DifFuzzAR: automatic repair of timing side-channel vulnerabilities via refactoring

We present background and related work in Sect. 2. After presenting an overview of the system in Sect. 3, we describe the main components of DifFuzzAR. In Sect. 4 we present how vulnerable methods are identified and in Sect. 5 we describe how vulnerabilities are fixed. The evaluation of the tool is presented in Sect. 6. We discuss threats to validity in Sect. 7 and we conclude the paper in Sect. 8, where we also present current limitations and discuss future work.

A timing side-channel vulnerability happens when a secret¹ can be learned based on the time a computation takes to complete. To put it differently, an application is vulnerable to timing side-channel attacks when the time it takes to complete a computation depends on a given secret, e.g., a password. These attacks are practical and apply to general software systems. For example, in their influential work, Brumley and Boneh were able to extract private keys from an OpenSSL-based web server running on a machine in the local network (Brumley and Boneh 2005). As mentioned in the previous section, timing side-channel vulnerabilities were found in Google’s Keyczar Library (Lawson 2020) and Xbox 360 (IVC Wiki 2020). A timing side-channel vulnerability can appear in multiple ways, as detailed below.

Automated detection of timing side-channel vulnerabilities has received substantial attention in recent years. Antonopoulos et al. (2017) developed a new way to prove the absence of timing side-channels, by using decomposition instead of self-composition. Their approach divides the program’s execution traces into smaller and less complex partitions. Then each partition has their resilience to timing side-channels attacks checked through a time complexity analysis. The authors’ idea is that the resilience of each component proves the resilience of the whole program. To ensure that any pair of program traces with the same public input has a component containing both traces, the construction of the partition is done by splitting the program traces at secret-independent branches. The authors’ approach follows the demand-driven partitioning strategy that uses a regex-like notion that they call trails, which identifies sets of execution traces, particularly those influenced by tainted (or secret) data. The authors prove a non-relational property about a trace, instead of proving a relational property about every pair of execution traces. Their method is implemented in a tool called Blazer.

Chen et al. (2017) presented the notion of \(\upepsilon \)-bounded non-interference, a variation of Goguen and Meseguer’s non-interference principle (Goguen and Meseguer 1982). The execution time of an application can be affected by sources external to the application. As such, a minimum difference in execution time should be expected and must be accepted. This minimum change is what the authors denote as \(\upepsilon \). To simplify, \(\upepsilon \)-bounded non-interference means that regardless of the secret, the execution time of an application will not vary by more than \(\upepsilon \). To verify the \(\upepsilon \)-bounded non-interference property, the authors present a new program logic called Quantitative Cartesian Hoare Logic (QCHL), which is at the core of their technique. With QCHL the authors can “[...] prove triples of the form \(\langle \phi \rangle \) S \(\langle \psi \rangle \),where S is a program fragment and \(\phi \), \(\psi \) are first-order formulas that relate the program’s resource usage (e.g., execution time) between an arbitrary pair of program runs”. The authors implemented their technique in a tool called Themis and showed that their tool can find previously unknown vulnerabilities in widely used Java programs.

These two works improve the field of detection of side-channel vulnerabilities. However, both use static analysis.

Nilizadeh et al. (2019) present a new approach based on dynamic analysis and introduce a new tool called DifFuzz that uses differential fuzzing.²DifFuzz instruments a program to record its coverage and resource consumption along the paths that are executed. As such, the inputs must maximize the code coverage. For that, they use the fuzz testing tool American Fuzzy Lop (AFL) (Zalewski 2017), which uses genetic algorithms and mutates the inputs using byte-level coverage. Given that AFL only supports programs written in C, C++, or Objective C, and DifFuzz is written in Java, the authors used Kelinci (Kersten et al. 2017) to connect the two tools, since Kelinci provides AFL-style instrumentation for Java programs. To use DifFuzz, one has to create a Fuzzing Driver (or Driver File), that parses the input provided by AFL and executes two copies of the code, measuring the cost difference between the two. That cost difference will be used to guide the AFL in the generation of more input values so that the difference can be increased. This process is repeated for a predetermined time or until the user cancels the execution of the tool. DifFuzz was evaluated with a dataset of widely-used Java applications and it found previously unknown vulnerabilities (later confirmed by the developers). It was also applied to complex examples from the DARPA STAC (2020) program. DifFuzz was able to find the same vulnerabilities as other tools and also found vulnerabilities on corrected versions of the benchmarks of Themis and Blazer.

The authors of DifFuzz proposed improvements such as adding statistical guarantees to the tool and adding automated repair methods to eliminate the vulnerabilities discovered by DifFuzz. Our work contributes to the latter.

Automated program repair consists in fixing software bugs with little to no human intervention. Usually, workflows for automated program repair start with fault localization, which aims at locating faults in the code; patch generation, which aims to generate valid patches; and patch validation, which checks the validity of the generated patches in the previous step. Validity of patches is often determined by checking whether the patched program passes a given test suite. As described in Goues et al. (2019), automated program repair techniques can be classified as heuristic-based (Forrest et al. 2009; Kim et al. 2013; Liu et al. 2019; Cornu et al. 2015), constraint-based (Nguyen et al. 2013; Xuan et al. 2016; Mechtaev and Roychoudhury 2016), and learning-based (Gupta et al. 2017; Chen et al. 2019; Lutellier et al. 2020; Ye et al. 2021; Chen et al. 2021; Yasunaga and Liang 2021; Allamanis et al. 2021; Yasunaga and Liang 2020).

Two influential works in the area are GenProg (Le Goues et al. 2011) and Nopol (Xuan et al. 2016). GenProg receives as input the faulty source code and a set of test cases. The set of test cases must contain a set of passing positive test cases and at least one failing negative test case. The negative test case encodes the fault to be repaired and the set of positive test cases encodes the functionalities that can not be lost while repairing the bug. GenProg uses genetic programming to search for a variant of the program that retains all required functionality but does not have the fault in question.

Xuan et al. (2016) presented Nopol, an approach to automatically repair buggy conditional statements. This approach takes as input a program and a set of test cases and outputs a patch for the input program with a conditional expression. The set of test cases passed as input is similar to the one expected by GenProg. However, unlike GenProg, which follows a generic approach for automatic software repair, Nopol was built to focus on buggy if conditions and missing precondition bugs. Buggy if conditions occur when a bug is the condition of an ‘if’ statement. Missing precondition bugs happen when there should be a condition before a statement, such as detecting a null pointer or an invalid index to access an array. Nopol uses Ochiai, a spectrum-based ranking metric that is used to rank statements in a descending order based on their suspiciousness score. The suspiciousness score indicates the likelihood that a statement contains a fault.

For a comprehensive survey on automated program repair, we recommend Monperrus’s survey (Monperrus 2015). Moreover, since this is a fast-moving research topic with new approaches being regularly proposed, we also recommend Monperrus’s living review on automated program repair (Monperrus 2018).

Wu et al. (2018) proposed a method based on program analysis and transformation to eliminate timing side-channel vulnerabilities. Their solution produces a transformed program functionally equivalent to the original program but without instruction and cache timing side-channels. They ensure that the number of CPU cycles taken to execute any path is independent of the secret data, and the cache behaviour of memory accesses is independent of the secret data in terms of hits and misses. Their method is implemented in LLVM and uses static analysis to identify the set of variables whose values depend on the secret inputs. To decide if those variables lead to timing side-channel vulnerabilities, they check if the variables affect unbalanced conditional jumps, for instruction timing side-channel, or accesses to memory blocks across multiple cache lines, for cache-related timing side-channel vulnerabilities. After this analysis, to mitigate the leaks, code transformation is performed to equalize the execution time. The method is implemented in a tool called SC-Eliminator.

The correction of early-exit timing side-channel vulnerabilities consists in the elimination of all ‘return’ statements except the last one. However, the result of the execution of the method should be the same after the modification. For that reason, every ‘return’ statement of the method will be replaced with an assignment of the value being returned to a variable. That variable will either be the variable returned in the final return (if it returns a variable) or a new one created with the return type of the method.

Algorithm 3 shows an overview of the correction process for early-exit timing side-channel vulnerabilities. The tool starts by obtaining the element returned in the final return of the method. If this element is not a variable, the tool creates a new variable of the same type as the return type of the method, and initializes it with the element obtained, referred from now on as the return variable. Then, the tool analyses every instruction of the method in search for a return statement, which will be replaced by an assignment to the return variable with the value being returned. If that return statement happens after a ‘while’ block, then the instruction is added before the ‘while’ block. If it is the last return statement, then the value being returned is altered to be the return variable. If the return statement is inside an ‘if’ statement, then the condition of the ‘if’ statement is saved to be used to protect the variables used in the condition. If the instruction under analysis uses any variable saved to be protected, then that statement will be inside the ‘then’ block of a new ‘if’ statement, where the condition is the combination of the negation of every condition that variable was part of.

In the end, a new version of the class that contains the vulnerable method is created. This version is a copy of the original version, except that it contains an extra method called VulnerableMethodName$Modification. If the users want to use the corrected version, they must replace the original method with the corrected method.

This correction can create or exacerbate a control-flow based timing side-channel vulnerability. For instance, if an early-exit happens inside a loop, where the stopping condition depends on a secret, then the effect of the existing control-flow based timing side-channel vulnerability becomes more prominent, i.e., the difference in execution time depending on the secret is greater since it will have more instructions to execute.

Listing 4 shows another example of code which contains an early-exit timing side-channel vulnerability. The solution for early-exit timing side-channel vulnerabilities is to remove the early exit from the code. Listing 5 shows the corrected code (as proposed by DifFuzzAR). The solution in this case consists in removing the early-exit, which was in line 17 in the original code, and changing the logic of the program to have a single exit point.

The correction of control-flow based timing side-channel vulnerabilities involves (1) the modification of the stopping condition of loops that depend on a secret to depend on a public argument or (2) the replication of the block of instructions of the ‘then’ block to the ‘else’ block, and vice-versa, of an ‘if’ statement where the condition depends on the secret.

Algorithm 4 shows an overview of the correction process for this type of vulnerabilities. The pseudo-code is divided into two parts to improve presentation. In this process, the tool starts by creating a list of the secrets and a list of the public arguments. The list of public arguments is final, while the list of secrets is updated during the analysis of the method. Every time a variable is assigned with a value dependent on a secret, that variable is added to the list of secrets. The tool also creates a map to connect the newly created variables with the old variables being replaced. The tool then starts to analyse each instruction, taking actions according to the type of instruction and where the instruction happens.

If the instruction found is an assignment that needs to be modified, then a new variable is created and it is added to the map of replacements with the existing variable. The instruction is also changed so that the variable being assigned to is the newly created one. If the instruction found is a ‘for’ statement and the stopping condition uses a secret, the tool will attempt to change the condition to use a public argument instead of the secret. This public argument must be of the same type as the secret in the stopping condition. When the tool finds a ‘for’ statement it will retrieve the body of the ‘for’ and will analyse each instruction of that block. If the instruction found is an ‘if’ statement then the tool will retrieve the ‘then’ and ‘else’ blocks. If the condition uses a secret, then the tool will try to modify the instructions of the ‘then’ block and then of the ‘else’ block, producing two new blocks with the modified versions of the instructions. Then, the modified version of the ‘then’ block is added to the ‘else’ block and the modified version of the ‘else’ block is added to the ‘then’ block. Otherwise, the tool will analyse each instruction of both blocks without adding new instructions to either block. If the instruction is a method invocation, the tool will retrieve the target of that invocation. If the target is a secret, then the tool will create a new variable to replace the target. If the instruction is a local variable, the tool will retrieve the assigned value. If that value uses a secret, then the variable assigned to will be considered a secret. If the value being assigned does not use any variable that is used in the condition of the ‘if’ statement this instruction belongs to, then a new variable to replace the variable assigned to is created. If the instruction is a loop statement, then the tool will retrieve its body and will analyse each instruction of the body. If the instruction is an operator assignment, then the tool will create a new variable to replace the one being assigned to. If the instruction is a ‘try’ block, then the tool will retrieve its body and will analyse its instructions. If the instruction is a unary operator, the tool will retrieve the variable used. If that variable was already replaced, then the tool will obtain the variable created as a replacement and will replace the variable in the unary operator with the variable created for replacement. If the instruction is a ‘while’ statement, the tool will replace the variables used in the stopping condition, either by variables already created as replacements or with newly created variables. Then the tool retrieves the body of the loop and will analyse its instructions.

In the end, a new method is created with the control-flow based timing side-channel vulnerability corrected. An example is the code in Listing 6. Here, the method has a control-flow based timing side-channel vulnerability, since its execution time depends on the value of a secret, in this case the parameter taint. The ‘then’ and ‘else’ block of the ‘if’ statement has different instructions with different execution times. As such, to correct this vulnerability, the tool modifies the instructions of both blocks and adds the modified version of the ‘then’ block to the ‘else’ block and the modified version of the ‘else’ block to the ‘then’ block. The difference in the instructions is that the assignment is not made to the same variables, so as not to alter the value of the original variables. As a result, the tool produces the code in Listing 7.

Sometimes a method has both an early-exit and a control-flow based timing side-channel vulnerability. If the method has more than one return statement, the tool tries to repair an early-exit timing side-channel vulnerability producing a modified version of the method. Then, the tool tries to correct the control-flow based timing side-channel vulnerability in the modified version of the method, producing its final version. This means that each module responsible for correcting a type of timing side-channel vulnerability must return its modified version of the method. Since both repair processes create new variables in the method, and a method can not have two variables with the same name, the naming of a variable is global to the tool and it keeps a record of the names used.

This evaluation was performed in a remote server with a 32-processor Intel Xeon Silver 4110 at 2.10GHz with 64GB of RAM running Debian Linux 10. DifFuzz was configured to run for 2.5 h. The results of the evaluation can be seen in Table 1.

In this section, we provide the motivation for the user study, its goals, and the methods used. We end the section with the results obtained.

There is still plenty of work that can be done to improve DifFuzzAR. An important direction is to add the ability to repair more examples of timing side-channel vulnerabilities (including patterns not considered). DifFuzzAR is designed to be used in conjunction with DifFuzz. This means that the user must create a Driver following the rules described in Sect. 4. A future direction that would greatly simplify the use of the tool is to automatically generate a Driver file. Another future improvement for the tool is to transform it from a tool into a plugin to be used in the build process of the application. This would reduce the amount of manual intervention needed by the user. Another advantage of this is that being part of the build process can make it easier for other users to use the tool. Another direction would be to adapt DifFuzzAR so that it could easily be used and distributed as an IDE plugin. For this, it is likely that adjustments to the code transformations (e.g. better variable names) and usability studies should be performed, to ensure that the code transformations are accepted by the programmers. It would also be interesting to apply the tool to public projects and submit any corrections found as pull requests, thus improving existing software and, simultaneously, obtaining code reviews from developers (as done in related refactoring projects by the authors Ribeiro et al. 2021; Pereira et al. 2022).

Further user studies can also be useful for future improvements of DifFuzzAR. The user study presented here allowed us to gather significant data, but this data is subjective due to the size of the sample. As such, we suggest that future work should repeat our study with a larger sample of users. Future work on this topic should also include a usability analysis of DifFuzzAR’s usage with a larger number of users. We also believe that more work should be done to understand users’ motivations when using software to automatically repair vulnerabilities. While there have been previous works done about refactoring there is still a gap in the literature when it comes to tools os the same nature as DifFuzzAR.