Formal Hardware/Software Models for Cache Locking Enabling Fast and Secure Code

Abstract

Constant-time programming is the de facto standard to protect security-sensitive software against cache-based timing attacks. This software countermeasure is effective but may incur a significant performance overhead and require a substantial rewrite of the code. In this work, we study a secure cache-locking hardware mechanism which eases the writing of secure code and has little execution overhead. To reason about the security of software, we propose a high-level leakage model such that accesses to locked memory addresses do not generate any observable leakage. To ensure the adequacy of this leakage model, we also propose a concrete hardware leakage model for a RISC-V microcontroller where the secure code may be interrupted, at any time, by some arbitrary malicious code. Using the Observational Non-Interference setting, we show formally that the security of the software model is preserved at the hardware level. We evaluate the effectiveness and performance of this mechanism, notably on block ciphers. We also propose and evaluate a new constant-time sorting algorithm.

Appendices

A Evaluation of Algorithms with Input Dependent Locks

The evaluation results for Histogram, Permuation, Heap-pop and Dijkstra can be found in Fig. 5, Fig. 6, Fig. 7 and Fig. 8.

B Semantics of Instructions

The semantics of instructions is given in Fig. 9.

Fig. 5.

Histogram Overhead

Fig. 6.

Permutation Overhead

Fig. 7.

Heap-pop Overhead

Fig. 8.

Dijkstra Overhead

C Proof of Theorem 1

Proof

To prove \( ONI (\psi ,H)\), we suppose that we have two derivations \(\alpha \xrightarrow [\textbf{H}]{t} ^{n} \beta \) and \(\alpha ' \xrightarrow [\textbf{H}]{t'} ^{n} \beta '\) and two inputs \((i,i')\) such that \(\alpha \in I_\textbf{H}(i)\) and \(\beta \in I_\textbf{H}(i')\) and \(\psi (\alpha , \alpha ')\). By the backward simulation, there is also a pair of software states \((a,a')\in I_\textbf{S}(i) \times I_\textbf{S}(i')\) such that \( a \approx \alpha \) and \(a' \approx \alpha '\). By definition of the lockstep 2-simulation we also have \(a \equiv _\textbf{S}a'\) and \(\alpha \equiv _\textbf{H}\alpha '\).

We need to prove that \(t=t'\) and that \(\beta \in \mathcal {F}(H) \iff \beta ' \in \mathcal {F}(H)\). The proof is by induction over the length of the derivation.

• Base case. 0-step derivations generate the empty trace: the traces are equal. \( ONI \) gives us \(a\in \mathcal {F}(\textbf{S}) \iff a' \in \mathcal {F}(\textbf{S})\). We prove that \(\alpha \in \mathcal {F}(\textbf{H}) \iff \alpha ' \in \mathcal {F}(\textbf{H})\).

  • If \(a\in \mathcal {F}(\textbf{S})\), then \(a' \in \mathcal {F}(\textbf{S})\), and by the backward simulation, we get that \(\alpha \in \mathcal {F}(\textbf{H})\) and \(\alpha '\in \mathcal {F}(\textbf{H})\).

  • If \(a\notin \mathcal {F}\), there exist t, b, \(t'\) and \(b'\) such that \(a \xrightarrow [\textbf{S}]{t} b\) and \(a' \xrightarrow [\textbf{S}]{t'} {b'}\). By \( ONI \), \(t=t'\). The property follows by the lockstep 2-simulation.

• Inductive case. Suppose that we have two derivations of length \(n+1\) of the form \( \alpha \xrightarrow [\textbf{H}]{\tau _1} ^{1} \beta _1 \xrightarrow [\textbf{H}]{\tau } ^{n} \beta \mathrm {~and~} \alpha ' \xrightarrow [\textbf{H}]{\tau _1'} ^{1} \beta '_1 \xrightarrow [\textbf{H}]{\tau '} ^{n} \beta ' \). We need to prove that \(\tau _1\cdot \tau = \tau _1' \cdot \tau '\) and \(\beta \in \mathcal {F}\iff \beta ' \in \mathcal {F}\). By the backward simulation, we can exhibit two software derivations \(a\xrightarrow [\textbf{S}]{t_1} ^{1} b_1\) and \(a'\xrightarrow [\textbf{S}]{t_1'} ^{1} b_1'\) for some \(t_1\), \(b_1\), \(t_1'\) and \(b_1'\) such that \(b_1 \approx \beta _1\) and \(b_1' \approx \beta _1'\). By \( ONI \), \(t_1 = t_1'\), and by the lockstep 2-simulation, \(\tau _1 = \tau _1'\). The property then follows by the induction hypothesis.   \(\square \)

Fig. 9.

Program semantics