add ccs23 paper

recoules · recoules · commit 38bf22283536 · 2024-02-05T12:19:22.000+01:00
diff --git a/_data/publications.yml b/_data/publications.yml
@@ -18,6 +18,21 @@
           benchmark: "https://zenodo.org/records/8421879"
 - year: 2023
   publications:
+        - title: "A Systematic Evaluation of Automated Tools for Side-Channel Vulnerabilities Detection in Cryptographic Libraries"
+          authors:
+               - name: Antoine Geimer
+               - name: Mathéo Vergnolle
+               - name: Frédéric Recoules
+               - name: Lesly-Ann Daniel
+               - name: Sébastien Bardin
+               - name: Clémentine Maurice
+          venue-acronym: "CCS"
+          venue: "The ACM Conference on Computer and Communications Security"
+          ranking: "A*"
+          pdf: "https://arxiv.org/pdf/2310.08153.pdf"
+          bibtex: "/assets/publications/bibtexs/2023-ccs.bib"
+          talk-slides: "/assets/publications/slides/2023-ccs.pdf"
+          benchmark: "https://github.com/ageimer/sok-detection/"
         - title: "Active Disjunctive Constraint Acquisition"
           authors:
                - name: Grégoire Menguy
diff --git a/assets/publications/bibtexs/2023-ccs.bib b/assets/publications/bibtexs/2023-ccs.bib
@@ -0,0 +1,17 @@
+@inproceedings{10.1145/3576915.3623112,
+author = {Geimer, Antoine and Vergnolle, Math\'{e}o and Recoules, Fr\'{e}d\'{e}ric and Daniel, Lesly-Ann and Bardin, S\'{e}bastien and Maurice, Cl\'{e}mentine},
+title = {A Systematic Evaluation of Automated Tools for Side-Channel Vulnerabilities Detection in Cryptographic Libraries},
+year = {2023},
+isbn = {9798400700507},
+publisher = {Association for Computing Machinery},
+address = {New York, NY, USA},
+url = {https://doi.org/10.1145/3576915.3623112},
+doi = {10.1145/3576915.3623112},
+abstract = {To protect cryptographic implementations from side-channel vulnerabilities, developers must adopt constant-time programming practices. As these can be error-prone, many side-channel detection tools have been proposed. Despite this, such vulnerabilities are still manually found in cryptographic libraries. While a recent paper by Jancar et al. shows that developers rarely perform side-channel detection, it is unclear if existing detection tools could have found these vulnerabilities in the first place.To answer this question we surveyed the literature to build a classification of 34 side-channel detection frameworks. The classification we offer compares multiple criteria, including the methods used, the scalability of the analysis or the threat model considered. We then built a unified common benchmark of representative cryptographic operations on a selection of 5 promising detection tools. This benchmark allows us to better compare the capabilities of each tool, and the scalability of their analysis. Additionally, we offer a classification of recently published side-channel vulnerabilities. We then test each of the selected tools on benchmarks reproducing a subset of these vulnerabilities as well as the context in which they appear. We find that existing tools can struggle to find vulnerabilities for a variety of reasons, mainly the lack of support for SIMD instructions, implicit flows, and internal secret generation. Based on our findings, we develop a set of recommendations for the research community and cryptographic library developers, with the goal to improve the effectiveness of side-channel detection tools.},
+booktitle = {Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security},
+pages = {1690–1704},
+numpages = {15},
+keywords = {automated detection, side-channels, vulnerabilities},
+location = {<conf-loc>, <city>Copenhagen</city>, <country>Denmark</country>, </conf-loc>},
+series = {CCS '23}
+}
diff --git a/assets/publications/slides/2023-ccs.pdf b/assets/publications/slides/2023-ccs.pdf
