oss-sec mailing list archives
Defeating memory comparison timing oracles
From: Solar Designer <solar () openwall com>
Date: Fri, 9 May 2014 08:04:53 +0400
Hi, Florian made this nice Red Hat security blog post a couple of days ago: https://securityblog.redhat.com/2014/05/07/defeating-memory-comparison-timing-oracles/ The idea is to harden glibc's memcmp(3) to be partially timing-safe, maybe only in the -D_FORTIFY_SOURCE=2 mode. While I don't mind having memcmp(3) sometimes hardened, I think we primarily need to have an explicit timing-safe memory comparison function in glibc and elsewhere, and I think it'd be natural to adopt OpenBSD's timingsafe_bcmp() prototype and semantics: http://www.openbsd.org/cgi-bin/man.cgi?query=timingsafe_bcmp People will need this very function e.g. when making LibReSSL portable: http://insanecoding.blogspot.com/2014/04/common-libressl-porting-mistakes.html Some good reading on the problem and possible solutions: http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/ http://rdist.root.org/2010/08/05/optimized-memcmp-leaks-useful-timing-differences/ http://rdist.root.org/2010/11/09/blackhat-2010-video-on-remote-timing-attacks/ https://www.isecpartners.com/blog/2011/february/double-hmac-verification.aspx Alexander
Current thread:
- Defeating memory comparison timing oracles Solar Designer (May 08)