public:papers:usablect_sp22 – revision 2021-12-03 14:21 (created, xjancar) compared with revision 2021-12-10 16:12 (xjancar): “They’re not that hard to mitigate”: What Cryptographic Library Developers Think About Timing Attacks [IEEE S&P 2022]
  
<panel type="default" title="Abstract">
Timing attacks are among the most devastating side-channel attacks, allowing remote attackers to retrieve secret material, including cryptographic keys, with relative ease. In principle, “these attacks are not that hard to mitigate”: the basic intuition, captured by the constant-time criterion, is that control flow and memory accesses should be independent from secrets. Furthermore, there is a broad range of tools for automatically checking adherence to this intuition. Yet these attacks still plague popular cryptographic libraries twenty-five years after their discovery, reflecting a dangerous gap between academic research and cryptographic engineering. This gap can potentially undermine the emerging shift towards high-assurance, formally verified cryptographic libraries. However, the causes for this gap remain uninvestigated.

To understand the causes of this gap, we conducted a survey with 44 developers of 27 prominent open-source cryptographic libraries. The goal of the survey was to analyze if and how the developers ensure that their code executes in constant time. Our main findings are that developers are aware of timing attacks and of their potentially dramatic consequences, and yet often prioritize other issues over the perceived huge investment of time and resources currently needed to make their code resistant to timing attacks. Based on the survey, we identify several shortcomings in existing analysis tools for constant-time, and issue recommendations that can make writing constant-time libraries less difficult. Our recommendations can inform future development of analysis tools, security-aware compilers, and cryptographic libraries, not only for constant-timeness but in the broader context of side-channel attacks, in particular micro-architectural side-channel attacks, which are still too young and recent to be a focus of this survey.
</panel>
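The constant-time criterion the abstract refers to (control flow and memory addresses must not depend on secrets), illustrated by an added example in C that is not part of the paper or of any library it surveys. The two `leaky_*` functions branch or index on the secret; the two `ct_*` functions do identical work for every input. All function names and the sample `demo_table` are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample lookup table (hypothetical, not taken from any real cipher). */
static const uint32_t demo_table[8] = {
    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
    0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
};

/* Secret-dependent control flow: returns at the first mismatching byte, so the
 * number of loop iterations (and hence the run time) reveals how many leading
 * bytes of 'secret' the caller's 'guess' got right. This is the leaky pattern. */
int leaky_compare(const uint8_t *secret, const uint8_t *guess, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Constant-time equality: always touches all n bytes and never branches on their
 * values. Differences are OR-ed into 'acc'; the 0/1 result is then derived
 * arithmetically: (acc - 1) borrows into bit 31 only when acc == 0. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint32_t)(a[i] ^ b[i]);
    return (int)((acc - 1u) >> 31);   /* 1 if equal, 0 otherwise */
}

/* Secret-dependent memory access: the address fetched is a function of idx, so
 * which cache line gets loaded (observable through cache timing) leaks idx. */
uint32_t leaky_lookup(const uint32_t *table, size_t n, size_t idx)
{
    (void)n;
    return table[idx];
}

/* All-ones when a == b, all-zeros otherwise, without a branch:
 * (d | -d) has its top bit set exactly when d != 0. */
static uint32_t ct_eq_mask(uint32_t a, uint32_t b)
{
    uint32_t d = a ^ b;
    uint32_t nonzero = (d | (0u - d)) >> 31;   /* 1 if a != b, else 0 */
    return nonzero - 1u;                       /* 0 -> 0xFFFFFFFF, 1 -> 0 */
}

/* Constant-time lookup: read every entry in fixed order and keep only the one
 * whose index matches, so the memory access pattern is the same for every idx. */
uint32_t ct_lookup(const uint32_t *table, size_t n, size_t idx)
{
    uint32_t result = 0;
    for (size_t i = 0; i < n; i++)
        result |= table[i] & ct_eq_mask((uint32_t)i, (uint32_t)idx);
    return result;
}

int main(void)
{
    /* Constructed inputs: the guess matches the key except in its last byte. */
    static const uint8_t key[8]   = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'};
    static const uint8_t guess[8] = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'X'};

    printf("leaky_compare: %d  ct_compare: %d\n",
           leaky_compare(key, guess, 8), ct_compare(key, guess, 8));
    printf("leaky_lookup[5]: %08x  ct_lookup[5]: %08x\n",
           leaky_lookup(demo_table, 8, 5), ct_lookup(demo_table, 8, 5));
    return 0;
}
```

Both `ct_*` functions return the same values as their leaky counterparts; only the execution profile differs. The caveat practitioners care about, and the reason the tools mentioned in the abstract exist, is that this property holds at the C level only: an optimizing compiler may turn the masked select in `ct_lookup` back into a conditional load, or short-circuit the accumulator loop, so libraries either verify the emitted machine code (for example with the constant-time checkers surveyed in the paper) or pin the pattern down with compiler barriers or assembly.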
  
===== Research artifacts (supplementary material) =====