Side Channel Attacks: attacks that exploit information leaked by the physical implementation of a system rather than a weakness in the algorithm itself. Leaked signals include:
timing attacks
power consumption
memory access patterns
sequence of instructions executed
electromagnetic radiation
e.g. an attacker can train the branch predictor so that certain memory gets pulled into the cache, then measure the time to access that memory to infer information about the program state.
The following code takes more time when the lower bits of the guess are correct, because it exits at the first mismatch:
auth := 1;
i := 0;
while (i < len) {
    if pin[i] = guess[i] then
        i := i + 1;
    else
        auth := 0;
        i := len;
}
We can therefore determine the pin in 2 \times len guesses.
Time-Sensitive Noninterference
\Sigma \models \alpha \text{ secure }^t (program \alpha satisfies time-sensitive noninterference with respect to security policy \Sigma) iff:
Note that short-circuiting in boolean operations is a common source of timing attacks. We also need to assume 64-bit or 256-bit integers with modular arithmetic.
"constant time" programming: writing code that takes the same amount of time regardless of the values of the high-security variables (which is different from O(1) time complexity).
For branching, it is unrealistic to make two branches take exactly the same amount of time, since compiler optimizations may change the timing. Instead, we require branch conditions not to depend on high-security variables, and eliminate branching in the same way as when writing shader code:
auth := 1;
i := 0;
while (i < len) {
    auth := auth \land (pin[i] = guess[i]);
    i := i + 1;
}
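As an added example (not code from the notes), here are the early-exit check and the branch-free check in C, instrumented with an iteration counter so the leak shows up as a difference in work rather than needing a timer; SAMPLE_PIN and check_prefix are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

/* Early-exit comparison: the vulnerable pattern from the notes. The loop stops
 * at the first mismatch, so the work done (counted in *work) grows with the
 * number of leading positions the guess gets right; wall-clock time follows. */
int early_exit_check(const uint8_t *pin, const uint8_t *guess, size_t len, size_t *work)
{
    int auth = 1;
    size_t i = 0;
    while (i < len) {
        (*work)++;
        if (pin[i] == guess[i]) {
            i++;
        } else {
            auth = 0;
            i = len;          /* early exit: trip count reveals the mismatch position */
        }
    }
    return auth;
}

/* Branch-free comparison: every position is visited and each iteration does the
 * same work. Mismatch bits are OR-ed into an accumulator instead of steering
 * control flow, so neither the trip count nor the branch pattern depends on pin. */
int constant_time_check(const uint8_t *pin, const uint8_t *guess, size_t len, size_t *work)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) {
        (*work)++;
        diff |= pin[i] ^ guess[i];
    }
    /* Map diff == 0 to 1 and any nonzero diff to 0 without a branch:
     * (diff - 1) wraps to 0xFFFFFFFF only when diff is 0. */
    return (int)(((uint32_t)diff - 1u) >> 31);
}

/* Constructed sample secret for the demonstration (not a real PIN). */
#define PIN_LEN 4
static const uint8_t SAMPLE_PIN[PIN_LEN] = {4, 7, 1, 9};

typedef struct { size_t work; int auth; } check_result;

/* Build a guess whose first `correct` digits match SAMPLE_PIN and whose remaining
 * digits are deliberately wrong, run the chosen checker, report work and verdict. */
check_result check_prefix(size_t correct, int use_constant_time)
{
    uint8_t guess[PIN_LEN];
    for (size_t i = 0; i < PIN_LEN; i++)
        guess[i] = (i < correct) ? SAMPLE_PIN[i] : (uint8_t)(SAMPLE_PIN[i] + 1);
    check_result r = {0, 0};
    r.auth = use_constant_time
        ? constant_time_check(SAMPLE_PIN, guess, PIN_LEN, &r.work)
        : early_exit_check(SAMPLE_PIN, guess, PIN_LEN, &r.work);
    return r;
}
```

The iteration counter is a stand-in for timing; as the notes say, a compiler may reintroduce branches, so constant-time code should be verified on the emitted machine code, not only at the source level.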
Randomization
The following code is secure given that random() is uniform over the integer domain and + wraps on overflow (modular arithmetic):
r := random();
pin := pin + r;
guess := guess + r;
auth := 1;
i := 0;
while (i < len) {
    if pin[i] = guess[i] then
        i := i + 1;
    else
        auth := 0;
        i := len;
}