{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T14:28:25Z","timestamp":1754144905261,"version":"3.41.2"},"reference-count":71,"publisher":"Association for Computing Machinery (ACM)","issue":"PLDI","license":[{"start":{"date-parts":[[2025,6,13]],"date-time":"2025-06-13T00:00:00Z","timestamp":1749772800000},"content-version":"vor","delay-in-days":3,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["2120642, 2120696, 2154964, 2155235, 2327336"],"award-info":[{"award-number":["2120642, 2120696, 2154964, 2155235, 2327336"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Program. Lang."],"published-print":{"date-parts":[[2025,6,10]]},"abstract":"<jats:p>Cryptographic library developers take care to ensure their library does not leak secrets even when there are (inevitably) exploitable vulnerabilities in the applications the library is linked against. To do so, they choose some class of application vulnerabilities to defend against and hardcode protections against those vulnerabilities in the library code. A single set of choices is a poor fit for all contexts: a chosen protection could impose unnecessary overheads in contexts where those attacks are impossible, and an ignored protection could render the library insecure in contexts where the attack is feasible.<\/jats:p>\n          <jats:p>We introduce RoboCop, a new methodology and toolchain for building secure and efficient applications from cryptographic libraries, via four contributions. First, we present an operational semantics that describes the behavior of a (cryptographic) library executing in the context of a potentially vulnerable application so that we can precisely specify what different attackers can observe. Second, we use our semantics to define a novel security property, Robust Constant Time (RCT), that defines when a cryptographic library is secure in the context of a vulnerable application. Crucially, our definition is parameterized by an attacker model, allowing us to factor out the classes of attackers that a library may wish to secure against. This refactoring yields our third contribution: a compiler that can synthesize bespoke cryptographic libraries with security tailored to the specific application context against which the library will be linked, guaranteeing that the library is RCT in that context. Finally, we present an empirical evaluation that shows the RoboCop compiler can automatically generate code to efficiently protect a wide range (over 500) of cryptographic library primitives against three classes of attacks: read gadgets (due to application memory safety vulnerabilities), speculative read gadgets (due to application speculative execution vulnerabilities), and concurrent observations (due to application threads), with performance overhead generally under 2% for protections from read gadgets and under 4% for protections from speculative read gadgets, thus freeing library developers from making one-size-fits-all choices between security and performance.<\/jats:p>","DOI":"10.1145\/3729310","type":"journal-article","created":{"date-parts":[[2025,6,13]],"date-time":"2025-06-13T16:02:27Z","timestamp":1749830547000},"page":"1491-1515","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Robust Constant-Time Cryptography"],"prefix":"10.1145","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-5519-245X","authenticated-orcid":false,"given":"Matthew","family":"Kolosick","sequence":"first","affiliation":[{"name":"University of California at San Diego, San Diego, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0846-8639","authenticated-orcid":false,"given":"Basavesh Ammanaghatta","family":"Shivakumar","sequence":"additional","affiliation":[{"name":"MPI-SP, MPI-SP, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-7306-5689","authenticated-orcid":false,"given":"Sunjay","family":"Cauligi","sequence":"additional","affiliation":[{"name":"MPI-SP, MPI-SP, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3411-9678","authenticated-orcid":false,"given":"Marco","family":"Patrignani","sequence":"additional","affiliation":[{"name":"University of Trento, Trento, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4795-0236","authenticated-orcid":false,"given":"Marco","family":"Vassena","sequence":"additional","affiliation":[{"name":"Utrecht University, Utrecht, Netherlands"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1802-9421","authenticated-orcid":false,"given":"Ranjit","family":"Jhala","sequence":"additional","affiliation":[{"name":"University of California at San Diego, San Diego, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7041-7464","authenticated-orcid":false,"given":"Deian","family":"Stefan","sequence":"additional","affiliation":[{"name":"University of California at San Diego, San Diego, USA"}]}],"member":"320","published-online":{"date-parts":[[2025,6,13]]},"reference":[{"key":"e_1_2_2_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/324133.324266"},{"key":"e_1_2_2_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2019.00025"},{"key":"e_1_2_2_3_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-57808-4_22"},{"key":"e_1_2_2_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134078"},{"key":"e_1_2_2_5_1","unstructured":"OpenSSL Project Authors. 2023. OpenSSL. https:\/\/www.openssl.org\/"},{"key":"e_1_2_2_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00008"},{"key":"e_1_2_2_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3371075"},{"key":"e_1_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00046"},{"key":"e_1_2_2_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2018.00031"},{"volume-title":"Cache-timing attacks on AES","author":"Bernstein Daniel J.","key":"e_1_2_2_10_1","unstructured":"Daniel J. Bernstein. 2005. Cache-timing attacks on AES. The University of Illinois at Chicago. https:\/\/api.semanticscholar.org\/CorpusID:2217245"},{"key":"e_1_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-68351-3_8"},{"key":"e_1_2_2_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3054924"},{"key":"e_1_2_2_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00076"},{"key":"e_1_2_2_14_1","volume-title":"Michael Schwarz, Moritz Lipp, Benjamin von","author":"Canella Claudio","year":"2019","unstructured":"Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, and Daniel Gruss. 2019. A Systematic Evaluation of Transient Execution Attacks and Defenses. USENIX Association, 249\u2013266. isbn:978-1-939133-06-9 https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/canella"},{"key":"e_1_2_2_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3385412.3385970"},{"key":"e_1_2_2_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833707"},{"key":"e_1_2_2_17_1","doi-asserted-by":"publisher","unstructured":"Sunjay Cauligi Gary Soeller Brian Johannesmeyer Fraser Brown Riad S. Wahby John Renner Benjamin Gregoire Gilles Barthe Ranjit Jhala and Deian Stefan. 2019. FaCT: A DSL for timing-sensitive computation. In Programming Language Design and Implementation (PLDI). ACM SIGPLAN. https:\/\/doi.org\/10.1145\/3314221.3314605 10.1145\/3314221.3314605","DOI":"10.1145\/3314221.3314605"},{"key":"e_1_2_2_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2019.00027"},{"key":"e_1_2_2_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-54997-8_21"},{"key":"e_1_2_2_20_1","unstructured":"Intel Corporation. 2018. Complex Shadow-Stack Updates Intel \u00ae Control-flow Enforcement Technology Specification. https:\/\/software.intel.com\/sites\/default\/files\/managed\/4d\/2a\/control-flow-enforcement-technology-preview.pdf"},{"key":"e_1_2_2_21_1","unstructured":"Intel Corporation. 2018. CVE-2017-5715. Available from NIST NVD CVE-ID CVE-2017-5715. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-5715"},{"key":"e_1_2_2_22_1","unstructured":"Intel Corporation. 2018. CVE-2017-5753. Available from NIST NVD CVE-ID CVE-2017-5753. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-5753"},{"key":"e_1_2_2_23_1","unstructured":"Intel Corporation. 2018. CVE-2018-3639. Available from NIST NVD CVE-ID CVE-2018-3639. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-3639"},{"key":"e_1_2_2_24_1","unstructured":"Intel Corporation. 2023. Intel \u00ae 64 and IA-32 Architectures Software Developer\u2019s Manual. https:\/\/www.intel.com\/content\/www\/us\/en\/content-details\/774476\/intel-64-and-ia-32-architectures-software-developer-s-manual-volume-1-basic-architecture.html"},{"key":"e_1_2_2_25_1","unstructured":"Frank Denis. 2023. libsodium. https:\/\/doc.libsodium.org\/"},{"key":"e_1_2_2_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00047"},{"key":"e_1_2_2_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560555"},{"key":"e_1_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/1275497.1275500"},{"key":"e_1_2_2_29_1","doi-asserted-by":"publisher","DOI":"10.5555\/959088.959090"},{"key":"e_1_2_2_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417246"},{"key":"e_1_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00036"},{"key":"e_1_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00011"},{"key":"e_1_2_2_33_1","doi-asserted-by":"crossref","unstructured":"Merve G\u00fclmez Thomas Nyman Christoph Baumann and Jan Tobias M\u00fchlberg. 2023. Friend or Foe Inside? Exploring In-Process Isolation to Maintain Memory Safety for Unsafe Rust. arXiv preprint arXiv:2306.08127.","DOI":"10.1109\/SecDev56634.2023.00020"},{"key":"e_1_2_2_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417289"},{"key":"e_1_2_2_35_1","volume-title":"2019 USENIX Annual Technical Conference, USENIX ATC 2019","author":"Hedayati Mohammad","year":"2019","unstructured":"Mohammad Hedayati, Spyridoula Gravani, Ethan Johnson, John Criswell, Michael L Scott, Kai Shen, and Mike Marty. 2019. Hodor: Intra-process isolation for high-throughput data plane libraries. In 2019 USENIX Annual Technical Conference, USENIX ATC 2019, Renton, WA, USA, July 10-12, 2019. USENIX Association."},{"key":"e_1_2_2_36_1","unstructured":"Jann Horn. 2018. Speculative execution variant 4: speculative store bypass. https:\/\/project-zero.issues.chromium.org\/issues\/42450580"},{"key":"e_1_2_2_37_1","doi-asserted-by":"publisher","unstructured":"Xuancheng Jin Xuangan Xiao Songlin Jia Wang Gao Hang Zhang Dawu Gu Siqi Ma Zhiyun Qian and Juanru Li. 2021. Annotating Tracking and Protecting Cryptographic Secrets with CryptoMPK. IEEE Computer Society 473\u2013488. isbn:978-1-66541-316-9 https:\/\/doi.org\/10.1109\/SP46214.2022.9833650 ISSN: 2375-1207 10.1109\/SP46214.2022.9833650","DOI":"10.1109\/SP46214.2022.9833650"},{"key":"e_1_2_2_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3158154"},{"key":"e_1_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3492321.3519582"},{"key":"e_1_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00002"},{"key":"e_1_2_2_41_1","unstructured":"Esmaeil Mohammadian Koruyeh Khaled N. Khasawneh Chengyu Song and Nael Abu-Ghazaleh. 2018. Spectre Returns! Speculation Attacks using the Return Stack Buffer. USENIX Association. https:\/\/www.usenix.org\/conference\/woot18\/presentation\/koruyeh"},{"key":"e_1_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/CGO.2004.1281665"},{"key":"e_1_2_2_43_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10817-009-9155-4"},{"key":"e_1_2_2_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243761"},{"key":"e_1_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP51992.2021.00048"},{"key":"e_1_2_2_46_1","doi-asserted-by":"publisher","DOI":"10.1007\/11734727_14"},{"key":"e_1_2_2_47_1","volume-title":"Serberus: Protecting Cryptographic Code from Spectres at Compile-Time. ArXiv, abs\/2309.05174","author":"Mosier Nicholas","year":"2023","unstructured":"Nicholas Mosier, Hamed Nemati, John C. Mitchell, and Caroline Trippel. 2023. Serberus: Protecting Cryptographic Code from Spectres at Compile-Time. ArXiv, abs\/2309.05174 (2023), https:\/\/api.semanticscholar.org\/CorpusID:261682113"},{"key":"e_1_2_2_48_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Narayan Shravan","year":"2021","unstructured":"Shravan Narayan, Craig Disselkoen, Daniel Moghimi, Sunjay Cauligi, Evan Johnson, Zhao Gang, Anjo Vahldiek-Oberwagner, Ravi Sahita, Hovav Shacham, Dean Tullsen, and Deian Stefan. 2021. Swivel: Hardening WebAssembly against Spectre. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 1433\u20131450. isbn:978-1-939133-24-3 https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/narayan"},{"key":"e_1_2_2_49_1","unstructured":"Santiago Arranz Olmos Gilles Barthe Ruben Gonzalez Benjamin Gr\u00e9goire Vincent Laporte Jean-Christophe Lechenet Tiago Oliveira and Peter Schwabe. 2023. High-assurance zeroization. Cryptology ePrint Archive Paper 2023\/1713. https:\/\/eprint.iacr.org\/2023\/1713"},{"key":"e_1_2_2_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3280984"},{"key":"e_1_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF57540.2023.00045"},{"key":"e_1_2_2_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484534"},{"key":"e_1_2_2_53_1","unstructured":"Colin Percival. 2014. Zeroing buffers is insufficient. https:\/\/www.daemonology.net\/blog\/2014-09-06-zeroing-buffers-is-insufficient.html"},{"key":"e_1_2_2_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833774"},{"key":"e_1_2_2_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3110261"},{"key":"e_1_2_2_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/3485832.3485903"},{"key":"e_1_2_2_57_1","unstructured":"RustCrypto. 2023. Zeroize. https:\/\/docs.rs\/zeroize\/1.7.0\/zeroize\/"},{"key":"e_1_2_2_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3371100"},{"key":"e_1_2_2_59_1","volume-title":"Jenny: Securing Syscalls for PKU-based Memory Isolation Systems. In 31st USENIX Security Symposium, USENIX Security","author":"Schrammel David","year":"2022","unstructured":"David Schrammel, Samuel Weiser, Richard Sadek, and Stefan Mangard. 2022. Jenny: Securing Syscalls for PKU-based Memory Isolation Systems. In 31st USENIX Security Symposium, USENIX Security 2022, Kevin R. B. Butler and Kurt Thomas (Eds.). USENIX Association, 936\u2013952. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/schrammel"},{"key":"e_1_2_2_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179355"},{"key":"e_1_2_2_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133913"},{"key":"e_1_2_2_62_1","unstructured":"The LLVM Foundation. 2021. Control Flow Integrity Clang 12 documentation. https:\/\/clang.llvm.org\/docs\/ControlFlowIntegrity.html"},{"key":"e_1_2_2_63_1","unstructured":"Reini Urban. 2019. libsodium_memzero with memory barrier \u00b7 Issue #802 \u00b7 jedisct1\/libsodium. https:\/\/github.com\/jedisct1\/libsodium\/issues\/802"},{"key":"e_1_2_2_64_1","volume-title":"28th USENIX Security Symposium, USENIX Security","author":"Vahldiek-Oberwagner Anjo","year":"2019","unstructured":"Anjo Vahldiek-Oberwagner, Eslam Elnikety, Nuno O. Duarte, Michael Sammler, Peter Druschel, and Deepak Garg. 2019. ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK). In 28th USENIX Security Symposium, USENIX Security 2019, Nadia Heninger and Patrick Traynor (Eds.). USENIX Association, 1221\u20131238. https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/vahldiek-oberwagner"},{"key":"e_1_2_2_65_1","volume-title":"SUPERCOP: System for Unified Performance Evaluation Related to Cryptographic Operations and Primitives. https:\/\/bench.cr.yp.to\/supercop.html","author":"VAMPIRE.","year":"2021","unstructured":"VAMPIRE. 2021. SUPERCOP: System for Unified Performance Evaluation Related to Cryptographic Operations and Primitives. https:\/\/bench.cr.yp.to\/supercop.html"},{"key":"e_1_2_2_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3434330"},{"key":"e_1_2_2_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/3492321.3519560"},{"key":"e_1_2_2_68_1","doi-asserted-by":"publisher","DOI":"10.1145\/3290390"},{"key":"e_1_2_2_69_1","volume-title":"RETBLEED: Arbitrary Speculative Code Execution with Return Instructions","author":"Wikner Johannes","year":"2022","unstructured":"Johannes Wikner and Kaveh Razavi. 2022. RETBLEED: Arbitrary Speculative Code Execution with Return Instructions. USENIX Association, 3825\u20133842. isbn:978-1-939133-31-1 https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/wikner"},{"key":"e_1_2_2_70_1","volume-title":"Sorin Lerner, and Kirill Levchenko.","author":"Yang Zhaomo","year":"2017","unstructured":"Zhaomo Yang, Brian Johannesmeyer, Anders Trier Olesen, Sorin Lerner, and Kirill Levchenko. 2017. Dead Store Elimination (Still) Considered Harmful. USENIX Association, 1025\u20131040. isbn:978-1-931971-40-9 https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/yang"},{"key":"e_1_2_2_71_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179415"}],"container-title":["Proceedings of the ACM on Programming Languages"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3729310","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3729310","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,16]],"date-time":"2025-07-16T06:08:50Z","timestamp":1752646130000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3729310"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,10]]},"references-count":71,"journal-issue":{"issue":"PLDI","published-print":{"date-parts":[[2025,6,10]]}},"alternative-id":["10.1145\/3729310"],"URL":"https:\/\/doi.org\/10.1145\/3729310","relation":{},"ISSN":["2475-1421"],"issn-type":[{"type":"electronic","value":"2475-1421"}],"subject":[],"published":{"date-parts":[[2025,6,10]]},"assertion":[{"value":"2024-11-14","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-03-06","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-06-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}