Abstract
Software side-channel vulnerabilities (SSCVs) allow an attacker to gather secrets by observing the differential in the time or space required for executing the program for different inputs. Detecting SSCVs is like searching for a needle in a haystack without knowing what the needle looks like. Detecting SSCVs requires automation that supports systematic exploration to identify vulnerable code, formulation of plausible side-channel hypotheses, and gathering evidence to prove or refute each hypothesis. This paper describes human-on-the-loop automation to empower analysts to detect SSCVs. The proposed automation is founded on novel ideas for canonical side-channel patterns, program artifact filters, and parameterized program graph models for efficient, accurate, and interactive program analyses. The detection process is exemplified through a case study. The paper also presents metrics that bring out the complexity of detecting SSCVs.
This material is based on research sponsored by DARPA under agreement numbers FA8750-15-2-0080 and FA8750-12-2-0126. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA or the U.S. Government.
Acknowledgements
We thank our colleagues from Iowa State University and EnSoft for their help with this paper. Dr. Kothari is the founder President and a financial stakeholder in EnSoft.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Santhanam, G.R., Holland, B., Kothari, S., Ranade, N. (2017). Human-on-the-Loop Automation for Detecting Software Side-Channel Vulnerabilities. In: Shyamasundar, R., Singh, V., Vaidya, J. (eds) Information Systems Security. ICISS 2017. Lecture Notes in Computer Science, vol 10717. Springer, Cham. https://doi.org/10.1007/978-3-319-72598-7_13
DOI: https://doi.org/10.1007/978-3-319-72598-7_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-72597-0
Online ISBN: 978-3-319-72598-7
eBook Packages: Computer Science (R0)