Document type:
Conference paper with proceedings
DOI:
Title:
A Systematic Evaluation of Automated Tools for Side-Channel Vulnerabilities Detection in Cryptographic Libraries
Author(s):
Geimer, Antoine [Author]
Self-adaptation for distributed services and large software systems [SPIRALS]
Analyse sémantique et compilation pour la sécurité des environnements d'exécution [EPICURE]
Vergnolle, Mathéo [Author]
Département Ingénierie Logiciels et Systèmes [DILS (CEA, LIST)]
Recoules, Frédéric [Author]
Département Ingénierie Logiciels et Systèmes [DILS (CEA, LIST)]
Daniel, Lesly-Ann [Author]
Distributed Systems and Computer Networks [DistriNet]
Bardin, Sébastien [Author]
Département Ingénierie Logiciels et Systèmes [DILS (CEA, LIST)]
Maurice, Clementine [Author]
Self-adaptation for distributed services and large software systems [SPIRALS]
Conference title:
CCS 2023 - ACM SIGSAC Conference on Computer and Communications Security
City:
Copenhagen
Country:
Denmark
Conference start date:
2023-11-26
Publisher:
ACM
Publication date:
2024
HAL discipline(s):
Computer Science [cs]/Cryptography and Security [cs.CR]
English abstract: [en]
To protect cryptographic implementations from side-channel vulnerabilities, developers must adopt constant-time programming practices. As these can be error-prone, many side-channel detection tools have been proposed. Despite this, such vulnerabilities are still manually found in cryptographic libraries. While a recent paper by Jancar et al. shows that developers rarely perform side-channel detection, it is unclear if existing detection tools could have found these vulnerabilities in the first place. To answer this question we surveyed the literature to build a classification of 34 side-channel detection frameworks. The classification we offer compares multiple criteria, including the methods used, the scalability of the analysis or the threat model considered. We then built a unified common benchmark of representative cryptographic operations on a selection of 5 promising detection tools. This benchmark allows us to better compare the capabilities of each tool, and the scalability of their analysis. Additionally, we offer a classification of recently published side-channel vulnerabilities. We then test each of the selected tools on benchmarks reproducing a subset of these vulnerabilities as well as the context in which they appear. We find that existing tools can struggle to find vulnerabilities for a variety of reasons, mainly the lack of support for SIMD instructions, implicit flows, and internal secret generation. Based on our findings, we develop a set of recommendations for the research community and cryptographic library developers, with the goal to improve the effectiveness of side-channel detection tools.
Language:
English
Peer reviewed:
Yes
Audience:
International
Popular science:
No
ANR project:
Collections:
Source:
Files
- document
- Open access
- ccs23_geimer.pdf
- Open access