Run with --minimal to suppress the details of the analysis and only print the result.
This repository contains Side-Channel Finder for MSP (SCF-MSP), a static analysis tool that automatically verifies binary files compiled for the MSP430 microcontroller in order to detect information leakage through novel interrupt-latency attacks (a.k.a. Nemesis), timing side-channels, and undesired information flow.
- To run SCF-MSP, Python 3 is required.
- For parsing and analyzing ELF files, the Python library pyelftools must be installed. See https://github.com/eliben/pyelftools for more details.
- The graph library NetworkX 1.11.
$ pip3 install -r requirements.txt # generated using pip3 freeze > requirements.txt
SCF-MSP takes an input file in JSON format. It contains the path to the binary file, the starting function, a list of the starting function's arguments from the high-level code, and the return values.
We assume a function int func(int secret, int public) in a binary file "A". The corresponding JSON file could look like:
{
    "file": "A",
    "starting_function": "func",
    "timing_sensitive": true,
    "parameters": [
        {
            "size": 1,
            "confidential": true
        },
        {
            "size": 1,
            "confidential": false
        }
    ],
    "memory": false,
    "result": {
        "size": 1,
        "confidential": true,
        "memory": false
    }
}
The security level of each parameter is set with the confidential directive. Setting the confidential directive to true makes the parameter confidential.
The C programs are compiled once with the off-the-shelf LLVM backend for the MSP430, resulting in a vulnerable binary program. You can find these as *.vulnerable in the testcase folder. In addition, a second version of the assembly code is produced (*.nemdef in the testcase folder), where instructions in secret-dependent branches are balanced out with respect to the individual instructions' execution times.
The binary files and the corresponding JSON files of some vulnerable and benign C programs are provided in the testcase folder. You can run them by executing:
To run one program:
$ ./main.py testcase/diamond.nemdef.json --debug # or pass --info or --warning or --error
To run all (hardened + unhardened) programs:
$ ./run_all.sh
The binaries for this test are generated in the Docker container of the MicroProfiler artifact, and are provided in the bin directory for convenience. To run SCF-MSP on these benchmarks, replace the *.nemdef binaries in testcase/ with those in one of the zip archives (we also provide an unzip.sh script for convenience):
To run the Nemesis-hardened code:
$ ./unzip.sh bin/sancus-nemdef.zip
$ ./run_all_nemdef.sh
To run the Nemesis+DMA-hardened code:
$ ./unzip.sh bin/sancus-dma.zip
$ ./run_all_nemdef.sh
$ ./main.py testcase/triangle.json
Saved CFG to 'CFG.gv.pdf'..
{
"result": "NEMESIS_VULNERABILITY",
"result_code": 4,
"execution_point": {
"function": "triangle_enter",
"address": "0x826a"
},
"unique_ret": "True"
}
$ ./main.py testcase/triangle.nemdef.json
Saved CFG to 'CFG.gv.pdf'..
{
"result": "INFORMATION_LEAK",
"result_code": 1,
"execution_point": null,
"unique_ret": "True"
}
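The following helper is an added example, not part of SCF-MSP: it extracts the verdict object from the tool's stdout, which mixes log lines such as "Saved CFG to ..." with the JSON result. It assumes the output has the shape shown in the two runs above; the function names parse_verdict and summarize are hypothetical.

```python
import json

# Sample stdout, reproduced from the triangle run shown on this page.
TRIANGLE_OUT = """Saved CFG to 'CFG.gv.pdf'..
{
"result": "NEMESIS_VULNERABILITY",
"result_code": 4,
"execution_point": {
"function": "triangle_enter",
"address": "0x826a"
},
"unique_ret": "True"
}
"""


def parse_verdict(stdout):
    """Return the verdict dict from SCF-MSP stdout, skipping any log lines.

    Log lines (especially with --debug) may themselves contain '{', so every
    '{' is tried as a possible start of the JSON object until one decodes to
    a dict carrying a "result" key.
    """
    decoder = json.JSONDecoder()
    pos = stdout.find("{")
    while pos != -1:
        try:
            obj, _ = decoder.raw_decode(stdout, pos)
        except json.JSONDecodeError:
            obj = None
        if isinstance(obj, dict) and "result" in obj:
            return obj
        pos = stdout.find("{", pos + 1)
    raise ValueError("no verdict object found in output")


def summarize(name, stdout):
    """One-line summary: test case name, result, code, and flagged location."""
    verdict = parse_verdict(stdout)
    point = verdict.get("execution_point")  # null in the JSON becomes None
    if point:
        where = f"{point['function']} @ {point['address']}"
    else:
        where = "no execution point reported"
    return f"{name}: {verdict['result']} (code {verdict['result_code']}), {where}"


if __name__ == "__main__":
    print(summarize("triangle", TRIANGLE_OUT))
```

Note that "unique_ret" is emitted as the string "True", not a JSON boolean, so compare it as a string.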