Quantifying and Preventing Side Channels with Substructural Type Systems

Static techniques for deriving upper bounds on the resource consumption of programs have been extensively studied. However, there are applications that require more fine-grained information such as the difference between upper and lower bounds or the guaranty that the resource usage of a program does not differ for certain inputs. This article presents two novel substructural type systems for deriving lower bounds and for proving that a program has constant resource consumption for a class of inputs. The type systems are based on the potential method of amortized analysis to achieve compositionality, precision, and automatic inference using off-the-shelf linear optimization. While classic amortized analysis treats potential as an affine resource, the novel type systems treat potential as a relevant and linear resource, respectively. The soundness of the type systems with respect to an operational cost semantics is verified using the proof assistant Agda. The novel constant-resource and lower bound analyses are applied to quantify and prevent security vulnerabilities that leak secret information through resource consumption, such as side channels. First, implementations of the lower bound and constant-resource type systems in Resource Aware ML are used to automatically verify constant-time implementations of list comparison, encryption and decryption routines, database queries, and other resource-sensitive functionality. Second, the type systems are used to implement a method for automatically turning programs into constant-resource programs using LP solving. The method is static, does not require tracking resources at runtime, and works on most programs for which Resource Aware ML can derive an upper bound. Third, a resource-aware noninterference property is introduced. It relaxes the constant-resource requirement on programs, and requires only that resource usage does not leak information about secret inputs. This property is statically verified by combining the linear type system for constant resource consumption with an information flow type system.