What You Get is What You C: Controlling Side Effects in Mainstream C Compilers

Laurent Simon; David Chisnall; Ross Anderson

doi:10.1109/EuroSP.2018.00009

What You Get is What You C: Controlling Side Effects in Mainstream C Compilers

Laurent Simon, David Chisnall, Ross Anderson

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Security engineers have been fighting with C compilers for years. A careful programmer would test for null pointer dereferencing or division by zero; but the compiler would fail to understand, and optimize the test away. Modern compilers now have dedicated options to mitigate this. But when a programmer tries to control side effects of code, such as to make a cryptographic algorithm execute in constant time, the problem remains. Programmers devise complex tricks to obscure their intentions, but compiler writers find ever smarter ways to optimize code. A compiler upgrade can suddenly and without warning open a timing channel in previously secure code. This arms race is pointless and has to stop. We argue that we must stop fighting the compiler, and instead make it our ally. As a starting point, we analyze the ways in which compiler optimization breaks implicit properties of crypto code; and add guarantees for two of these properties in Clang/LLVM. Our work explores what is actually involved in controlling side effects on modern CPUs with a standard toolchain. Similar techniques can and should be applied to other security properties; achieving intentions by compiler commands or annotations makes them explicit, so we can reason about them. It is already understood that explicitness is essential for cryptographic protocol security and for compiler performance; it is essential for language security too. We therefore argue that this should be only the first step in a sustained engineering effort.

Original language	English
Title of host publication	2018 IEEE European Symposium on Security and Privacy (EuroS P)
Publisher	Institute of Electrical and Electronics Engineers
Pages	1-15
Number of pages	15
ISBN (Electronic)	978-1-5386-4228-3, 978-1-5386-4227-6
ISBN (Print)	978-1-5386-4229-0
DOIs	https://doi.org/10.1109/EuroSP.2018.00009
Publication status	Published - 9 Jul 2018
Event	3rd IEEE European Symposium on Security and Privacy - London, United Kingdom Duration: 24 Apr 2018 → 26 Apr 2018 Conference number: 3 https://www.ieee-security.org/TC/EuroSP2018/index.php

Conference

Conference	3rd IEEE European Symposium on Security and Privacy
Abbreviated title	Euro S and P 2018
Country/Territory	United Kingdom
City	London
Period	24/04/18 → 26/04/18
Internet address	https://www.ieee-security.org/TC/EuroSP2018/index.php

Keywords / Materials (for Non-textual outputs)

compilers
LLVM
Clang
compiler optimizations
side channels
cryptography
side effects
C
C abstract machine
constant-time
zeroing
erasing
stack

Access to Document

10.1109/EuroSP.2018.00009Licence: All Rights Reserved

https://ieeexplore.ieee.org/document/8406587Licence: All Rights Reserved

Cite this

@inproceedings{a1d8b510c5a94c79a3a6656d73a6e5ac,

title = "What You Get is What You C: Controlling Side Effects in Mainstream C Compilers",

abstract = "Security engineers have been fighting with C compilers for years. A careful programmer would test for null pointer dereferencing or division by zero; but the compiler would fail to understand, and optimize the test away. Modern compilers now have dedicated options to mitigate this. But when a programmer tries to control side effects of code, such as to make a cryptographic algorithm execute in constant time, the problem remains. Programmers devise complex tricks to obscure their intentions, but compiler writers find ever smarter ways to optimize code. A compiler upgrade can suddenly and without warning open a timing channel in previously secure code. This arms race is pointless and has to stop. We argue that we must stop fighting the compiler, and instead make it our ally. As a starting point, we analyze the ways in which compiler optimization breaks implicit properties of crypto code; and add guarantees for two of these properties in Clang/LLVM. Our work explores what is actually involved in controlling side effects on modern CPUs with a standard toolchain. Similar techniques can and should be applied to other security properties; achieving intentions by compiler commands or annotations makes them explicit, so we can reason about them. It is already understood that explicitness is essential for cryptographic protocol security and for compiler performance; it is essential for language security too. We therefore argue that this should be only the first step in a sustained engineering effort.",

keywords = "compilers, LLVM, Clang, compiler optimizations, side channels, cryptography, side effects, C, C abstract machine, constant-time, zeroing, erasing, stack",

author = "Laurent Simon and David Chisnall and Ross Anderson",

year = "2018",

month = jul,

day = "9",

doi = "10.1109/EuroSP.2018.00009",

language = "English",

isbn = "978-1-5386-4229-0",

pages = "1--15",

booktitle = "2018 IEEE European Symposium on Security and Privacy (EuroS P)",

publisher = "Institute of Electrical and Electronics Engineers",

address = "United States",

note = "3rd IEEE European Symposium on Security and Privacy, Euro S and P 2018 ; Conference date: 24-04-2018 Through 26-04-2018",

url = "https://www.ieee-security.org/TC/EuroSP2018/index.php",

}

Simon, L, Chisnall, D & Anderson, R 2018, What You Get is What You C: Controlling Side Effects in Mainstream C Compilers. in 2018 IEEE European Symposium on Security and Privacy (EuroS P). Institute of Electrical and Electronics Engineers, pp. 1-15, 3rd IEEE European Symposium on Security and Privacy, London, United Kingdom, 24/04/18. https://doi.org/10.1109/EuroSP.2018.00009

TY - GEN

T1 - What You Get is What You C: Controlling Side Effects in Mainstream C Compilers

AU - Simon, Laurent

AU - Chisnall, David

AU - Anderson, Ross

N1 - Conference code: 3

PY - 2018/7/9

Y1 - 2018/7/9

N2 - Security engineers have been fighting with C compilers for years. A careful programmer would test for null pointer dereferencing or division by zero; but the compiler would fail to understand, and optimize the test away. Modern compilers now have dedicated options to mitigate this. But when a programmer tries to control side effects of code, such as to make a cryptographic algorithm execute in constant time, the problem remains. Programmers devise complex tricks to obscure their intentions, but compiler writers find ever smarter ways to optimize code. A compiler upgrade can suddenly and without warning open a timing channel in previously secure code. This arms race is pointless and has to stop. We argue that we must stop fighting the compiler, and instead make it our ally. As a starting point, we analyze the ways in which compiler optimization breaks implicit properties of crypto code; and add guarantees for two of these properties in Clang/LLVM. Our work explores what is actually involved in controlling side effects on modern CPUs with a standard toolchain. Similar techniques can and should be applied to other security properties; achieving intentions by compiler commands or annotations makes them explicit, so we can reason about them. It is already understood that explicitness is essential for cryptographic protocol security and for compiler performance; it is essential for language security too. We therefore argue that this should be only the first step in a sustained engineering effort.

AB - Security engineers have been fighting with C compilers for years. A careful programmer would test for null pointer dereferencing or division by zero; but the compiler would fail to understand, and optimize the test away. Modern compilers now have dedicated options to mitigate this. But when a programmer tries to control side effects of code, such as to make a cryptographic algorithm execute in constant time, the problem remains. Programmers devise complex tricks to obscure their intentions, but compiler writers find ever smarter ways to optimize code. A compiler upgrade can suddenly and without warning open a timing channel in previously secure code. This arms race is pointless and has to stop. We argue that we must stop fighting the compiler, and instead make it our ally. As a starting point, we analyze the ways in which compiler optimization breaks implicit properties of crypto code; and add guarantees for two of these properties in Clang/LLVM. Our work explores what is actually involved in controlling side effects on modern CPUs with a standard toolchain. Similar techniques can and should be applied to other security properties; achieving intentions by compiler commands or annotations makes them explicit, so we can reason about them. It is already understood that explicitness is essential for cryptographic protocol security and for compiler performance; it is essential for language security too. We therefore argue that this should be only the first step in a sustained engineering effort.

KW - compilers

KW - LLVM

KW - Clang

KW - compiler optimizations

KW - side channels

KW - cryptography

KW - side effects

KW - C

KW - C abstract machine

KW - constant-time

KW - zeroing

KW - erasing

KW - stack

U2 - 10.1109/EuroSP.2018.00009

DO - 10.1109/EuroSP.2018.00009

M3 - Conference contribution

SN - 978-1-5386-4229-0

SP - 1

EP - 15

BT - 2018 IEEE European Symposium on Security and Privacy (EuroS P)

PB - Institute of Electrical and Electronics Engineers

T2 - 3rd IEEE European Symposium on Security and Privacy

Y2 - 24 April 2018 through 26 April 2018

ER -

What You Get is What You C: Controlling Side Effects in Mainstream C Compilers

Abstract

Conference

Keywords / Materials (for Non-textual outputs)

Access to Document

Fingerprint

Cite this