Semi-Automated and Easily Interpretable Side-Channel Analysis for Modern JavaScript

Fayolle, Iliana; Wichelmann, Jan; Köhl, Anja; Rudametkin, Walter; Eisenbarth, Thomas; Maurice, Clémentine

Type de document :

Communication dans un congrès avec actes

Titre :

Semi-Automated and Easily Interpretable Side-Channel Analysis for Modern JavaScript

Auteur(s) :

Fayolle, Iliana [Auteur]
Self-adaptation for distributed services and large software systems [SPIRALS]
Wichelmann, Jan [Auteur]
Universität zu Lübeck = University of Lübeck [Lübeck]
Köhl, Anja [Auteur]
Universität zu Lübeck = University of Lübeck [Lübeck]
Rudametkin, Walter [Auteur]

Diversity-centric Software Engineering [DiverSe]
Eisenbarth, Thomas [Auteur]
Universität zu Lübeck = University of Lübeck [Lübeck]
Maurice, Clémentine [Auteur]
Self-adaptation for distributed services and large software systems [SPIRALS]

Titre de la manifestation scientifique :

CANS 2024 - 23rd International Conference on Cryptology And Network Security

Ville :

Cambridge

Pays :

Royaume-Uni

Date de début de la manifestation scientifique :

2024-09-24

Date de publication :

2024

Mot(s)-clé(s) en anglais :

Side channels
Vulnerabilities
Cryptography
Automated detection
Instrumentation
Constant Time

Discipline(s) HAL :

Informatique [cs]/Cryptographie et sécurité [cs.CR]

Résumé en anglais : [en]

Over the years, developers have become increasingly reliant on web technologies to build their applications, raising concerns about side-channel attacks, especially on cryptographic libraries. Despite the efforts of ...
Lire la suite >Over the years, developers have become increasingly reliant on web technologies to build their applications, raising concerns about side-channel attacks, especially on cryptographic libraries. Despite the efforts of researchers to ensure constant-time security by proposing tools and methods to find vulnerabilities, challenges remain due to inadequate tools and integration issues in development processes.We tackle the main limitations of state-of-the-art detection tools. While Microwalk is the first and, to the best of our knowledge, only tool to find side-channel vulnerabilities in JavaScript libraries, the instrumentation framework it relies on does not support modern JavaScript features. Moreover, and common to most state-of-the-art detection tools not aimed at JavaScript, writing tests is a tedious process due to the complexity of libraries, the lack of information about test coverage, and the rudimentary interpretability of the report. Furthermore, recent studies show that developers do not use these tools due to compatibility issues, poor usability, and a lack of integration into workflows.We extend Microwalk in several directions. First, we design a generic AST-level tracing technique that is tailored to source-based dynamic side-channel leakage analysis, providing support for the latest language features. Second, we bring semi-automation to Microwalk analysis templates, considerably reducing the manual effort necessary to integrate side-channel analyses into development workflows. Third, we are the first to combine leakage reporting with coverage visualization. We evaluate the new toolchain on a set of cryptographic libraries and show that it can quickly and comprehensively uncover more vulnerabilities while writing tests with half as many lines of code as the previous Microwalk version. By open sourcing our new tracer and analysis template, we hope to increase the adoption of automated side-channel leakage analyses in cryptographic library development.Lire moins >

Langue :

Anglais

Comité de lecture :

Oui

Audience :

Internationale

Vulgarisation :

Non

Projet ANR :

Fingerprinting et exploration des attaques et défenses sur CPU depuis des scripts web

Collections :

Centre de Recherche en Informatique, Signal et Automatique de Lille (CRIStAL) - UMR 9189

Source :

Harvested from HAL

Fichiers

document
Accès libre
Accéder au document

cans24_fayolle.pdf
Accès libre
Accéder au document

document
Accès libre
Accéder au document

cans24_fayolle.pdf
Accès libre
Accéder au document

Semi-Automated and Easily Interpretable ... BibTeX CSV Excel RIS

Fichiers

Semi-Automated and Easily Interpretable ...

BibTeX

CSV

Excel

RIS