Research article (Open Access; Artifacts Available, Artifacts Evaluated & Reusable)

Formal verification of a constant-time preserving C compiler

Published: 20 December 2019

Abstract

Timing side-channels are arguably one of the main sources of vulnerabilities in cryptographic implementations. One effective mitigation against timing side-channels is to write programs that do not perform secret-dependent branches and memory accesses. This mitigation, known as "cryptographic constant-time", is adopted by several popular cryptographic libraries.

This paper focuses on compilation of cryptographic constant-time programs, and more specifically on the following question: is the code generated by a realistic compiler for a constant-time source program itself provably constant-time? Surprisingly, we answer the question positively for a mildly modified version of the CompCert compiler, a formally verified and moderately optimizing compiler for C. Concretely, we modify the CompCert compiler to eliminate sources of potential leakage. Then, we instrument the operational semantics of CompCert intermediate languages so as to be able to capture cryptographic constant-time. Finally, we prove that the modified CompCert compiler preserves constant-time. Our mechanization maximizes reuse of the CompCert correctness proof, through the use of new proof techniques for proving preservation of constant-time. These techniques achieve complementary trade-offs between generality and tractability of proof effort, and are of independent interest.
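The abstract defines "cryptographic constant-time" as the absence of secret-dependent branches and secret-dependent memory accesses. The following C example is added here to make that discipline concrete; it is not code from the paper or from CompCert. It places an early-exit tag comparison (a secret-dependent branch) beside a constant-time comparison, and a direct `table[idx]` lookup on a secret index (a secret-dependent address) beside a masked scan of the whole table. The sample tags and the 16-entry table are constructed inputs, and the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* --- Early-exit comparison: NOT constant-time --------------------------- */
/* Returns at the first mismatching byte, so the number of loop iterations,
   and therefore the running time, depends on how many leading bytes of the
   secret `expected` agree with `got`. The `if` is a secret-dependent branch. */
int leaky_tag_equal(const uint8_t *expected, const uint8_t *got, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (expected[i] != got[i])
            return 0;
    }
    return 1;
}

/* --- Constant-time comparison ------------------------------------------ */
/* Always visits all n bytes. The only secret-dependent operations are XOR and
   OR on registers; the final 0/1 is computed arithmetically from `diff`
   instead of branching on it. */
int ct_tag_equal(const uint8_t *expected, const uint8_t *got, size_t n)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(expected[i] ^ got[i]);
    /* diff is in 0..255. (diff - 1) wraps to 0xFFFFFFFF only when diff == 0,
       so bit 31 is set exactly when every byte matched. */
    return (int)((diff - 1u) >> 31);
}

/* --- Constant-time table lookup ---------------------------------------- */
/* table[idx] with a secret idx is a secret-dependent memory access: the
   address read depends on the secret. Instead, read every entry (len <= 256)
   and keep the wanted one with a mask that is 0xFF only when i == idx. */
uint8_t ct_table_lookup(const uint8_t *table, size_t len, uint8_t idx)
{
    uint8_t result = 0;
    for (size_t i = 0; i < len; i++) {
        uint32_t x  = (uint32_t)i ^ (uint32_t)idx;   /* 0 iff i == idx        */
        uint32_t eq = (x - 1u) >> 31;                /* 1 iff x == 0          */
        uint8_t mask = (uint8_t)(0u - eq);           /* 0xFF iff i == idx     */
        result |= table[i] & mask;
    }
    return result;
}

/* Constructed sample data for a stand-alone run (not taken from the paper). */
static const uint8_t TAG_A[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
static const uint8_t TAG_B[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x05};
static const uint8_t SBOX[16] = {0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
                                 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76};

/* The leaky and constant-time comparators must agree on every input, and the
   masked lookup must reproduce a direct index for all entries. Returns 1 if
   both hold on the sample data. */
int demo_agree(void)
{
    int ok = leaky_tag_equal(TAG_A, TAG_A, 8) == 1 && ct_tag_equal(TAG_A, TAG_A, 8) == 1;
    ok = ok && leaky_tag_equal(TAG_A, TAG_B, 8) == 0 && ct_tag_equal(TAG_A, TAG_B, 8) == 0;
    for (uint8_t i = 0; i < 16; i++)
        ok = ok && ct_table_lookup(SBOX, 16, i) == SBOX[i];
    return ok;
}

int main(void)
{
    int ok = demo_agree();
    printf("constant-time variants agree with the direct ones: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Both constant-time variants are constant-time at the C source level only: nothing in the C standard stops a compiler from turning the mask arithmetic back into a conditional branch or the masked scan into a conditional load, which is exactly the source-to-binary gap the paper addresses by proving that its modified CompCert preserves the property. The property itself, as the abstract defines it, covers branch targets and memory addresses; it says nothing about operand-dependent instruction latency, which a reviewer of such code has to consider separately.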

Supplemental Material

a7-barthe.webm
