UCSB Verification Lab (VLab) discovers a new type of security vulnerability in modern software systems that leaks information

In two recent papers to be presented at the IEEE Symposium on Security and Privacy (S&P) and the International Conference on Software Engineering (ICSE), Tegan Brennan, a PhD student in VLab, and her advisor and director of VLab Prof. Tevfik Bultan, report a new type of side channel that leaks information in modern software systems. S&P and ICSE are the top publication venues in computer security and software engineering research, respectively.

Side channels are a class of information leaks where secret information can be captured through the observation of non-functional side effects of software systems. For example, an attacker might gain knowledge about sensitive data by observing a system’s execution time, memory usage, size and timing of network packets, and power consumption.
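To make the execution-time channel concrete, the following added example (not code from the UCSB papers or from VLab) compares a secret against a public input in two ways. It models execution time as a count of byte comparisons so the effect is deterministic, and includes a small detection check in the spirit of the automated evaluation described later on this page: run the same public input against several candidate secrets and flag the function if the observable side effect varies with the secret. The secrets and guess are constructed sample values.

```python
"""Execution-time side channel in a secret comparison, with the
constant-time mitigation and a simple leak-detection check.

Added example: the 'steps' counter stands in for wall-clock time so
the behaviour can be reasoned about (and tested) without noisy timers.
"""
import hmac
from typing import Callable, Iterable, Tuple

# (result, steps): steps counts byte comparisons performed, a
# deterministic proxy for the execution time an attacker could observe.
Observation = Tuple[bool, int]


def early_exit_equal(secret: bytes, guess: bytes) -> Observation:
    """Leaky version: stops at the first differing byte.

    The number of comparisons depends on how long a prefix of the secret
    the guess shares, so execution time reveals information about the
    secret even though the boolean result does not."""
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for s, g in zip(secret, guess):
        steps += 1
        if s != g:
            return False, steps
    return True, steps


def constant_time_equal(secret: bytes, guess: bytes) -> Observation:
    """Hardened version: touches every byte and ORs the differences into
    an accumulator, so the work done is the same for every secret of the
    given length. (In production use hmac.compare_digest, which applies
    the same idea; this expanded form exists to expose the step count.)"""
    if len(secret) != len(guess):
        return False, 0
    acc = 0
    steps = 0
    for s, g in zip(secret, guess):
        steps += 1
        acc |= s ^ g
    return acc == 0, steps


def observations_vary(compare: Callable[[bytes, bytes], Observation],
                      secrets: Iterable[bytes], public_input: bytes) -> bool:
    """Detection check: keep the public input fixed and vary only the
    secret. If the observable side effect (here, steps) takes more than
    one value, the function leaks through that channel."""
    seen = {compare(secret, public_input)[1] for secret in secrets}
    return len(seen) > 1


# Constructed sample data: three candidate secrets and one public input.
SECRETS = [b"abcd1234", b"abzz0000", b"zzzz9999"]
GUESS = b"abcd0000"


def summarize() -> dict:
    """Returns the step counts each implementation produced per secret and
    whether the detection check flagged it; used by main() and the test."""
    return {
        "early_exit_steps": [early_exit_equal(s, GUESS)[1] for s in SECRETS],
        "constant_time_steps": [constant_time_equal(s, GUESS)[1] for s in SECRETS],
        "early_exit_leaks": observations_vary(early_exit_equal, SECRETS, GUESS),
        "constant_time_leaks": observations_vary(constant_time_equal, SECRETS, GUESS),
    }


def main() -> None:
    report = summarize()
    for key, value in report.items():
        print(f"{key}: {value}")
    # Reference mitigation from the standard library for real code paths.
    print("hmac.compare_digest match:", hmac.compare_digest(GUESS, GUESS))


if __name__ == "__main__":
    main()
```

Running it shows the early-exit comparison taking 5, 3 and 1 steps for the three secrets against the same guess, while the constant-time version always takes 8; only the former is flagged by the detection check. Real measurements replace the step counter with repeated timing samples and a statistical test, but the structure of the check (fix the public input, vary the secret, look for secret-dependent observations) is the same.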

We trust computer systems with our sensitive data daily. Apps might store and handle our banking information, medical diagnoses and personal identification credentials. Providing this data to online systems makes our lives more convenient, but means that we are reliant on the security of these systems to protect our privacy. Unfortunately, cyber-attacks stealing confidential information are becoming increasingly frequent and devastating. Many software development practices, such as the encryption of packets sent over a network, aim to protect the confidentiality of private data. Under these protections, the software system’s main communication channels, such as the content of the network packets it sends or the output it writes to a public file, should not leak information about private data. However, many software systems still contain serious security vulnerabilities due to side channels.

Recently, Tegan Brennan and Prof. Bultan identified a new class of side-channel vulnerabilities: JIT-induced side channels. The key insight behind their discovery is that just-in-time (JIT) compilation, which is crucial to the performance of modern programming languages such as Java and JavaScript, can introduce timing side channels into programs as it attempts to optimize for the most common use cases. Just-in-time compilation is the mechanism that converts source code or bytecode into highly optimized machine code while the program is running. How it optimizes the machine code is based on profiling data about how the software is most frequently used. What Tegan Brennan, Nicolas Rosner (a former postdoctoral researcher from VLab who recently joined Amazon) and Prof. Bultan show in their paper titled “JIT Leaks: Inducing Timing Side Channels through Just-In-Time Compilation”, to be presented at the 41st IEEE Symposium on Security and Privacy (S&P 2020), is that this optimization can be leveraged by an attacker to learn sensitive information.

In a follow-up paper titled “JVM Fuzzing for JIT-Induced Side-Channel Detection”, accepted for presentation at the 42nd International Conference on Software Engineering (ICSE 2020), Tegan Brennan, Seemanta Saha (a PhD student at VLab) and Prof. Bultan describe an automated approach for detecting and evaluating JIT-induced side channels in programs. Their approach allows software developers to automatically evaluate whether a Java program might be vulnerable to this class of side channels and under what runtime conditions the program is susceptible. This lets a developer detect JIT-induced side channels automatically before a software system is deployed and exploited. Tegan Brennan and Prof. Bultan are currently working on mitigation techniques that would eliminate JIT-induced side channels in programs once they are detected, without sacrificing the performance of the program.