How to mitigate code-branching side-channel attacks on Java?
When you are working with secret keys, if your code branches unequally it could reveal bits of the secret keys via side channels. So for some algorithms it should branch uniformly independently of the secret key.
On C/C++/Rust, you can use assembly to be sure that no compiler optimizations will mess with the branching. However, on Java, the situation is difficult. First of all, it does JIT for desktop, and AOT on Android, so there are 2 possibilities for the code to be optimized in an unpredictable way, as JIT and AOT are always changing and can be different for each device. So, how are side channel attacks that take advantage of branching prevented on Java?
Comments (1)
When performing side-channel attacks, one of the main ways of doing this is to read the power consumption of the chip using differential power analysis (DPA). When you have a branch in the code, such as an if statement, this can adversely affect the power draw in such a way that correlations can be made as to which choices are being made. To thwart this analysis, it would be in your interest to have a "linear" power consumption. This can to some degree be mitigated by code, but would ultimately depend upon the device itself. According to Brennan et al. [1], some chose to tackle the Java JIT issue by caching instructions. In code, the "best" you could do would be to program using canaries, in order to confuse an attacker, as proposed by Brennan et al. [2], and demonstrated in the following (very simplified) example code:
versus;
[1]: T. Brennan, "Detection and Mitigation of JIT-Induced Side Channels*," 2020 IEEE/ACM 42nd International Conference on Software Engineering: Companion Proceedings (ICSE-Companion), 2020, pp. 143-145.
[2]: T. Brennan, N. Rosner and T. Bultan, "JIT Leaks: Inducing Timing Side Channels through Just-In-Time Compilation," 2020 IEEE Symposium on Security and Privacy (SP), 2020, pp. 1207-1222, doi: 10.1109/SP40000.2020.00007.
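Branch-free handling of a secret bit at the Java source level, as an added example that is not taken from the question, the answer or the cited papers. The class and method names are hypothetical, and the Java language gives no guarantee that a JIT or AOT compiler keeps the compiled code branch-free, so timing still has to be measured on the target runtime.

```java
import java.security.MessageDigest;

public final class BranchFree {
    // bit must be 0 or 1: returns 0xFFFFFFFF for 1 and 0 for 0.
    static int mask(int bit) { return -bit; }

    // Returns a when bit == 1 and b when bit == 0, with no if or ternary.
    static int select(int bit, int a, int b) {
        int m = mask(bit);
        return (a & m) | (b & ~m);
    }

    // Swaps x and y element-wise when bit == 1; does the same work when bit == 0.
    // Both arrays must have the same (public) length.
    static void cswap(int bit, int[] x, int[] y) {
        int m = mask(bit);
        for (int i = 0; i < x.length; i++) {
            int t = m & (x[i] ^ y[i]);
            x[i] ^= t;
            y[i] ^= t;
        }
    }

    // Compares every byte and accumulates differences instead of returning early.
    // The lengths are treated as public, so branching on them is acceptable.
    static boolean equal(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void main(String[] args) {
        int[] x = {1, 2, 3}, y = {7, 8, 9};          // constructed sample values
        byte[] tag = {0x10, 0x20, 0x30}, guess = {0x10, 0x20, 0x31};
        for (int bit = 0; bit <= 1; bit++) {
            System.out.println("select(" + bit + ") = " + select(bit, 0xAAAA, 0x5555));
        }
        cswap(1, x, y);
        System.out.println("after cswap: x[0]=" + x[0] + " y[0]=" + y[0]);
        System.out.println("equal: " + equal(tag, guess));
        // JDK helper for digest comparison; it also examines all bytes.
        System.out.println("MessageDigest.isEqual: " + MessageDigest.isEqual(tag, guess));
    }
}
```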