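% DeJITLeak (ESEC/FSE 2022): conference paper on eliminating JIT-induced timing side-channel leaks in Java on the HotSpot JVM.
% {DeJITLeak} and {JIT} are braced so sentence-casing styles keep their capitals.
% The original `series` field repeated `booktitle` verbatim and was dropped, so the venue is not printed twice.
@inproceedings{ad882dab28134b569bcaf6e763086a65,
  author    = {Qin, Qi and Jiyang, {Julian Andres} and Song, Fu and Chen, Taolue and Xing, Xinyu},
  title     = {{DeJITLeak}: Eliminating {JIT}-Induced Timing Side-Channel Leaks},
  booktitle = {ESEC/FSE 2022 - Proceedings of the 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering},
  editor    = {Roychoudhury, Abhik and Cadar, Cristian and Kim, Miryung},
  publisher = {Association for Computing Machinery, Inc},
  pages     = {872--884},
  year      = {2022},
  month     = nov,
  day       = {7},
  doi       = {10.1145/3540250.3549150},
  language  = {English (US)},
  note      = {Publisher Copyright: {\textcopyright} 2022 Owner/Author.; 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2022 ; Conference date: 14-11-2022 Through 18-11-2022},
  abstract  = {Timing side-channels can be exploited to infer secret information when the execution time of a program is correlated with secrets. Recent work has shown that Just-In-Time (JIT) compilation can introduce new timing side-channels in programs even if they are time-balanced at the source code level. In this paper, we propose a novel approach to eliminate JIT-induced leaks. We first formalise timing side-channel security under JIT compilation via the notion of time-balancing, laying the foundation for reasoning about programs with JIT compilation. We then propose to eliminate JIT-induced leaks via a fine-grained JIT compilation. To this end, we provide an automated approach to generate compilation policies and a novel type system to guarantee its soundness. We develop a tool DeJITLeak for real-world Java and implement the fine-grained JIT compilation in HotSpot JVM. Experimental results show that DeJITLeak can effectively and efficiently eliminate JIT-induced leaks on three widely adopted benchmarks in the setting of side-channel detection.},
}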