Testing side-channel security of cryptographic implementations against future microarchitectures (2402.00641v1)

Published 1 Feb 2024 in cs.CR

Abstract: How will future microarchitectures impact the security of existing cryptographic implementations? As we cannot keep reducing the size of transistors, chip vendors have started developing new microarchitectural optimizations to speed up computation. A recent study (Sanchez Vicarte et al., ISCA 2021) suggests that these optimizations might open the Pandora's box of microarchitectural attacks. However, there is little guidance on how to evaluate the security impact of future optimization proposals. To help chip vendors explore the impact of microarchitectural optimizations on cryptographic implementations, we develop (i) an expressive domain-specific language, called LmSpec, that allows them to specify the leakage model for the given optimization and (ii) a testing framework, called LmTest, to automatically detect leaks under the specified leakage model within the given implementation. Using this framework, we conduct an empirical study of 18 proposed microarchitectural optimizations on 25 implementations of eight cryptographic primitives in five popular libraries. We find that every implementation would contain secret-dependent leaks, sometimes sufficient to recover a victim's secret key, if these optimizations were realized. Ironically, some leaks are possible only because of coding idioms used to prevent leaks under the standard constant-time model.

Citations (4)

Summary

  • The paper introduces a framework with LmSpec and LmTest to preemptively test cryptographic side-channel vulnerabilities.
  • It evaluates 25 crypto implementations across 5 libraries under 18 proposed microarchitectural optimizations, revealing secret-dependent leaks.
  • The study underscores the need for proactive collaboration between hardware designers and software developers to safeguard constant-time security.

Overview of the Paper

The paper "Testing Side-Channel Security of Cryptographic Implementations Against Future Microarchitectures" explores the implications of potential microarchitectural optimizations on the security of cryptographic implementations. As transistor miniaturization approaches its physical limits, chip manufacturers are increasingly relying on microarchitectural optimizations to boost computational performance. These innovations, however, risk exposing systems to microarchitectural attacks such as side-channel attacks. This paper presents methodologies to preemptively evaluate the security impacts of such potential optimizations.

Core Contributions

The authors propose a framework that includes a domain-specific language named LmSpec and an accompanying automated testing framework, LmTest. The two main components of the framework are:

  1. LmSpec: This expressive language enables users to specify leakage models associated with different microarchitectural optimizations. It allows for the encapsulation of potential side-channel vulnerabilities as they relate to specified architectural changes.
  2. LmTest: This testing framework consumes LmSpec leakage models and checks cryptographic implementations for leaks under them. It works by executing real implementations against the user-defined leakage models and reporting secret-dependent differences, so that vulnerabilities can be predicted before the optimization is built.

Empirical Study

To demonstrate the utility and potency of their approach, the authors conduct an empirical study evaluating the impact of 18 proposed microarchitectural optimizations on 25 cryptographic implementations spread across five cryptographic libraries. The study confirms the presence of secret-dependent leaks in every implementation under at least some of the optimization models. Some of these leaks are significant enough to potentially allow recovery of secret keys.

Results and Implications

A comprehensive result of the paper is that cryptographic implementations, even when designed with security in mind using known leak-mitigation techniques like constant-time operations, can become vulnerable if new microarchitectural optimizations are adopted. Such optimizations might include the suppression of silent stores, register file compression, and computation reuse.

Additionally, the paper shows that the framework can pinpoint leaks that defeat traditional constant-time programming - ironically, in some cases, introduced by the very coding idioms used to prevent leaks under the standard constant-time model. This highlights that preemptive assessment of architectural changes is crucial for maintaining cryptographic security.
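The following added example (not the paper's LmSpec/LmTest code) illustrates the leakage-model idea from the two paragraphs above with one of the named optimizations, silent-store suppression: a constant-time conditional copy that always writes every byte is leak-free under the standard constant-time model, yet reveals the secret bit once an observer can tell which stores were silent. The memory class, model functions and `cond_copy` are hypothetical constructions for this illustration.

```python
"""Toy leakage-model tester in the spirit of LmSpec/LmTest (added example, not the paper's code)."""


class TracedMemory:
    """Byte array whose stores are observed through a pluggable leakage model."""

    def __init__(self, data, model):
        self.mem = list(data)
        self.model = model
        self.trace = []  # what an attacker observes, one entry per store

    def load(self, i):
        return self.mem[i]

    def store(self, i, v):
        # The leakage model decides what this store reveals to an observer.
        self.trace.append(self.model(i, self.mem[i], v))
        self.mem[i] = v


# Leakage models, expressed as "what does a store reveal?"
def ct_model(addr, old, new):
    # Standard constant-time model: only the address of the store is observable.
    return ("store", addr)


def silent_store_model(addr, old, new):
    # Silent-store suppression: a store of the value already in memory is
    # dropped by the hardware, so *whether* the store was silent becomes observable.
    return ("store", addr, old == new)


def cond_copy(mem, src, bit):
    """Constant-time conditional copy: writes every byte regardless of the secret bit."""
    mask = (-bit) & 0xFF  # 0xFF if bit == 1, 0x00 if bit == 0, without branching
    for i in range(len(src)):
        mem.store(i, (src[i] & mask) | (mem.load(i) & ~mask & 0xFF))


def trace(model, bit, dst=(0, 0, 0, 0), src=(9, 8, 7, 6)):
    """Run cond_copy on constructed sample data and return the observed trace."""
    mem = TracedMemory(dst, model)
    cond_copy(mem, list(src), bit)
    return mem.trace


def leaks(model, secret_a=0, secret_b=1):
    """True if the two secret bits produce distinguishable traces under this model."""
    return trace(model, secret_a) != trace(model, secret_b)
```

Under `ct_model` both secret bits yield identical traces, while under `silent_store_model` the bit-0 run consists entirely of silent stores and the bit-1 run of non-silent ones, which is exactly the kind of secret-dependent difference LmTest is designed to flag.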

Future Outlook

The implications of this research are significant, advocating for an approach in which potential threats are identified and addressed proactively during the design phase of new architectures. One critical outlook presented by the paper is the emerging need for holistic cooperation between hardware designers and software developers to anticipate and mitigate potential vulnerabilities. This could further influence the development of new cryptographic standards specifically tailored to withstand future microarchitectural challenges.

Conclusion

This work emphasizes the necessity of testing frameworks like LmSpec and LmTest in the evolving landscape of microarchitecture as a preventive tool against unforeseen vulnerabilities. It nudges industry and academia toward developing proactive methodologies and reminds us that software security must continuously adapt in the face of advancing hardware technologies. The proposed framework is thus positioned as a valuable research tool to test and fortify cryptographic implementations against speculative and emerging architectural threats. This paves the way for robust cryptographic systems equipped to meet the demands and challenges of future technological landscapes.