
Is it possible to use Frama-C to verify whether or not the execution flow or memory accesses depend on a particular variable?

Background: There were once options -experimental-path-deps and -experimental-mem-deps, but these were removed in the Silicon release.

In order to prevent side-channel attacks, I would like to ensure that the execution flow of the program does not depend upon secret data, rendering it vulnerable to timing attacks.

For memory accesses, we can perform dataflow analysis on each index, but this is somewhat error-prone, and must be performed manually for every array access. There is no obvious workaround in the case of -experimental-path-deps.

Does equivalent functionality exist elsewhere in Frama-C, or is the best option to simply revert to an older version?

Lll
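To make concrete what "execution flow or memory accesses depend on a variable" means in practice, here is an added example (not from the question, the answer, or Frama-C itself) in the form Frama-C would analyze: a secret-dependent comparison and a secret-indexed table lookup, each next to a form whose branches and addresses do not depend on the secret. The `SECRET` bytes and the table contents are constructed sample data; `selfcheck` only confirms that both forms compute the same result.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed sample secret (hypothetical, not from the question). */
static const uint8_t SECRET[4] = {0x10, 0x20, 0x30, 0x40};

/* Secret-dependent control flow: the loop exits at the first mismatching
   byte, so the number of iterations (and thus the running time) reveals how
   long the common prefix between guess and secret is. This is exactly the
   kind of path dependency the question wants a tool to flag. */
int leaky_compare(const uint8_t *secret, const uint8_t *guess, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i])   /* branch condition depends on secret */
            return 0;
    }
    return 1;
}

/* Hardened form: the loop bound n is public, every iteration does the same
   work, and the result is derived from the accumulated difference with
   arithmetic only, so no branch condition depends on secret bytes. */
int ct_compare(const uint8_t *secret, const uint8_t *guess, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    unsigned d = diff;                 /* 0..255 */
    /* d == 0  -> (d - 1) wraps to UINT_MAX, bit 8 is set -> 1
       d >= 1  -> (d - 1) < 256, bit 8 is clear            -> 0 */
    return (int)(((d - 1u) >> 8) & 1u);
}

/* Secret-dependent memory access: the address that is read is a function
   of the secret index, so cache timing can reveal the index. */
uint8_t leaky_lookup(const uint8_t table[256], uint8_t secret_idx)
{
    return table[secret_idx];
}

/* Hardened form: touch every entry at every address regardless of the
   secret, and select the wanted one with a branch-free mask. */
uint8_t ct_lookup(const uint8_t table[256], uint8_t secret_idx)
{
    uint8_t out = 0;
    for (unsigned i = 0; i < 256; i++) {
        unsigned x = i ^ secret_idx;              /* 0 only when i == secret_idx */
        unsigned eq = ((x - 1u) >> 8) & 1u;       /* 1 when x == 0, else 0 */
        uint8_t mask = (uint8_t)(0u - eq);        /* 0xFF or 0x00 */
        out |= (uint8_t)(table[i] & mask);
    }
    return out;
}

/* Functional self-check on constructed data: both forms must agree.
   Returns 1 on success, 0 on any mismatch. */
int selfcheck(void)
{
    static uint8_t table[256];
    for (unsigned i = 0; i < 256; i++)
        table[i] = (uint8_t)(255 - i);

    const uint8_t same[4]  = {0x10, 0x20, 0x30, 0x40};
    const uint8_t other[4] = {0x10, 0x20, 0x30, 0x41};
    int ok = 1;
    ok &= (ct_compare(SECRET, same, 4) == 1) && (leaky_compare(SECRET, same, 4) == 1);
    ok &= (ct_compare(SECRET, other, 4) == 0) && (leaky_compare(SECRET, other, 4) == 0);
    for (unsigned i = 0; i < 256; i++)
        ok &= ct_lookup(table, (uint8_t)i) == leaky_lookup(table, (uint8_t)i);
    return ok;
}

int main(void)
{
    return selfcheck() ? 0 : 1;
}
```

Note why a plain value-dependency analysis is not enough here: in both `leaky_compare` and `ct_compare` the return value depends on the secret bytes, so a functional dependency report looks the same for each. What distinguishes them is whether a branch condition or an accessed address depends on the secret, which is the path/memory dependency the question is asking about.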

1 Answer


The -experimental-{path,mem}-deps were for the most part a duplication of the existing dependency analysis, which furthermore were never ported to be fully call-sensitive (option -calldeps). If you are willing to write a bit of OCaml code, modifying the existing call-aware dependency analysis is easy. And this will be more precise than reverting to a pre-Silicon version. If you are interested, I can expand this answer to point you to the function(s) to modify.

byako
  • I'm not particularly experienced with OCaml, but if it isn't too much trouble to direct me to the location in the code then I would certainly be interested in giving it a try when I've some time. – Lll Jan 23 '18 at 16:08
  • It is actually more involved than what I thought. I will have a deeper look this week-end. – byako Jan 26 '18 at 16:00