Pure Functional Services

On Genode, it seems like you can protect from timing (and several related) side channels robustly by setting up pure functional services. The idea is that a service is configured then frozen. All memory that it has becomes either read only, or copy on write (or cloned into each instance of the service on startup). Then some other application or other pure functional service can call it and get a result. Each instance of the service would be fully isolated from each other, and simply be initialized with some fixed data at a known location in memory, or perhaps fed a stream from which it can only do blocking read, and output a stream to which it can only do blocking writes. Any mutable state the service owns must be separated for each instance of the service and each instance will at most handle one request and have no access to any external state at all, aside from a carefully chosen set permissions, generally the ability to access specific other pure functional services, likely with quotas.

Example use case: a utility to generating signed certificates could be structured as follows:
A pure functional service for performing signing of strings.
A pure functional service for taking in the required fields, and doing all the formatting, and hashing logic, as well as calling the above signing service and putting the result together. Configured to allow one call to signing service per run.
Some front end for deciding what certificates to generate.

In this design, if complex string formatting and processing code is computerized or just generally malicious, it is still unable to do timing side channel attacks against the signing code who holds the private key. It also protects from any attacks that would require signing more than one string to crack since its impossible to store state across generating multiple certificates, and also impossible to do more than one signature per certificate. Of course an attacker may also be able to generate lots of requests for certificates by also attacking the system at a higher level: that has to be addressed through other means.

Example 2: format converter:
If you want a file format conversion service, perhaps for complex third party format and thus untrusted code, there is no reason to expose side channels to it, like system load, or allow it to leak data between documents via persistent state. A pure functional service protects against this. It may still generate malicious output, but it can't leak data between documents.

Copyright © 2011-2013 Craig Macomber