Quantitative Mitigation of Timing Side Channels

Information leaks through timing side channels remain a challenging problem [13, 16, 24, 29, 35, 37, 47]. A program leaks secret information through timing side channels if an attacker can deduce secret values (or their properties) by observing response times. We consider the problem of mitigating timing side channels. Unlike elimination techniques [7, 31, 46] that aim to completely remove timing leaks without considering the performance penalty, the goal of mitigation techniques  [10, 26, 48] is to weaken the leaks, while keeping the penalty low.

We define the Shannon mitigation problem that decides whether there is a mitigation policy to achieve a lower bound on a given security entropy-based measure while respecting an upper bound on the performance overhead. Consider an example where the program-under-analysis has a secret variable with seven possible values, and has three different timing behaviors, each forming a cluster of secret values. It takes 1 second if the secret value is 1, it takes 5 seconds if the secret is between 2 and 5, and it takes 10 seconds if the secret value is 6 or 7. The entropy-based measure quantifies the remaining uncertainty about the secret after timing observations. Min-guess entropy [11, 25, 41] for this program is 1, because if the observed execution time is 1, the attacker guesses the secret in one try. A mitigation policy involves merging some timing clusters by introducing delays. A good solution might be to introduce a 9 second delay if the secret is 1, which merges two timing clusters. But, this might be disallowed by the budget on the performance overhead. Therefore, another solution must be found, such as introducing a 4 seconds delay when the secret is one.

We develop two variants of the Shannon mitigation problem: deterministic and stochastic. The mitigation policy of the deterministic variant requires us to move all secret values associated to an observation to another observation, while the policy of the stochastic variant allows us to move only a portion of secret values in an observation to another one. We show that the deterministic variant of the Shannon mitigation problem is intractable and propose a dynamic programming algorithm to approximate the optimal solution for the problem by searching through a restricted set of solutions. We develop an algorithm that reduces the problem in the stochastic variant to a well-known optimization problem that depends on the entropy-based measure. For instance, with min-guess entropy, the optimization problem is mixed integer-linear programming.

We consider a threat model where an attacker knows the public inputs (known-message attacks [26]), and furthermore, where the public input changes much more often than the secret inputs (for instance, secrets such as bank account numbers do not change often). As a result, for each secret, the attacker observes a timing function of the public inputs. We call this model functional observations of timing side channels.

We develop our tool Schmit that has three components: side channel discovery [45], search for the mitigation policy, and the policy enforcement. The side channel discovery builds the functional observations [45] and measures the entropy of secret set after the observations. The mitigation policy component includes the implementation of the dynamic programming and optimization algorithms. The enforcement component is a monitoring system that uses the program internals and functional observations to enforce the policy at runtime.

To summarize, we make the following contributions:

First, we describe the threat model considered in this paper. Second, we describe our approach on a running example. Third, we compare the results of Schmit with the existing mitigation techniques [10, 26, 48] and show that Schmit achieves the highest entropy (i.e., best mitigation) for all three entropy objectives.

Side channel discovery. One can use existing tools to find the initial functional observations  [44, 45]. In Example 2.1, functional observations are \(\mathcal {F}\) = \(\langle y, 2y\), \(\ldots , 10y \rangle \) where y is a variable whose value is the number of set bits in the public input. The corresponding secret classes after this observation is \(\mathcal {S}_{\mathcal {F}} = \langle 1_1, 1_2, 1_3, \dots , 1_{10} \rangle \) where \(1_n\) shows a set of secret values that have n set bits. The sizes of classes are \(B = \left\{ 10,45,120,210,252,210,120,45,10,1 \right\} \). We use \(L_1\)-norm as metric to calculate the distance between the functional observations \(\mathcal {F}\). This distance (penalty) matrix specifies extra performance overhead to move from one functional observation to another. With the assumption of uniform distributions over the secret input, Shannon entropy, guessing entropy, and the min-guessing entropy are 7.3, 90.1, and 1.0, respectively. These entropies are defined in Sect. 3 and measure the remaining entropy of the secret set after the observations. We aim to maximize the entropy measures, while keeping the performance overhead below a threshold, say 60% for this example.

Mitigation with Schmit. We use our tool Schmit to mitigate timing leaks of Example 2.1. The mitigation policy for the Shannon entropy objective is shown in Fig. 2(a). The policy results in two classes of observations. The policy requires to move functional observations \(\langle y, 2y, \ldots , 5y \rangle \) to \(\langle 6y \rangle \) and all other observations \(\langle 7y, 8y, 9y \rangle \) to \(\langle 10y \rangle \). To enforce this policy, we use a monitoring system at runtime. The monitoring system uses a decision tree model of the initial functional observations. The decision tree model characterizes each functional observation with associated program internals such as method calls or basic block invocations [43, 44]. The decision tree model for the Example 2.1 is shown in Fig. 2(b). The monitoring system records program internals and matches it with the decision tree model to detect the current functional observation. Then, it adds delays, if necessary, to the execution time in order to enforce the mitigation policy. With this method, the mitigated functional observation is \(\mathcal {G}\) = \(\langle 6y, 10y \rangle \) and the secret class is \(\mathcal {S}_{\mathcal {G}} = \langle \{1_1,1_2,1_3,1_4,1_5,1_6\},\{1_7,1_8,1_9,1_{10}\} \rangle \) as shown in Fig. 2 (c). The performance overhead of this mitigation is 43.1%. The Shannon, guessing, and min-guess entropies have improved to 9.7, 459.6, and 193.5, respectively.

Comparison with state of the art. We compare our mitigation results to black-box mitigation scheme [10] and bucketing [26]. Black-box double scheme technique. We use the double scheme technique [10] to mitigate the leaks of Example 2.1. This mitigation uses a prediction model to release events at scheduled times. Let us consider the prediction for releasing the event i at N-th epoch with S(N, i) = \(\max (inp_i, S(N,i{-}1)) {+} p(N)\), where \(inp_i\) is the time arrival of the i-th request, \(S(N,i-1)\) is the prediction for the request \(i{-}1\), and \(p(N) = 2^{N-1}\) models the basis for the prediction scheme at N-th epoch. We assume that the request are the same type and the sequence of public input requests for each secret are received in the begining of epoch \(N=1\). Figure 3(a) shows the functional observations after applying the predictive mitigation. With this mitigation, the classes of observations are \(\mathcal {S}_{\mathcal {G}} = \langle 1_1,\{1_2,1_3\},\{1_4, 1_5,1_6,1_7\},\{1_8, 1_9,1_{10}\} \rangle \). The number of classes of observations is reduced from 10 to 4. The performance overhead is 39.9%. The Shannon, guessing, and min-guess entropies have increased to 9.00, 321.5, and 5.5, respectively. Bucketing. We consider the mitigation approach with buckets [26]. For Example 2.1, if the attacker does not know the public input (unknown-message attacks [26]), the observations are \(\{1.1, 2.1, 3.3,\cdots , 9.9,10.9,\cdots ,109.5\}\) as shown in Fig. 3(b). We apply the bucketing algorithm in [26] for this observations, and it finds two buckets \(\{37.5, 109.5\}\) shown with the red lines in Fig. 3(b). The bucketing mitigation requires to move the observations to the closet bucket. Without functional observations, there are 2 classes of observations. However, with functional observations, there are more than 2 observations. Figure 3(c) shows how the pattern of observations are leaking through functional side channels. There are 7 classes of observations: \(\mathcal {S}_{\mathcal {G}} = \langle \{1_1,1_2,1_3\},\{1_4\},\{1_5\},\{1_6\},\{1_7\},\{1_8\},\{1_9\},\{1_{10}\} \rangle \). The Shannon, guessing, and min-guess entropies are 7.63, 102.3, and 1.0, respectively. Overall, Schmit achieves the higher entropy measures for all three objectives under the performance overhead of 60%.

For a finite set Q, we use |Q| for its cardinality. A discrete probability distribution, or just distribution, over a set Q is a function \(d: Q {\rightarrow } [0, 1]\) such that \(\sum _{q \in Q} d(q) = 1\). Let \(\mathcal {D}(Q)\) denote the set of all discrete distributions over Q. We say a distribution \({d\in \mathcal {D}(Q)}\) is a point distribution if \(d(q) {=} 1\) for a \(q \in Q\). Similarly, a distribution \({d\in \mathcal {D}(Q)}\) is uniform if \(d(q) {=} 1/|Q|\) for all \(q \in Q\).

We assume that the adversary knows the program and wishes to learn the value of the secret input. To do so, for some fixed secret value \(s \in \mathcal {S}\), the adversary can invoke the program to estimate (to an arbitrary precision) the execution time of the program. If the set of public inputs is empty, i.e. \(m = 0\), the adversary can only make scalar observations of the execution time corresponding to a secret value. In the more general setting, however, the adversary can arrange his observations in a functional form by estimating an approximation of the timing function \(\delta (s) : \mathbb R^m \rightarrow \mathbb R_{\ge 0}\) of the program.

A functional observation of the program \(\mathcal {P}\) for a secret input \(s \in \mathcal {S}\) is the function \(\delta (s): \mathbb R^m \rightarrow \mathbb R_{\ge 0}\) defined as \(\mathbf {y}\in \mathbb R^m \mapsto \delta (s, \mathbf {y})\). Let \(\mathcal {F}\subseteq [\mathbb R^m \rightarrow \mathbb R_{\ge 0}]\) be the finite set of all functional observations of the program \(\mathcal {P}\). We define an order \(\prec \) over the functional observations \(\mathcal {F}\): for \(f, g \in \mathcal {F}\) we say that \(f \prec g\) if \(f(y) \le g(y)\) for all \(y \in \mathbb R^m\).

The set \(\mathcal {F}\) characterizes an equivalence relation \(\equiv _{\mathcal {F}}\), namely secrets with equivalent functional observations, over the set \(\mathcal {S}\), defined as following: \(s \equiv _{\mathcal {F}} s'\) if there is an \(f \in \mathcal {F}\) such that \(\delta (s) = \delta (s') = f\). Let \(\mathcal {S}_\mathcal {F}= \langle S_1, S_2, \ldots , S_k \rangle \) be the quotient space of \(\mathcal {S}\) characterized by the observations \(\mathcal {F}= \langle f_1, f_2, \ldots , f_k \rangle \). We write \(\mathcal {S}_{f}\) for the secret set \(S \in \mathcal {S}_\mathcal {F}\) corresponding to the observations \(f \in \mathcal {F}\). Let \(\mathcal {B}= \langle B_1, B_2, \ldots , B_k \rangle \) be the size of observational equivalence class in \(\mathcal {S}_\mathcal {F}\), i.e. \(B_i = |\mathcal {S}_{f_i}|\) for \(f_i \in \mathcal {F}\) and let \(B = |\mathcal {S}| = \sum _{i=1}^k B_i\).

Shannon entropy, guessing entropy, and min-guess entropy are three prevalent information metrics to quantify information leaks in programs. Köpf and Basin [25] characterize expressions for various information-theoretic measures on information leaks when there is a uniform distribution on \(\mathcal {S}\) given below.

Our goal is to mitigate the information leakage due to the timing side channels by adding synthetic delays to the program. An aggressive, but commonly-used, mitigation strategy aims to eliminate the side channels by adding delays such that every secret value yields a common functional observation. However, this strategy may often be impractical as it may result in unacceptable performance degradations of the response time. Assuming a well-known penalty function associated with the performance degradation, we study the problem of maximizing entropy while respecting a bound on the performance degradation. We dub the decision version of this problem Shannon mitigation.

Adding synthetic delays to execution-time of the program, so as to mask the side-channel, can give rise to new functional observations that correspond to upper-envelopes of various combinations of original observations. Let \(\mathcal {F}= \langle f_1, f_2, \ldots , f_k \rangle \) be the set of functional observations. For \(I \subseteq {1, 2, \ldots , k}\), let \(f_I = \mathbf {y}\in \mathbb R^m \mapsto \sup _{i\in I} f_i(\mathbf {y})\) be the functional observation corresponding to upper-envelope of the functional observations in the set I. Let \(\mathcal {G}(\mathcal {F}) = \left\{ f_I \,:\, I \not = \emptyset \subseteq \left\{ 1, 2, \ldots , k \right\} \right\} \) be the set of all possible functional observations resulting from the upper-envelope calculations. To change the observation of a secret value with functional observation \(f_i\) to a new observation \(f_I\) (we assume that \(i \in I\)), we need to add delay function \(f^i_I: \mathbf {y}\in \mathbb R^m \mapsto f_I(y) - f_i(y)\).

Mitigation Policies. Let \(\mathcal {G}\subseteq \mathcal {G}(\mathcal {F})\) be a set of admissible post-mitigation observations. A mitigation policy is a function \(\mu : \mathcal {F}\rightarrow \mathcal {D}(\mathcal {G})\) that for each secret \(s \in \mathcal {S}_{f}\) suggests the probability distribution \(\mu (f)\) over the functional observations. We say that a mitigation policy is deterministic if for all \(f \in \mathcal {F}\) we have that \(\mu (f)\) is a point distribution. Abusing notations, we represent a deterministic mitigation policy as a function \(\mu : \mathcal {F}\rightarrow \mathcal {G}\). The semantics of a mitigation policy recommends to a program analyst a probability \(\mu (f)(g)\) to elevate a secret input \(s \in \mathcal {S}_f\) from the observational class f to the class \(g \in \mathcal {G}\) by adding \(\max \left\{ 0, g(p) - f(p) \right\} \) units delay to the corresponding execution-time \(\delta (s, p)\) for all \(p \in Y\). We assume that the mitigation policies respect the order, i.e. for every mitigation policy \(\mu \) and for all \(f \in \mathcal {F}\) and \(g \in \mathcal {G}\), we have that \(\mu (f)(g) > 0\) implies that \(f \prec g\). Let \(M_{(\mathcal {F}\rightarrow \mathcal {G})}\) be the set of mitigation policies from the set of observational clusters \(\mathcal {F}\) into the clusters \(\mathcal {G}\).

For the functional observations \(\mathcal {F}= \langle f_1, \ldots , f_k \rangle \) and a mitigation policy \(\mu \in M_{(\mathcal {F}\rightarrow \mathcal {G})}\), the resulting observation set \(\mathcal {F}[\mu ] \subseteq \mathcal {G}\) is defined as:Since the mitigation policy is stochastic, we use average sizes of resulting observations to represent fitness of a mitigation policy. For \(\mathcal {F}[\mu ] = \langle g_1, g_2, \ldots , g_\ell \rangle \), we define their expected class sizes \(\mathcal {B}_\mu = \langle C_1, C_2, \ldots , C_\ell \rangle \) as \(C_i = \sum _{j=1}^{i} \mu (f_j)(f_i)\cdot B_j\) (observe that \(\sum _{i=1}^{\ell } C_i = B\)). Assuming a uniform distribution on \(\mathcal {S}\), various entropies for the expected class size after applying a policy \(\mu \in M_{(\mathcal {F}\rightarrow \mathcal {G})}\) can be characterized by the following expressions:

We note that the above definitions do not represent the expected entropies, but rather entropies corresponding to the expected cluster sizes. However, the three quantities provide bounds on the expected entropies after applying \(\mu \). Since Shannon and Min-Guess entropies are concave functions, from Jensen’s inequality, we get that \(\textsf {SE}(\mathcal {S}|\mathcal {F}, \mu )\) and \(\textsf {mGE}(\mathcal {S}|\mathcal {F}, \mu )\) are upper bounds on expected Shannon and Min-Guess entropies. Similarly, \(\textsf {GE}(\mathcal {S}|\mathcal {F}, \mu )\), being a convex function, give a lower bound on expected guessing entropy.

We are interested in maximizing the entropy while respecting constraints on the overall performance of the system. We formalize the notion of performance by introducing performance penalties: there is a function \(\pi : \mathcal {F}\times \mathcal {G}\rightarrow \mathbb R_{\ge 0}\) such that elevating from the observation \(f \in \mathcal {F}\) to the functional observation \(g \in \mathcal {G}\) adds an extra \(\pi (f, g)\) performance overheads to the program. The expected performance penalty associated with a policy \(\mu \), \(\pi (\mu )\), is defined as the probabilistically weighted sum of the penalties, i.e. \(\sum _{f \in \mathcal {F}, g \in \mathcal {G}: f \prec g} |\mathcal {S}_{f}| \cdot \mu (f)(g) \cdot \pi (f, g)\). Now, we introduce our key decision problem.

B. Implementation of Side Channel Discovery. We use the technique presented in [45] for the side channel discovery. The technique applies the functional data analysis  [38] to create B-spline basis and fit functions to the vector of timing observations for each secret value. Then, the technique applies the functional data clustering [21] to obtain K classes of observations. We use the number of secret values in a cluster as the class size metric and the \(L_1\) distance norm between the clusters as the penalty function.

C. Implementation of Mitigation Policy Algorithms. For the stochastic optimization, we encode the Shannon entropy and guessing entropy with linear constraints in Scipy [22]. Since the objective functions are non-linear (for the Shannon entropy) and quadratic (for the guessing entropy), Scipy uses sequential least square programming (SLSQP) [34] to maximize the objectives. For the stochastic optimization with the min-guess entropy, we encode the problem in Gurobi [19] as a mixed-integer programming (MIP) problem [32]. Gurobi solves the problem efficiently with branch-and-bound algorithms [1]. We use Java to implement the dynamic programming.

D. Implementation of Enforcement. The enforcement of mitigation policy is implemented in two steps. First, we use the initial timing functions and characterize them with program internal properties such as basic block calls. To do so, we use the decision tree learning approach presented in [45]. The decision tree model characterizes each functional observations with properties of program internals. Second, given the policy of mitigation, we enforce the mitigation policy with a monitoring system implemented on top of the Javassist [15] library. The monitoring system uses the decision tree model and matches the properties enabled during an execution with the tree model (detection of the current cluster). Then, it adds extra delays, based on the mitigation policy, to the current execution-time and enforces the mitigation policy. Note that the dynamic monitoring can result in a few micro-second delays. For the programs with timing differences in the order of micro-seconds, we transform source code using the decision tree model. The transformation requires manual efforts to modify and compile the new program. But, it adds negligible delays.

E. Micro-benchmark Results. Our goal is to compare different mitigation methods in terms of their security and performance. We examine the computation time of our tool Schmit in calculating the mitigation policies. See appendix for the relationships between performance bounds and entropy measures.

Applications: Mod_Exp applications [30] are instances of square-and-multiply modular exponentiation (\(R = y^k~mod~n\)) used for secret key operations in RSA [39]. Branch_and_Loop series consist of 6 applications where each application has conditions over secret values and runs a linear loop over the public values. The running time of the applications depend on the slope of the linear loops determined by the secret input.

Computation time comparisons: Fig. 5 shows the computation time for Branch_and _Loop applications (the applications are ordered in x-axis based on the discovered number of observational classes). For the min-guess entropy, we observe that both stochastic and dynamic programming approaches are efficient and fast as shown in Fig. 5(a). For the Shannon and guessing entropies, the dynamic programming is scalable, while the stochastic mitigation is computationally expensive beyond 60 classes of observations as shown in Fig. 5(b,c).

Mitigation Algorithm Comparisons: Table 1 shows micro-benchmark results that compare the four mitigation algorithms with the two program series. Double scheme mitigation technique [10] does not provide guarantees on the performance overhead, and we can see that it is increased by more than 75 times for mod_exp_6. Double scheme method reduces the number of classes of observations. However, we observe that this mitigation has difficulty improving the min-guess entropy. Second, Bucketing algorithm [26] can guarantee the performance overhead, but it is not an effective method to improve the security of functional observations, see the examples mod_exp_6 and Branch_and_Loop_6. Third, in the algorithms, Schmit guarantees the performance to be below a certain bound, while it results in the highest entropy values. In most cases, the stochastic optimization technique achieves the highest min-entropy value. Here, we show the results with min-guess entropy measure. Also, we have strong evidences to show that Schmit achieves higher Shannon and guessing entropies. For example, in B_L_5, the initial Shannon entropy has improved from 2.72 to 6.62, 4.1, 7.56, and 7.28 for the double scheme, the bucketing, the stochastic, and the deterministic algorithms, respectively.

Research Question. Does Schmit scale well and improve the security of applications (entropy measures) within the given performance bounds?

In the inset table, we show the basic characteristics of these benchmarks.

GabFeed is a chat server with 573 methods [4]. There is a side channel in the authentication part of the application where the application takes users’ public keys and its own private key, and generating a common key [14]. The vulnerability leaks the number of set bits in the secret key. Initial functional observations are shown in Fig. 6a. There are 34 clusters and min-guess entropy is 1. We aim to maximize the min-guess entropy under the performance overhead of 50%.

Jetty. We mitigate the side channels in util.security package of Eclipse Jetty web server. The package has Credential class which had a timing side channel. This vulnerability was analyzed in [14] and fixed initially in [6]. Then, the developers noticed that the implementation in [6] can still leak information and fixed this issue with a new implementation in [5]. However, this new implementation is still leaking information [45]. We apply Schmit to mitigate this timing side channels. Initial functional observations is shown in Fig. 6d. There are 20 classes of observations and the initial min-guess entropy is 4.5. We aim to maximize the min-guess entropy under the performance overhead of 50%.

Java Verbal Expressions is a library with 61 methods that construct regular expressions [2]. There is a timing side channel in the library similar to password comparison vulnerability [3] if the library has secret inputs. In this case, starting from the initial character of a candidate expression, if the character matches with the regular expression, it slightly takes more time to respond the request than otherwise. This vulnerability can leak all the regular expressions. We consider regular expressions to have a maximum size of 9. There are 9 classes of observations and the initial min-guess entropy is 50.5. We aim to maximize the min-guess entropy under the performance overhead of 50%.

Password Checker. We consider the password matching example from loginBad program [9]. The password stored in the server is secret, and the user’s guess is a public input. We consider 20 secret (lengths at most 6) and 2,620 public inputs. There are 6 different clusters, and the initial min-guess entropy is 1.

Findings for GabFeed. With the stochastic algorithm, Schmit calculates the mitigation policy that results in 4 clusters. This policy improves the min-guess entropy from 1 to 138.5 and adds an overhead of 42.8%. With deterministic algorithm, Schmit returns 3 clusters. The performance overhead is 49.7% and the min-guess entropy improves from 1 to 106. The user chooses the deterministic policy and enforces the mitigation. We apply CART decision tree learning and characterizes the classes of observations with GabFeed method calls as shown in Fig. 6b. The monitoring system uses the decision tree model and automatically detects the current class of observation. Then, it adds extra delays based on the mitigation policy to enforce it. The results of the mitigation is shown in Fig. 6c. Answer for our research question. Scalability: It takes about 1 second to calculate the stochastic and the deterministic policies. Security: Stochastic and deterministic variants improve the min-guess entropy more than 100 times under the given performance overhead of 50%, respectively.

Findings for Jetty. The stochastic algorithm and the deterministic algorithm find the same policy that results in 1 cluster with 39.6% performance overhead. The min-guess entropy improves from 4.5 to 400.5. For the enforcement, Schmit first uses the initial clusterings and specifies their characteristics with program internals that result in the decision tree model shown in Fig. 6e. Since the response time is in the order of micro-seconds, we transform the source code using the decision tree model by adding extra counter variables. The results of the mitigation is shown in Fig. 6f. Scalability: It takes less than 1 second to calculate the policies for both algorithms. Security: Stochastic and deterministic variants improve the min-guess entropy 89 times under the given performance overhead.

Quantitative theory of information have been widely used to measure how much information is being leaked with side-channel observations [11, 20, 25, 41]. Mitigation techniques increase the remaining entropy of secret sets leaked through the side channels, while considering the performance  [10, 23, 26, 40, 48, 49].

Köpf and Dürmuth [26] use a bucketing algorithm to partition programs’ observations into intervals. With the unknown-message threat model, Köpf and Dürmuth [26] propose a dynamic programming algorithm to find the optimal number of possible observations under a performance penalty. The works [10, 48] introduce different black-box schemes to mitigate leaks. In particular, Askarov et al. [10] show the quantizing time techniques, which permit events to release at scheduled constant slots, have the worst case leakage if the slot is not filled with events. Instead, they introduce the double scheme method that has a schedule of predictions like the quantizing approach, but if the event source fails to deliver events at the predicted time, the failure results in generating a new schedule in which the interval between predictions is doubled. We compare our mitigation technique with both algorithms throughout this paper.

Elimination of timing side channels is a common technique to guarantee the confidentiality of software [7, 17, 27, 30, 31, 46]. The work [46] aims to eliminate side channels using static analysis enhanced with various techniques to keep the performance overheads low without guaranteeing the amounts of overhead. In contrast, we use dynamic analysis and allow a small amount of information to leak, but we guarantee an upper-bound on the performance overhead.

Machine learning techniques have been used for explaining timing differences between traces  [42‐44]. Tizpaz-Niari et al. [44] consider performance issues in softwares. They also cluster execution times of programs and then explain what program properties distinguish the different functional clusters. We adopt their techniques for our security problem.