Cassandra: Efficient Enforcement of Sequential Execution for Cryptographic Programs (Extended Version)
Ali Hajiabadi, Trevor E. Carlson

TL;DR
Cassandra is a hardware/software mechanism that enforces sequential execution in cryptographic programs to prevent side channel attacks, achieving high efficiency by disabling branch prediction and using trace compression.
Contribution
It introduces a novel approach to enforce sequential control flow in cryptographic code, combining branch predictor disabling with trace compression for security and performance.
Findings
Achieves an average 1.85% speedup over unsafe baseline processors.
Effectively enforces sequential execution to mitigate side channel attacks.
Uses trace compression to reduce overhead of control flow enforcement.
Abstract
Constant-time programming is a widely deployed approach to harden cryptographic programs against side channel attacks. However, modern processors often violate the underlying assumptions of standard constant-time policies by transiently executing unintended paths of the program. Despite many solutions proposed, addressing control flow misspeculations in an efficient way without losing performance is an open problem. In this work, we propose Cassandra, a novel hardware/software mechanism to enforce sequential execution for constant-time cryptographic code in a highly efficient manner. Cassandra explores the radical design point of disabling the branch predictor and recording-and-replaying sequential control flow of the program. Two key insights that enable our design are that (1) the sequential control flow of a constant-time program is mostly static over different runs, and (2)…
Taxonomy
Topics: Distributed systems and fault tolerance · Cryptography and Data Security · Security and Verification in Computing
