Projects per year
Abstract
The protection of cryptographic software implementations against power-analysis attacks is critical for applications in embedded systems. A commonly used algorithmic countermeasure against these attacks is masking, a secret-sharing scheme that splits a sensitive computation into computations on multiple random shares.
In practice, the security of masking schemes relies on several assumptions that are often violated by microarchitectural side-effects of CPUs. Many past works address this problem by studying these leakage effects and building corresponding leakage models that can then be integrated into a software verification workflow. However, these models have only been derived empirically, putting in question the otherwise rigorous security statements made with verification.
We solve this problem in two steps.
First, we introduce a contract layer between the (CPU) hardware and the software that allows the specification of microarchitectural side-effects on masked software in an intuitive language.
Second, we present a method for proving the correspondence between contracts and CPU netlists to ensure the completeness of the specified leakage models.
Then, any further security proofs only need to happen between software and contract, which brings benefits such as reduced verification runtime, improved user experience, and the possibility of working with vendor-supplied contracts of CPUs whose design is not available on netlist-level due to IP restrictions.
We apply our approach to the popular RISC-V IBEX core, provide a corresponding formally verified contract, and describe how this contract could be used to verify masked software implementations.
In practice, the security of masking schemes relies on several assumptions that are often violated by microarchitectural side-effects of CPUs. Many past works address this problem by studying these leakage effects and building corresponding leakage models that can then be integrated into a software verification workflow. However, these models have only been derived empirically, putting in question the otherwise rigorous security statements made with verification.
We solve this problem in two steps.
First, we introduce a contract layer between the (CPU) hardware and the software that allows the specification of microarchitectural side-effects on masked software in an intuitive language.
Second, we present a method for proving the correspondence between contracts and CPU netlists to ensure the completeness of the specified leakage models.
Then, any further security proofs only need to happen between software and contract, which brings benefits such as reduced verification runtime, improved user experience, and the possibility of working with vendor-supplied contracts of CPUs whose design is not available on netlist-level due to IP restrictions.
We apply our approach to the popular RISC-V IBEX core, provide a corresponding formally verified contract, and describe how this contract could be used to verify masked software implementations.
Original language | English |
---|---|
Title of host publication | CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security |
Publisher | Association of Computing Machinery |
Pages | 381-395 |
Number of pages | 15 |
ISBN (Electronic) | 9781450394505 |
DOIs | |
Publication status | Published - 7 Nov 2022 |
Event | 2022 ACM SIGSAC Conference on Computer and Communications Security: ACM CSS 2022 - Los Angeles, United States Duration: 7 Nov 2022 → 11 Nov 2022 |
Publication series
Name | Proceedings of the ACM Conference on Computer and Communications Security |
---|---|
ISSN (Print) | 1543-7221 |
Conference
Conference | 2022 ACM SIGSAC Conference on Computer and Communications Security |
---|---|
Abbreviated title | ACM CSS 2022 |
Country/Territory | United States |
City | Los Angeles |
Period | 7/11/22 → 11/11/22 |
Keywords
- Power side-channel
- Leakage model
- Verification
- Contract
- Domain-specific language
- Masking
- Probing security
- power side-channel
- masking
- contract
- leakage model
- domain-specific language
- probing security
- verification
ASJC Scopus subject areas
- Software
- Computer Networks and Communications
Fingerprint
Dive into the research topics of 'Power Contracts: Provably Complete Power Leakage Models for Processors'. Together they form a unique fingerprint.-
AWARE - Hardware-Ensured Software Security
Mangard, S. (Co-Investigator (CoI))
1/05/22 → 30/04/25
Project: Research project
-
FERMION - Formal Verification of Masked Hardware Implementations
2/01/19 → 1/01/22
Project: Research project
Activities
- 1 Talk at conference or symposium
-
Power Contracts: Provably Complete Power Leakage Models for Processors
Vedad Hadzic (Speaker)
10 Nov 2022Activity: Talk or presentation › Talk at conference or symposium › Science to science
Research output
- 2 Conference paper
-
Coco: Co-Design and Co-Verification of Masked Software Implementations on CPUs
Gigerl, B., Hadzic, V., Primas, R., Mangard, S. & Bloem, R., 2021, Proceedings of the 30th USENIX Security Symposium. USENIX Association, p. 1469-1486 18 p.Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review
Open AccessFile -
CocoAlma: A Versatile Masking Verifier
Hadzic, V. & Bloem, R., 9 Jul 2021, Proceedings of the 21st Formal Methods in Computer-Aided Design, FMCAD 2021. Piskac, R., Whalen, M. W., Hunt, W. A. & Weissenbacher, G. (eds.). p. 14-23 10 p. (Proceedings of the 21st Formal Methods in Computer-Aided Design, FMCAD 2021).Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review
Open AccessFile