Clueless: A Tool Characterising Values Leaking as Addresses

University essay from Uppsala universitet/Institutionen för informationsteknologi

Author: Xiaoyue Chen; [2022]


Abstract: A fundamental programming feature that allows Spectre to effortlessly leak the value of secrets via cache side channels is the transformation of data values into addresses. Consider for example sorting, hashing, or many other algorithms that create addresses based on data values. While we understand the mechanism that leaks data as addresses, there is no clear understanding of how serious the problem is in our workloads: How many values do “leak” as addresses in a given application? This work aims to shed some light on how exposed we are to the potential vulnerability. Clueless is a tool (based on binary re-writing) that tracks dynamic instruction dependencies and tags data values in memory if it discovers that they are used in address calculations to further access other data. Clueless can be used in two modes: aggregating mode, where it reports on the amount of data that are used as addresses at each point during execution, and tracking mode, where the tool is specifically asked to track certain data in memory (e.g., a password) to see if they are turned into addresses at any point during execution. Tracking mode returns a trace on how the tracked data are turned into addresses, if they do. We demonstrate Clueless in aggregating mode on SPEC 2006 and characterise, for the first time, the amount of data values that are turned into addresses in these programs. We further demonstrate Clueless in tracking mode on a micro benchmark and on a case study. The case study is the different implementations of AES in OpenSSL: T-table, Vector Permutation AES (VPAES), and Intel Advanced Encryption Standard New Instructions (AES-NI). The T-table AES implementation can be easily broken with a cache side-channel attack (e.g., Prime+Probe), but VPAES and AES-NI are immune to cache-timing attacks. Clueless readily shows how the encryption key is transformed into addresses in the T-table implementation and the lack of the corresponding transformations in the other two implementat
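To make the value-as-address idea and the tracking-mode trace concrete, here is an added toy model, not Clueless's own code: a dependency tracker over a constructed, hypothetical instruction trace that reports when a tracked value (a key byte) reaches a load or store address, contrasting a T-table-style lookup with a table-free round. The IR, register names and both traces are assumptions made up for this illustration.

```python
# Constructed 3-address IR (hypothetical, not any real ISA), one tuple per
# dynamic instruction: ("track", dst, []) marks dst as tracked data (a key
# byte); ("imm", dst, []) a public constant; ("alu", dst, [s1, s2]) any
# arithmetic/logic op; ("load", dst, [addr]); ("store", None, [addr, src]).

def find_leaks(trace):
    """Return (pc, addr_reg, chain) for every load/store whose address
    depends on tracked data; chain is the pcs by which it got there.
    Loaded values are treated as fresh, a simplification of full tracking."""
    deps, leaks = {}, []            # deps[reg] -> tuple of contributing pcs
    for pc, (op, dst, srcs) in enumerate(trace):
        if op == "track":
            deps[dst] = (pc,)
        elif op == "imm":
            deps.pop(dst, None)
        elif op == "alu":
            merged = tuple(p for s in srcs for p in deps.get(s, ()))
            if merged:
                deps[dst] = merged + (pc,)
            else:
                deps.pop(dst, None)
        elif op in ("load", "store"):
            addr = srcs[0]
            if addr in deps:            # tracked value reached an address
                leaks.append((pc, addr, deps[addr]))
            if op == "load":
                deps.pop(dst, None)
    return leaks

# Constructed trace of one T-table lookup: key byte XOR plaintext byte selects
# the table entry, so the key is turned into an address.
TTABLE_TRACE = [
    ("track", "k0", []),            # 0: key byte we ask the tool to follow
    ("imm",   "p0", []),            # 1: plaintext byte
    ("alu",   "x0", ["k0", "p0"]),  # 2: x0 = k0 ^ p0
    ("imm",   "te", []),            # 3: base address of the T-table
    ("alu",   "a0", ["te", "x0"]),  # 4: a0 = te + x0
    ("load",  "t0", ["a0"]),        # 5: t0 = mem[a0], key-dependent address
]

# Constructed table-free round: the key only mixes into data stored at a
# public address, so nothing derived from it is ever used as an address.
DATA_ONLY_TRACE = [
    ("track", "k0", []),
    ("imm",   "p0", []),
    ("alu",   "x0", ["k0", "p0"]),
    ("imm",   "out", []),
    ("store", None, ["out", "x0"]),
]
```

For the first trace the tracker reports the load at pc 5 with the chain (0, 2, 4), i.e. the key byte, the XOR, and the address add; for the second it reports nothing, mirroring what the abstract describes for T-table AES versus VPAES and AES-NI.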
