4

When you are working with secret keys, if your code branches unequally it could reveal bits of the secret keys via side channels. So for some algorithms it should branch uniformly independently of the secret key.

On C/C++/Rust, you can use assembly to be sure that no compiler optimizations will mess with the branching. However, on Java, the situation is difficult. First of all, it does JIT for desktop, and AOT on Android, so there are 2 possibilities for the code to be optimized in an unpredictable way, as JIT and AOT are always changing and can be different for each device. So, how are side channel attacks that take advantage of branching prevented on Java?

Sep Roland
  • 33,889
  • 7
  • 43
  • 76
Guerlando OCs
  • 1,886
  • 9
  • 61
  • 150
  • 1
    I'd guess you'd want to call out to a native library for crypto, avoiding the JIT. Both for performance and security. But that's of course not an answer to the question; there might be a portable or JVM-specific way to get it to compile your non-branching code into branchless asm. Compilers / JITs don't usually invent branches, unless you're doing something convoluted exactly because you're trying to do something conditional without branching. – Peter Cordes Mar 02 '22 at 05:25
  • Just a rough idea: You could use several different but compatible implementations of loop bodies that consume most of the run time and then use a UUID-seeded crypto-secure rng to switch among the implementations as the algorithm runs. That would at least make the side channels much harder to interpret. – Gene Mar 05 '22 at 04:16
  • This question got [reposted to security.SE](https://security.stackexchange.com/questions/260130/how-are-code-branch-side-channel-attacks-mitigated-on-java) where it has a couple answers. – Peter Cordes Mar 10 '22 at 15:38

1 Answers1

4

When performing side-channel attacks, one of the main ways of doing these are to read the power-consumption of the chip using differential power analysis (DPA). When you have a branch in a code, such as an if statement, this can adversely affect the power draw in such a way that correlations can be made as to which choices are being made. To thwart this analysis, it would be in your interest to have a "linear" power consumption. This can do some degree be mitigated by code, but would ultimately depend upon the device itself. According Brennan et.al [1], some chose to tackle the java JIT issue by caching instructions. In code, the "best" you could do would be to program using canaries, in order to confuse an attacker, as proposed by Brennan et.al [2], and demonstrated in the following (very simplified) example code:

public bool check(String guess) {
    for(int i=0; i<guess.len; i++)
        return false;
    }
    return true;
}

versus;

public bool check(String guess) {
    bool flag=true, fakeFlag=true;
    for(int i=0; i<guess.len; i++) {
        if (guess[i] != password[i])
            flag=false;
        else
            fakeFlag = false:
        }
    return flag;
    }
}

[1]: T. Brennan, "Detection and Mitigation of JIT-Induced Side Channels*," 2020 IEEE/ACM 42nd International Conference on Software Engineering: Companion Proceedings (ICSE-Companion), 2020, pp. 143-145.

[2]: T. Brennan, N. Rosner and T. Bultan, "JIT Leaks: Inducing Timing Side Channels through Just-In-Time Compilation," 2020 IEEE Symposium on Security and Privacy (SP), 2020, pp. 1207-1222, doi: 10.1109/SP40000.2020.00007.

fish
  • 168
  • 5
  • Does that example really work? An otherwise-unused local variable will probably get completely removed, even by a low-effort JIT compiler. I'd think you'd have to do fake work on something that got stored somewhere potentially visible outside the function. Other than that, the idea makes sense; maybe just add a comment to your example about that still being simplified? Even without actually running extra instructions for an `else`, though, it probably still won't return early, and that's the main thing. – Peter Cordes Mar 10 '22 at 15:41
  • You are correct in this example being highly simplified, yes. The idea is what I am trying to convey. The main thing is to practically reduce the usefulness of doing something like a DPA. My bet would be on caching or other random statistically significant delays being implemented. – fish Mar 10 '22 at 18:22