Cipherfix: Mitigating Ciphertext Side-Channel Attacks in Software

Trusted execution environments are quickly rising in popularity as they enable to run workloads in the cloud without having to trust cloud service providers, by offering additional hardware-assisted security guarantees. One key mechanism for server-grade TEEs is main memory encryption, as it not only prevents system-level attackers from reading the TEE's content, but also provides protection against physical, off-chip attackers. The recent Cipherleaks attacks show that the memory encryption system of AMD SEV-SNP and potentially other TEEs are vulnerable to a new kind of attack, dubbed the ciphertext side-channel. The ciphertext side-channel allows to leak secret data from TEE-protected implementations by analyzing ciphertext patterns exhibited due to deterministic memory encryption. It cannot be mitigated by current best practices like data-oblivious constant-time code. As these ciphertext leakages are inherent to deterministic memory encryption, a hardware fix on existing systems is unlikely. Thus, in this paper, we present a software-based, drop-in solution that can harden existing binaries such that they can be safely executed under TEEs vulnerable to ciphertext side-channels. We combine taint tracking with both static and dynamic binary instrumentation to find sensitive memory locations and prevent the leakage by masking secret data before it gets written to memory. This way, although the memory encryption remains deterministic, we destroy any secret-dependent patterns in encrypted memory. We show that our proof-of-concept implementation can protect constant-time EdDSA and ECDSA implementations against ciphertext side-channels.