Constant-time programming is a widely deployed approach to harden cryptographic programs against side channel attacks. However, modern processors violate the underlying assumptions of constant-time policies by speculatively executing unintended paths of the program. In this work, we propose Cassandra, a novel hardware-software mechanism to protect constant-time cryptographic code against speculative control flow based attacks. Cassandra explores the radical design point of disabling the branch predictor and recording-and-replaying sequential control flow of the program. Two key insights that enable our design are that (1) the sequential control flow of a constant-time program is constant over different runs, and (2) cryptographic programs are highly looped and their control flow patterns repeat in a highly compressible way. These insights allow us to perform an offline branch analysis that significantly compresses control flow traces. We add a small component to a typical processor design, the Branch Trace Unit, to store compressed traces and determine fetch redirections according to the sequential model of the program. Moreover, we provide a formal security analysis and prove that our methodology adheres to a strong security contract by design. Despite providing a higher security guarantee, Cassandra counter-intuitively improves performance by 1.77% by eliminating branch misprediction penalties.
翻译:恒定时间编程是一种广泛部署的方法,用于强化密码学程序以抵御侧信道攻击。然而,现代处理器通过推测性地执行程序中的非预期路径,违反了恒定时间策略的基本假设。在本工作中,我们提出了Cassandra,一种新颖的软硬件协同机制,用于保护恒定时间密码学代码免受基于推测控制流的攻击。Cassandra探索了一个激进的设计点:禁用分支预测器,并记录与重放程序的顺序控制流。实现我们设计的两项关键洞见是:(1) 恒定时间程序的顺序控制流在不同运行中是恒定的;(2) 密码学程序具有高度循环性,其控制流模式以高度可压缩的方式重复。这些洞见使我们能够执行离线分支分析,从而显著压缩控制流轨迹。我们在典型处理器设计中增加了一个小型组件——分支轨迹单元,用于存储压缩轨迹并根据程序的顺序模型确定取指重定向。此外,我们提供了形式化的安全分析,并证明我们的方法在设计中遵循了严格的安全契约。尽管提供了更高的安全保证,Cassandra通过消除分支预测错误惩罚,反直觉地将性能提升了1.77%。