Universal patching method for side-channel vulnerabilities based on atomic obfuscation
Executing code containing side-channel vulnerabilities exhibits different non-functional behaviors related to inputs.Attackers can obtain these behaviors by leveraging micro architecture side-channel attacks and then analyze the pattern between the behaviors and the inputs to access sensitive data.V...
Saved in:
| Main Authors: | , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
POSTS&TELECOM PRESS Co., LTD
2022-04-01
|
| Series: | 网络与信息安全学报 |
| Subjects: | |
| Online Access: | http://www.cjnis.com.cn/thesisDetails#10.11959/j.issn.2096-109x.2022014 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1841529809455284224 |
|---|---|
| author | Deqing ZOU Pan ZHANG Wei LIU Weijie CHEN Yifan LU |
| author_facet | Deqing ZOU Pan ZHANG Wei LIU Weijie CHEN Yifan LU |
| author_sort | Deqing ZOU |
| collection | DOAJ |
| description | Executing code containing side-channel vulnerabilities exhibits different non-functional behaviors related to inputs.Attackers can obtain these behaviors by leveraging micro architecture side-channel attacks and then analyze the pattern between the behaviors and the inputs to access sensitive data.Vulnerability repairing at the software layer brings low overheads to a program’s execution.Besides, it does not require modifying hardware or system, which enables fast patching and widespread deployment.It becomes the mainstream strategy applied to the current cryptographic implementations.However, existing solutions are deeply bound to the program’s implementation and requires manual intervention.This brings challenge to implement and is not versatile enough.A general patching method was proposed for side-channel vulnerabilities that combined dynamic obfuscated execution with hardware atomic transaction.To hide the real accesses of the side-channel vulnerabilities of a program, the proposed method inserted dynamic confusing accesses into the vulnerabilities.To avoid an attacker using fine-grained side-channel attack to distinguish the real access and the confusing access, both of them were encapsulated as transactions and they were guaranteed to be uninterrupted during the running period.In addition, a prototype system called SC-Patcher was implemented based on the LLVM compiler.Various optimization strategies were supported, including secure springboard and transaction aggregation, to further improve system security and performance.Experimental results show that the proposed method makes it impossible for an attacker to restore accurate sensitive data through side-channel attack, and it also brings almost no additional performance overhead to the program. |
| format | Article |
| id | doaj-art-967074d2b472422fb0b6b0c7cd94be76 |
| institution | Kabale University |
| issn | 2096-109X |
| language | English |
| publishDate | 2022-04-01 |
| publisher | POSTS&TELECOM PRESS Co., LTD |
| record_format | Article |
| series | 网络与信息安全学报 |
| spelling | doaj-art-967074d2b472422fb0b6b0c7cd94be762025-01-15T03:15:29ZengPOSTS&TELECOM PRESS Co., LTD网络与信息安全学报2096-109X2022-04-01810011159570588Universal patching method for side-channel vulnerabilities based on atomic obfuscationDeqing ZOUPan ZHANGWei LIUWeijie CHENYifan LUExecuting code containing side-channel vulnerabilities exhibits different non-functional behaviors related to inputs.Attackers can obtain these behaviors by leveraging micro architecture side-channel attacks and then analyze the pattern between the behaviors and the inputs to access sensitive data.Vulnerability repairing at the software layer brings low overheads to a program’s execution.Besides, it does not require modifying hardware or system, which enables fast patching and widespread deployment.It becomes the mainstream strategy applied to the current cryptographic implementations.However, existing solutions are deeply bound to the program’s implementation and requires manual intervention.This brings challenge to implement and is not versatile enough.A general patching method was proposed for side-channel vulnerabilities that combined dynamic obfuscated execution with hardware atomic transaction.To hide the real accesses of the side-channel vulnerabilities of a program, the proposed method inserted dynamic confusing accesses into the vulnerabilities.To avoid an attacker using fine-grained side-channel attack to distinguish the real access and the confusing access, both of them were encapsulated as transactions and they were guaranteed to be uninterrupted during the running period.In addition, a prototype system called SC-Patcher was implemented based on the LLVM compiler.Various optimization strategies were supported, including secure springboard and transaction aggregation, to further improve system security and performance.Experimental results show that the proposed method makes it impossible for an attacker to restore accurate sensitive data through side-channel attack, and it also brings almost no additional performance overhead to the program.http://www.cjnis.com.cn/thesisDetails#10.11959/j.issn.2096-109x.2022014side-channel defensevulnerability repairatomic transactionobfuscated execution |
| spellingShingle | Deqing ZOU Pan ZHANG Wei LIU Weijie CHEN Yifan LU Universal patching method for side-channel vulnerabilities based on atomic obfuscation 网络与信息安全学报 side-channel defense vulnerability repair atomic transaction obfuscated execution |
| title | Universal patching method for side-channel vulnerabilities based on atomic obfuscation |
| title_full | Universal patching method for side-channel vulnerabilities based on atomic obfuscation |
| title_fullStr | Universal patching method for side-channel vulnerabilities based on atomic obfuscation |
| title_full_unstemmed | Universal patching method for side-channel vulnerabilities based on atomic obfuscation |
| title_short | Universal patching method for side-channel vulnerabilities based on atomic obfuscation |
| title_sort | universal patching method for side channel vulnerabilities based on atomic obfuscation |
| topic | side-channel defense vulnerability repair atomic transaction obfuscated execution |
| url | http://www.cjnis.com.cn/thesisDetails#10.11959/j.issn.2096-109x.2022014 |
| work_keys_str_mv | AT deqingzou universalpatchingmethodforsidechannelvulnerabilitiesbasedonatomicobfuscation AT panzhang universalpatchingmethodforsidechannelvulnerabilitiesbasedonatomicobfuscation AT weiliu universalpatchingmethodforsidechannelvulnerabilitiesbasedonatomicobfuscation AT weijiechen universalpatchingmethodforsidechannelvulnerabilitiesbasedonatomicobfuscation AT yifanlu universalpatchingmethodforsidechannelvulnerabilitiesbasedonatomicobfuscation |