Constant-time programming in C

Similar documents
FaCT. A Flexible, Constant-Time Programming Language

Topics Power tends to corrupt; absolute power corrupts absolutely. Computer Organization CS Data Representation

Bits, Bytes, and Integers Part 2

Control Structures. Code can be purely arithmetic assignments. At some point we will need some kind of control or decision making process to occur

Malloc Lab & Midterm Solutions. Recitation 11: Tuesday: 11/08/2016

B.V. Patel Institute of Business Management, Computer & Information Technology, Uka Tarsadia University

Recap. ANSI C Reserved Words C++ Multimedia Programming Lecture 2. Erwin M. Bakker Joachim Rijsdam

C - Basics, Bitwise Operator. Zhaoguo Wang

Name :. Roll No. :... Invigilator s Signature : INTRODUCTION TO PROGRAMMING. Time Allotted : 3 Hours Full Marks : 70

Programming refresher and intro to C programming

Today s lecture. Translating an if-then statement

Flow Control. CSC215 Lecture

Important From Last Time

INITIALISING POINTER VARIABLES; DYNAMIC VARIABLES; OPERATIONS ON POINTERS

The component base of C language. Nguyễn Dũng Faculty of IT Hue College of Science

Important From Last Time

Writing Program in C Expressions and Control Structures (Selection Statements and Loops)

Part I Part 1 Expressions

Lecture 02 C FUNDAMENTALS

CS313D: ADVANCED PROGRAMMING LANGUAGE

C#.Net. Course Contents. Course contents VT BizTalk. No exam, but laborations

CS321 Languages and Compiler Design I. Winter 2012 Lecture 2

Bounded Model Checking Of C Programs: CBMC Tool Overview

EMBEDDED SYSTEMS PROGRAMMING Language Basics

P.G.TRB - COMPUTER SCIENCE. c) data processing language d) none of the above

Logistics. Next week, my OH will be vs HW6 (= writing + Monad.hs) counts! You HW grade = max of 5 HWs. CAPEs!

Lecture 2: C Programming Basic

Type Conversion. and. Statements

Bentley Rules for Optimizing Work

just a ((somewhat) safer) dialect.

Two Types of Types. Primitive Types in Java. Using Primitive Variables. Class #07: Java Primitives. Integer types.

Programming Fundamentals (CS 302 ) Dr. Ihsan Ullah. Lecturer Department of Computer Science & IT University of Balochistan

C++ Programming Lecture 1 Software Engineering Group

What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.

Variables Data types Variable I/O. C introduction. Variables. Variables 1 / 14

Computer Programming: Skills & Concepts (CP) Strings

Expressions and Data Types CSC 121 Spring 2015 Howard Rosenthal

Intermediate Code Generation

QUIZ How do we implement run-time constants and. compile-time constants inside classes?

CS 261 Fall C Introduction. Variables, Memory Model, Pointers, and Debugging. Mike Lam, Professor

Structures, Unions Alignment, Padding, Bit Fields Access, Initialization Compound Literals Opaque Structures Summary. Structures

Introduction to C. Zhiyuan Teo. Cornell CS 4411, August 26, Geared toward programmers

Filesystems timing attacks

Introduce C# as Object Oriented programming language. Explain, tokens,

High-Performance Cryptography in Software

Introduction to Programming Using Java (98-388)

Computer Architecture and Organization. Instruction Sets: Addressing Modes and Formats

Page 1. Today. Important From Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right?

Motivation was to facilitate development of systems software, especially OS development.

Page 1. Today. Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right? Compiler requirements CPP Volatile

Hardware: Logical View

Java and C CSE 351 Spring

a data type is Types

Lectures 5-6: Introduction to C

Pointer Basics. Lecture 13 COP 3014 Spring March 28, 2018

Recitation #11 Malloc Lab. November 7th, 2017

Intermediate Representation Prof. James L. Frankel Harvard University

AP COMPUTER SCIENCE JAVA CONCEPTS IV: RESERVED WORDS

last time Assembly part 2 / C part 1 condition codes reminder: quiz

Expressions and Data Types CSC 121 Fall 2015 Howard Rosenthal

There are 16 total numbered pages, 7 Questions. You have 2 hours. Budget your time carefully!

Programming Language Implementation

CSC Java Programming, Fall Java Data Types and Control Constructs

Lecture Notes on Types in C

Quick Review. lw $t0, 4($a0) Registers x Memory. $a0 is simply another name for register 4 $t0 is another name for register (green sheet)

CprE 288 Introduction to Embedded Systems Exam 1 Review. 1

Computational Expression

C Programming Review CSC 4320/6320

Boolean Algebra Boolean Algebra

Motivation was to facilitate development of systems software, especially OS development.

Process s Address Space. Dynamic Memory. Backing the Heap. Dynamic memory allocation 3/29/2013. When a process starts the heap is empty

Chapter 7. Additional Control Structures

C++ Tutorial AM 225. Dan Fortunato

BASIC ELEMENTS OF A COMPUTER PROGRAM

LECTURE 17. Expressions and Assignment

C Introduction. Comparison w/ Java, Memory Model, and Pointers

CS 31 Review Sheet. Tau Beta Pi - Boelter Basics 2. 2 Working with Decimals 2. 4 Operators 3. 6 Constants 3.

CS 2505 Computer Organization I Test 2. Do not start the test until instructed to do so! printed

CSE 333 Lecture 2 Memory

Types, Variables, and Constants

CPSC 427: Object-Oriented Programming

C Language Part 1 Digital Computer Concept and Practice Copyright 2012 by Jaejin Lee

Basic program The following is a basic program in C++; Basic C++ Source Code Compiler Object Code Linker (with libraries) Executable

Introduction to C# Applications

Before we start - Announcements: There will be a LAB TONIGHT from 5:30 6:30 in CAMP 172. In compensation, no class on Friday, Jan. 31.

CS 314 Principles of Programming Languages. Lecture 9

Programming in C and C++

School of Computer Science CPS109 Course Notes 5 Alexander Ferworn Updated Fall 15

Tutorial 1: Introduction to C Computer Architecture and Systems Programming ( )

Limitations of the stack

Lecture 2: C Programm

6.096 Introduction to C++ January (IAP) 2009

Short Notes of CS201

Midterm 1 topics (in one slide) Bits and bitwise operations. Outline. Unsigned and signed integers. Floating point numbers. Number representation

C strings. (Reek, Ch. 9) 1 CS 3090: Safety Critical Programming in C

UCB CS61C : Machine Structures

System Programming and Computer Architecture (Fall 2009)

CSE 431S Type Checking. Washington University Spring 2013

CS , Fall 2004 Exam 1

Outline. Java Models for variables Types and type checking, type safety Interpretation vs. compilation. Reasoning about code. CSCI 2600 Spring

Transcription:

Constant-time programming in C

What s our goal? Goal: Write C programs that don t leak sensitive data Assumption: no explicit leaks E.g., writing secret data to public location Approach: constant-time programming More robust approach than random fuzzing/padding Why? Completely eliminates time-variability!

What s our goal? Goal: Write C programs that don t leak sensitive data Assumption: no explicit leaks E.g., writing secret data to public location Approach: constant-time programming More robust approach than random fuzzing/padding Why? Completely eliminates time-variability!

What introduces time-variability?

Which runs faster? void foo(double x) { double z, y = 1.0; for (uint32_t i = 0; i < 100000000; i++) { z = y*x; A: B: foo(1.0); foo(1.0e-323); C: They take the same amount of time! Code from D. Kohlbrenner

Example: floating-point operations

Leaks due to variable-time instructions Problem: Certain instructions take different amounts of time depending on the operands What s another example? Solution?

Unsafe language-level operators Operators that lead to variable-time instructions E.g., /, % Operators that lead to conditional branches E.g.,, &&,?: Why? (We ll see in a bit!)

What s the problem with this code? s0; for (uint32_t i = 0; i < secret; i++) { s1; s2; s3; s4;

How do we fix this? s0; uint32_t done = 0; for (uint32_t i = 0; i < pub_max; i++) { done = (max == secret); if (!done) { s1; s2; s3; s4; Is this right? A: yes, B: no

Why are if-statements on secrets unsafe? s0; if (secret) { s1; s2; s3;

Why are if-statements on secrets unsafe? s0; if (secret) { s1; s2; s3;

Why are if-statements on secrets unsafe? s0; if (secret) { s1; s2; s3; secret true false run s0;s1;s2;s3; s0;s3; 4 2

Can we pad else branch? if (secret) { s1; s2; else { s1 ; s2 ; where s1 and s1 take same amount of time Is this safe? A: yes, B: no

Issue with conditional branching Problem: Instructions are loaded from cache Which instructions were loaded (or not) observable Problem: Hardware tried to predict where branch goes Success (or failure) of prediction is observable Solution?

Solution: don t branch on secrets!

Solution: fold control flow into data flow (assumption secret = 1 or 0) if (secret) { x = a; x = secret * a + (1-secret) * x;

Solution: fold control flow into data flow (assumption secret = 1 or 0) if (secret) { x = a; x = secret * a + (1-secret) * x;

Solution: fold control flow into data flow (assumption secret = 1 or 0) if (secret) { x = a; else { x = b; x = secret * a + (1-secret) * x; x = (1-secret) * b + secret * x;

Solution: fold control flow into data flow Multiple ways to fold control flow in Previous example: takes advantage of arithmetic What s another way? if (secret) { x = a; x = (-secret & (a^x)) ^ x

Solution: fold control flow into data flow Useful to create library of primitives E.g., bit? a : b select(a, b, bit); unsigned select (unsigned a, unsigned b, unsigned bit) { /* -0 = 0, -1 = 0xff...ff */ unsigned mask = - bit; unsigned ret = mask & (a^b); ret = ret ^ a; return ret; Code from https://cryptocoding.net

A more complex example static int get_zeros_padding( unsigned char *input, size_t input_len, size_t *data_len ) { size_t i; if( NULL == input NULL == data_len ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); *data_len = 0; for( i = input_len; i > 0; i-- ) { if (input[i-1]!= 0) { *data_len = i; return 0; return 0; Is this safe? A: yes, B: no

A more complex example static int get_zeros_padding( unsigned char *input, size_t input_len, size_t *data_len ) { size_t i unsigned done = 0, prev_done = 0; if( NULL == input NULL == data_len ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); *data_len = 0; for( i = input_len; i > 0; i-- ) { prev_done = done; done = input[i-1]!= 0; if (done &!prev_done) { *data_len = i; return 0; Is this safe? A: yes, B: no

A more complex example static int get_zeros_padding( unsigned char *input, size_t input_len, size_t *data_len ) { size_t i unsigned done = 0, prev_done = 0; if( NULL == input NULL == data_len ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); *data_len = 0; for( i = input_len; i > 0; i-- ) { prev_done = done; done = input[i-1]!= 0; *data_len = select(i, *data_len, done &!prev_done); return 0; Is this safe? A: yes, B: no

Leaks via control flow Problem: Control flow that depends on secret data can lead to information leakage Loops If-statements (switch, etc.) Early returns, goto, break, continue Function calls Solution: control flow should not depend on secrets, fold secret control flow into data!

Is this code safe? void cond_assign( uint8_t *X, const uint8_t *Y, size_t len, unsigned char assign ) { /* make sure assign is 0 or 1 */ assign = ( assign!= 0 ); for (size_t i = 0; i < len; i++) { X[i] = X[i] * ( 1 - assign ) + Y[i] * assign; A: yes, B: no

How do we fix this? Make it hard for compiler to optimize some code, but really look at the generated assembly!

Accessing memory can leak too Non-example: strcmp(a, B) from last lecture strcmp(, ); Why is this not a problem due to memory access? What would be an example of a leak via memory access?

What s the problem with this code? static void KeyExpansion(uint8_t* RoundKey, const uint8_t* Key) {... // All other round keys are found from the previous round keys. for (i = Nk; i < Nb * (Nr + 1); ++i) {... k = (i - 1) * 4; tempa[0]=roundkey[k + 0]; tempa[1]=roundkey[k + 1]; tempa[2]=roundkey[k + 2]; tempa[3]=roundkey[k + 3];...... tempa[0] = sbox[tempa[0]]; tempa[1] = sbox[tempa[1]]; tempa[2] = sbox[tempa[2]]; tempa[3] = sbox[tempa[3]];

Why is this a problem? Problem: Accessing memory based on secret arr[secret] Why is this a problem? duration(arr[secret]) depends on whether or not arr[secret] is in the cache! What happens if attacker can influence cache?

How do we fix this? Only access memory at public index How do we express arr[secret]? x=arr[secret] for(size_t i = 0; i < arr_len; i++) x = select(arr[i], x, secret == i)

Summary Duration of certain operations depends on data Do not use operators that are variable time Control flow Do not branch based on a secret Memory access Do not access memory based on a secret

Challenges with writing constant-time code Duration of certain operations depends on data Transform to safe, known CT operations Control flow Turn control flow into data flow problem: select! Memory access Loop over public bounds of array!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback