Spectre Declassified: Reading from the Right Place at the Wrong Time

2023 IEEE Symposium on Security and Privacy (SP) Pub Date : 2023-05-01 DOI:10.1109/SP46215.2023.10179355

B. Shivakumar, J. Barnes, G. Barthe, S. Cauligi, C. Chuengsatiansup, Daniel Genkin, Sioli O'Connell, P. Schwabe, Rui Qi Sim, Y. Yarom

{"title":"Spectre Declassified: Reading from the Right Place at the Wrong Time","authors":"B. Shivakumar, J. Barnes, G. Barthe, S. Cauligi, C. Chuengsatiansup, Daniel Genkin, Sioli O'Connell, P. Schwabe, Rui Qi Sim, Y. Yarom","doi":"10.1109/SP46215.2023.10179355","DOIUrl":null,"url":null,"abstract":"Practical information-flow programming languages commonly allow controlled leakage via a declassify construct—programmers can use this construct to declare intentional leakage. For instance, cryptographic signatures and ciphertexts, which are computed from private keys, are viewed as secret by information-flow analyses. Cryptographic libraries can use declassify to make this data public, as it is no longer sensitive.In this paper, we study the interaction between speculative execution and declassification. We show that speculative execution leads to unintended leakage from declassification sites. Concretely, we present a PoC that recovers keys from AES implementations. Our PoC is an instance of a Spectre attack, and remains effective even when programs are compiled with speculative load hardening (SLH), a widespread compiler-based countermeasure against Spectre. We develop formal countermeasures against these attacks, including a significant improvement to SLH we term selective speculative load hardening (selSLH). These countermeasures soundly enforce relative non-interference (RNI): Informally, the speculative leakage of a protected program is limited to the existing sequential leakage of the original program. We implement our simplest countermeasure in the FaCT language and compiler—which is designed specifically for high-assurance cryptography—and we see performance overheads of at most 10%. Finally, although we do not directly implement selSLH, our preliminary evaluation suggests a significant reduction in performance cost for cryptographic functions as compared to traditional SLH.","PeriodicalId":439989,"journal":{"name":"2023 IEEE Symposium on Security and Privacy (SP)","volume":"362 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP46215.2023.10179355","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 7

Abstract

Practical information-flow programming languages commonly allow controlled leakage via a declassify construct—programmers can use this construct to declare intentional leakage. For instance, cryptographic signatures and ciphertexts, which are computed from private keys, are viewed as secret by information-flow analyses. Cryptographic libraries can use declassify to make this data public, as it is no longer sensitive.In this paper, we study the interaction between speculative execution and declassification. We show that speculative execution leads to unintended leakage from declassification sites. Concretely, we present a PoC that recovers keys from AES implementations. Our PoC is an instance of a Spectre attack, and remains effective even when programs are compiled with speculative load hardening (SLH), a widespread compiler-based countermeasure against Spectre. We develop formal countermeasures against these attacks, including a significant improvement to SLH we term selective speculative load hardening (selSLH). These countermeasures soundly enforce relative non-interference (RNI): Informally, the speculative leakage of a protected program is limited to the existing sequential leakage of the original program. We implement our simplest countermeasure in the FaCT language and compiler—which is designed specifically for high-assurance cryptography—and we see performance overheads of at most 10%. Finally, although we do not directly implement selSLH, our preliminary evaluation suggests a significant reduction in performance cost for cryptographic functions as compared to traditional SLH.

查看原文本刊更多论文

幽灵党解密:在错误的时间从正确的地方阅读

实用的信息流编程语言通常允许通过解密构造控制泄漏——程序员可以使用该构造声明有意泄漏。例如，从私钥中计算出的加密签名和密文被信息流分析视为机密。加密库可以使用解密使这些数据公开，因为它不再敏感。在本文中，我们研究推测执行和解密之间的相互作用。我们表明，投机执行导致意外泄漏解密网站。具体地说，我们提出了一个PoC，从AES实现中恢复密钥。我们的PoC是Spectre攻击的一个实例，即使在使用推测负载强化(SLH)(一种广泛的基于编译器的针对Spectre的对策)编译程序时，PoC仍然有效。我们开发了针对这些攻击的正式对策，包括对SLH的重大改进，我们称之为选择性推测负载强化(selSLH)。这些对策很好地执行了相对不干扰(RNI):非正式地，受保护程序的推测泄漏仅限于原始程序的现有顺序泄漏。我们在FaCT语言和编译器中实现了最简单的对策——这是专门为高保证密码学设计的——我们发现性能开销最多只有10%。最后，虽然我们没有直接实现selSLH，但我们的初步评估表明，与传统的SLH相比，加密函数的性能成本显著降低。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2023 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量