摘要
Side-channel attacks allow adversaries to infer sensitive information,such as cryptographic keys or private user data,by monitoring unintentional information leaks of running programs.Prior side-channel detection methods can identify numerous potential vulnerabilities in cryptographic implementations with a small amount of execution traces due to the high diffusion of secret inputs in crypto primitives.However,because non-cryptographic programs cover different paths under various sensitive inputs,extending existing tools for identifying information leaks to non-cryptographic applications suffers from either insufficient path coverage or redundant testing.To address these limitations,we propose a new dynamic analysis framework named SPIDER that uses fuzzing,execution profiling,and clustering for a high path coverage and test suite reduction,and then speeds up the dynamic analysis of side-channel vulnerability detection in non-cryptographic programs.We analyze eight non-cryptographic programs and ten cryptographic algorithms under SPIDER in a fully automated way,and our results confirm the effectiveness of test suite reduction and the vulnerability detection accuracy of the whole framework.
基金
supported in part by the National Natural Science Foundation of China (Nos.61272452 and 61872430)
the National Key Basic Research and Development (973)Program of China (No.2014CB340601)
the Key R&D Program of Hubei Province (No.2020BAA003)
the Prospective Applied Research Program of Suzhou City (No.SYG201845).
