2020 IEEE Symposium on Security and Privacy (SP) 2020
DOI: 10.1109/sp40000.2020.00074
|View full text |Cite
|
Sign up to set email alerts
|

Binsec/Rel: Efficient Relational Symbolic Execution for Constant-Time at Binary-Level

Abstract: The constant-time programming discipline (CT) is an efficient countermeasure against timing side-channel attacks, requiring the control flow and the memory accesses to be independent from the secrets. Yet, writing CT code is challenging as it demands to reason about pairs of execution traces (2hypersafety property) and it is generally not preserved by the compiler, requiring binary-level analysis. Unfortunately, current verification tools for CT either reason at higher level (C or LLVM), or sacrifice bug-findi… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
3
1
1

Citation Types

1
47
0

Year Published

2020
2020
2024
2024

Publication Types

Select...
5
1

Relationship

1
5

Authors

Journals

citations
Cited by 48 publications
(48 citation statements)
references
References 70 publications
(94 reference statements)
1
47
0
Order By: Relevance
“…Proof (Sketch). The proof is a simple extension of the proofs of correctness and completeness of RelSE for constant-time [16], to the speculative semantics. The extension requires to show that 1) violations reported on transient paths in the symbolic execution correspond to violations in concrete transient execution, and 2) if there is a violation in concrete transient execution, then there is a path in symbolic execution that reports this violation.…”
Section: Theoremsmentioning
confidence: 99%
See 3 more Smart Citations
“…Proof (Sketch). The proof is a simple extension of the proofs of correctness and completeness of RelSE for constant-time [16], to the speculative semantics. The extension requires to show that 1) violations reported on transient paths in the symbolic execution correspond to violations in concrete transient execution, and 2) if there is a violation in concrete transient execution, then there is a path in symbolic execution that reports this violation.…”
Section: Theoremsmentioning
confidence: 99%
“…Symbolic analyzers for Spectre-PHT [3], [4], [12] and Spectre-STL [5] model the speculative behavior explicitly, by forking the execution to explore transient paths, which quickly leads to state explosion-especially for Spectre-STL which has to fork for each possible store and load interleaving. The adaptation of symbolic execution to constant-time-like properties, known as relational symbolic execution (RelSE), has proven very successful in terms of scalability and precision for binary level [16]. In order to address C2, our key technical insight is to adapt RelSE to execute transient executions at the same time as regular executions (i.e.…”
Section: Introductionmentioning
confidence: 99%
See 2 more Smart Citations
“…due to cache behavior. While this verification traditionally amounted to manual scrutiny of the generated assembly code by cryptographic engineers, recent work has shown progress in automatic verification to alleviate this burden [38,7,3,6,20,22].…”
Section: Contributionsmentioning
confidence: 99%