oss-sec mailing list archives

Defeating memory comparison timing oracles


From: Solar Designer <solar () openwall com>
Date: Fri, 9 May 2014 08:04:53 +0400

Hi,

Florian made this nice Red Hat security blog post a couple of days ago:

https://securityblog.redhat.com/2014/05/07/defeating-memory-comparison-timing-oracles/

The idea is to harden glibc's memcmp(3) to be partially timing-safe,
maybe only in the -D_FORTIFY_SOURCE=2 mode.

While I don't mind having memcmp(3) sometimes hardened, I think we
primarily need to have an explicit timing-safe memory comparison
function in glibc and elsewhere, and I think it'd be natural to adopt
OpenBSD's timingsafe_bcmp() prototype and semantics:

http://www.openbsd.org/cgi-bin/man.cgi?query=timingsafe_bcmp

People will need this very function e.g. when making LibReSSL portable:

http://insanecoding.blogspot.com/2014/04/common-libressl-porting-mistakes.html

Some good reading on the problem and possible solutions:

http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/
http://rdist.root.org/2010/08/05/optimized-memcmp-leaks-useful-timing-differences/
http://rdist.root.org/2010/11/09/blackhat-2010-video-on-remote-timing-attacks/

https://www.isecpartners.com/blog/2011/february/double-hmac-verification.aspx

Alexander
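The following is an added illustration, not part of Alexander's message and not OpenBSD's or glibc's code. It shows a function with the timingsafe_bcmp() prototype and semantics the message refers to (0 when the n bytes match, non-zero otherwise, no early exit), beside the early-exit comparison pattern that the linked rdist.root.org posts describe as the source of the timing oracle, and a MAC-tag check built on the constant-time primitive. The _example names and the sample tags are assumptions made here.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example: a comparison with the prototype and semantics of OpenBSD's
 * timingsafe_bcmp(3). Returns 0 if the n bytes at b1 and b2 are identical,
 * non-zero otherwise. Every byte pair is XORed into an accumulator and the
 * loop never exits early, so the running time depends only on n, not on
 * where the first differing byte is. The _example suffix is ours.
 */
int timingsafe_bcmp_example(const void *b1, const void *b2, size_t n)
{
    const volatile unsigned char *p1 = b1;
    const volatile unsigned char *p2 = b2;
    unsigned char acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= p1[i] ^ p2[i];

    return acc != 0;
}

/*
 * The pattern the linked posts warn about: a memcmp()-style loop that stops
 * at the first mismatch. Included only as the "before" case. Its return
 * value is the number of byte comparisons performed, which is what a remote
 * attacker effectively measures through the response time.
 */
size_t early_exit_steps_example(const void *b1, const void *b2, size_t n)
{
    const unsigned char *p1 = b1;
    const unsigned char *p2 = b2;
    size_t steps = 0;

    while (steps < n) {
        steps++;
        if (p1[steps - 1] != p2[steps - 1])
            break;
    }
    return steps;
}

/*
 * Verifying a MAC tag or token with the constant-time primitive. The
 * expected tag length is fixed by the algorithm and not secret, so rejecting
 * on a length mismatch before comparing leaks nothing useful. Returns 1 when
 * the tags match, 0 otherwise.
 */
int verify_tag_example(const unsigned char *expected, size_t expected_len,
                       const unsigned char *received, size_t received_len)
{
    if (expected_len != received_len)
        return 0;
    return timingsafe_bcmp_example(expected, received, expected_len) == 0;
}

int main(void)
{
    /* Constructed sample tags for the demonstration, not real MAC output. */
    static const unsigned char good[] = "0123456789abcdef";
    static const unsigned char near[] = "0123456789abcdeX"; /* last byte differs */
    static const unsigned char far[]  = "X123456789abcdef"; /* first byte differs */
    size_t n = sizeof good - 1;

    printf("timingsafe_bcmp: good vs good -> %d, good vs near -> %d\n",
           timingsafe_bcmp_example(good, good, n),
           timingsafe_bcmp_example(good, near, n));
    printf("early-exit steps: good vs near -> %zu, good vs far -> %zu\n",
           early_exit_steps_example(good, near, n),
           early_exit_steps_example(good, far, n));
    printf("verify_tag: match %d, near %d, short %d\n",
           verify_tag_example(good, n, good, n),
           verify_tag_example(good, n, near, n),
           verify_tag_example(good, n, good, n - 1));
    return 0;
}
```

The early-exit loop performs 16 comparisons for a tag that is wrong only in its last byte and 1 for a tag wrong in its first byte; that difference is the oracle. The timingsafe variant always touches all n bytes, and the volatile qualifier is a best-effort hint to keep the compiler from reintroducing a shortcut. Note that, like OpenBSD's function, it only answers equal/not-equal and gives no ordering; OpenBSD provides the separate timingsafe_memcmp() for callers that need a memcmp()-style result.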