Litcius/Paper detail

DeJITLeak: eliminating JIT-induced timing side-channel leaks

Qi Qin, JulianAndres JiYang, Fu Song, Taolue Chen, Xinyu Xing

2022Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering18 citationsDOIOpen Access PDF

Abstract

Timing side-channels can be exploited to infer secret information when the execution time of a program is correlated with secrets. Recent work has shown that Just-In-Time (JIT) compilation can introduce new timing side-channels in programs even if they are time-balanced at the source code level. In this paper, we propose a novel approach to eliminate JIT-induced leaks. We first formalise timing side-channel security under JIT compilation via the notion of time-balancing, laying the foundation for reasoning about programs with JIT compilation. We then propose to eliminate JIT-induced leaks via a fine-grained JIT compilation. To this end, we provide an automated approach to generate compilation policies and a novel type system to guarantee its soundness. We develop a tool DeJITLeak for real-world Java and implement the fine-grained JIT compilation in HotSpot JVM. Experimental results show that DeJITLeak can effectively and efficiently eliminate JIT-induced leaks on three widely adopted benchmarks in the setting of side-channel detection.

Topics & Concepts

Computer scienceJust-in-time compilationSoundnessSide channel attackJavaChannel (broadcasting)Programming languageCryptographyComputer networkComputer securitySecurity and Verification in ComputingAdvanced Malware Detection TechniquesCryptographic Implementations and Security