Bultan Group "Side Ways"

Computer scientists discover a software vulnerability that is akin to an information “leak” — and propose a way to isolate it


Every day, we trust computer systems with our sensitive data. The more we do so, the more devastating the results of increasingly common cyber attacks that steal confidential information. While many software-development practices are aimed at protecting the confidentiality of private data, according to a team of UCSB computer scientists, numerous software systems still contain serious security vulnerabilities, allowing information to be “leaked” through what are referred to as side channels.

Side channels are a class of information leaks that can allow a hacker to capture secret information by observing the non-functional side effects of software systems, such as their execution time, their memory usage, their power consumption, and the size and timing of their network packets.

Side-channel leaks are the subject of two recent papers by UCSB researchers, one to be presented at the 41st IEEE Symposium on Security and Privacy (S&P), held in San Francisco from May 18-20, and the other to be delivered at the 42nd International Conference on Software Engineering (ICSE), scheduled in Seoul, South Korea, from October 5-11. S&P and ICSE are the top publication venues in computer security and software engineering research, respectively.

In the papers, co-authors Tegan Brennan and Seemanta Saha, PhD students in VLab, and former VLab postdoctoral researcher Nicolas Rosner (now at Amazon) report a new type of side channel that leaks information in modern software systems. VLab is directed by UC Santa Barbara professor and computer science chair Tevfik Bultan, who is also Brennan and Saha's PhD advisor.

The new class of side-channel vulnerabilities is called JIT-induced side channels. The key insight behind their discovery is that just-in-time (JIT) compilation — crucial to the performance of modern programming languages, such as Java and JavaScript — can introduce timing side channels into a program as it performs its function, which is to convert source code, or bytecode, into machine code while the program is running and to optimize that machine code for the most common use cases.

What Brennan, Bultan, and Rosner show in their paper, titled “JIT Leaks: Inducing Timing Side Channels through Just-In-Time Compilation,” to be presented at S&P 2020, is that a hacker can leverage this optimization process to learn sensitive information.

COE/CLS Convergence magazine (Spring 2020) - "Side Ways" (full article pg. 34)