Secret registers can be leaked under certain circumstances #1529

Open
HopeDevote opened this issue Nov 11, 2024 · 3 comments


HopeDevote commented Nov 11, 2024

Malicious modification of the IR does not cause changes in the program results, leading to the leakage of secret register (s9) values

High-level source code is:

```python
a = sint(1)
b = sint(2)
c = sint(3)

a.update(c)
b.update(a > sfix(8))

checksum = a + b + c
print_ln('checksum: %s', checksum.reveal())
```

The source IR is as follows:

```
...
subs s9, s4, s7 # 8
LTZ (s8, s9, 32) # 9
....
```

Full source IR:
source IR.txt

The maliciously modified IR is as follows:

```
....
subml s14, s4, c2 # 10
LTZ (s8, s9, 32) # 11
...
```

Full modified IR:
modified IR.txt

When running VMs based on these two IRs, the results are consistent.
However, we can see from the modified IR that s9 is not initialized. Based on previous experience, we know that the VM generally assigns uninitialized registers to 0. When the program result does not change, we can infer that the value of register s9 in the source IR is not less than 0, which means that the value of s9 in the source IR is leaked.

Is this a bug?

Thanks!

@mkskeller
Member

What do you mean by running VMs? Which protocol? LTZ is not a valid instruction for all proper protocols. More generally, changing the instructions would imply a corrupted party in MPC security, so one would expect only protocols with malicious security to protect against that.

@HopeDevote
Author

> What do you mean by running VMs? Which protocol? LTZ is not a valid instruction for all proper protocols. More generally, changing the instructions would imply a corrupted party in MPC security, so one would expect only protocols with malicious security to protect against that.

Thanks for your reply!
I run this: emulate.x

I understand that each party needs to generate consistent IR after compiling the source code. Does that mean that if the compilation process is normal, undefined registers will not appear?

@mkskeller
Member

mkskeller commented Nov 13, 2024

> Thanks for your reply! I run this: emulate.x

I don't think that using emulate.x says much about the security posture because there is no protocol being executed.

> I understand that each party needs to generate consistent IR after compiling the source code. Does that mean that if the compilation process is normal, undefined registers will not appear?

Yes. The compiler emits a warning if there are undefined registers, and with the argument --stop it aborts.
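
The undefined-register condition discussed in this thread can also be checked on an IR listing before it is run. The following is an added example, not part of the issue and not the project's own compiler check. It assumes the listing format quoted above and that the first register operand of each instruction is its destination; only the `subs`/`subml` and `LTZ` lines come from the thread, the load lines are constructed.

```python
import re

# Constructed listings in the format quoted in the issue. Only the subs/subml
# and LTZ lines appear in the thread; the load lines and values are made up.
SOURCE_IR = """\
ldsi s4, 3 # 0
ldsi s7, 8 # 1
subs s9, s4, s7 # 2
LTZ (s8, s9, 32) # 3
"""

MODIFIED_IR = """\
ldsi s4, 3 # 0
ldi c2, 8 # 1
subml s14, s4, c2 # 2
LTZ (s8, s9, 32) # 3
"""

# Assumption: a register is a one- or two-letter prefix followed by an index
# (s9, c2, ...). Bare numbers such as the bit length 32 are immediates.
REGISTER = re.compile(r"\b[a-z]{1,2}\d+\b")


def undefined_reads(ir_text):
    """Return (line, mnemonic, register) for every register read before any write.

    Assumption: the first register operand is the destination and all later
    register operands are sources, as in the lines quoted in the issue.
    """
    defined, findings = set(), []
    for lineno, raw in enumerate(ir_text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop the trailing "# n" comment
        mnemonic, _, operands = body.partition(" ")
        regs = REGISTER.findall(operands)
        if not regs:
            continue                             # blank or elided ("...") line
        dest, sources = regs[0], regs[1:]
        for reg in sources:
            if reg not in defined:
                findings.append((lineno, mnemonic, reg))
        defined.add(dest)
    return findings


if __name__ == "__main__":
    for name, listing in (("source", SOURCE_IR), ("modified", MODIFIED_IR)):
        print(name, undefined_reads(listing))
```
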
