Skip to main content
SpringerLink
Log in

Quantitative estimation of side-channel leaks with neural networks

  • General
  • Special Issue: RV 2019
  • Published:
International Journal on Software Tools for Technology Transfer Aims and scope Submit manuscript

Abstract

Information leaks via side channels remain a challenging problem to guarantee confidentiality. Static analysis is a prevalent approach for detecting side channels. However, the side-channel analysis poses challenges to the static techniques since they arise from non-functional aspects of systems and require an analysis of multiple traces. In addition, the outcome of static analysis is usually restricted to binary answers. In practice, real-world applications may need to disclose some aspects of the confidential information to ensure desired functionality. Therefore, quantification techniques are necessary to evaluate the resulting threats. In this paper, we propose a dynamic analysis technique to detect and quantify side channels. Our novel approach is to split the problem into two tasks. First, we learn a timing model of the program as a neural network. While the program implements the functionality, the neural network models the non-functional property that does not exist in the syntax or semantics of programs. Second, we analyze the neural network to quantify information leaks. As demonstrated in our experiments, both of these tasks are feasible in practice—making the approach a significant improvement over state-of-the-art side channel detectors and quantifiers. Thus, our key technical contributions are (a) a binarized neural network architecture that enables side-channel discovery and (b) a novel MILP-based counting algorithm to estimate the side-channel strength. On a set of benchmarks, we show that neural network models the timing of programs with thousands of methods precisely. We also show that neural networks with thousands of neurons can be efficiently analyzed to quantify information leaks via timing side channels.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7

Similar content being viewed by others

References

  1. American fuzzy lop (2016)

  2. Abadi, M., Barham, P., Chen, J., Chen, Z., Davis, A., Dean, J., Devin, M., Ghemawat, S., Irving, G., Isard, M. et al.: Tensorflow: A system for large-scale machine learning. In: OSDI’16, pp 265–283 (2016)

  3. Agat, J.: Transforming out timing leaks. In Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. ACM, pp 40–53 (2000)

  4. Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F., Emmi, M.: Verifying constant-time implementations. In USENIX Security Symposium, pp. 53–70 (2016)

  5. Antonopoulos, T., Gazzillo, P., Hicks, M., Koskinen, E., Terauchi, T., Wei, S.: Decomposition instead of self-composition for proving the absence of timing channels. In: PLDI, pp 362–375. ACM (2017)

  6. Apogee-Research.: Space/time analysis for cybersecurity (stac) repository. https://github.com/Apogee-Research/STAC

  7. Arar, O.F., Ayan, K.: Software defect prediction using cost-sensitive neural network. Appl. Soft Comput. 33, 263–277 (2015)

    Article  Google Scholar 

  8. Arora, R., Basu, A., Mianjy, P., Mukherjee, A.: Understanding deep neural networks with rectified linear units. arXiv e-prints (2016)

  9. Askarov, A., Zhang, D., Myers, A.C.: Predictive black-box mitigation of timing channels. In: Proceedings of the 17th ACM Conference on Computer and Communications Security. ACM, pp 297–307 (2010)

  10. Backes, M., Köpf, B., Rybalchenko, A.: Automatic discovery and quantification of information leaks. In: S&P’09 (2009)

  11. Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by self-composition. In: Computer Security Foundations Workshop, 2004. Proceedings. 17th IEEE. IEEE, pp. 100–114 (2004)

  12. Brumley, D., Boneh, D.: Remote timing attacks are practical. Comput. Netw. 48(5), 701–716 (2005)

    Article  Google Scholar 

  13. Chen, J., Feng, Y., Dillig, I.: Precise detection of side-channel vulnerabilities using quantitative cartesian hoare logic. In: CCS (2017)

  14. Chen, S., Wang, R., Wang, X., Zhang, K.: Side-channel leaks in web applications: a reality today, a challenge tomorrow. In: S&P’10 (2010)

  15. Courbariaux, M., Hubara, I., Soudry, D., El-Yaniv, R., Bengio, Y.: Binarized neural networks: training deep neural networks with weights and activations constrained to+ 1 or-1. arXiv preprint arXiv:1602.02830 (2016)

  16. Cybenko, G.: Approximation by superpositions of a sigmoidal function. Math. Control Signals Syst. 2, 303–314 (1989)

    Article  MathSciNet  Google Scholar 

  17. Doychev, G., Köpf, B., Mauborgne, L., Reineke, J.: Cacheaudit: a tool for the static analysis of cache side channels. ACM Trans. Inf. Syst. Secur. 18(1), 4 (2015)

    Article  Google Scholar 

  18. Eldib, H., Wang, C.: Synthesis of masking countermeasures against side channel attacks. In: International Conference on Computer Aided Verification. Springer, pp. 114–130 (2014)

  19. Eldib, H., Wang, C., Schaumont, P.: Formal verification of software countermeasures against side-channel attacks. ACM Trans. Softw. Eng. Methodol. 24(2), 11 (2014)

    Article  Google Scholar 

  20. Fischetti, M., Jo, J.: Deep neural networks and mixed integer linear optimization. Constraints 23(3), 296–309 (2018)

    Article  MathSciNet  Google Scholar 

  21. Goguen, J.A., Meseguer, J.: Security policies and security models. In: 1982 IEEE Symposium on Security and Privacy. IEEE, pp. 11–11 (1982)

  22. Goldsmith, S.F., Aiken, A.S., Wilkerson, D.S.: Measuring empirical computational complexity. In: FSE’07. ACM, pp. 395–404 (2007)

  23. Guo, S., Wu, M., Wang, C.: Adversarial symbolic execution for detecting concurrency-related cache timing leaks. In: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. ACM, pp. 377–388 (2018)

  24. LLC Gurobi Optimization. Gurobi Optimizer Reference Manual (2018)

  25. Hornik, K., Stinchcombe, M.B., White, H.: Multilayer feedforward networks are universal approximators. Neural Netw. 2, 359–366 (1989)

    Article  Google Scholar 

  26. Hund, R., Willems, C., Holz, T.: Practical timing side channel attacks against kernel space aslr. In: 2013 IEEE Symposium on Security and Privacy. IEEE, pp. 191–205 (2013)

  27. Kersten, R., Luckow, K., Păsăreanu, C.S.: Poster: Afl-based fuzzing for java with kelinci. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, pp. 2511–2513 (2017)

  28. Kingma, D.P., Adam, J.B.: A method for stochastic optimization. arXiv preprint arXiv:1412.6980 (2014)

  29. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Annual International Cryptology Conference. Springer, pp. 104–113 (1996)

  30. Köpf, B., Basin, D.: An information-theoretic model for adaptive side-channel attacks. In: CCS’07, pp. 286–296 (2007)

  31. Köpf, B., Dürmuth, M.: A provably secure and efficient countermeasure against timing attacks. In: CSF’09 (2009)

  32. Landman, D., Serebrenik, A., Vinju, J.J.: Challenges for static analysis of java reflection-literature review and empirical study. In: 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE). IEEE, pp. 507–518 (2017)

  33. Nate Lawson. Timing attack in google keyczar library. Online post at: https://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/ (2009)

  34. LeCun, Y., Bengio, Y., Hinton, G.: Deep learning. Nature 521(7553), 436 (2015)

    Article  Google Scholar 

  35. Google libFuzzer team. Libfuzzer: coverage-based fuzz testing. http://llvm.org/docs/LibFuzzer.html (2016)

  36. Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in java applications with static analysis. In: USENIX security symposium, vol. 14, pp. 18–18 (2005)

  37. Milushev, D., Beck, W., Clarke, D.: Noninterference via symbolic execution. In: Formal Techniques for Distributed Systems. Springer, pp. 152–168 (2012)

  38. Nagelkerke, N.J.D., et al.: A note on a general definition of the coefficient of determination. Biometrika 78(3), 691–692 (1991)

    Article  MathSciNet  Google Scholar 

  39. Narodytska, N., Kasiviswanathan, S., Ryzhyk, L., Sagiv, M., Walsh, T.: Verifying properties of binarized deep neural networks. In: AAAI’18 (2018)

  40. Nilizadeh, S., Noller, Y., Pasareanu, C.S.: Diffuzz: differential fuzzing for side-channel analysis. In: ICSE (2019)

  41. Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. (2003)

  42. Smith, G.: On the foundations of quantitative information flow. In: FoSSaCS’09 (2009)

  43. Sung, Chungha, Paulsen, Brandon, Wang, Chao: Canal: A cache timing analysis framework via llvm transformation. ASE 904–907 (2018)

  44. Terauchi, T., Aiken, A.: Secure information flow as a safety problem. In: International Static Analysis Symposium. Springer, pp. 352–367 (2005)

  45. Tizpaz-Niari, S., Černý, P., Chang, B.-Y.E., Trivedi, A.: Differential performance debugging with discriminant regression trees. In: AAAI’18, pp. 2468–2475 (2018)

  46. Tizpaz-Niari, S., Černý, P., Sankaranarayanan, S., Trivedi, A.: Efficient detection and quantification of timing leaks with neural networks. In: Runtime Verification, pp. 329–348 (2019)

  47. Tizpaz-Niari, S., Černý, P., Trivedi, A.: Quantitative mitigation of timing side channels. In: Computer Aided Verification (CAV), pp. 140–160 (2019)

  48. Tizpaz-Niari, S., Černý, P., Trivedi, A.: Data-driven debugging for functional side channels. NDSS (2020)

  49. Tizpaz-Niari, S., Černý, P., Trivedi, A.: Detecting and understanding real-world differential performance bugs in machine learning libraries. In: ISSTA 2020, pp. 189–199 (2020)

  50. Wang, J., Sung, C., Wang, C.: Mitigating power side channels during compilation. In: ESEC/FSE (2019)

  51. Wang, S., Wang, P., Liu, X., Zhang, D., Wu, D.: Cached: Identifying cache-based timing channels in production software. In: 26th USENIX Security Symposium, pp. 235–252 (2017)

  52. Wu, M., Guo, S., Schaumont, P., Wang, C.: Eliminating timing side-channel leaks using program repair. In: Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM, pp. 15–26 (2018)

  53. Zhang, K., Li, Z., Wang, R., Wang, X., Chen, S.: Sidebuster: automated detection and quantification of side-channel leaks in web application development. In: CCS, pp. 595–606 (2010)

Download references

Acknowledgements

This work utilized resources from the University of Colorado Boulder Research Computing Group, which is supported by NSF, CU Boulder, and CSU. This research was partially supported by DARPA under agreement FA8750-15-2-0096.

Author information

Authors and Affiliations

  1. University of Texas at El Paso, El Paso, USA

    Saeid Tizpaz-Niari

  2. TU Wien, Vienna, Austria

    Pavol Černý

  3. University of Colorado Boulder, Boulder, USA

    Sriram Sankaranarayanan & Ashutosh Trivedi

Authors
  1. Saeid Tizpaz-Niari
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Pavol Černý
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Sriram Sankaranarayanan
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ashutosh Trivedi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Saeid Tizpaz-Niari.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Tizpaz-Niari, S., Černý, P., Sankaranarayanan, S. et al. Quantitative estimation of side-channel leaks with neural networks. Int J Softw Tools Technol Transfer 23, 641–654 (2021). https://doi.org/10.1007/s10009-021-00622-2

Download citation

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10009-021-00622-2

Keywords

Search

Navigation