Author (Chinese): 藍加良
Author (English): Lan, Jia-Liang
Title (Chinese): python程式執行的資訊洩漏研究與應用 (Research and Application of Information Leakage in Python Program Execution)
Title (English): Information Leakage on Python Runtime Execution
Advisor (Chinese): 郁方
Advisor (English): Yu, Fang
Committee (Chinese): 蕭舜文; 蔡益坤
Committee (English): Hsiao, Shun-Wen; Tsay, Yih-Kuen
Degree: Master
Institution: 國立政治大學 (National Chengchi University)
Department: 資訊管理學系 (Department of Management Information Systems)
Year of publication: 2022
Graduation academic year: 111 (ROC calendar)
Language: English
Pages: 53
Keywords (Chinese): 資訊洩漏, 旁通道攻擊, 密碼學, AES, RSA, SHA-1 (information leakage, side-channel attack, cryptography, AES, RSA, SHA-1)
Keywords (English): Side-channel attack; Information leakage; Cryptography; AES; RSA; SHA-1
DOI: http://doi.org/10.6814/NCCU202201682
Abstract (Chinese, translated):
Information leakage occurs when an observer can observe differences in a program's execution through a side channel (for example time, cache, or memory consumption) and use them to infer confidential data (for example the program's inputs and outputs). Although cryptographic techniques protect confidential data with encryption and decryption, information leaked while the encryption or decryption runs may still allow that data to be inferred. In this experiment we built a new Python interpreter by inserting code into the interpreter that records information about program execution, and we convert the recorded results into JSON. This trace file records the program's execution information, including the order of function calls, execution time, input values and return values. We collect and compare the executions of different input sets to see whether information leakage exists, and use it to infer rules for recovering confidential data from the encrypted data.
Observing only function call counts and execution time, we found no information leakage in AES, RSA or SHA-1. However, the input length can be inferred by observing the int-typed return values of functions, and bytes-typed return values yield the input contents. Therefore, when using these publicly available Python applications one must protect not only the input before execution and the output after execution, but also the return values of internal function calls during execution.
Abstract (English):
Information leakage occurs when an observer can observe differences between executions through a side channel, e.g., time and memory consumption, and use them to infer secrets such as the inputs and outputs of the program. Although cryptographic techniques protect data using encryption and decryption, information leakage during program execution can be a detrimental side effect.
In this work, we review the leakage of the encryption and decryption of publicly available Python programs.
We automatically collect detailed statuses of Python call executions and treat differences between call sets as information leakage, from which we infer rules for restoring secrets (inputs in encryption or outputs in decryption).
Specifically, we first implement a new Python interpreter that inserts instrumentation in the synthesized bytecode to dump detailed call execution statuses systematically as our side-channel observation. The profile includes nested call sequences with each call's time consumption and return value.
We collect and compare executions against different inputs to identify potential leakage in call counts, call execution time, and call return values, with the aim of recovering (partial) secret information from the encrypted data.
We report no useful leakage in call count or call execution time against the Python implementations of AES, RSA, and SHA-1. However, we can infer the input length by observing the integer return value of the bord function called in the encryption of AES-CBC and in SHA-1, and we can obtain the input contents by observing the return value of the unpad function called in the decryption of RSA and in SHA-1. Therefore, an application using these Python implementations must protect not only the input and output of the procedure but also the return values of inner calls made during the procedure.
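The pipeline the abstract describes (record nested calls with their time and return values, diff the profiles across inputs, then synthesize a recovery rule) as an added example; this is not the thesis's instrumented interpreter. It observes stock CPython through sys.setprofile() instead of patched bytecode, and the bord/pad/unpad helpers, the XOR "block cipher" and the CBC wrapper are constructed stand-ins that copy the call shape of a padded CBC routine (assumptions, not PyCryptodome's code). KEY, IV and the sample secrets are constructed values.

```python
import sys
import time


# Constructed stand-ins (assumption) for the helpers the abstract names. They copy the call
# shape of PyCryptodome's bord()/pad()/unpad() and of a padded CBC wrapper; none is library code.
def bord(b):
    """Integer value of a single byte (an int, or a length-1 bytes object)."""
    return b if isinstance(b, int) else ord(b)

def pad(data, bs):
    """PKCS#7: append n bytes of value n, 1 <= n <= bs."""
    n = bs - len(data) % bs
    return data + bytes([n]) * n

def unpad(data, bs):
    """Strip PKCS#7 padding; the bytes it returns are the recovered plaintext."""
    n = bord(data[-1:])
    if not 1 <= n <= bs or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def xor_bytes(a, b):
    """XOR equal-length byte strings, calling bord() once per byte of a."""
    return bytes(bord(x) ^ y for x, y in zip(a, b))

def block_cipher(key, block):
    """Toy block 'cipher': XOR with the key. Insecure by design and its own inverse."""
    return bytes(x ^ k for x, k in zip(block, key))

def toy_cbc_encrypt(key, iv, plaintext):
    """pad -> chain -> encrypt per block: the call structure of an AES-CBC wrapper."""
    bs, data, prev, out = len(key), pad(plaintext, len(key)), iv, []
    for i in range(0, len(data), bs):
        prev = block_cipher(key, xor_bytes(data[i:i + bs], prev))
        out.append(prev)
    return b"".join(out)

def toy_cbc_decrypt(key, iv, ciphertext):
    """Inverse of toy_cbc_encrypt; unpad() is the last inner call."""
    bs, prev, out = len(key), iv, []
    for i in range(0, len(ciphertext), bs):
        block = ciphertext[i:i + bs]
        out.append(xor_bytes(block_cipher(key, block), prev))
        prev = block
    return unpad(b"".join(out), bs)


# Side-channel observation: the profile (nested calls, per-call time, return values).
def profile(fn, *args):
    """Run fn(*args); record name, nesting depth, wall time and return value of every Python call."""
    records, stack = [], []

    def tracer(frame, event, arg):
        if event == "call":
            stack.append((frame.f_code.co_name, time.perf_counter()))
        elif event == "return" and stack:
            name, t0 = stack.pop()
            records.append({"name": name, "depth": len(stack),
                            "time": time.perf_counter() - t0, "ret": arg})

    sys.setprofile(tracer)
    try:
        result = fn(*args)
    finally:
        sys.setprofile(None)
    return result, records

def calls(records, name):
    return [r for r in records if r["name"] == name]

def by_returns(rs):
    return tuple(repr(r["ret"]) for r in rs)

def leaky_functions(profiles, observe):
    """Call names whose observable (len for call count, by_returns for values) differs across profiles."""
    names = sorted({r["name"] for p in profiles for r in p})
    return [n for n in names if len({observe(calls(p, n)) for p in profiles}) > 1]


# Rule synthesis: turn a leaking observable into a recovery rule.
def length_rule(enc_records):
    """Input length = number of bord() calls minus the last bord() return value (the pad count)."""
    rs = calls(enc_records, "bord")
    return len(rs) - rs[-1]["ret"]

def content_rule(dec_records):
    """In decryption the bytes returned by unpad() are the plaintext itself."""
    return calls(dec_records, "unpad")[-1]["ret"]

KEY, IV = b"0123456789abcdef", b"fedcba9876543210"  # constructed 16-byte key and IV

def demo(secrets=(b"", b"attack", b"attack at dawn!!", b"a much longer secret message")):
    """Profile encryption and decryption of each secret; return leaky names and what the rules recover."""
    enc_profiles, recovered = [], {}
    for s in secrets:
        ct, enc = profile(toy_cbc_encrypt, KEY, IV, s)
        _, dec = profile(toy_cbc_decrypt, KEY, IV, ct)
        enc_profiles.append(enc)
        recovered[s] = (length_rule(enc), content_rule(dec))
    return leaky_functions(enc_profiles, len), leaky_functions(enc_profiles, by_returns), recovered
```

Running demo() shows the call-count channel flagging bord (its count is the padded length) while pad's count is constant across inputs; length_rule then recovers the exact plaintext length from the last bord return value, and content_rule reads the plaintext straight out of unpad's return value in decryption. Per-call times are in the profile too, but they vary with scheduler noise rather than with the input, which is consistent with the abstract's finding. One caveat for anyone reproducing this on real libraries: sys.setprofile sees only Python-level frames, so a C-implemented primitive (PyCryptodome's AES core, hashlib's SHA-1) shows up only as an opaque c_call event; the thesis instruments the interpreter itself for that reason.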
Abstract ii
Contents iv
List of Figures vi
List of Tables vii
1 Introduction 1
2 Related Work 5
2.1 Encryption and Decryption 5
2.2 Side-Channel Attack 6
2.3 Static Analysis and Dynamic Analysis 8
3 Methodology 10
3.1 Profile 11
3.2 Information Leakage 15
3.3 Rule Synthesis 17
4 Experiments 20
4.1 Python Encryption of AES-CBC 20
4.1.1 Leakage on Input Length 20
4.1.2 Leakage on Input Content 24
4.2 Python Decryption of AES-CBC 26
4.2.1 Leakage on Input Length 26
4.2.2 Leakage on Input Content 28
4.3 Python Encryption of RSA 30
4.3.1 Leakage on Input Length 32
4.3.2 Leakage on Input Content 33
4.4 Python Decryption of RSA 35
4.4.1 Leakage on Input Length 36
4.4.2 Leakage on Input Content 37
4.5 Python Execution of SHA-1 38
4.5.1 Leakage on Input Length 38
4.5.2 Leakage on Input Content 41
4.6 AES-CBC, RSA, and SHA-1 Encryption/Decryption Results 43
5 Conclusions 45
References 48