Flow Tracker
Flow tracker is a tool that detects timing attack vulnerabilities in cryptographic routines implemented in C/C++. If the program contains a vulnerability, then Flow Tracker finds one or more (static) traces of instructions that uncover it. A vulnerable trace describes a sequence of data and control dependences from a secret information - e.g., a crypto key, the seed for a random number generator, etc - to a predicate of a branch or to a memory index. This is a problem because the branch normally influences the execution time of the program, and memory indexation may change the execution time of a program due to cache misses. So, if an adversary can measure this time for a given input which he controls, he or she may discover some information about the secret that we want to protect. For a version of FlowTracker implemented in Java, check
InspectorJ
.
C/C++ Source Code
XML Source Code
/*If pw == in returns 1, else returns 0 */ int compVar (char *pw, char *in) { int i; for (i=0; i<7; i++) { if (pw[i]!=in[i]) { return 0; } } return 1; } int main(void) { int comp=1; char pw[]="secret"; char in[7]; int result; scanf ("%s", in); result = compVar(pw, in); printf ("%d", result); }
Type the code in the box above or select a C/C++ file to upload.
?
Choose the output:
Standard output.
Pass statistics.
Table of contents.
<functions> <sources> <function> <name>compVar</name> <parameter>1</parameter> </function> </sources> </functions>
Type the code in the box above or select a XML file to upload.
?
Choose the output:
Standard output.
Pass statistics.
Table of contents.
FlowTracker's Tutorial
In the news!
Download and Install
Video Tutorial
FlowTracker vs Ferrante
Contact us
Paper
