Sort:
Open Access Issue
SPIDER: Speeding up Side-Channel Vulnerability Detection via Test Suite Reduction
Tsinghua Science and Technology 2023, 28(1): 47-58
Published: 21 July 2022
Abstract PDF (970.3 KB) Collect
Downloads:53

Side-channel attacks allow adversaries to infer sensitive information, such as cryptographic keys or private user data, by monitoring unintentional information leaks of running programs. Prior side-channel detection methods can identify numerous potential vulnerabilities in cryptographic implementations with a small amount of execution traces due to the high diffusion of secret inputs in crypto primitives. However, because non-cryptographic programs cover different paths under various sensitive inputs, extending existing tools for identifying information leaks to non-cryptographic applications suffers from either insufficient path coverage or redundant testing. To address these limitations, we propose a new dynamic analysis framework named SPIDER that uses fuzzing, execution profiling, and clustering for a high path coverage and test suite reduction, and then speeds up the dynamic analysis of side-channel vulnerability detection in non-cryptographic programs. We analyze eight non-cryptographic programs and ten cryptographic algorithms under SPIDER in a fully automated way, and our results confirm the effectiveness of test suite reduction and the vulnerability detection accuracy of the whole framework.

Open Access Issue
Leakage Is Prohibited: Memory Protection Extensions Protected Address Space Randomization
Tsinghua Science and Technology 2019, 24(5): 546-556
Published: 29 April 2019
Abstract PDF (2.1 MB) Collect
Downloads:31

Code reuse attacks pose a severe threat to modern applications. These attacks reuse existing code segments of vulnerable applications as attack payloads and hijack the control flow of a victim application. With high code entropy and a relatively low performance overhead, Address Space Layout Randomization (ASLR) has become the most widely explored defense against code reuse attacks. However, a single memory disclosure vulnerability is able to compromise this defense. In this paper, we present Memory Protection Extensions (MPX)-assisted Address Space Layout Randomization (M-ASLR), a novel code-space randomization scheme. M-ASLR uses several characteristics of Intel MPX to restrict code pointers in memory. We have developed a fully functioning prototype of M-ALSR, and our evaluation results show that M-ASLR: (1) offers no interference with normal operation; (2) protects against buffer overflow attacks, code reuse attacks, and other sophisticated modern attacks; and (3) adds a very low performance overhead (3.3%) to C/C++ applications.

Open Access Issue
Side-Channel Attacks in a Real Scenario
Tsinghua Science and Technology 2018, 23(5): 586-598
Published: 17 September 2018
Abstract PDF (3.4 MB) Collect
Downloads:32

Existing Side-Channel Attacks (SCAs) have several limitations and, rather than to be real attack methods, can only be considered to be security evaluation methods. Their limitations are mainly related to the sampling conditions, such as the trigger signal embedded in the source code of the encryption device, and the acquisition device that serves as the encryption-device controller. Apart from it being very difficult for an attacker to add a trigger into the original design before making an attack or to control the encryption device, there is a big gap in the capacity of existing SCAs to pose real threats to cipher devices. In this paper, we propose a new method, the sliding window SCA (SW-SCA), which can be applied in scenarios in which the acquisition device is independent of the encryption device and for which the encryption source code requires no trigger signal or modification. First, we describe the main issues in existing SCAs, then we theoretically analyze the effectiveness and complexity of our proposed SW-SCA —a method that can incorporate a sliding-window mechanism into almost all of the existing non-profiled SCAs. The experimental results for both simulated and physical traces verify the effectiveness of the SW-SCA and the appropriateness of its theoretical complexity.

Total 3