Poster: Symbolic Path Cost Analysis For Side-Channel Detection

PROCEEDINGS 2018 IEEE/ACM 40TH INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING - COMPANION (ICSE-COMPANION) (2018)

Abstract
We present a static, scalable analysis technique for detecting side channels in software systems. Our method is motivated by the observation that a sizable class of side-channel vulnerabilities occurs when the value of private data results in multiple distinct control flow paths with differentiable observables. Given a set of secret variables, a type of side channel, and a program, our goal is to detect the set of branch conditions responsible for potential side channels of the given type in the program, and to generate a pair of witness paths in the control flow graph for the detected side channel. Our technique achieves this by analyzing the control flow graph of the program with respect to a cost model (such as time or memory usage) and identifying whether a change in the secret value can cause a detectable change in the observed cost of the program behavior. It also generates a pair of witness paths in the control flow graph that differ only on the branch conditions influenced by the secret and whose observable output under the given side channel differs by more than some user-defined threshold. We implemented our approach in a prototype tool, CoCo-Channel (Compositional Constraint-based side Channel analyzer), for analyzing Java programs.
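The following added example (not code from the paper or from CoCo-Channel) illustrates the witness-pair idea in Python on a constructed toy control flow graph. It brute-forces all paths of a small acyclic graph instead of using the paper's compositional constraint-based analysis; the graph, node costs, and function names are assumptions.

```python
from itertools import combinations

# Constructed toy CFG (an assumption, not from the paper): node -> (cost, successors).
# It models a credential check whose expensive step runs only on one secret-dependent outcome.
CFG = {
    "entry":     (1,  ["len_ok"]),
    "len_ok":    (1,  ["cmp", "reject"]),        # public branch: depends on input length only
    "cmp":       (2,  ["slow_hash", "reject"]),  # branch condition influenced by the secret
    "slow_hash": (50, ["accept"]),
    "accept":    (1,  []),
    "reject":    (1,  []),
}
SECRET_BRANCHES = {"cmp"}

def paths(cfg, node="entry", prefix=()):
    """Enumerate all entry-to-exit paths of an acyclic CFG."""
    prefix += (node,)
    succs = cfg[node][1]
    if not succs:
        yield prefix
    for s in succs:
        yield from paths(cfg, s, prefix)

def cost(cfg, path):
    """Cost model: sum of per-node costs (e.g. abstract time units)."""
    return sum(cfg[n][0] for n in path)

def decisions(cfg, path):
    """Map each branch node on the path to the successor taken."""
    return {n: nxt for n, nxt in zip(path, path[1:]) if len(cfg[n][1]) > 1}

def find_side_channels(cfg, secret_branches, threshold):
    """Return (responsible branches, witness path 1, witness path 2, cost delta)."""
    findings = []
    for p, q in combinations(paths(cfg), 2):
        dp, dq = decisions(cfg, p), decisions(cfg, q)
        differing = {b for b in dp.keys() & dq.keys() if dp[b] != dq[b]}
        # A witness pair may disagree only at secret-influenced branches.
        if not differing or not differing <= secret_branches:
            continue
        delta = abs(cost(cfg, p) - cost(cfg, q))
        if delta > threshold:
            findings.append((sorted(differing), p, q, delta))
    return findings
```

With a threshold of 10, only the `cmp` branch is reported: the `len_ok` branch also changes the cost, but it is public, so path pairs that differ there are not witnesses.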
Keywords
symbolic path cost analysis, detection, side-channel