
arxiv: 2412.19310 · v2 · pith:EC7I5CEVnew · submitted 2024-12-26 · 💻 cs.CR

Protecting Cryptographic Libraries against Side-Channel and Code-Reuse Attacks

Pith reviewed 2026-05-23 07:14 UTC · model grok-4.3

classification 💻 cs.CR
keywords cryptographic libraries · side-channel attacks · code-reuse attacks · memory-corruption attacks · security measures · vulnerability analysis · development process

The pith

Cryptographic libraries remain vulnerable to side-channel and code-reuse attacks despite implemented protections.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines popular cryptographic libraries to assess the security measures they use against side-channel and memory-corruption attacks. It identifies specific vulnerabilities arising from how these measures are implemented. The authors then recommend changes to the library development process to address the gaps. A reader would care because widespread use of these libraries means that unaddressed weaknesses can enable real attacks on cryptographic systems.

Core claim

By reviewing the security measures present in cryptographic libraries, the paper identifies vulnerabilities to side-channel and memory-corruption attacks and proposes improvements to the development process that would reduce those vulnerabilities.

What carries the argument

Systematic review of implemented security measures across popular cryptographic libraries to locate gaps against side-channel and code-reuse attacks

If this is right

  • Pinpointed vulnerabilities can guide targeted fixes in specific libraries.
  • Adopting the suggested development-process changes would lower the success rate of side-channel and memory-corruption attacks.
  • Improved libraries would raise the bar for attackers targeting cryptographic implementations.
  • The review process itself could be repeated on new library versions to track progress.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same review approach could be applied to non-cryptographic libraries that handle sensitive data.
  • Developers might create a checklist derived from the identified gaps to standardize secure coding practices.
  • Future work could measure the actual reduction in attack surface after the proposed changes are applied.

Load-bearing premise

That a review of security measures alone can identify representative vulnerabilities and that the suggested development changes will reduce attack surfaces without empirical testing.

What would settle it

An experiment showing that libraries following the recommended development changes still suffer successful side-channel or code-reuse attacks at rates comparable to current versions.

Original abstract

Cryptographic libraries, an essential part of cybersecurity, are shown to be susceptible to different types of attacks, including side-channel and memory-corruption attacks. In this article, we examine popular cryptographic libraries in terms of the security measures they implement, pinpoint security vulnerabilities, and suggest security improvements in their development process.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The manuscript claims that cryptographic libraries are susceptible to side-channel and memory-corruption (code-reuse) attacks; by reviewing the security measures implemented in popular libraries, representative vulnerabilities can be identified and actionable improvements to the development process can be proposed.

Significance. A systematic, evidence-based review that isolates concrete vulnerabilities and demonstrates that process-level changes reduce attack surface would be useful for library maintainers. The current manuscript supplies no new measurements, controlled experiments, or falsifiable predictions, so its significance remains that of an informal survey whose central claim rests on an untested assumption that review alone suffices to pinpoint representative issues.

major comments (3)
  1. [Abstract, §1] Abstract and §1: the claim that 'examining ... allows pinpointing vulnerabilities' is presented without any concrete vulnerability instances, selection criteria for the libraries, or systematic analysis method. This is load-bearing for the central claim yet unsupported by data or examples.
  2. [Missing methods section] No methods or evaluation section: the manuscript contains no description of library selection, threat model, or how security measures were assessed, so the reader cannot determine whether the identified vulnerabilities are representative or merely anecdotal.
  3. [Discussion / Conclusion] Suggested development-process improvements are stated at a high level with no empirical test or before/after comparison showing reduced attack surface, leaving the weakest assumption (that process changes will meaningfully help) unexamined.
minor comments (2)
  1. [Throughout] Notation for attack categories (side-channel vs. memory-corruption) is used inconsistently between abstract and body; standardize terminology.
  2. [Related work] Missing references to prior surveys on cryptographic library security (e.g., recent works on constant-time implementations or ASLR bypasses) that would situate the contribution.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive feedback. We agree that the manuscript would benefit from greater methodological transparency and more explicit examples early on. As a survey paper, our goal is to synthesize existing evidence from library implementations and known incidents rather than generate new measurements; we will revise to make this framing and supporting details clearer.

Point-by-point responses
  1. Referee: [Abstract, §1] Abstract and §1: the claim that 'examining ... allows pinpointing vulnerabilities' is presented without any concrete vulnerability instances, selection criteria for the libraries, or systematic analysis method. This is load-bearing for the central claim yet unsupported by data or examples.

    Authors: We accept this criticism. While concrete vulnerability examples appear in later sections of the manuscript, the abstract and introduction do not foreground them sufficiently. We will revise both to include specific instances (e.g., timing side-channels in certain constant-time implementations and memory-corruption vectors enabling ROP in libraries lacking modern mitigations), state selection criteria (libraries chosen by download volume, GitHub activity, and adoption in major projects), and outline the review method (systematic examination of public source, documentation, and CVE databases). revision: yes

  2. Referee: [Missing methods section] No methods or evaluation section: the manuscript contains no description of library selection, threat model, or how security measures were assessed, so the reader cannot determine whether the identified vulnerabilities are representative or merely anecdotal.

    Authors: We agree a dedicated methods section is needed. We will add one that specifies: library selection criteria (top open-source cryptographic libraries by usage and maintenance activity), threat model (side-channel attacks including timing and cache-based; code-reuse attacks including ROP/JOP under memory corruption), and assessment process (review of implemented countermeasures such as constant-time coding, memory safety features, and fuzzing practices, cross-checked against published advisories). This will allow readers to judge representativeness. revision: yes

  3. Referee: [Discussion / Conclusion] Suggested development-process improvements are stated at a high level with no empirical test or before/after comparison showing reduced attack surface, leaving the weakest assumption (that process changes will meaningfully help) unexamined.

    Authors: The suggestions are derived directly from gaps observed across the reviewed libraries and are grounded in references to prior incidents and secure-development literature. We acknowledge the manuscript contains no new controlled before/after experiments, which would fall outside the scope of a survey. We will expand the discussion to map each recommendation to specific vulnerabilities identified and cite external evidence of process improvements reducing attack surface in comparable domains. We do not claim to have performed new empirical validation. revision: partial

Circularity Check

0 steps flagged

No significant circularity

Full rationale

The manuscript is a descriptive review of security measures in cryptographic libraries. It contains no equations, fitted parameters, predictions, or derivation chains that could reduce to inputs by construction. The central claim rests on examination of existing implementations rather than any self-referential modeling step. No self-citation load-bearing premises or ansatz smuggling are present.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No mathematical derivations, fitted parameters, or new entities are introduced; the paper is a security analysis and process recommendation based on existing libraries.

pith-pipeline@v0.9.0 · 5573 in / 985 out tokens · 31784 ms · 2026-05-23T07:14:46.927357+00:00 · methodology

