FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi , UC San - PowerPoint PPT Presentation

Transform everything? Slower but necessary if (secret) { x = -secret & 19 | (secret-1) & x; x = 19; } if (public) { y = -public & 42 | (public-1) & y; y = 42; } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Transform everything? Slower but necessary if (secret) { x = -secret & 19 | (secret-1) & x; x = 19; } Slower and unnecessary ! if (public) { y = -public & 42 | (public-1) & y; y = 42; } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Transform everything? Slower but necessary if (secret) { x = -secret & 19 | (secret-1) & x; x = 19; } Slower and unnecessary ! if (public) { y = -public & 42 | (public-1) & y; y = 42; } Only transform if code leaks secret values FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Explicit secrecy in the type system secret uint32 decrypt( secret uint32 key, public uint32 msg) { if (key > 40) { ... } ... } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Explicit secrecy in the type system secret uint32 decrypt( secret uint32 key, public uint32 msg) { if (key > 40) { ... } We can detect secret leakage! ... } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Type system detects leaks via... ● Conditional branches ● Early termination ● Function side effects ● Memory access patterns ● Direct assignment ● … FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Type system detects leaks via... ● Conditional branches ● Early termination FaCT transforms these ● Function side effects ● Memory access patterns ● Direct assignment ● … FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Type system detects leaks via... ● Conditional branches ● Early termination FaCT transforms these ● Function side effects ● Memory access patterns FaCT disallows these ● Direct assignment ● … FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Transforming to constant-time ● What to transform? ● How to transform? ● What not to transform? ● Evaluation FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Transforming control flow ● Conditional branches ● Early termination ● Function side effects FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Transform secret conditionals if (s) { x = 40; } else { x = 19; y = x + 2; } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Transform secret conditionals if (s) { x = 40; x = -s & 40 | (s-1) & x; } else { x = 19; y = x + 2; } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Transform secret conditionals if (s) { x = 40; x = -s & 40 | (s-1) & x; } else { x = (s-1) & 19 | -s & x; x = 19; y = x + 2; y = (s-1) & (x + 2) | -s & y; } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Secret returns are conditionals too if (s) { return 40; } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Secret returns are conditionals too if (s) { if (!done) { if (s) { rval = 40; return 40; done = true; } } } ... return rval; FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Secret returns are conditionals too if (s) { if (!done) { if (s) { rval = 40; return 40; done = true; } } } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Secret returns are conditionals too if (s) { if (!done) { if (s) { rval = 40; rval = (-s & (done-1)) & 40 | ... return 40; done = (-s & (done-1)) & true | ... done = true; } } } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Not all transformations are good ● May produce inefficient code ● May produce unsafe code FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Not all transformations are good ● May produce inefficient code ● May produce unsafe code Type system rejects such programs FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Inefficient transformations x = buffer[ secret_index ]; FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Inefficient transformations for (uint32 i from 0 to len buffer) { if (i == secret_index) { x = buffer[ secret_index ]; x = buffer[i]; } } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Inefficient transformations O(1) O(n) for (uint32 i from 0 to len buffer) { if (i == secret_index) { x = buffer[ secret_index ]; x = buffer[i]; } } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Inefficient transformations O(1) O(n) for (uint32 i from 0 to len buffer) { if (i == secret_index) { x = buffer[ secret_index ]; x = buffer[i]; } } Reject if transformation is inefficient FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Unsafe transformations if (j < secret_len) { x = arr[j]; } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Unsafe transformations x = -(j < secret_len) & arr[j] if (j < secret_len) { | ((j < secret_len)-1) & x; x = arr[j]; } FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Unsafe transformations x = -(j < secret_len) & arr[j] if (j < secret_len) { | ((j < secret_len)-1) & x; x = arr[j]; } What if j > len arr ? FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Unsafe transformations x = -(j < secret_len) & arr[j] if (j < secret_len) { | ((j < secret_len)-1) & x; x = arr[j]; } What if j > len arr ? Out of bounds access! FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Type system checks safety Check for out-of-bounds accesses Solve constraints using Z3 Path sensitive except secret branches Reject if transformation is unsafe FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Evaluating FaCT ● Can FaCT express real code? ● Is FaCT code as fast as C? ● Is FaCT more readable than C? FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Porting code to FaCT ● Rewrite the whole library ● Rewrite a function (and callees) ● Rewrite a chunk of code FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Porting code to FaCT ● Rewrite the whole library ● Rewrite a function (and callees) ● Rewrite a chunk of code FaCT obj .fact FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Porting code to FaCT ● Rewrite the whole library ● Rewrite a function (and callees) ● Rewrite a chunk of code FaCT obj .fact clang linker Final binary .c obj FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Porting code to FaCT ● Rewrite the whole library: donna curve25519 ● Rewrite a function (and callees): libsodium secretbox ● Rewrite a chunk of code: OpenSSL ssl3/TLS record verification FaCT obj .fact clang linker Final binary .c obj FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Porting code to FaCT ● Rewrite the whole library: donna curve25519 ● Rewrite a function (and callees): libsodium secretbox ● Rewrite a chunk of code: OpenSSL ssl3/TLS record verification Lines of code donna secretbox ssl3 TLS FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Real code needs escape hatches ● Declassify ○ ○ ● Assume ○ ○ ● Extern FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Real code needs escape hatches ● Declassify secrets to public ○ ○ ● Assume ○ ○ ● Extern FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Real code needs escape hatches ● Declassify secrets to public ○ secretbox: if (! declassify (crypto_verify(...)) return false; ○ ● Assume ○ ○ ● Extern FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Real code needs escape hatches ● Declassify secrets to public ○ secretbox: if (! declassify (crypto_verify(...)) return false; ○ TLS: b = pmac[ declassify (i)]; ● Assume ○ ○ ● Extern FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Real code needs escape hatches ● Declassify secrets to public ○ secretbox: if (! declassify (crypto_verify(...)) return false; ○ TLS: b = pmac[ declassify (i)]; ● Assume constraints for solver ○ ○ ● Extern FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

Real code needs escape hatches ● Declassify secrets to public ○ secretbox: if (! declassify (crypto_verify(...)) return false; ○ TLS: b = pmac[ declassify (i)]; ● Assume constraints for solver ○ Function preconditions ○ ● Extern FaCT: A DSL for Timing-Sensitive Computation PLDI 2019 Sunjay Cauligi

FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi , UC San - PowerPoint PPT Presentation

FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi , UC San Diego Gary Soeller, Brian Johannesmeyer, Fraser Brown, Riad Wahby, John Renner, Benjamin Gregoire, Gilles Barthe, Ranjit Jhala, Deian Stefan What does this code do? for (i =

FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi, Gary Soeller, Brian Johannesmeyer,

Structure of Talk Workload-sensitive Timing Behavior Anomaly Detection 1 Motivation in Large

Timing-Sensitive Information-Flow Security Danfeng Zhang , Yao Wang, G. Edward Suh and Andrew C.

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

Coherence Spaces for Resource-Sensitive Computation in Analysis K e i M a t s u mo t o

What solves this equation? Equation: n : if n = 0 then 1 else n 1 ) ? fact fact ( n

FaCT A Flexible, Constant-Time Sunjay Cauligi , Gary Soeller, Programming Language Fraser Brown,

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Constant-time programming in FaCT Sunjay Cauligi , UC San Diego Fraser Brown, Ranjit Jhala, Brian

Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed

Value-Sensitive Design Informatics 161: Group 2 Overview What is Value Sensitive Design

Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

FORMAL MODELING AND VERIFICATION FOR TIMING PREDICTABILITY Mathieu Jan, Mihail Asavoae, Belgacem

Top 5 Timing Closure Techniques Greg Daughtry Correct Timing Constraints Analyze Before

X-ray ray Timing and Timing and Polarizati Polarization on mi missi ssion & & inst

Timing and Coordination Essential Knowledge 2.E.2 and 2.E.3 Timing and Coordination Timing

Locality sensitive hashing for the edit distance Guillaume Marc ais, Dan DeBlasio, Prashant

A Highly Compressed Timing Macro-modeling Algorithm for Hierarchical and Incremental Timing

Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

Digital Design Discussion: RTL Storage Components Shift Register Timing Register File Timing

Timing Library Format (TLF) Advanced VLSI Design CMPE 414 Timing Library Format (TLF) TLF is an

Hiding the Input Size in Secure Two-Party Computation Yehuda Lindell , Kobbi Nissim, Claudio

Sensitive / Proprietary Sensitive / Proprietary Study Area Characteristics Four Bridge

FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi , UC San - PowerPoint PPT Presentation

FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi , UC San Diego Gary Soeller, Brian Johannesmeyer, Fraser Brown, Riad Wahby, John Renner, Benjamin Gregoire, Gilles Barthe, Ranjit Jhala, Deian Stefan What does this code do? for (i =

FaCT: A DSL for Timing-Sensitive Computation Sunjay Cauligi, Gary Soeller, Brian Johannesmeyer,

Structure of Talk Workload-sensitive Timing Behavior Anomaly Detection 1 Motivation in Large

Timing-Sensitive Information-Flow Security Danfeng Zhang , Yao Wang, G. Edward Suh and Andrew C.

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

Coherence Spaces for Resource-Sensitive Computation in Analysis K e i M a t s u mo t o

What solves this equation? Equation: n : if n = 0 then 1 else n 1 ) ? fact fact ( n

FaCT A Flexible, Constant-Time Sunjay Cauligi , Gary Soeller, Programming Language Fraser Brown,

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Constant-time programming in FaCT Sunjay Cauligi , UC San Diego Fraser Brown, Ranjit Jhala, Brian

Protecting Sensitive Data Implementation of a Sensitive Data Manager Recommendation Briefed

Value-Sensitive Design Informatics 161: Group 2 Overview What is Value Sensitive Design

Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

FORMAL MODELING AND VERIFICATION FOR TIMING PREDICTABILITY Mathieu Jan, Mihail Asavoae, Belgacem

Top 5 Timing Closure Techniques Greg Daughtry Correct Timing Constraints Analyze Before

X-ray ray Timing and Timing and Polarizati Polarization on mi missi ssion &amp; &amp; inst

Timing and Coordination Essential Knowledge 2.E.2 and 2.E.3 Timing and Coordination Timing

Locality sensitive hashing for the edit distance Guillaume Marc ais, Dan DeBlasio, Prashant

A Highly Compressed Timing Macro-modeling Algorithm for Hierarchical and Incremental Timing

Context Sensitive Solutions Context Context Sensitive Solutions (CSS) is a collaborative approach

Digital Design Discussion: RTL Storage Components Shift Register Timing Register File Timing

Timing Library Format (TLF) Advanced VLSI Design CMPE 414 Timing Library Format (TLF) TLF is an

Hiding the Input Size in Secure Two-Party Computation Yehuda Lindell , Kobbi Nissim, Claudio

Sensitive / Proprietary Sensitive / Proprietary Study Area Characteristics Four Bridge

X-ray ray Timing and Timing and Polarizati Polarization on mi missi ssion & & inst