Searching for Side Channels and Worst Case Behavior in Java Applications

Speaker/Bio

Will Blair is a PhD student at Boston University where he also received his BA and MS in Computer Science. He is interested in using formal methods to prove correctness and security properties of software. He currently works on a fork of the HotSpot JVM to support dynamic analysis of Java applications as a part of the Space/Time Analysis for Cybersecurity (STAC) project.

Abstract

Many software vulnerabilities originate as simple errors made by software engineers. In some cases the software may be entirely correct, but the implemented algorithm runs substantially longer or consumes more space when given certain inputs that rarely appear in practice. An attacker can exploit this behavior to trigger denial of service attacks using very small inputs. Furthermore, an algorithm's implementation may contain side channels that let an attacker learn secret information by observing program activity on disk or how its execution time varies. In this talk, we will discuss recent approaches for detecting these vulnerabilities in practice, and include our own experiences analyzing Java Applications in the Space/Time Analysis for Cybersecurity project.

References

• Almeida, Jos\xE9 Bacelar, et al. "Verifying Constant-Time Implementations." URL: https://fdupress.net/files/ctverif.pdf (Usenix Security 2016).