RISC-V Summit 2022

One recently ratified RISC-V security-related extension is Zkt, the "Data Independent Execution Latency Subset." It extends the hardware-software ISA contract by defining a subset of instructions whose latency is asserted to be independent of input data. Hence these instructions can be trusted to process sensitive data without timing leakage. In the talk, I'll describe a method for verifying the constant-time behavior of RISC-V code. To accomplish the tracing of information flows, we have created a full-system RISC-V emulator that implements Dynamic Taint Analysis (DTA). Testing compiled binary executables rather than source code (or other abstract representation) is essential, as compilers are known to modify security-critical code. The simulated system has instrumentation functions for tainting sensitive variables. In the simulator, a shadow state is attached to registers and memory locations; symbolic execution and simple inference and propagation rules allow the simulator to determine which output variables are affected and where constant-time / Zkt violations can occur. We show that production-scale cryptography codebases can be analyzed for timing leakage.