SCF-MSP430
Run with --minimal to suppress the details of the analysis and only print the result.
This repository contains a tool called Side-Channel Finder for MSP, a static analysis tool that automatically verifies binary files compiled for the MSP430 microcontroller to detect information leakage through novel interrupt-latency attacks (a.k.a. Nemesis), timing side-channels, and undesired information flow.
Pre-requisites
- To run SCF-MSP, Python 3 is required.
- Parsing and analyzing ELF files requires the Python library pyelftools. See https://github.com/eliben/pyelftools for more details.
- The graph library NetworkX 1.11.
$ pip3 install -r requirements.txt # generated using pip3 freeze > requirements.txt
Creating input files
SCF-MSP takes an input file in JSON format. It contains the path to the binary file, the starting function, a list of the starting function's arguments from the high-level code, and the return values.
We assume a function int func(int secret, int public) in a binary file "A". The corresponding JSON file could look like:
{
    "file": "A",
    "starting_function": "func",
    "timing_sensitive": true,
    "parameters": [
        {
            "size": 1,
            "confidential": true
        },
        {
            "size": 1,
            "confidential": false
        }
    ],
    "memory": false,
    "result": {
        "size": 1,
        "confidential": true,
        "memory": false
    }
}
The security level of each parameter is set with the confidential directive. Setting the confidential directive to true makes the parameter confidential.
Preparing binary files
The C programs are compiled once with the off-the-shelf LLVM backend for the MSP430, resulting in a vulnerable binary program. You can find them as *.vulnerable in the testcase folder. In addition, a second version of the assembly code is produced (*.nemdef in the testcase folder), where instructions in secret-dependent branches are balanced out with respect to the individual instructions' execution times.
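Why balancing has to be done per instruction and not just per branch, as an added example that is not part of SCF-MSP: it compares the two arms of a secret-dependent branch under a simplified model in which an interrupt is served once the current instruction completes. The function names, labels and cycle counts are constructed for illustration and are not measured MSP430 timings.

```python
# Added illustration, not SCF-MSP code. Cycle counts below are constructed
# sample values, not measured MSP430 timings.

def latency_trace(cycles):
    """Interrupt latency seen at each cycle offset of a straight-line arm.

    Model (assumption): an interrupt arriving mid-instruction is served once
    that instruction completes, so the latency is the cycles still remaining.
    """
    trace = []
    for n in cycles:
        trace.extend(range(n, 0, -1))
    return trace


def classify_branch(then_cycles, else_cycles):
    """Compare the two arms of a secret-dependent branch.

    'timing leak'            total execution time differs
    'interrupt-latency leak' same total, but some arrival offset sees a
                             different latency (per-instruction mismatch)
    'balanced'               identical per-instruction timing
    """
    if sum(then_cycles) != sum(else_cycles):
        return "timing leak"
    if latency_trace(then_cycles) != latency_trace(else_cycles):
        return "interrupt-latency leak"
    return "balanced"


def distinguishing_offsets(then_cycles, else_cycles):
    """Cycle offsets at which the observed latency reveals the arm taken."""
    a, b = latency_trace(then_cycles), latency_trace(else_cycles)
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed arms: per-instruction cycle counts in execution order.
UNBALANCED = ([2, 1, 3], [2, 1])        # else-arm is simply shorter
PADDED_TOTAL = ([2, 1, 3], [2, 2, 2])   # padded to the same total only
PADDED_EACH = ([2, 1, 3], [2, 1, 3])    # padded instruction by instruction

if __name__ == "__main__":
    for name, arms in [("unbalanced", UNBALANCED),
                       ("total-padded", PADDED_TOTAL),
                       ("per-instruction", PADDED_EACH)]:
        print(name, classify_branch(*arms), distinguishing_offsets(*arms))
```

The total-padded pair removes the start-to-end timing difference but still differs at two interrupt arrival offsets; only the per-instruction padding makes the two arms indistinguishable in this model.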
Running the benchmark
The binary files and the corresponding JSON files of some vulnerable and benign C programs are provided in the testcase folder. You can run them by executing:
To run one program:
$ ./main.py testcase/diamond.nemdef.json --debug # or pass --info or --warning or --error
To run all (hardened + unhardened) programs:
$ ./run_all.sh
Running the benchmarks from the MicroProfiler paper
The binaries for this test are generated in the Docker container of the MicroProfiler artifact, and are provided in the bin directory for convenience. To run SCF-MSP on these benchmarks, replace the *.nemdef binaries in testcase/ with those in one of the zip archives (we also provide an unzip.sh script for convenience):
To run the Nemesis-hardened code:
$ ./unzip.sh bin/sancus-nemdef.zip
$ ./run_all_nemdef.sh
To run the Nemesis+DMA-hardened code:
$ ./unzip.sh bin/sancus-dma.zip
$ ./run_all_nemdef.sh
Example output
$ ./main.py testcase/triangle.json
Saved CFG to 'CFG.gv.pdf'..
{
"result": "NEMESIS_VULNERABILITY",
"result_code": 4,
"execution_point": {
"function": "triangle_enter",
"address": "0x826a"
},
"unique_ret": "True"
}
$ ./main.py testcase/triangle.nemdef.json
Saved CFG to 'CFG.gv.pdf'..
{
"result": "INFORMATION_LEAK",
"result_code": 1,
"execution_point": null,
"unique_ret": "True"
}