Project Details
Description
Modern software systems are entrusted with and expected to protect sensitive user data, making it critical that we have robust and rigorously tested techniques to ensure their security. This goal is complicated by the intricate process of compilation, which transforms source code into directly executable machine code and includes optimizations crucial to the performance of software systems. Because of these transformations, a security analysis performed solely at the source-code level is not enough to ensure that the executable machine code satisfies the same security guarantees. In particular, side-channel vulnerabilities, which allow an adversary to leverage non-functional observable information such as a program's execution time, can arise during the compilation process even when the corresponding source code is deemed side-channel free. The project's novelty is the development of a just-in-time compilation framework capable of balancing security and privacy concerns alongside performance optimization. The project's broader significance and importance lie in facilitating developers' ability to focus on writing functionally correct code without concerning themselves with the possible security risks posed by compiler optimizations, and in improving both security and performance for end users. The project addresses the challenge of developing a security-aware just-in-time compilation framework.
The key components of this framework include: 1) a taint-analysis-backed approach to marking compiler optimizations that have the potential to introduce side-channel vulnerabilities, 2) an information-theoretic metric to quantify the strength of such vulnerabilities using profiling data already collected by the just-in-time compiler, 3) a heuristic framework to answer two core questions, "should we apply this optimization?" and "should we revert this optimization?", based on tradeoffs between performance gain and security risk, and 4) an augmentation of this framework with machine-learning-powered strategies for leveraging historic data to better predict the security impact of optimizations. The project's impact is a just-in-time compilation framework that can manage the complex tradeoffs between security and performance in a way that does not overburden the developer and delivers privacy assurances alongside strong performance to end users. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
| Status | Active |
|---|---|
| Effective start/end date | 1/10/25 → 30/09/30 |