Abstract
This article tackles the problem of designing efficient binary-level verification for a subset of information flow properties encompassing constant-time and secret-erasure. These properties are crucial for cryptographic implementations but are generally not preserved by compilers. Our proposal builds on relational symbolic execution enhanced with new optimizations dedicated to information flow and binary-level analysis, yielding a dramatic improvement over prior work based on symbolic execution. We implement a prototype, Binsec/Rel, for bug-finding and bounded verification of constant-time and secret-erasure and perform extensive experiments on a set of 338 cryptographic implementations, demonstrating the benefits of our approach. Using Binsec/Rel, we also automate two prior manual studies on preservation of constant-time and secret-erasure by compilers for a total of 4,148 and 1,156 binaries, respectively. Interestingly, our analysis highlights incorrect usages of volatile data pointers for secret-erasure and shows that scrubbing mechanisms based on volatile function pointers can introduce additional register spilling that might break secret-erasure. We also discovered that
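The constant-time property the abstract refers to, as an added example that is not code from the paper or from Binsec/Rel: a concrete two-run (relational) check that records each run's leakage trace (branch outcomes and memory addresses) under the same public input and two different secret values, then compares the traces for an early-exit byte compare and a constant-time one. The `leak_branch`/`leak_addr` hooks, the function names and the sample inputs are my own constructions; because this instruments source rather than the compiled binary, it cannot observe the compiler-introduced leaks the paper is concerned with.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added illustration, not code from the Binsec/Rel paper: a concrete two-run
 * analogue of the relational constant-time check that Binsec/Rel performs
 * symbolically on the binary. Instrumentation here is inserted by hand. */

/* Leakage trace under the constant-time model: the outcome of every
 * conditional branch and the address of every memory access. */
#define TRACE_MAX 256
typedef struct { uintptr_t events[TRACE_MAX]; size_t n; } trace_t;
typedef int (*cmp_fn)(trace_t *, const unsigned char *, const unsigned char *, size_t);

static void trace_add(trace_t *t, uintptr_t ev)
{
    if (t->n < TRACE_MAX)
        t->events[t->n++] = ev;
}

/* Hooks a checker would attach to each branch and each memory access. */
static int leak_branch(trace_t *t, int cond)
{
    trace_add(t, (uintptr_t)(cond != 0));
    return cond;
}

static const unsigned char *leak_addr(trace_t *t, const unsigned char *p)
{
    trace_add(t, (uintptr_t)p);
    return p;
}

/* Early-exit comparison: the loop stops at the first mismatch, so the number
 * of recorded branches and accesses depends on the secret. */
int cmp_early_exit(trace_t *t, const unsigned char *pub, const unsigned char *sec, size_t n)
{
    for (size_t i = 0; leak_branch(t, i < n); i++) {
        unsigned char x = *leak_addr(t, &pub[i]);
        unsigned char y = *leak_addr(t, &sec[i]);
        if (leak_branch(t, x != y))
            return 1;
    }
    return 0;
}

/* Constant-time comparison: differences are OR-ed into an accumulator; the
 * only branch is the loop bound, which depends on the public length n. */
int cmp_constant_time(trace_t *t, const unsigned char *pub, const unsigned char *sec, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; leak_branch(t, i < n); i++) {
        unsigned char x = *leak_addr(t, &pub[i]);
        unsigned char y = *leak_addr(t, &sec[i]);
        acc |= (unsigned char)(x ^ y);
    }
    return acc != 0;
}

/* Relational check: same public input, same addresses, two different secret
 * values placed in the same buffer. Returns 1 if both leakage traces are
 * identical (no leak observed for this pair), 0 if they diverge. */
int relational_ct_check(cmp_fn f, const unsigned char *pub,
                        const unsigned char *sec_a, const unsigned char *sec_b, size_t n)
{
    unsigned char secret[32];             /* one location, two values */
    trace_t ta = {{0}, 0}, tb = {{0}, 0};
    if (n > sizeof secret) n = sizeof secret;
    memcpy(secret, sec_a, n);
    (void)f(&ta, pub, secret, n);
    memcpy(secret, sec_b, n);
    (void)f(&tb, pub, secret, n);
    return ta.n == tb.n &&
           memcmp(ta.events, tb.events, ta.n * sizeof ta.events[0]) == 0;
}

/* Constructed inputs: SEC_A first differs from PUB at byte 7, SEC_B at byte 0,
 * so the early-exit loop runs 8 iterations in one run and 1 in the other. */
static const unsigned char PUB[8]   = {1, 2, 3, 4, 5, 6, 7, 8};
static const unsigned char SEC_A[8] = {1, 2, 3, 4, 5, 6, 7, 9};
static const unsigned char SEC_B[8] = {9, 2, 3, 4, 5, 6, 7, 8};

/* Expected: early-exit compare leaks (0), constant-time compare does not (1). */
int early_exit_is_ct(void)    { return relational_ct_check(cmp_early_exit, PUB, SEC_A, SEC_B, 8); }
int constant_time_is_ct(void) { return relational_ct_check(cmp_constant_time, PUB, SEC_A, SEC_B, 8); }
```

A single agreeing pair of traces is only evidence for that pair; the symbolic approach in the paper covers all secret values along the explored paths at once.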
Binsec/Rel: Symbolic Binary Analyzer for Security with Applications to Constant-Time and Secret-Erasure