 Leak Identification Algorithm Java program Refine Partitions Partition on public input branches Find source Refine Partitions of Partition leak on secret input branches No more secret branches Taint Analysis Check Safety Exists running time function? Check Leak Find different running times Proven safe Potential leak 28

$Algorithm in Action boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.$

29 Algorithm in Action boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else return false; Number of loop iterations reveals correct character count boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; return (correct_chars == real_pwd.length) && matches; 29

30 Algorithm in Action: Attempt to Prove Safety boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else return false; boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; return (correct_chars == real_pwd.length) && matches; If Branch Partition Entire Program Running time analysis Lower: 2 + new_pwd.len * Upper: input_pwd.len * 2 + new_pwd.len * Could be a secret-dependent difference in running time Else Branch Partition 30

31 Algorithm in Action: Refine Secret Partitions boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else return false; boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); else matches = false; return (correct_chars == real_pwd.length) && matches; If Branch Partition Secret If Partition Entire Program Else Branch Partition Secret Else Partition 31

$Algorithm in Action: Identify Leak boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.$

32 Algorithm in Action: Identify Leak boolean chpass(real_pwd, input_pwd, new_pwd, new_pwd_confirm) { int correct_chars = 0; for(int i = 0; i < input_pwd.length; i++) { if(i < real_pwd.length && real_pwd[i] == input_pwd[i]) correct_chars += 1; else return false; boolean matches = true; if(new_pwd.length == new_pwd_confirm.length) { for (int i = 0; i < new_pwd.length; i++) matches = matches && (new_pwd[i] == new_pwd_confirm[i]); Running time analysis Lower: 2 + new_pwd.len * Upper: input_pwd.len * 2 + new_pwd.len * else matches = false; return (correct_chars == real_pwd.length) && matches; Could be a secret-dependent difference in running time If Branch Partition Secret If Partition Entire Program Else Branch Partition Secret Else Partition 32

33 Blazer An Implementation for Timing Channel Freedom 33

34 Architecture Java programs Taint analysis for public/secret branches Blazer BRICS library for partitioning Running time analysis based on abstract interpreter invariants JOANA Taint Analysis Running time bounds analysis Abstract interpreter BRICS automata library Component (Scala) SLoC Blazer 4,302 Running time analysis 1,517 WALA Bytecode Analysis Framework Abstract interpreter 4,416 34

35 Benchmarks Three types of Java benchmarks MicroBench 12 small, simple examples STAC - 6 from DARPA challenge programs Literature 6 adapted from literature DARPA/STAC benchmarks extracted from large, real-world program Use other techniques to find potentially vulnerable hot methods The benchmarks are a few lines to a few dozen One safe version One unsafe version 35

36 Size in basic blocks Time to prove safety Average of 5 runs If not safe, time to prove attack Average of 5 runs A few seconds or less for most benchmarks 22.20s at most for safety proving Proved safety or leak for all. 36

37 Scalability of Leak Identification Notable outliers Minutes or hours Related to block size Likely due to many partitions 37

38 Future Directions More fine-grained partitioning strategies for timing channel freedom Scaling Blazer to larger programs Using other running time analyses E.g., dynamic running time analysis Application to other k-safety properties New non-relational properties New partitioning properties 38

39 Conclusion Technique to prove timing channel freedom by decomposition Generalization to k-safety properties Implementation of verification of timing channel freedom in the Blazer tool with an evaluation 39

Decomposition Instead of Self-Composition for k-safety

Decomposition Instead of Self-Composition for k-safety Timos Antopoulos, Paul Gazzillo, Michael Hicks, Eric Koskinen, Tachio Terauchi, and Shiyi Wei Yale University University of Maryland JAIST Abstract