Paper 2018/808

Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing

Jiyong Yu, Lucas Hsiung, Mohamad El Hajj, and Christopher W. Fletcher

Abstract

Blocking microarchitectural (digital) side channels is one of the most pressing challenges in hardware security today. Recently, there has been a surge of effort that attempts to block these leakages by writing programs data obliviously. In this model, programs are written to avoid placing sensitive data-dependent pressure on shared resources. Despite recent efforts, however, running data oblivious programs on modern machines today is insecure and low performance. First, writing programs obliviously assumes certain instructions in today's ISAs will not leak privacy, whereas today's ISAs and hardware provide no such guarantees. Second, writing programs to avoid data-dependent behavior inherently incurs high performance overhead. This paper tackles both the security and performance aspects of this problem by proposing a Data Oblivious ISA extension (OISA). On the security side, we present ISA design principles to block microarchitectural side channels, and embody these ideas in a concrete ISA capable of safely executing existing data oblivious programs. On the performance side, we design the OISA with support for efficient memory oblivious computation, and with safety features that allow modern hardware optimizations, e.g., out-of-order speculative execution, to remain enabled in the common case. We provide a complete hardware prototype of our ideas, built on top of the RISC-V out-of-order, speculative BOOM processor, and prove that the OISA can provide the advertised security through a formal analysis of an abstract BOOM-style machine. We evaluate the area overhead of the hardware mechanisms needed to support our prototype, and provide performance experiments showing how the OISA speeds up a variety of existing data oblivious codes (including "constant time" cryptography and memory oblivious data structures), in addition to improving their security and portability.
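The abstract's "data oblivious" programming model is the style of code the OISA is designed to execute safely. The following is an added illustration, not code from the paper or its prototype: a data-dependent table lookup next to a memory oblivious one (every element is touched, so the address trace does not depend on the secret index), plus branch-free select and constant-time comparison helpers of the kind "constant time" cryptography relies on. The function names and the sample table are constructed for this example. Note that this C code only stays oblivious if the compiler preserves the masking and the hardware executes loads and logic ops without secret-dependent timing; the abstract's point is that today's ISAs give no such guarantee, which is the gap the OISA closes.

```c
#include <stdint.h>
#include <stddef.h>

/* All-ones mask if cond != 0, else 0, computed without a branch.
 * (cond | -cond) has its top bit set exactly when cond is nonzero. */
static uint64_t ct_mask(uint64_t cond) {
    return (uint64_t)0 - ((cond | ((uint64_t)0 - cond)) >> 63);
}

/* Branch-free conditional select: returns a if cond != 0, otherwise b.
 * A compiler-emitted cmov or a plain branch would leak cond; the mask does not. */
uint64_t ct_select(uint64_t cond, uint64_t a, uint64_t b) {
    uint64_t m = ct_mask(cond);
    return (a & m) | (b & ~m);
}

/* Data-dependent lookup: the address loaded depends on secret_idx, so the
 * cache line that is touched leaks the index to a co-resident observer. */
uint64_t lookup_leaky(const uint64_t *table, size_t n, size_t secret_idx) {
    (void)n;
    return table[secret_idx];
}

/* Memory oblivious lookup: reads every element in the same order regardless
 * of secret_idx and masks in the wanted one. Cost is O(n) instead of O(1);
 * this is the "inherent performance overhead" the abstract refers to. */
uint64_t lookup_oblivious(const uint64_t *table, size_t n, size_t secret_idx) {
    uint64_t result = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t diff = (uint64_t)i ^ (uint64_t)secret_idx;
        uint64_t m = ~ct_mask(diff);      /* all ones iff i == secret_idx */
        result |= table[i] & m;
    }
    return result;
}

/* Constant-time buffer equality: returns 1 if equal, 0 otherwise. The loop
 * never exits early, so timing does not reveal the position of a mismatch. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= (uint8_t)(a[i] ^ b[i]);
    }
    /* acc == 0 -> (acc - 1) is all ones -> result 1; else result 0 */
    return (int)(((uint64_t)(acc - 1) >> 8) & 1);
}

/* Constructed sample data so the helpers can be exercised without inputs. */
static const uint64_t SAMPLE_TABLE[4] = {11, 22, 33, 44};
static const uint8_t SAMPLE_TAG_A[4] = {0xde, 0xad, 0xbe, 0xef};
static const uint8_t SAMPLE_TAG_B[4] = {0xde, 0xad, 0xbe, 0xee};

uint64_t demo_lookup(size_t idx) {
    return lookup_oblivious(SAMPLE_TABLE, 4, idx);
}

int demo_tag_match(int use_same) {
    const uint8_t *other = use_same ? SAMPLE_TAG_A : SAMPLE_TAG_B;
    return ct_memeq(SAMPLE_TAG_A, other, 4);
}
```

Both lookups return the same value; only the memory access pattern differs, which is exactly what a cache side channel observes. The paper's OISA approach lets such code keep the oblivious semantics while the hardware applies optimizations like speculation only where they cannot leak.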

Note:
- Expanded on security analysis
- Re-phrased contributions (Section 1.A) and main ideas in analysis (Section 5.A) for clarity
- Fixed bug in Figure 2 related to how labels are set for branches, jumps, and the RNG instructions

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Published elsewhere. Minor revision. 26th Network and Distributed System Security Symposium (NDSS), 2019
DOI
10.14722/ndss.2019.23xxx
Keywords
Data oblivious computing, constant time computing, secure hardware, circuit abstraction, speculative execution
Contact author(s)
cwfletch @ illinois edu
History
2019-06-13: last of 3 revisions
2018-09-06: received
Short URL
https://ia.cr/2018/808
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/808,
      author = {Jiyong Yu and Lucas Hsiung and Mohamad El Hajj and Christopher W. Fletcher},
      title = {Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing},
      howpublished = {Cryptology ePrint Archive, Paper 2018/808},
      year = {2018},
      doi = {10.14722/ndss.2019.23xxx},
      note = {\url{https://eprint.iacr.org/2018/808}},
      url = {https://eprint.iacr.org/2018/808}
}