Source-Changes-D archive


Re: CVS commit: src



   Date: Thu, 30 Aug 2012 18:44:31 +0000 (UTC)
   From: christos%astron.com@localhost (Christos Zoulas)

   In article <20120830170609.14DD160534%jupiter.mumble.net@localhost>,
   Taylor R Campbell <campbell+netbsd-source-changes-d%mumble.net@localhost> wrote:
   >   Date: Thu, 30 Aug 2012 11:44:41 -0400
   >   From: christos%zoulas.com@localhost (Christos Zoulas)
   >
   >   int
   >   consttime_memcmp(const void *s1, const void *s2, size_t n)
   >   {
   >           int rv = 0, sv = 0;
   >           const unsigned char *p1 = s1, *p2 = s2;
   >
   >           do
   >                   if (rv == 0)
   >                           rv = *p1++ - *p2++;
   >
   >Data-dependent branches are totally unacceptable for a routine whose
   >sole purpose is to avoid timing side channels.

   How can you tell the difference if both branches execute code that does
   exactly the same work?

Branches themselves tend to take highly variable amounts of time, both
because of prediction and because the instruction pointer then becomes
a data-dependent memory address that can cause cache timings to leak
secrets.

For crypto code to resist timing attacks, data-dependent branches and
data-dependent memory references must be avoided.

One could probably rearrange the code to use constant-time operations
such as bitwise operations and shifts instead of branches, but that
would be complicated, and would it be worth the trouble?  That's why I
asked whether there exist any applications that both need to resist
timing attacks and rely on memcmp semantics.  I have never encountered
any.
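To make the rearrangement Taylor describes concrete, here is an added example written for this archive page (not code from the NetBSD tree or from either poster; the names ct_memeq and ct_memcmp are my own): the `if (rv == 0)` guard in the quoted routine is replaced by a 0/1 mask, so every iteration does the same work regardless of where, or whether, the inputs differ.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Constant-time equality test: every byte is visited, there is no early
 * exit, and the 0/1 result comes from mask arithmetic, not a branch.
 * The length n is treated as public (the caller's expected tag length).
 */
int
ct_memeq(const void *s1, const void *s2, size_t n)
{
	const unsigned char *p1 = s1, *p2 = s2;
	uint32_t acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= (uint32_t)(p1[i] ^ p2[i]);	/* non-zero iff any byte differs */
	/* (acc | -acc) has its top bit set iff acc != 0; fold to 0/1 and invert. */
	return (int)(1u ^ ((acc | (0u - acc)) >> 31));
}

/*
 * Constant-time three-way compare with memcmp's sign semantics (-1, 0, 1).
 * The first differing byte decides, as in memcmp, but "already decided"
 * is carried in a 0/1 mask, so every iteration does identical work.
 */
int
ct_memcmp(const void *s1, const void *s2, size_t n)
{
	const unsigned char *p1 = s1, *p2 = s2;
	uint32_t lt = 0, gt = 0, undecided = 1;
	size_t i;

	for (i = 0; i < n; i++) {
		uint32_t x = p1[i], y = p2[i];
		uint32_t lt_here = (x - y) >> 31;	/* 1 iff x < y (wraps past 2^31) */
		uint32_t gt_here = (y - x) >> 31;	/* 1 iff x > y */

		lt |= undecided & lt_here;
		gt |= undecided & gt_here;
		undecided &= 1u ^ (lt_here | gt_here);	/* stays 0 once a byte differed */
	}
	return (int)gt - (int)lt;
}
```

Mask arithmetic only helps if the compiler leaves it alone, so the generated assembly for the loop body should be checked for conditional jumps after any optimizer or compiler upgrade. Most callers (MAC and password-hash checks) only need ct_memeq; ct_memcmp exists to show that memcmp's ordering result is also reachable without data-dependent branches.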

