Most traditional approaches to computer security assume that information from the system can only be sent through intended output channels, such as network connection, monitor, portable disk drive, etc. Side-channel and covert-channel attacks circumvent these protections by extracting information that is leaked or deliberately sent from the system through unintended signals, such as electromagnetic emanations, power consumption, timing of computational activity, etc. Methods for reducing such information leakage are usually tied to specific hardware and/or specific algorithms, and are very labor intensive. This allows specific fragments of code, such as cryptographic functions, to be relatively safe, but is not feasible for analysis and protection in large codes, such as entire operating systems or web browsers, that also tend to process sensitive information. This project is investigating the relationship between software activity and the resulting side-channel leakage, with the goal of automating software analyses that can discover which data might be leaked and in which parts of the code. These analyses can reveal both covert-channel (intentional) and side-channel (unintentional) leakage vulnerabilities in software, helping programmers focus their efforts on reducing or eliminating these vulnerabilities. In addition to these research components that will help increase national security, the project also includes specific outreach activities, such as building an interactive demonstrator to help educate the public about cyber-security concepts, and visits to local schools to help improve K-12 education and participation of women and minorities in science and engineering.
|