Skip to main content
eScholarship
Open Access Publications from the University of California

Scholarly Works (2 results)

  • Thesis
  • Peer Reviewed
UC San Diego Electronic Theses and Dissertations (2020)

To be secure, cryptographic algorithms crucially rely on the underlying hardware

to avoid inadvertent leakage of secrets through timing side channels.

Unfortunately, such timing channels are ubiquitous in modern hardware, due to

its labyrinthine fast-paths and optimizations. A promising way to avoid timing

vulnerabilities is to devise—and verify—conditions under which a hardware design

is free of timing variability, i.e., executes in constant-time. While there have

been significant strides in verifying constant time execution for software,

these efforts focus on sequential, cryptographic code. Unfortunately, this makes

them unsuitable for hardware designs which are inherently concurrent and

long-lived.

First, we present Iodine: a clock-precise, constant-time approach to eliminating

timing side channels in hardware. To realize Iodine, we first define a new

notion of constant-time execution that is suitable for concurrent and long lived

computations. Our definition is based on the notion of influence sets containing

all cycles whose inputs influenced the current computation. We then show how to

reduce the problem of verifying constant time execution to the standard problem

of verifying assertion validity.

Second, we present Xenon, which extends Iodine and scales to realistic hardware

designs by exploiting modularity in VERILOG code via a notion of module

summaries. Xenon drastically reduces the effort needed to localize the causes of

verification failure via a novel constant-time counterexamples which are used to

automatically synthesize minimal secrecy assumptions that enable constant-time

verification. We show how Xenon’s summaries and assumption synthesis enable the

verification of a variety of circuits including a highly modular AES-256

implementation where modularity cuts verification from six hours to under three

seconds, and ScarV, a timing channel hardened RISC-V micro-controller whose size

exceeds previously verified designs by an order of magnitude.

We find that Iodine and Xenon present a practical way to specify and verify the

absence of timing channels in hardware. They succeed in verifying various open

source hardware designs in seconds and with little developer effort thanks to

generated secrecy assumptions. They also discovered two constant-time

violations: one in a floating-point unit and another one in an RSA encryption

module.

    Cover page: Verifying Constant-Time Execution of Hardware
    • Article
    • Peer Reviewed
    UC San Diego Previously Published Works (2021)
    We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets ( sources ) to those that leak them through the cache ( sinks ), rather than prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression as either transient , i.e., possibly containing speculative secrets or as being stable , and (2) prohibits speculative leaks by requiring that all sink expressions are stable. Blade relies on a new abstract primitive, protect , to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade’s type system can automatically synthesize a minimal number of protect s to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically , without user intervention, and efficiently even when using fences to implement protect .
      Creative Commons 'BY' version 4.0 license
      Top