Volume 28, Issue 1


SPIDER: Speeding up Side-Channel Vulnerability Detection via Test Suite Reduction

Authors: Fei Yan, Rushan Wu, Liqiang Zhang, Yue Cao

Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China

Abstract

Side-channel attacks allow adversaries to infer sensitive information, such as cryptographic keys or private user data, by monitoring unintentional information leaks of running programs. Prior side-channel detection methods can identify numerous potential vulnerabilities in cryptographic implementations from a small number of execution traces, because secret inputs diffuse strongly through crypto primitives. However, because non-cryptographic programs cover different paths under various sensitive inputs, extending existing tools for identifying information leaks to non-cryptographic applications suffers from either insufficient path coverage or redundant testing. To address these limitations, we propose a new dynamic analysis framework named SPIDER that uses fuzzing, execution profiling, and clustering to obtain high path coverage and test suite reduction, which in turn speeds up the dynamic analysis for side-channel vulnerability detection in non-cryptographic programs. We analyze eight non-cryptographic programs and ten cryptographic algorithms under SPIDER in a fully automated way, and our results confirm the effectiveness of test suite reduction and the vulnerability detection accuracy of the whole framework.

Keywords: dynamic analysis, side-channel detection, test suite reduction
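The abstract describes the SPIDER pipeline only at a high level: fuzz the target to collect inputs, profile the path each input takes, cluster inputs whose profiles are near-duplicates so that one representative per cluster survives, and only then run the comparatively expensive side-channel check on the reduced suite. The Python below is an added illustration of that idea and is not the SPIDER authors' code. The toy target routine, the stand-in fuzzer corpus, the basic-block-set profile, the Jaccard distance with single-linkage clustering, and the differential trace check are all constructed assumptions chosen to make the mechanism visible; the paper's actual profiler, distance metric and detector are not described on this page.

```python
"""Toy profile -> cluster -> reduce -> detect pipeline (added example;
not the SPIDER authors' code).  Everything here is constructed: the
target routine, the fuzzer corpus, the block-set profile, the
Jaccard/single-linkage clustering and the differential trace check."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed secret-indexed table; its index is what a cache observer sees.
LOOKUP = [(i * 7) & 0xFF for i in range(256)]


def run_target(secret: bytes) -> Tuple[FrozenSet[int], List[Tuple[str, int]]]:
    """Run a toy non-cryptographic routine (a digit counter) on one
    sensitive input.  Returns the path profile (set of basic-block ids hit,
    what an execution profiler collects) and the access trace (a list of
    (site, observed value) pairs, what a side-channel monitor records)."""
    blocks: Set[int] = set()
    trace: List[Tuple[str, int]] = []
    digits = 0
    for pos, b in enumerate(secret):
        blocks.add(0)                               # loop header
        if 0x30 <= b <= 0x39:                       # '0'..'9'
            blocks.add(1)
            trace.append((f"br@{pos}", 1))          # branch outcome
            trace.append((f"ld@{pos}", LOOKUP[b]))  # secret-indexed load
            digits += 1
        elif b == 0x20:                             # space
            blocks.add(2)
            trace.append((f"br@{pos}", 2))
        else:
            blocks.add(3)
            trace.append((f"br@{pos}", 3))
    blocks.add(4 if digits > 3 else 5)              # final threshold check
    return frozenset(blocks), trace


def jaccard_distance(a: FrozenSet[int], b: FrozenSet[int]) -> float:
    """1 - |a & b| / |a | b|: 0 for identical paths, 1 for disjoint ones."""
    union = a | b
    return 0.0 if not union else 1.0 - len(a & b) / len(union)


def cluster_profiles(profiles: List[FrozenSet[int]], threshold: float) -> List[List[int]]:
    """Single-linkage agglomerative clustering cut at `threshold`: two inputs
    share a cluster if a chain of profiles, each within `threshold` of the
    next, connects them.  Returns index groups ordered by first member."""
    parent = list(range(len(profiles)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]           # path halving
            i = parent[i]
        return i

    for i in range(len(profiles)):
        for j in range(i + 1, len(profiles)):
            if jaccard_distance(profiles[i], profiles[j]) <= threshold:
                parent[find(i)] = find(j)
    groups: Dict[int, List[int]] = defaultdict(list)
    for i in range(len(profiles)):
        groups[find(i)].append(i)
    return sorted(groups.values())


def reduce_suite(inputs: List[bytes], threshold: float = 0.0) -> List[bytes]:
    """Keep the first input of every cluster as that cluster's representative."""
    profiles = [run_target(s)[0] for s in inputs]
    return [inputs[g[0]] for g in cluster_profiles(profiles, threshold)]


def detect_leaks(inputs: List[bytes]) -> Dict[str, Set[int]]:
    """Differential check over the (reduced) suite: a site whose observed
    value changes with the secret is secret-dependent.  'br@' sites are
    control-flow leaks, 'ld@' sites are data-address leaks."""
    observed: Dict[str, Set[int]] = defaultdict(set)
    for s in inputs:
        for site, value in run_target(s)[1]:
            observed[site].add(value)
    return {site: vals for site, vals in observed.items() if len(vals) > 1}


# Constructed stand-in for a fuzzer's output queue.
FUZZ_CORPUS = [
    b"1234", b"5678", b"9012",   # all digits, more than 3 -> blocks {0,1,4}
    b"12 4", b"98 7",            # digits and a space      -> {0,1,2,5}
    b"ab12", b"xy99",            # letters and digits      -> {0,1,3,5}
    b"123",                      # digits only, exactly 3  -> {0,1,5}
]

if __name__ == "__main__":
    reduced = reduce_suite(FUZZ_CORPUS)
    print(f"{len(FUZZ_CORPUS)} fuzzed inputs -> {len(reduced)} representatives: {reduced}")
    for site, vals in sorted(detect_leaks(reduced).items()):
        print(f"secret-dependent site {site}: observed {sorted(vals)}")
```

With the exact-match threshold of 0.0 the eight constructed inputs collapse to four representatives, one per distinct block set; raising the threshold to 0.3 lets single linkage chain the three short-path profiles together and leaves two. The detector then only has to execute the representatives, and it still reports the secret-indexed loads at `ld@2` and `ld@3` and the secret-dependent branches, while sites whose observed value never varies (such as `ld@0`, where every representative loads the same table entry) are not flagged. The trade-off the threshold controls is the one the abstract names: a higher threshold reduces the suite further but risks dropping an input that exercises a leaking path no representative covers.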


Publication history

Received: 01 October 2021
Accepted: 13 October 2021
Published: 21 July 2022
Issue date: February 2023

Copyright

© The author(s) 2023.

Acknowledgements

This work was supported in part by the National Natural Science Foundation of China (Nos. 61272452 and 61872430), the National Key Basic Research and Development (973) Program of China (No. 2014CB340601), the Key R&D Program of Hubei Province (No. 2020BAA003), and the Prospective Applied Research Program of Suzhou City (No. SYG201845).

Rights and permissions

The articles published in this open access journal are distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/).
