Incremental Adaptive Attack Synthesis
This addresses the challenge of side-channel vulnerabilities for software security practitioners, though it appears incremental in building on existing methods like symbolic execution and model counting.
The paper tackles the problem of detecting and analyzing side-channel information leaks in software systems by developing automated techniques to synthesize adaptive attacks that recover secret values, achieving results that minimize the number of attack steps needed to reduce uncertainty about secrets.
Information leakage is a significant problem in modern software systems. Information leaks due to side channels are especially hard to detect and analyze. In this paper, we present techniques for automated synthesis of adaptive side-channel attacks that recover secret values. Our attack synthesis techniques iteratively generate inputs which, when fed to code that accesses the secret, reveal partial information about the secret based on the side-channel observations, reducing the remaining uncertainty about the secret in each attack step. Our approach is incremental, reusing results from prior iterations in each attack step to improve the efficiency of attack synthesis. We use symbolic execution to extract path constraints, automata-based model counting to estimate probabilities of execution paths, and meta-heuristics to maximize information gain based on entropy in order to minimize the number of synthesized attack steps.