You are here : Home > Protecting cryptographic code against new cyberattacks

Protecting cryptographic code against new cyberattacks


​CEA-List, a CEA Tech institute, developed a module to prevent a new—and increasingly common—cyberattack known as a temporal attack. The module was presented at the IEEE Symposium on Security & Privacy 2020, and has been integrated into the BINSEC code analysis suite. During testing on real programs, it proved effective against these attacks. 

Published on 28 October 2020


For years, CEA-List has been using tools that leverage formal methods to verify that there are no bugs in a program. These tools are very effective against conventional cyberattacks. However, they don't work as well on side-channel attacks. These attacks take advantage of the physical phenomena that occur when a program is run, rather than vulnerabilities in the program itself, to extract information. Temporal attacks are designed to decode cryptographic keys by comparing the processing times for different operations on a computer, for example.

A technique called "constant time" coding can be used to fend off temporal attacks. The idea is to make sure that the execution time for a given task—such as the verification of a password—is not dependent upon the input data. Because this type of coding is so tricky, CEA-List researchers developed REL, a tool that can automatically verify that code is "constant time." The tool has been integrated into the BINSEC code analysis suite and came through tests on 338 cryptographic implementations with flying colors.

The advance, which was presented at the IEEE Symposium on Security & Privacy 2020, will pave the way toward new code analysis methods for other kinds of attacks and, more generally, better and more automated security for cryptographic programs.


Top page