TL;DR
Constantine is a compiler-based system that automatically transforms programs to be resistant against microarchitectural side channels by linearizing secret-dependent control and data flows, achieving strong security guarantees with manageable overheads.
Contribution
It introduces a novel linearization approach for automatic side-channel resistance that ensures security and compatibility, overcoming state explosion with innovative optimizations.
Findings
Achieves as low as 16% overhead on benchmarks
Successfully handles complex real-world cryptographic library components
Provides strong security guarantees by construction
Abstract
In the era of microarchitectural side channels, vendors scramble to deploy mitigations for transient execution attacks, but leave traditional side-channel attacks against sensitive software (e.g., crypto programs) to be fixed by developers by means of constant-time programming (i.e., absence of secret-dependent code/data patterns). Unfortunately, writing constant-time code by hand is hard, as evidenced by the many flaws discovered in production side channel-resistant code. Prior efforts to automatically transform programs into constant-time equivalents offer limited security or compatibility guarantees, hindering their applicability to real-world software. In this paper, we present Constantine, a compiler-based system to automatically harden programs against microarchitectural side channels. Constantine pursues a radical design point where secret-dependent control and data flows are…
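To make the abstract's terms concrete, the following added example (a hand-written sketch, not Constantine's output or code from the paper) puts a routine with a secret-dependent branch and table lookup next to a linearized form that computes both arms and touches every table entry. The table contents and all function names are constructed for illustration.

```c
#include <stdint.h>

/* Constructed 16-entry table standing in for a secret-indexed lookup table. */
static const uint8_t TABLE[16] = {
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76
};

/* Leaky: the branch taken and the address loaded both depend on the secret. */
uint8_t leaky_step(uint8_t secret, uint8_t x) {
    if (secret & 1)
        return (uint8_t)(x + TABLE[secret & 0x0f]);
    return (uint8_t)(x ^ 0x5a);
}

/* All-ones mask when a == b, zero otherwise, computed without branching. */
static uint32_t eq_mask(uint32_t a, uint32_t b) {
    uint32_t d = a ^ b;
    return ((d | (0u - d)) >> 31) - 1u;
}

/* Data-flow linearization: read every entry, keep only the wanted one. */
static uint8_t ct_lookup(uint8_t idx) {
    uint8_t out = 0;
    for (uint32_t i = 0; i < 16; i++)
        out |= (uint8_t)(TABLE[i] & eq_mask(i, idx));
    return out;
}

/* Control-flow linearization: compute both arms, select with a mask. */
uint8_t linear_step(uint8_t secret, uint8_t x) {
    uint8_t taken  = (uint8_t)(0u - (secret & 1u));      /* 0xff or 0x00 */
    uint8_t then_v = (uint8_t)(x + ct_lookup(secret & 0x0f));
    uint8_t else_v = (uint8_t)(x ^ 0x5a);
    return (uint8_t)((then_v & taken) | (else_v & (uint8_t)~taken));
}

/* Returns 1 when both versions agree on every (secret, x) pair. */
int versions_agree(void) {
    for (unsigned s = 0; s < 256; s++)
        for (unsigned x = 0; x < 256; x++)
            if (leaky_step((uint8_t)s, (uint8_t)x) != linear_step((uint8_t)s, (uint8_t)x))
                return 0;
    return 1;
}
```

A C compiler may turn these masks back into branches, so hand-linearized source still has to be checked in the generated machine code.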
