
Binsec/Rel: Symbolic Binary Analyzer for Security with Applications to Constant-Time and Secret-Erasure

Published: 14 April 2023

Abstract

This article tackles the problem of designing efficient binary-level verification for a subset of information flow properties encompassing constant-time and secret-erasure. These properties are crucial for cryptographic implementations but are generally not preserved by compilers. Our proposal builds on relational symbolic execution enhanced with new optimizations dedicated to information flow and binary-level analysis, yielding a dramatic improvement over prior work based on symbolic execution. We implement a prototype, Binsec/Rel, for bug-finding and bounded-verification of constant-time and secret-erasure and perform extensive experiments on a set of 338 cryptographic implementations, demonstrating the benefits of our approach. Using Binsec/Rel, we also automate two prior manual studies on preservation of constant-time and secret-erasure by compilers for a total of 4,148 and 1,156 binaries, respectively. Interestingly, our analysis highlights incorrect usages of volatile data pointers for secret-erasure and shows that scrubbing mechanisms based on volatile function pointers can introduce additional register spilling that might break secret-erasure. We also discovered that gcc -O0 and backend passes of clang introduce violations of constant-time in implementations that were previously deemed secure by a state-of-the-art constant-time verification tool operating at LLVM level, showing the importance of reasoning at binary level.
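The two properties the abstract targets, and the scrubbing idioms it evaluates, are easiest to see side by side in C. The block below is an added illustration written for this page; it is not code from the paper or from Binsec/Rel, and the function names and the sample key are constructed for the example. It pairs an early-exit comparison with a branchless one (constant-time), a mask-based select of the kind clang's backend can turn back into a branch, and three scrubbing variants: plain memset, the volatile function-pointer idiom (the one OpenSSL's OPENSSL_cleanse uses), and the volatile data-pointer idiom whose misuse the abstract reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early exit on the first mismatch: the iteration count, and so the timing,
 * depends on the secret bytes, which violates constant-time. */
int leaky_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Branchless: OR together every byte difference, then collapse to 0/1 with
 * arithmetic only. Returns 1 when the buffers are equal, 0 otherwise. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* ((diff - 1) >> 8) & 1 is 1 iff diff == 0 (unsigned wrap-around). */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Select a or b on a secret condition without branching on it. Source-level
 * masking is not the final word: the abstract reports clang backend passes
 * reintroducing branches, so the binary has to be checked. */
uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b)
{
    uint32_t nz = (cond | (0u - cond)) >> 31; /* 1 iff cond != 0 */
    uint32_t mask = 0u - nz;                  /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

/* Naive scrubbing: if `buf` is dead after the call, dead-store elimination
 * may delete the memset entirely (CWE-14). */
void naive_scrub(uint8_t *buf, size_t n)
{
    memset(buf, 0, n);
}

/* Volatile function-pointer idiom: the compiler cannot prove which function
 * runs, so the store survives. The abstract notes this can add register
 * spills that leave copies of the secret behind. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;
void scrub_fnptr(uint8_t *buf, size_t n)
{
    memset_ptr(buf, 0, n);
}

/* Volatile data-pointer idiom: every store goes through a pointer to
 * volatile, so none may be elided. Dropping `volatile` from the pointee
 * (the misuse the abstract reports) silently reverts to the naive case. */
void scrub_volatile(uint8_t *buf, size_t n)
{
    volatile uint8_t *p = buf;
    while (n--)
        *p++ = 0;
}

/* Sample secret, constructed for this example. */
static const uint8_t SAMPLE_KEY[16] = {
    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };

int is_all_zero(const uint8_t *buf, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Scrub a copy of SAMPLE_KEY with one variant (0 naive, 1 fn-pointer,
 * 2 volatile pointer) and report whether it reads back as zero. Reading the
 * buffer afterwards keeps it live, so this functional check passes for all
 * three; whether the stores survive for a dead buffer is exactly what only
 * a binary-level analysis can answer. */
int scrub_and_check(int variant)
{
    uint8_t buf[sizeof SAMPLE_KEY];
    memcpy(buf, SAMPLE_KEY, sizeof buf);
    if (variant == 0)
        naive_scrub(buf, sizeof buf);
    else if (variant == 1)
        scrub_fnptr(buf, sizeof buf);
    else
        scrub_volatile(buf, sizeof buf);
    return is_all_zero(buf, sizeof buf);
}

int main(void)
{
    uint8_t other[16];
    memcpy(other, SAMPLE_KEY, 16);
    other[15] ^= 1;
    printf("ct_memeq(key,key)=%d ct_memeq(key,other)=%d\n",
           ct_memeq(SAMPLE_KEY, SAMPLE_KEY, 16), ct_memeq(SAMPLE_KEY, other, 16));
    printf("scrub naive=%d fnptr=%d volatile=%d\n",
           scrub_and_check(0), scrub_and_check(1), scrub_and_check(2));
    return 0;
}
```

Compile the block at several optimization levels and compare the generated code for naive_scrub against scrub_fnptr and scrub_volatile: the functional results are identical, but only the latter two keep their stores once the caller stops using the buffer. That gap between source-level intent and emitted machine code is the reason the paper verifies the binary rather than the C or the LLVM IR.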

  110. [110] Köpf Boris and Mantel Heiko. 2007. Transformational typing and unification for automatically correcting insecure programs. Int. J. Inf. Sec. 6, 2–3 (2007), 107131. DOI:.Google ScholarGoogle ScholarCross RefCross Ref
  111. [111] Chattopadhyay Sudipta and Roychoudhury Abhik. 2018. Symbolic verification of cache side-channel freedom. IEEE Trans. Comput. Aid. Des. Integr. Circ. Syst. 37, 11 (2018), 28122823. DOI:Google ScholarGoogle ScholarCross RefCross Ref
  112. [112] Wu Meng, Guo Shengjian, Schaumont Patrick, and Wang Chao. 2018. Eliminating timing side-channel leaks using program repair. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA’18), Tip Frank and Bodden Eric (Eds.). ACM, 1526. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  113. [113] Coppens Bart, Verbauwhede Ingrid, Bosschere Koen De, and Sutter Bjorn De. 2009. Practical mitigations for timing-based side-channel attacks on modern x86 processors. In Proceedings of the 30th IEEE Symposium on Security and Privacy (S&P’09). IEEE Computer Society, 4560. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  114. [114] Soares Luigi and Pereira Fernando Magno Quintão. 2021. Memory-safe elimination of side channels. In Proceedings of the IEEE/ACM International Symposium on Code Generation and Optimization (CGO’21), Lee Jae W., Soffa Mary Lou, and Zaks Ayal (Eds.). IEEE, 200210. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  115. [115] Chow Jim, Pfaff Ben, Garfinkel Tal, and Rosenblum Mendel. 2005. Shredding your garbage: Reducing data lifetime through secure deallocation. In Proceedings of the 14th USENIX Security Symposium, McDaniel Patrick D. (Ed.). USENIX Association. https://www.usenix.org/conference/14th-usenix-security-symposium/shredding-your-garbage-reducing-data-lifetime-through.Google ScholarGoogle ScholarDigital LibraryDigital Library
  116. [116] Garfinkel Tal, Pfaff Ben, Chow Jim, and Rosenblum Mendel. 2004. Data lifetime is a systems problem. In Proceedings of the 11st ACM SIGOPS European Workshop, Berbers Yolande and Castro Miguel (Eds.). ACM, 10. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  117. [117] Tedesco Filippo Del, Hunt Sebastian, and Sands David. 2011. A semantic hierarchy for erasure policies. In Proceedings of the 7th International Conference on Information Systems Security (ICISS’11),Lecture Notes in Computer Science, Jajodia Sushil and Mazumdar Chandan (Eds.), Vol. 7093. Springer, 352369. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  118. [118] Askarov Aslan, Moore Scott, Dimoulas Christos, and Chong Stephen. 2015. Cryptographic enforcement of language-based information erasure. In Proceedings of the IEEE 28th Computer Security Foundations Symposium (CSF’15), Fournet Cédric, Hicks Michael W., and Viganò Luca (Eds.). IEEE Computer Society, 334348. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  119. [119] Hansen René Rydhof and Probst Christian W.. Non-interference and erasure policies for java card bytecode. In Proceedings of the 6th International Workshop on Issues in the Theory of Security (WITS’06).Google ScholarGoogle Scholar
  120. [120] Hunt Sebastian and Sands David. 2008. Just forget it - the semantics and enforcement of information erasure. In Proceedings of the 17th European Symposium on Programming Languages and Systems (ESOP’08), Held as Part of the Joint European Conferences on Theory and Practice of Software (ETAPS’08),Lecture Notes in Computer Science, Drossopoulou Sophia (Ed.), Vol. 4960. Springer, 239253. DOI:Google ScholarGoogle ScholarCross RefCross Ref
  121. [121] Chong Stephen and Myers Andrew C.. 2008. End-to-end enforcement of erasure and declassification. In Proceedings of the 21st IEEE Computer Security Foundations Symposium (CSF’08). IEEE Computer Society, 98111. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  122. [122] Tedesco Filippo Del, Russo Alejandro, and Sands David. 2010. Implementing erasure policies using taint analysis. In Proceedings of the 15th Nordic Conference on Secure IT Systems and Information Security Technology for Applications (NordSec’10)Lecture Notes in Computer Science, Aura Tuomas, Järvinen Kimmo, and Nyberg Kaisa (Eds.), Vol. 7127. Springer, 193209. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  123. [123] Nanevski Aleksandar, Banerjee Anindya, and Garg Deepak. 2011. Verification of information flow and access control policies with dependent types. In Proceedings of the 32nd IEEE Symposium on Security and Privacy (S&P’11). IEEE Computer Society, 165179. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  124. [124] Nethercote Nicholas and Seward Julian. 2007. Valgrind: A framework for heavyweight dynamic binary instrumentation. In Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation, Ferrante Jeanne and McKinley Kathryn S. (Eds.). ACM, 89100. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library
  125. [125] Leroy Xavier. 2009. Formal verification of a realistic compiler. Commun. ACM 52, 7 (2009), 107115. DOI:Google ScholarGoogle ScholarDigital LibraryDigital Library

Published in

ACM Transactions on Privacy and Security, Volume 26, Issue 2
May 2023
335 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3572849


          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Publication History

          • Published: 14 April 2023
          • Online AM: 12 September 2022
          • Accepted: 17 August 2022
          • Revised: 2 June 2022
          • Received: 13 May 2021
