SPIDER: Speeding up Side-Channel Vulnerability Detection via Test Suite Reduction

Abstract

Side-channel attacks allow adversaries to infer sensitive information, such as cryptographic keys or private user data, by monitoring unintentional information leaks of running programs. Prior side-channel detection methods can identify numerous potential vulnerabilities in cryptographic implementations with a small amount of execution traces due to the high diffusion of secret inputs in crypto primitives. However, because non-cryptographic programs cover different paths under various sensitive inputs, extending existing tools for identifying information leaks to non-cryptographic applications suffers from either insufficient path coverage or redundant testing. To address these limitations, we propose a new dynamic analysis framework named SPIDER that uses fuzzing, execution profiling, and clustering for a high path coverage and test suite reduction, and then speeds up the dynamic analysis of side-channel vulnerability detection in non-cryptographic programs. We analyze eight non-cryptographic programs and ten cryptographic algorithms under SPIDER in a fully automated way, and our results confirm the effectiveness of test suite reduction and the vulnerability detection accuracy of the whole framework.