Place Protections at the Right Place: Targeted Hardening for Cryptographic Code against Spectre v1
Yiming Zhu, Wenchao Huang, Yan Xiong

TL;DR
This paper introduces LightSLH, a novel framework that employs a fixpoint algorithm for targeted hardening of cryptographic code against Spectre v1, reducing overhead and uncovering previously unknown security issues.
Contribution
The paper presents a new analysis framework with a fixpoint algorithm for precise Spectre vulnerability detection and targeted hardening, improving security with minimal overhead.
Findings
LightSLH achieves the lowest overhead among provable protections, with 0% overhead in half of the cases.
Discovered that compilers can introduce security risks overlooked by existing methods.
Memory access patterns in scatter-gather algorithms can leak secrets despite protections.
Abstract
Spectre v1 attacks pose a substantial threat to security-critical software, particularly cryptographic implementations. Existing software mitigations, however, often introduce excessive overhead by indiscriminately hardening instructions without assessing their vulnerability. We propose an analysis framework that employs a novel fixpoint algorithm to detect Spectre vulnerabilities and apply targeted hardening. The fixpoint algorithm accounts for program behavior changes induced by stepwise hardening, enabling precise, sound and efficient vulnerability detection. This framework also provides flexibility for diverse hardening strategies and attacker models, enabling customized targeted hardening. We instantiate the framework as LightSLH, which hardens programs with provable security. We evaluate LightSLH on cryptographic algorithms from OpenSSL, Libsodium, NaCL and PQClean. Across all…
Taxonomy
Topics: Advanced Optical Sensing Technologies · Image Enhancement Techniques · Analytical Chemistry and Sensors
