Constant-Time Wasmtime, for Real This Time: End-to-End Verified Zero-Overhead Constant-Time Programming for the Web and Beyond (2311.14246v1)

Published 24 Nov 2023 in cs.CR

Abstract: We claim that existing techniques and tools for generating and verifying constant-time code are incomplete, since they rely on assumptions that compiler optimization passes do not break constant-timeness or that certain operations execute in constant time on the hardware. We present the first end-to-end constant-time-aware compilation process that preserves constant-time semantics at every step from a high-level language down to microarchitectural guarantees, provided by the forthcoming ARM PSTATE.DIT feature. First, we present a new compiler-verifier suite based on the JIT-style runtime Wasmtime, modified to compile ct-wasm, a preexisting type-safe constant-time extension of WebAssembly, into ARM machine code while maintaining the constant-time property throughout all optimization passes. The resulting machine code is then fed into an automated verifier that requires no human intervention and uses static dataflow analysis in Ghidra to check the constant-timeness of the output. Our verifier leverages characteristics unique to ct-wasm-generated code in order to speed up verification while preserving both soundness and wide applicability. We also consider the resistance of our compilation and verification against speculative timing leakages such as Spectre. Finally, in order to expose ct-Wasmtime at a high level, we present a port of FaCT, a preexisting constant-time-aware DSL, to target ct-wasm.
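As an added illustration of the policy such a verifier enforces (example code written for this page, not the paper's or Wasmtime's own): a small taint-tracking pass over a constructed three-address IR that flags secret-dependent branches, secret-dependent memory addresses, secret operands to variable-latency instructions, and secret values stored to public memory. The IR shapes, register names, the split secret/public memory model and both sample programs are assumptions made for illustration.

```python
VARIABLE_TIME = {"div"}   # assumed operand-dependent latency

def check_constant_time(program, secret_regs=()):
    """Taint-track secrets through a constructed 3-address IR; return [(index, reason)].
    Shapes: (op, dst, a, b) | ("const", dst, imm) | ("load", dst, mem, addr)
            | ("store", mem, addr, val) | ("br", cond); mem is "secret" or "public"."""
    tainted, violations = set(secret_regs), []
    for i, (op, *args) in enumerate(program):
        if op == "const":
            tainted.discard(args[0])
        elif op in ("load", "store"):
            mem, addr = (args[1], args[2]) if op == "load" else (args[0], args[1])
            if addr in tainted:
                violations.append((i, "secret-dependent memory address"))
            if op == "load":
                (tainted.add if mem == "secret" else tainted.discard)(args[0])
            elif mem == "public" and args[2] in tainted:
                violations.append((i, "secret value stored to public memory"))
        elif op == "br":
            if args[0] in tainted:
                violations.append((i, "secret-dependent branch"))
        else:                                   # arithmetic: (op, dst, *srcs)
            dst, *srcs = args
            if any(s in tainted for s in srcs):
                if op in VARIABLE_TIME:
                    violations.append((i, f"secret operand to variable-time '{op}'"))
                tainted.add(dst)
            else:
                tainted.discard(dst)
    return violations
# Constructed sample: branchy equality test against a secret word.
LEAKY = [
    ("load", "r0", "secret", "r10"),   # r0 = secret_mem[r10]
    ("load", "r1", "public", "r11"),   # r1 = public_mem[r11]
    ("sub", "r2", "r0", "r1"),
    ("br", "r2"),                      # early exit on mismatch: timing leak
    ("load", "r3", "public", "r0"),    # table indexed by the secret: cache leak
]
# Constructed sample: same test folded into a mask, no secret-dependent control flow.
CT = [
    ("load", "r0", "secret", "r10"), ("load", "r1", "public", "r11"),
    ("const", "r12", 0), ("const", "r13", 31), ("const", "r14", 1),
    ("xor", "r2", "r0", "r1"),         # zero iff equal
    ("sub", "r3", "r12", "r2"),        # -(r0 ^ r1)
    ("or", "r4", "r2", "r3"),          # top bit set iff not equal
    ("shr", "r5", "r4", "r13"),        # 1 iff not equal (logical shift)
    ("xor", "r6", "r5", "r14"),        # 1 iff equal
    ("store", "secret", "r15", "r6"),  # result stays in secret memory
]
```

Running the checker on `LEAKY` reports the branch and the secret-indexed load; on `CT` it reports nothing, which is the property the paper's verifier establishes over real ct-wasm output rather than this toy IR.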
