Automating Countermeasures and Security Evaluation Against Software Side-Channel Attacks
Lead PI
Co PIs
Abstract
Side-channel attacks (SCA) have been a realistic threat to various cryptographic implementations that do not feature dedicated protection. While many effective countermeasures have been found and applied manually, they are application-specific and labor-intensive. In addition, security evaluation tends to be incomplete, with no guarantee that all the vulnerabilities in the target system have been identified and addressed by such manual countermeasures. This SaTC project aims to shift the paradigm of side-channel attack research, and proposes to build an automation framework for information leakage analysis, multi-level countermeasure application, and formal security evaluation against software side-channel attacks.
The proposed framework provides common, sound metrics for information leakage, methodologies for automatic countermeasures, and formal and thorough evaluation methods. The approach unifies power analysis and cache-based timing attacks into one framework. It defines new metrics of information leakage and uses them to automatically identify possible leakage of a given cryptosystem at an early stage, with no implementation details. The conventional compilation process is extended along the new dimension of optimizing for security, to generate side-channel resilient code and ensure its secure execution at run-time. Side-channel security is guaranteed to be at a certain confidence level with formal methods. The three investigators on the team bring complementary expertise to this challenging interdisciplinary research, to develop the advanced automation framework and the associated software tools, metrics, and methodologies. The outcome significantly benefits security system architects and software developers alike, in their quest to build verifiable SCA security into a broad range of applications they design. The project also builds new synergy among fundamental statistics, formal methods, and practical system security. The automation tools, when introduced in new courses developed by the PIs, help greatly improve students’ hands-on experience. The project also leverages the experiential education model of Northeastern University to engage undergraduates, women, and minority students in independent research projects.