Breaking Bad: How Compilers Break Constant-Time~Implementations

Abstract: The implementations of most hardened cryptographic libraries use defensive programming techniques for side-channel resistance. These techniques are usually specified as guidelines to developers on specific code patterns to use or avoid. Examples include performing arithmetic operations to choose between two variables instead of executing a secret-dependent branch. However, such techniques are only meaningful if they persist across compilation. In this paper, we investigate how optimizations used by modern compilers break the protections introduced by defensive programming techniques. Specifically, how compilers break high-level constant-time implementations used to mitigate timing side-channel attacks. We run a large-scale experiment to see if such compiler-induced issues manifest in state-of-the-art cryptographic libraries. We develop a tool that can profile virtually any architecture, and we use it to run trace-based dynamic analysis on 44,604 different targets. Particularly, we focus on the most widely deployed cryptographic libraries, which aim to provide side-channel resistance. We are able to evaluate whether their claims hold across various CPU architectures, including x86-64, x86-i386, armv7, aarch64, RISC-V, and MIPS-32. Our large-scale study reveals that several compiler-induced secret-dependent operations occur within some of the most highly regarded hardened cryptographic libraries. To the best of our knowledge, such findings represent the first time these issues have been observed in the wild. One of the key takeaways of this paper is that the state-of-the-art defensive programming techniques employed for side-channel resistance are still inadequate, incomplete, and bound to fail when paired with the optimizations that compilers continuously introduce.

• The paper demonstrates that aggressive compiler optimizations can break constant-time implementations, reintroducing timing side-channel vulnerabilities.
• Researchers analyzed 44,604 targets across architectures, uncovering secret-dependent operations in well-known cryptographic libraries.
• The study advocates for continuous testing and closer collaboration between developers and compiler designers to enhance defensive coding techniques.

Overview of Compiler-Induced Vulnerabilities in Cryptographic Libraries

The paper "Breaking Bad: How Compilers Break Constant-Time Implementations" by Schneider et al. investigates the robustness of defensive programming techniques in cryptographic libraries against compiler optimizations that may reintroduce side-channel vulnerabilities, particularly focusing on constant-time implementations.

Context and Problem Statement

Cryptographic libraries employ defensive programming techniques, such as constant-time programming, to mitigate timing side-channel attacks. These techniques aim to eliminate secret-dependent operations, thereby reducing vulnerability to side-channel attacks. However, the efficacy of these techniques is contingent upon the compiler preserving them. This study specifically examines the extent to which modern compiler optimizations disrupt these constant-time properties in popular cryptographic libraries.

Methodology

This research conducted a large-scale analysis using a dynamic analysis tool capable of profiling 44,604 targets across various architectures—x86-64, x86-i386, armv7, aarch64, RISC-V, and MIPS-32. The tool detects secret-dependent control-flow decisions and memory accesses, which are indicative of potential side-channel vulnerabilities. Cryptographic libraries evaluated include OpenSSL, Libsodium, HACL*, BearSSL, and several others.

Findings

1. Prevalence of Issues Across Architectures: The study found that less popular architectures like MIPS, RISC-V, and x86-i386 were more affected by compiler-induced vulnerabilities compared to more mainstream architectures like x86-64.
2. Influence of Compiler Optimizations: Compiler versions and optimization levels significantly impact the introduction of secret-dependent operations. Aggressive optimization levels in recent compilers notably increased the likelihood of these issues.
3. Case Studies:
   • HACL*'s secp256: Compiler optimizations substituted bit-mask operations with branches, reintroducing secret-dependent control flow.
   • Botan's GHASH: Arithmetic simplifications resulted in exploitable branches.
   • BearSSL's Modular Exponentiation: Instructions were optimized into conditional moves and loads, leading to secret-dependent memory accesses.

Implications

The results highlight that currently employed defensive programming techniques are not always sufficient to ensure side-channel resistance. The fragile nature of these implementations suggests that robustness can vary greatly with compiler updates, architecture specifics, and optimization levels.

Recommendations for Future Work

1. Improved Testing and Certification: Continuous testing across architectures and compiler versions is crucial. Tools like the one developed in this study are vital for identifying vulnerabilities before deployment. Formal verification or certification of binaries could also mitigate these issues.
2. Collaboration Between Developers and Compiler Designers: Cryptographic library developers should engage with compiler communities to ensure dangerous optimizations do not compromise security objectives.
3. Enhancing Defensive Coding Techniques: Research into more resilient defensive programming practices that are less prone to compiler disruptions is necessary. This could involve the development of languages or compiler extensions that maintain constant-time properties by design.

Conclusion

This comprehensive study underscores the potential for modern compiler optimizations to undermine defensive programming techniques critical for side-channel attack mitigation in cryptographic libraries. The findings advocate for heightened awareness and adaptation strategies to preserve the integrity and security of cryptographic implementations across diverse computing environments.