Computer Science and Engineering
University of California, San Diego
The CTFP tool defends against floating-point timing attacks by ensuring all floating-point operations take constant time. Our tool inserts comparison and bitmasking operations to prevent leaky channels. The transformations are verified using an SMT solver to prove they are correct and secure. https://github.com/marcandrysco/CTFP
We demonstrated Errol: a faster, always correct algorithm for printing floating-point numbers. The work builds on top of the previous algorithm, Grisu. The Errol algorithm obtains a performance increase of approximately 2x and correctly converts 100% of floating-point numbers. The source code is provided on GitHub under the MIT license: https://github.com/marcandrysco/Errol
We demonstrated a data-dependent timing attack on legacy versions of Firefox and the differential privacy database Fuzz. Ongoing work looks to use timing information in order to fingerprint CPUs from the browser.
M. Andrysco, A. Noetzli, F. Brown, R. Jhala, D. Stefan "Towards Verified, Constant-time Floating Point Operations." ACM Computer and Communications Security (CCS), Oct 2018
M. Andrysco, R. Jhala, S. Lerner "Printing Floating-Point Numbers: An Always Correct Method." Principles of Programming Languages (POPL), Jan 2016
M. Andrysco, D. Kohlbrenner, K. Mowery, R. Jhala, S. Lerner, and H. Shacham "On Subnormal Floating Point and Abnormal Timing." IEEE Security and Privacy (Oakland), May 2015