NeuralD: Detecting Indistinguishability Violations of Oblivious RAM With Neural Distinguishers

Abstract

Adversaries can deduce confidential information processed by a program by analyzing its memory access patterns. Oblivious RAM (ORAM) converts a sequence of program memory accesses to an oblivious form, hence preventing adversarial inference. In recent years, a flourishing growth of sophisticated and effective ORAM protocols has occurred. Nonetheless, due to the complexity of these protocols, some of them contain defects in their implementations or even in their design, jeopardizing their obliviousness when processing certain memory access sequences. In this paper, we present <monospace>NeuralD</monospace>, a practical tool for testing ORAM protocols and detecting violations of their stated obliviousness. We train a neural distinguisher to form a <i>probabilistic testing oracle</i> capable of determining with a bounded high probability if a pair of ORAM inputs violates the obliviousness guarantee. <monospace>NeuralD</monospace> incorporates a set of techniques and optimizations to provide a highly effective and practical testing pipeline. Additionally, it features a delta debugging-like method to minimize error-triggering inputs (i.e., counterexamples) &#x2014; developers can use these counterexamples to debug their ORAM protocols and identify root problems. <monospace>NeuralD</monospace> is evaluated using well-known ORAM protocols and real-world ORAM applications (e.g., secure key-value storage). Within a few minutes, <monospace>NeuralD</monospace> can detect subtle violations of stated obliviousness.