
Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade

Published: 04 January 2021

Abstract

We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets (sources) to those that leak them through the cache (sinks), rather than prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression as either transient, i.e., possibly containing speculative secrets, or stable, and (2) prohibits speculative leaks by requiring that all sink expressions are stable. Blade relies on a new abstract primitive, protect, to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade's type system can automatically synthesize a minimal number of protects to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable, WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically, without user intervention, and efficiently, even when using fences to implement protect.
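The source-to-sink cut the abstract describes, as a small added example (this is illustration code written for this page, not Blade's Cranelift implementation): a toy straight-line IR in which every load result is transient and every memory address operand is a sink, a type check that reports sinks reachable from a source without passing a protect, and a repair that synthesizes a minimum set of protects by computing a minimum vertex cut of the dataflow graph with Edmonds-Karp max-flow. The IR, the example programs, and the min-cut formulation are assumptions made for this illustration; protect is modelled purely as a dataflow cut, not as the fence or load-hardening mechanism the paper implements it with. Undefined names (such as `i` and `k`) stand for stable function inputs.

```python
from collections import defaultdict, deque

# Constructed toy IR (not Blade's Cranelift IR). Variables are defined once
# (SSA-like); names never defined are stable inputs.
#   ("load",    dst, addr)   dst = mem[addr]    : dst is a transient SOURCE, addr a SINK
#   ("op",      dst, srcs)   dst = f(*srcs)     : transience flows from srcs to dst
#   ("store",   addr, val)   mem[addr] = val    : addr is a SINK
#   ("protect", dst, src)    dst = protect(src) : dst is stable; the flow is cut
INF = float("inf")


def dataflow_graph(prog):
    """edges[u] = variables computed directly from u, plus source/sink sets."""
    edges, sources, sinks = defaultdict(set), set(), set()
    for stmt in prog:
        kind = stmt[0]
        if kind == "load":
            sources.add(stmt[1]); sinks.add(stmt[2])
        elif kind == "op":
            for s in stmt[2]:
                edges[s].add(stmt[1])
        elif kind == "store":
            sinks.add(stmt[1])
        # "protect" adds no edge: that absence is exactly the cut
    return edges, sources, sinks


def leaking_sinks(prog):
    """Type check: a sink reachable from a source without a protect is transient, hence a leak."""
    edges, sources, sinks = dataflow_graph(prog)
    transient, work = set(sources), deque(sources)
    while work:
        for w in edges[work.popleft()]:
            if w not in transient:
                transient.add(w); work.append(w)
    return sorted(sinks & transient)


def min_protect_set(prog):
    """Smallest set of variables whose protection separates all sources from all sinks.
    Each variable v is split into (v,in)->(v,out) with capacity 1; cutting that arc
    means inserting protect(v). All other arcs are infinite, so a min cut uses only unit arcs."""
    edges, sources, sinks = dataflow_graph(prog)
    cap = defaultdict(lambda: defaultdict(int))

    def arc(u, w, c):
        cap[u][w] += c
        cap[w][u] += 0                      # make sure the reverse (residual) arc exists

    names = set(edges) | {w for ws in edges.values() for w in ws} | sources | sinks
    for v in names:
        arc((v, "in"), (v, "out"), 1)
        if v in sources: arc("S", (v, "in"), INF)
        if v in sinks:   arc((v, "out"), "T", INF)
    for u, ws in edges.items():
        for w in ws:
            arc((u, "out"), (w, "in"), INF)

    flow = defaultdict(lambda: defaultdict(int))
    residual = lambda u, w: cap[u][w] - flow[u][w]

    def augmenting_path():                  # BFS in the residual graph (Edmonds-Karp)
        parent, q = {"S": None}, deque(["S"])
        while q:
            u = q.popleft()
            for w in cap[u]:
                if w not in parent and residual(u, w) > 0:
                    parent[w] = u
                    if w == "T":
                        return parent
                    q.append(w)
        return None

    while (parent := augmenting_path()) is not None:
        path, w = [], "T"
        while parent[w] is not None:
            path.append((parent[w], w)); w = parent[w]
        b = min(residual(u, w) for u, w in path)   # always 1: every path crosses a unit arc
        for u, w in path:
            flow[u][w] += b; flow[w][u] -= b

    # Vertices still reachable from S form the source side of a minimum cut;
    # a split variable straddling that boundary is the one to protect.
    reach, q = {"S"}, deque(["S"])
    while q:
        u = q.popleft()
        for w in cap[u]:
            if w not in reach and residual(u, w) > 0:
                reach.add(w); q.append(w)
    return {v for v in names if (v, "in") in reach and (v, "out") not in reach}


def insert_protects(prog, cut):
    """After each definition of v in cut, emit v_p = protect(v) and redirect later uses of v to v_p."""
    rename, out = {}, []
    r = lambda v: rename.get(v, v)
    for stmt in prog:
        kind, dst = stmt[0], stmt[1]
        if kind == "store":                 # a store defines nothing
            out.append(("store", r(stmt[1]), r(stmt[2]))); continue
        if kind == "op":
            out.append(("op", dst, [r(s) for s in stmt[2]]))
        else:                               # load or protect
            out.append((kind, dst, r(stmt[2])))
        if dst in cut:
            rename[dst] = dst + "_p"
            out.append(("protect", dst + "_p", dst))
    return out


def repair(prog):
    """Blade-style repair: synthesize a minimum protect set and apply it."""
    cut = min_protect_set(prog)
    return insert_protects(prog, cut), cut


# Constructed example: a lookup a[i] whose bounds check the CPU may speculate past,
# feeding a second table access b[t], the classic Spectre-v1 shape.
EXAMPLE = [
    ("load", "x", "i"),        # x = a[i]     transient source
    ("op", "t", ["x", "k"]),   # t = x ^ k    t inherits x's transience
    ("load", "y", "t"),        # y = b[t]     address t is transient: a leak
    ("store", "t", "y"),       # mem[t] = y   same transient address again
]

if __name__ == "__main__":
    print("leaks before:", leaking_sinks(EXAMPLE))
    fixed, cut = repair(EXAMPLE)
    print("protect:", cut, "leaks after:", leaking_sinks(fixed))
```

Running it on `EXAMPLE` reports `t` as the leaking sink and protects `x`, which stops both the load and the store at once; for two loads that merge into one address (`t = x1 + x2; y = b[t]`) the cut protects `t` alone rather than both loads, which is the sense in which the synthesized protect set is minimal.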

