Cipherfix: Mitigating Ciphertext Side-Channel Attacks in Software
Jan Wichelmann, Anna Pätschke, Luca Wilke, Thomas Eisenbarth

TL;DR
This paper introduces Cipherfix, a software solution that mitigates ciphertext side-channel attacks in TEEs by masking secret data during memory writes, effectively protecting constant-time implementations without hardware modifications.
Contribution
Cipherfix provides a novel, software-based approach combining taint tracking and binary instrumentation to prevent ciphertext side-channel leaks in existing TEEs.
Findings
Protects constant-time implementations against ciphertext side-channels
Works without recompilation or hardware changes
Achieves reasonable performance overhead
Abstract
Trusted execution environments (TEEs) provide an environment for running workloads in the cloud without having to trust cloud service providers, by offering additional hardware-assisted security guarantees. However, main memory encryption as a key mechanism to protect against system-level attackers trying to read the TEE's content and physical, off-chip attackers, is insufficient. The recent Cipherleaks attacks infer secret data from TEE-protected implementations by analyzing ciphertext patterns exhibited due to deterministic memory encryption. The underlying vulnerability, dubbed the ciphertext side-channel, is neither protected by state-of-the-art countermeasures like constant-time code nor by hardware fixes. Thus, in this paper, we present a software-based, drop-in solution that can harden existing binaries such that they can be safely executed under TEEs vulnerable to ciphertext…
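The following is an added example, not code from the paper or from Cipherfix. It models why deterministic memory encryption leaks repetition of a secret-dependent value written to a fixed address, and how masking each write with a fresh random value removes the repeating pattern. The HMAC-based stand-in for the hardware cipher, the addresses, the function names, and the choice to store the mask in a second block are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes per encrypted block in this toy model (assumption)

class ToyEncryptedMemory:
    """Deterministic, address-tweaked memory encryption (toy stand-in).
    HMAC-SHA256 replaces the hardware cipher; only determinism matters."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._plain = {}

    def write(self, addr, block):
        self._plain[addr] = bytes(block)

    def read(self, addr):
        return self._plain[addr]

    def ciphertext(self, addr):
        # What an observer of encrypted memory sees for this block.
        msg = addr.to_bytes(8, "little") + self._plain[addr]
        return hmac.new(self._key, msg, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def masked_write(mem, addr, mask_addr, value):
    # Fresh random mask on every write, so the stored block never repeats.
    mask = secrets.token_bytes(BLOCK)
    mem.write(mask_addr, mask)
    mem.write(addr, xor(value, mask))

def run_victim(secret_bits, masked):
    """Write one secret-dependent block per bit to a fixed address.
    Returns (ciphertexts the observer sees, values the victim reads back)."""
    mem, addr, mask_addr = ToyEncryptedMemory(), 0x1000, 0x2000
    seen, readback = [], []
    for bit in secret_bits:
        value = bytes([bit]) * BLOCK  # constructed stand-in for secret state
        if masked:
            masked_write(mem, addr, mask_addr, value)
            readback.append(xor(mem.read(addr), mem.read(mask_addr)))
        else:
            mem.write(addr, value)
            readback.append(mem.read(addr))
        seen.append(mem.ciphertext(addr))
    return seen, readback

def repetition_pattern(ciphertexts):
    # Label each ciphertext by the index of its first occurrence.
    first = {}
    return [first.setdefault(c, i) for i, c in enumerate(ciphertexts)]
```

Without masking, the repetition pattern of the observed ciphertexts mirrors the secret bit sequence; with masking, every observed ciphertext is distinct while the victim still reads back the correct values.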
Taxonomy
Topics: Security and Verification in Computing · Cloud Data Security Solutions · Cryptography and Data Security
