Semi-Automated and Easily Interpretable
Side-Channel Analysis for Modern JavaScript
Iliana FAYOLLE, Jan WICHELMANN, Anja KÖHL,
Walter RUDAMETKIN, Thomas EISENBARTH, Clémentine MAURICE
5 March 2025
Cryptology and Network Security 2024, Cambridge
FACT
More and more developers are turning to web technologies to build their applications.
Application
Side-channel
Secret Data
non-secured
Side-channel leakage
Side-channel leakage in software
- Control flow
- Memory usage / allocation
Application
Secret Data
Constant-time
secured
Side-channel
Constant-time implementations
A countermeasure?
No branching depending on a secret.
1.
No memory access or allocation depending on a secret.
2.
Do we have tools for this?
CacheAudit
Binsec/Rel
ctgrind
CacheQL
DiffFuzz
ct-fuzz
Microwalk
YES! A LOT!
BUT ... No one uses them.
BUT ... No one uses them.
- Poor usability,
- not well documented,
- compatibility problems,
- not integrated into development processes.
Microwalk-CI (CCS'22)
Practical leakage detection framework:
Great!
How do I use it?
:)
- Quickly locates and quantifies leakages.
- Analyses during Continuous Integration (CI).
- Is cross platform (Binary, C, JavaScript).
Microwalk-CI (CCS'22) tutorial
1. Provide at least one target, that calls a library function
(i.e., a cryptographic primitive) to analyze.
Microwalk-CI (CCS'22) tutorial
2. Create a number of test case files, i.e., secret inputs.
ÕH-T»ED·sÚ±4Èž|
bE,lÃiCµW·lµ§
Microwalk-CI (CCS'22) tutorial
3. Push a new commit (that triggers the CI workflow).
Download the artifacts.
But how does Microwalk detect leakages?
Remember those two?
testcase 0
testcase 1
Will their execution paths be different?
Will their execution paths be different?
2 possibilities:
No differences between traces.
No leakage found.
At least 1 difference between traces.
A leakage is found.
testcase 0
testcase 1
Will their execution paths be different?
testcase 0
testcase 1
Will their execution paths be different?
+
testcase 2
merged traces for testcases 0
; 1
Will their execution paths be different?
; 2
; 3; 4
3 leakages
What are the limits of Microwalk-CI?
For each test ...
We are encouraged to write some testcases.
Writing tests is tedious and error-prone.
What are the limits of Microwalk-CI?
Its use requires some effort and time.
Are the tests sufficient to uncover all vulnerabilities?
Contributions
AST-based Trace Generation
Semi-Automated Leakage Analysis
Evaluation
Leakage Report with Coverage
Semi-Automated Leakage Analysis
Why?
Tedious test writing.
Introduce semi-automation for (sub)target and test case generation.
How?
How?
How?
How?
We designed a new generic analysis template.
Introduce Subtargets.
Automate test case generation.
Result
Result
Mandatory lines for a 1st subtarget
(aes-ecb).
New lines to add another subtarget (aes-cbc).
New lines to add another target test (utilHex) with a custom test cases generator.
Leakage Report with Coverage
Why?
Report interpretability.
Enhance the vulnerability report.
How?
How?
The library's code
The JSON report
The code coverage of the test suite
(with c8)
Result
Result
Header with most important details.
Information box on the detected leak.
Code that was not executed during tests.
Conclusion
Find more vulnerabilities with less effort.
New
trace generator
New
test template
New
final report
Thank you!
(◠‿◕)
Our paper
Summary
The usability of side-channel leakage analysis tools can be further improved to aid their practical adoption.
- AST-based Trace Generation.
- Semi-Automated Leakage Analysis.
- Leakage Report with Coverage.
- Evaluation.
Our contributions:
Microwalk-CI (CCS'22) tutorial
- Choose an analysis template.
Copy the template into the root of your library repository.
Merge or adjust the CI configuration and package files.
Microwalk-CI (CCS'22) tutorial
-
Choose an analysis template.
Copy the template into the root of your library repository.
Merge or adjust the CI configuration and package files.
Microwalk-CI (CCS'22) tutorial
-
Choose an analysis template.
Copy the template into the root of your library repository.
Merge or adjust the CI configuration and package files.
Microwalk-CI (CCS'22) tutorial
4. Push a new commit (that triggers the CI workflow).
Download the artifacts.
What are the limits of Microwalk-CI?
Modern JavaScript libraries cannot be analyzed.
relies on
Jalangi2 framework
post-2015 versions of ECMAScript
classes
asynchronous programming
ES modules (ESM)
deferred execution
What are the limits of Microwalk-CI?
P1. Compatibility problem.
P2. Tedious test writing.
P3. Report interpretability.
Improve the compatibility of the trace generator.
Introduce semi-automation for (sub)target and test case generation.
Enhance the vulnerability report.
Why?
P1. Compatibility problem.
Improve the compatibility of the trace generator.
How?
AST-based Trace Generation
Transform the AST and enrich it with tracing code.
Modern JavaScript code
Converted code into a backwards compatible version of JavaScript.
Custom plugin for Babel
Represents a JavaScript program as an abstract syntax tree (AST).
How?
Result
The execution traces cover the analyzed library
modern JavaScript (ES2023)
classes
asynchronous programming
ES modules (ESM)
deferred execution
New tracer
package dependencies
written in older versions of JavaScript
no longer maintained
AND
its dependencies.
Evaluation
Why?
How do our enhancements allow a developer to fully analyze cryptographic libraries with minimal effort?
To sum up
- Performance:
New tracer:
- Development effort and coverage:
- Vulnerabilities:
- Need only one target file for each library.
- Findings from Wichelmann CCS'22 are validated.
Performs better.
Supports modern JavaScript.
- Maximize their coverage.
- More leakages are found.
- Previously missed code paths are identified.
135sec vs 73 sec ; < 2 GB
aes-js 80%; node-forge 45%; noble@ciphers 93%; noble@curves 72%
464 lines vs 206 lines
Comparison between Microwalk V3.2.0 and Microwalk using the enhanced analysis toolchain on aes-js and node-forge libraries.
Results of using the enhanced analysis toolchain with 2 modern JavaScript cryptographic libraries: @noble/ciphers ; @noble/curves
Future Work
What about Just-in-time (JIT) compiled code?
To develop a JIT mode that does not insert new side channels.
Could the combined coverage/leakage reports be further integrated into developer workflows?
Yes!
What about randomized implementations?
To provide a randomization-capable analysis module.
Could our approach be applied to other programming languages?
Yes!
testcase 0
; 1
Will their execution paths be different?
+
testcase 2
testcase 3
testcase 0
; 1
Will their execution paths be different?
+
; 2
testcase 3
testcase 4
Side-channel
System
Computation
Measurements
Attacker
(secret) input
(secret) output
?
?
Microwalk-CI (CCS2022)
It combines a dynamic analysis approach and statistical methods to quickly locate and quantify side-channel leaks.
This tool automates side-channel analyses during Continuous Integration (CI).
It can be used on:
- Binary software,
- C,
- JavaScript libraries.
Great!
How do I use it?
:)
What are the limits of Microwalk-CI?
P1. Compatibility problem.
P2. Tedious test writing.
P3. Report interpretability.
Improve the compatibility of the trace generator by designing a new one.
Introduce semi-automation for (sub)target and test case generation.
Enhance the interpretability of the vulnerability report.
To sum up:
- Performance:
Our new tracer performs better than the legacy backend in most aspects, while supporting modern JavaScript.
- Development effort and coverage:
- Vulnerabilities:
We wrote a single target for each library, aiming for conciseness and maintainability, while maximizing their coverage.
We validate the findings from prior work and find more leakages.
Also, coverage helps to identify previoulsy missed code paths.
BUT nothing is perfect...
Chasse au trésor et fuite d'informations
Viens, je t'explique...
Iliana FAYOLLE
Mardi 15 octobre 2024
