Breaking Bad: How Compilers Break Constant-Time Implementations

OPEN ACCESS

Downloads

Full text (published version) (PDF, 1.34 MB)

Author / Producer

Lain, Daniele

Date

2025

Publication Type

Conference Paper

ETH Bibliography

yes

Citations

Altmetric
OPEN ACCESS

Downloads

Full text (published version) (PDF, 1.34 MB)

Data

Rights / License

Creative Commons Attribution 4.0 International north_east

Abstract

The implementations of most hardened cryptographic libraries use defensive programming techniques for side-channel resistance. These techniques are usually specified as guidelines to developers on specific code patterns to use or avoid. Examples include performing arithmetic operations to choose between two variables instead of executing a secret-dependent branch. However, such techniques are only meaningful if they persist across compilation. In this paper, we investigate how optimizations used by modern compilers break the protections introduced by defensive programming techniques. Specifically, how compilers break high-level constant-time implementations used to mitigate timing side-channel attacks. We run a large-scale experiment to see if such compiler-induced issues manifest in state-of-the-art cryptographic libraries. We develop a tool that can profile virtually any architecture, and we use it to run trace-based dynamic analysis on 44,604 different targets. Particularly, we focus on the most widely deployed cryptographic libraries, which aim to provide side-channel resistance. We are able to evaluate whether their claims hold across various CPU architectures, including x86-64, x86-i386, armv7, aarch64, RISC-V, and MIPS-32. Our large-scale study reveals that several compiler-induced secret-dependent operations occur within some of the most highly regarded hardened cryptographic libraries. To the best of our knowledge, such findings represent the first time these issues have been observed in the wild. One of the key takeaways of this paper is that the state-of-the-art defensive programming techniques employed for side-channel resistance are still inadequate, incomplete, and bound to fail when paired with the optimizations that compilers continuously introduce.

Permanent link

https://doi.org/10.3929/ethz-c-000783304

Publication status

published

External links

https://doi.org/10.1145/3708821.3733909 north_east

Editor

Book title

ASIA CCS '25: Proceedings of the 20th ACM Asia Conference on Computer and Communications Security

Journal / series

Volume

Pages / Article No.

1690 - 1706

Publisher

Association for Computing Machinery

Event

20th ACM Asia Conference on Computer and Communications Security (ASIA CSS 2025)

Edition / version

Methods

Software

Geographic location

Date collected

Date created

Subject

Security and privacy -> Systems security; Software and application security

Organisational unit

03755 - Capkun, Srdan / Capkun, Srdan check_circle

Notes

Funding

Related publications and datasets

Is new version of: Breaking bad

More

Show all metadata