FACT: A DSL for timing-sensitive computation

Sunjay Cauligi; Fraser Brown; Benjamin Grégoire; Gary Soeller; Riad S. Wahby; Gilles Barthe; Deian Stefan; Brian Johannesmeyer; John Renner; Ranjit Jhala

doi:10.1145/3314221.3314605

FACT: A DSL for timing-sensitive computation

Sunjay Cauligi, Fraser Brown, Benjamin Grégoire, Gary Soeller, Riad S. Wahby, Gilles Barthe, Deian Stefan, Brian Johannesmeyer, John Renner, Ranjit Jhala

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Real-world cryptographic code is often written in a subset of C intended to execute in constant-time, thereby avoiding timing side channel vulnerabilities. This C subset eschews structured programming as we know it: if-statements, looping constructs, and procedural abstractions can leak timing information when handling sensitive data. The resulting obfuscation has led to subtle bugs, even in widely-used high-profile libraries like OpenSSL. To address the challenge of writing constant-time cryptographic code, we present FaCT, a crypto DSL that provides high-level but safe language constructs. The FaCT compiler uses a secrecy type system to automatically transform potentially timing-sensitive high-level code into low-level, constant-time LLVM bitcode. We develop the language and type system, formalize the constant-time transformation, and present an empirical evaluation that uses FaCT to implement core crypto routines from several open-source projects including OpenSSL, libsodium, and curve25519-donna. Our evaluation shows that FaCT's design makes it possible to write readable, high-level cryptographic code, with efficient, constant-time behavior.

Original language	English
Title of host publication	PLDI 2019 - Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation
Editors	Kathryn S. McKinley, Kathleen Fisher
Publisher	Association for Computing Machinery
Pages	174-189
Number of pages	16
ISBN (Electronic)	9781450367127
DOIs	https://doi.org/10.1145/3314221.3314605
Publication status	Published - 8 Jun 2019
Externally published	Yes
Event	40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019 - Phoenix, United States Duration: 22 Jun 2019 → 26 Jun 2019

Publication series

Name	Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)

Conference

Conference	40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019
Country/Territory	United States
City	Phoenix
Period	22/06/19 → 26/06/19

Funding

We thank the anonymous PLDI and PLDI AEC reviewers and our shepherd Limin Jia for their suggestions and insightful comments. We thank the participants of the Dagstuhl Seminar on Secure Compilation for early feedback on this work, especially Tamara Rezk. We thank Ariana Mirian for handling the IRB for our user study, Shravan Narayan for his help in understanding the subtleties of LLVM, and Joseph Jaeger and Jess Sorrell for helping us understand elliptic curve implementations. We also thank the CSE 130 TAs for their help in testing our user study, and the CSE 130 students for participating in the user study. This work was supported in part by gifts from Fujitsu and Cisco, by the National Science Foundation under Grant Number CNS-1514435, by ONR Grant N000141512750, and by the CONIX Research Center, one of six centers in JUMP, a Semiconductor Research Corporation (SRC) program sponsored by DARPA.

Funders	Funder number
National Science Foundation	1514435, CNS-1514435, N000141512750

Keywords

Cryptography
Domain-specific language
Program transformation

Access to Document

10.1145/3314221.3314605

Persistent URL (handle)

Persistent link

Cite this

Cauligi, S., Brown, F., Grégoire, B., Soeller, G., Wahby, R. S., Barthe, G., Stefan, D., Johannesmeyer, B., Renner, J., & Jhala, R. (2019). FACT: A DSL for timing-sensitive computation. In K. S. McKinley, & K. Fisher (Eds.), PLDI 2019 - Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation (pp. 174-189). (Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)). Association for Computing Machinery. https://doi.org/10.1145/3314221.3314605

Cauligi, Sunjay ; Brown, Fraser ; Grégoire, Benjamin et al. / FACT : A DSL for timing-sensitive computation. PLDI 2019 - Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation. editor / Kathryn S. McKinley ; Kathleen Fisher. Association for Computing Machinery, 2019. pp. 174-189 (Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)).

@inproceedings{d33b0bf3ce8d4a97a98fa285ac0acecf,

title = "FACT: A DSL for timing-sensitive computation",

abstract = "Real-world cryptographic code is often written in a subset of C intended to execute in constant-time, thereby avoiding timing side channel vulnerabilities. This C subset eschews structured programming as we know it: if-statements, looping constructs, and procedural abstractions can leak timing information when handling sensitive data. The resulting obfuscation has led to subtle bugs, even in widely-used high-profile libraries like OpenSSL. To address the challenge of writing constant-time cryptographic code, we present FaCT, a crypto DSL that provides high-level but safe language constructs. The FaCT compiler uses a secrecy type system to automatically transform potentially timing-sensitive high-level code into low-level, constant-time LLVM bitcode. We develop the language and type system, formalize the constant-time transformation, and present an empirical evaluation that uses FaCT to implement core crypto routines from several open-source projects including OpenSSL, libsodium, and curve25519-donna. Our evaluation shows that FaCT's design makes it possible to write readable, high-level cryptographic code, with efficient, constant-time behavior.",

keywords = "Cryptography, Domain-specific language, Program transformation",

author = "Sunjay Cauligi and Fraser Brown and Benjamin Gr{\'e}goire and Gary Soeller and Wahby, {Riad S.} and Gilles Barthe and Deian Stefan and Brian Johannesmeyer and John Renner and Ranjit Jhala",

year = "2019",

month = jun,

day = "8",

doi = "10.1145/3314221.3314605",

language = "English",

series = "Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)",

publisher = "Association for Computing Machinery",

pages = "174--189",

editor = "McKinley, {Kathryn S.} and Kathleen Fisher",

booktitle = "PLDI 2019 - Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation",

note = "40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019 ; Conference date: 22-06-2019 Through 26-06-2019",

}

Cauligi, S, Brown, F, Grégoire, B, Soeller, G, Wahby, RS, Barthe, G, Stefan, D, Johannesmeyer, B, Renner, J & Jhala, R 2019, FACT: A DSL for timing-sensitive computation. in KS McKinley & K Fisher (eds), PLDI 2019 - Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation. Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), Association for Computing Machinery, pp. 174-189, 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019, Phoenix, United States, 22/06/19. https://doi.org/10.1145/3314221.3314605

FACT: A DSL for timing-sensitive computation. / Cauligi, Sunjay; Brown, Fraser; Grégoire, Benjamin et al.
PLDI 2019 - Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation. ed. / Kathryn S. McKinley; Kathleen Fisher. Association for Computing Machinery, 2019. p. 174-189 (Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)).

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - FACT

T2 - 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019

AU - Cauligi, Sunjay

AU - Brown, Fraser

AU - Grégoire, Benjamin

AU - Soeller, Gary

AU - Wahby, Riad S.

AU - Barthe, Gilles

AU - Stefan, Deian

AU - Johannesmeyer, Brian

AU - Renner, John

AU - Jhala, Ranjit

PY - 2019/6/8

Y1 - 2019/6/8

N2 - Real-world cryptographic code is often written in a subset of C intended to execute in constant-time, thereby avoiding timing side channel vulnerabilities. This C subset eschews structured programming as we know it: if-statements, looping constructs, and procedural abstractions can leak timing information when handling sensitive data. The resulting obfuscation has led to subtle bugs, even in widely-used high-profile libraries like OpenSSL. To address the challenge of writing constant-time cryptographic code, we present FaCT, a crypto DSL that provides high-level but safe language constructs. The FaCT compiler uses a secrecy type system to automatically transform potentially timing-sensitive high-level code into low-level, constant-time LLVM bitcode. We develop the language and type system, formalize the constant-time transformation, and present an empirical evaluation that uses FaCT to implement core crypto routines from several open-source projects including OpenSSL, libsodium, and curve25519-donna. Our evaluation shows that FaCT's design makes it possible to write readable, high-level cryptographic code, with efficient, constant-time behavior.

AB - Real-world cryptographic code is often written in a subset of C intended to execute in constant-time, thereby avoiding timing side channel vulnerabilities. This C subset eschews structured programming as we know it: if-statements, looping constructs, and procedural abstractions can leak timing information when handling sensitive data. The resulting obfuscation has led to subtle bugs, even in widely-used high-profile libraries like OpenSSL. To address the challenge of writing constant-time cryptographic code, we present FaCT, a crypto DSL that provides high-level but safe language constructs. The FaCT compiler uses a secrecy type system to automatically transform potentially timing-sensitive high-level code into low-level, constant-time LLVM bitcode. We develop the language and type system, formalize the constant-time transformation, and present an empirical evaluation that uses FaCT to implement core crypto routines from several open-source projects including OpenSSL, libsodium, and curve25519-donna. Our evaluation shows that FaCT's design makes it possible to write readable, high-level cryptographic code, with efficient, constant-time behavior.

KW - Cryptography

KW - Domain-specific language

KW - Program transformation

UR - http://www.scopus.com/inward/record.url?scp=85067688093&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85067688093&partnerID=8YFLogxK

U2 - 10.1145/3314221.3314605

DO - 10.1145/3314221.3314605

M3 - Conference contribution

AN - SCOPUS:85067688093

T3 - Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)

SP - 174

EP - 189

BT - PLDI 2019 - Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

A2 - McKinley, Kathryn S.

A2 - Fisher, Kathleen

PB - Association for Computing Machinery

Y2 - 22 June 2019 through 26 June 2019

ER -

Cauligi S, Brown F, Grégoire B, Soeller G, Wahby RS, Barthe G et al. FACT: A DSL for timing-sensitive computation. In McKinley KS, Fisher K, editors, PLDI 2019 - Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation. Association for Computing Machinery. 2019. p. 174-189. (Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)). doi: 10.1145/3314221.3314605

FACT: A DSL for timing-sensitive computation

Abstract

Publication series

Conference

Funding

Keywords

Access to Document

Persistent URL (handle)

Other files and links

Fingerprint

Cite this