diff --git a/_data/publications.yml b/_data/publications.yml
index 44f192a..0504568 100644
--- a/_data/publications.yml
+++ b/_data/publications.yml
@@ -18,6 +18,21 @@
 benchmark: "https://zenodo.org/records/8421879"
 - year: 2023
 publications:
+ - title: "A Systematic Evaluation of Automated Tools for Side-Channel Vulnerabilities Detection in Cryptographic Libraries"
+ authors:
+ - name: Antoine Geimer
+ - name: Mathéo Vergnolle
+ - name: Frédéric Recoules
+ - name: Lesly-Ann Daniel
+ - name: Sébastien Bardin
+ - name: Clémentine Maurice
+ venue-acronym: "CCS"
+ venue: "The ACM Conference on Computer and Communications Security"
+ ranking: "A*"
+ pdf: "https://arxiv.org/pdf/2310.08153.pdf"
+ bibtex: "/assets/publications/bibtexs/2023-ccs.bib"
+ talk-slides: "/assets/publications/slides/2023-ccs.pdf"
+ benchmark: "https://github.com/ageimer/sok-detection/"
 - title: "Active Disjunctive Constraint Acquisition"
 authors:
 - name: Grégoire Menguy
diff --git a/assets/publications/bibtexs/2023-ccs.bib b/assets/publications/bibtexs/2023-ccs.bib
new file mode 100644
index 0000000..68da6d8
--- /dev/null
+++ b/assets/publications/bibtexs/2023-ccs.bib
@@ -0,0 +1,17 @@
+@inproceedings{10.1145/3576915.3623112,
+author = {Geimer, Antoine and Vergnolle, Math\'{e}o and Recoules, Fr\'{e}d\'{e}ric and Daniel, Lesly-Ann and Bardin, S\'{e}bastien and Maurice, Cl\'{e}mentine},
+title = {A Systematic Evaluation of Automated Tools for Side-Channel Vulnerabilities Detection in Cryptographic Libraries},
+year = {2023},
+isbn = {9798400700507},
+publisher = {Association for Computing Machinery},
+address = {New York, NY, USA},
+url = {https://doi.org/10.1145/3576915.3623112},
+doi = {10.1145/3576915.3623112},
+abstract = {To protect cryptographic implementations from side-channel vulnerabilities, developers must adopt constant-time programming practices. As these can be error-prone, many side-channel detection tools have been proposed. Despite this, such vulnerabilities are still manually found in cryptographic libraries. While a recent paper by Jancar et al. shows that developers rarely perform side-channel detection, it is unclear if existing detection tools could have found these vulnerabilities in the first place.To answer this question we surveyed the literature to build a classification of 34 side-channel detection frameworks. The classification we offer compares multiple criteria, including the methods used, the scalability of the analysis or the threat model considered. We then built a unified common benchmark of representative cryptographic operations on a selection of 5 promising detection tools. This benchmark allows us to better compare the capabilities of each tool, and the scalability of their analysis. Additionally, we offer a classification of recently published side-channel vulnerabilities. We then test each of the selected tools on benchmarks reproducing a subset of these vulnerabilities as well as the context in which they appear.
We find that existing tools can struggle to find vulnerabilities for a variety of reasons, mainly the lack of support for SIMD instructions, implicit flows, and internal secret generation. Based on our findings, we develop a set of recommendations for the research community and cryptographic library developers, with the goal to improve the effectiveness of side-channel detection tools.},
+booktitle = {Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security},
+pages = {1690–1704},
+numpages = {15},
+keywords = {automated detection, side-channels, vulnerabilities},
+location = {, Copenhagen, Denmark, },
+series = {CCS '23}
+}
\ No newline at end of file
diff --git a/assets/publications/slides/2023-ccs.pdf b/assets/publications/slides/2023-ccs.pdf
new file mode 100644
index 0000000..3b30ec7
Binary files /dev/null and b/assets/publications/slides/2023-ccs.pdf differ
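Review bot: The `pages` field in the new 2023-ccs.bib holds a raw en dash (`1690–1704`) while the author names in the same entry are escaped for classic BibTeX (`Math\'{e}o`); `pages = {1690--1704},` would keep the entry ASCII-safe and consistent. The `location` value has stray leading and trailing separators, which look like export residue, and would read better as `location = {Copenhagen, Denmark},`. In the `abstract` field, `first place.To answer` is missing a space after the full stop. The file also ends without a trailing newline, which some tools that concatenate .bib files handle poorly.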