Please use this identifier to cite or link to this item:
https://hdl.handle.net/2440/139484
Type: | Conference paper |
Title: | Spectre Declassified: Reading from the Right Place at the Wrong Time |
Author: | Shivakumar, B.A.; Barnes, J.; Barthe, G.; Cauligi, S.; Chuengsatiansup, C.; Genkin, D.; O'Connell, S.; Schwabe, P.; Sim, R.Q.; Yarom, Y. |
Citation: | Proceedings / IEEE Symposium on Security and Privacy; sponsored by IEEE Computer Society, IEEE Computer Society Technical Committee on Security and Privacy in cooperation with the International Association for Cryptologic Research (IARC..., 2023, vol.2023-May, pp.1753-1770 |
Publisher: | IEEE |
Publisher Place: | Online |
Issue Date: | 2023 |
Series/Report no.: | IEEE Symposium on Security and Privacy |
ISBN: | 9781665493369 |
ISSN: | 1081-6011 |
Conference Name: | IEEE Symposium on Security and Privacy (SP) (21 May 2023 - 25 May 2023 : San Francisco, CA, USA) |
Statement of Responsibility: | Basavesh Ammanaghatta Shivakumar, Jack Barnes, Gilles Barthe, Sunjay Cauligi, Chitchanok Chuengsatiansup, Daniel Genkin, Sioli O'Connell, Peter Schwabe, Rui Qi Sim, Yuval Yarom |
Abstract: | Practical information-flow programming languages commonly allow controlled leakage via a declassify construct—programmers can use this construct to declare intentional leakage. For instance, cryptographic signatures and ciphertexts, which are computed from private keys, are viewed as secret by information-flow analyses. Cryptographic libraries can use declassify to make this data public, as it is no longer sensitive. In this paper, we study the interaction between speculative execution and declassification. We show that speculative execution leads to unintended leakage from declassification sites. Concretely, we present a PoC that recovers keys from AES implementations. Our PoC is an instance of a Spectre attack, and remains effective even when programs are compiled with speculative load hardening (SLH), a widespread compiler-based countermeasure against Spectre. We develop formal countermeasures against these attacks, including a significant improvement to SLH we term selective speculative load hardening (selSLH). These countermeasures soundly enforce relative non-interference (RNI): Informally, the speculative leakage of a protected program is limited to the existing sequential leakage of the original program. We implement our simplest countermeasure in the FaCT language and compiler—which is designed specifically for high-assurance cryptography—and we see performance overheads of at most 10%. Finally, although we do not directly implement selSLH, our preliminary evaluation suggests a significant reduction in performance cost for cryptographic functions as compared to traditional SLH. |
Keywords: | spectre; cryptography; side-channels; declassification |
Rights: | © 2023, Basavesh Ammanaghatta Shivakumar. Under license to IEEE. |
DOI: | 10.1109/SP46215.2023.10179355 |
Grant ID: | http://purl.org/au-research/grants/arc/DE200101577 http://purl.org/au-research/grants/arc/DP210102670 |
Published version: | http://dx.doi.org/10.1109/sp46215.2023.10179355 |
Appears in Collections: | Computer Science publications |
Files in This Item:
There are no files associated with this item.