Preventing Timing Side-Channels via Security-Aware Just-In-Time Compilation
This addresses a security vulnerability in JIT-compiled constant-time programs, which are critical for preventing timing attacks in systems like cryptography, though it is incremental as it builds on existing constant-time principles.
The paper tackles the problem of timing side-channels introduced by Just-In-Time (JIT) compilation in constant-time programs, proposing a novel approach that includes an operational semantics, formal definition, and a tool called DeJITLeak for Java, which effectively eliminates these leaks as shown in experiments on three datasets.
Recent work has shown that Just-In-Time (JIT) compilation can introduce timing side-channels to constant-time programs, which would otherwise be a principled and effective means to counter timing attacks. In this paper, we propose a novel approach to eliminate JIT-induced leaks from these programs. Specifically, we present an operational semantics and a formal definition of constant-time programs under JIT compilation, laying the foundation for reasoning about programs with JIT compilation. We then propose to eliminate JIT-induced leaks via a fine-grained JIT compilation for which we provide an automated approach to generate policies and a novel type system to show its soundness. We develop a tool DeJITLeak for Java based on our approach and implement the fine-grained JIT compilation in HotSpot. Experimental results show that DeJITLeak can effectively and efficiently eliminate JIT-induced leaks on three datasets used in side-channel detection