Tegan Brennan PhD Proposal

Friday, May 24, 2019 - 10:00am to 12:00pm
HFH 1132
Static and Dynamic Software Side Channels
Tegan Brennan
Tevfik Bultan(Chair), Subhash Suri, Giovanni Vigna


Modern software systems frequently store and manipulate personal data, such as location, credit card information or medical history. Guaranteeing the confidentiality of such private data is necessary to protect the users of these systems. This aim is complicated by side channel attacks, which have been increasingly demonstrated as a practical threat to the secrecy of personal user information.  Side channel attacks use non-functional properties of the program’s output such as time or memory consumption to obtain information about private data. 

My research focuses on the automated detection and quantification of side-channel vulnerabilities. Ultimately, side channels arise from an imbalance across program paths that can be correlated with some secret value. In the first part of this talk, I will present a scalable, static analysis technique for side channel detection. I will then show that imbalance across programs paths can be introduced not only at the source code level, but also at runtime. Just-in-time (JIT) compilation, which is crucial to the performance of modern programming languages such as Java and Javascript, can introduce timing side channels into deceptively secure-looking code fragments when it attempts to optimize paths it deems “hot”. I will show how JIT-based side channels can be induced and leveraged, demonstrating such side-channels in the Apache Shiro security framework and the GraphHopper route planning server that are large enough in magnitude to be observable over the public internet.

These side-channels are not detectable with any current program analysis approach. I will end my talk with a discussion of an automated technique for inducing and evaluating JIT-based side channels. 

Everyone welcome!