A Systematic Evaluation of Automated Tools ...
Document type :
Communication dans un congrès avec actes
DOI :
Title :
A Systematic Evaluation of Automated Tools for Side-Channel Vulnerabilities Detection in Cryptographic Libraries
Author(s) :
Geimer, Antoine [Auteur]
Self-adaptation for distributed services and large software systems [SPIRALS]
Analyse sémantique et compilation pour la sécurité des environnements d'exécution [EPICURE]
Vergnolle, Mathéo [Auteur]
Département Ingénierie Logiciels et Systèmes [DILS (CEA, LIST)]
Recoules, Frédéric [Auteur]
Département Ingénierie Logiciels et Systèmes [DILS (CEA, LIST)]
Daniel, Lesly-Ann [Auteur]
Distributed Systems and Computer Networks [DistriNet]
Bardin, Sébastien [Auteur]
Département Ingénierie Logiciels et Systèmes [DILS (CEA, LIST)]
Maurice, Clementine [Auteur]
Self-adaptation for distributed services and large software systems [SPIRALS]
Self-adaptation for distributed services and large software systems [SPIRALS]
Analyse sémantique et compilation pour la sécurité des environnements d'exécution [EPICURE]
Vergnolle, Mathéo [Auteur]
Département Ingénierie Logiciels et Systèmes [DILS (CEA, LIST)]
Recoules, Frédéric [Auteur]
Département Ingénierie Logiciels et Systèmes [DILS (CEA, LIST)]
Daniel, Lesly-Ann [Auteur]
Distributed Systems and Computer Networks [DistriNet]
Bardin, Sébastien [Auteur]
Département Ingénierie Logiciels et Systèmes [DILS (CEA, LIST)]
Maurice, Clementine [Auteur]
![refId](/themes/Mirage2//images/idref.png)
Self-adaptation for distributed services and large software systems [SPIRALS]
Conference title :
CCS 2023 - ACM SIGSAC Conference on Computer and Communications Security
City :
Copenhagen
Country :
Danemark
Start date of the conference :
2023-11-26
Publisher :
ACM
Publication date :
2024
HAL domain(s) :
Informatique [cs]/Cryptographie et sécurité [cs.CR]
English abstract : [en]
To protect cryptographic implementations from side-channel vulnerabilities, developers must adopt constant-time programming practices. As these can be error-prone, many side-channel detection tools have been proposed. ...
Show more >To protect cryptographic implementations from side-channel vulnerabilities, developers must adopt constant-time programming practices. As these can be error-prone, many side-channel detection tools have been proposed. Despite this, such vulnerabilities are still manually found in cryptographic libraries. While a recent paper by Jancar et al. shows that developers rarely perform side-channel detection, it is unclear if existing detection tools could have found these vulnerabilities in the first place. To answer this question we surveyed the literature to build a classification of 34 side-channel detection frameworks. The classification we offer compares multiple criteria, including the methods used, the scalability of the analysis or the threat model considered. We then built a unified common benchmark of representative cryptographic operations on a selection of 5 promising detection tools. This benchmark allows us to better compare the capabilities of each tool, and the scalability of their analysis. Additionally, we offer a classification of recently published side-channel vulnerabilities. We then test each of the selected tools on benchmarks reproducing a subset of these vulnerabilities as well as the context in which they appear. We find that existing tools can struggle to find vulnerabilities for a variety of reasons, mainly the lack of support for SIMD instructions, implicit flows, and internal secret generation. Based on our findings, we develop a set of recommendations for the research community and cryptographic library developers, with the goal to improve the effectiveness of side-channel detection tools.Show less >
Show more >To protect cryptographic implementations from side-channel vulnerabilities, developers must adopt constant-time programming practices. As these can be error-prone, many side-channel detection tools have been proposed. Despite this, such vulnerabilities are still manually found in cryptographic libraries. While a recent paper by Jancar et al. shows that developers rarely perform side-channel detection, it is unclear if existing detection tools could have found these vulnerabilities in the first place. To answer this question we surveyed the literature to build a classification of 34 side-channel detection frameworks. The classification we offer compares multiple criteria, including the methods used, the scalability of the analysis or the threat model considered. We then built a unified common benchmark of representative cryptographic operations on a selection of 5 promising detection tools. This benchmark allows us to better compare the capabilities of each tool, and the scalability of their analysis. Additionally, we offer a classification of recently published side-channel vulnerabilities. We then test each of the selected tools on benchmarks reproducing a subset of these vulnerabilities as well as the context in which they appear. We find that existing tools can struggle to find vulnerabilities for a variety of reasons, mainly the lack of support for SIMD instructions, implicit flows, and internal secret generation. Based on our findings, we develop a set of recommendations for the research community and cryptographic library developers, with the goal to improve the effectiveness of side-channel detection tools.Show less >
Language :
Anglais
Peer reviewed article :
Oui
Audience :
Internationale
Popular science :
Non
ANR Project :
Collections :
Source :
Files
- document
- Open access
- Access the document
- ccs23_geimer.pdf
- Open access
- Access the document