High-assurance zeroization

Santiago Arranz Olmos; Gilles Barthe; Ruben Gonzalez; Benjamin Grégoire; Vincent Laporte; Jean-Christophe Léchenet; Tiago Oliveira; Peter Schwabe

Paper 2023/1713

High-assurance zeroization

Santiago Arranz Olmos, Max Planck Institute for Security and Privacy

Gilles Barthe

, Max Planck Institute for Security and Privacy, IMDEA Software

Ruben Gonzalez, Max Planck Institute for Security and Privacy, Neodyme AG

Benjamin Grégoire

, Inria Sophia Antipolis - Méditerranée

Vincent Laporte, Inria Nancy - Grand-Est research centre

Jean-Christophe Léchenet

, Inria Sophia Antipolis - Méditerranée

Tiago Oliveira

, Max Planck Institute for Security and Privacy

Peter Schwabe

, Max Planck Institute for Security and Privacy, Radboud University

Abstract

In this paper we revisit the problem of erasing sensitive data from memory and registers during return from a cryptographic routine. While the problem and related attacker model is fairly easy to phrase, it turns out to be surprisingly hard to guarantee security in this model when implementing cryptography in common languages such as C/C++ or Rust. We revisit the issues surrounding zeroization and then present a principled solution in the sense that it guarantees that sensitive data is erased and it clearly defines when this happens. We implement our solution as extension to the formally verified Jasmin compiler and extend the correctness proof of the compiler to cover zeroization. We show that the approach seamlessly integrates with state-of-the-art protections against microarchitectural attacks by integrating zeroization into Libjade, a cryptographic library written in Jasmin with systematic protections against timing and Spectre-v1 attacks. We present benchmarks showing that in many cases the overhead of zeroization is barely measurable and that it stays below 2% except for highly optimized symmetric crypto routines on short inputs.

Metadata

Available format(s): PDF
Category: Implementation
Publication info: Published by the IACR in TCHES 2024
DOI: 10.46586/tches.v2024.i1.375-397
Keywords: Secret erasure clear stack memory defense in depth high-assurance cryptography
Contact author(s): santiago arranz-olmos @ mpi-sp org
gilles barthe @ mpi-sp org
mail @ ruben-gonzalez de
benjamin gregoire @ inria fr
Vincent Laporte @ inria fr
jean-christophe lechenet @ inria fr
tiago oliveira @ mpi-sp org
History: 2023-12-11: last of 2 revisions; 2023-11-05: received; See all versions
Short URL: https://ia.cr/2023/1713
License: CC0

BibTeX

@misc{cryptoeprint:2023/1713,
      author = {Santiago Arranz Olmos and Gilles Barthe and Ruben Gonzalez and Benjamin Grégoire and Vincent Laporte and Jean-Christophe Léchenet and Tiago Oliveira and Peter Schwabe},
      title = {High-assurance zeroization},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1713},
      year = {2023},
      doi = {10.46586/tches.v2024.i1.375-397},
      note = {\url{https://eprint.iacr.org/2023/1713}},
      url = {https://eprint.iacr.org/2023/1713}
}