Date: Fri, 9 May 2014 08:04:53 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Defeating memory comparison timing oracles

Hi,

Florian made this nice Red Hat security blog post a couple of days ago:

https://securityblog.redhat.com/2014/05/07/defeating-memory-comparison-timing-oracles/

The idea is to harden glibc's memcmp(3) to be partially timing-safe,
maybe only in the -D_FORTIFY_SOURCE=2 mode.

While I don't mind having memcmp(3) sometimes hardened, I think we
primarily need to have an explicit timing-safe memory comparison
function in glibc and elsewhere, and I think it'd be natural to adopt
OpenBSD's timingsafe_bcmp() prototype and semantics:

http://www.openbsd.org/cgi-bin/man.cgi?query=timingsafe_bcmp

People will need this very function e.g. when making LibreSSL portable:

http://insanecoding.blogspot.com/2014/04/common-libressl-porting-mistakes.html

Some good reading on the problem and possible solutions:

http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/
http://rdist.root.org/2010/08/05/optimized-memcmp-leaks-useful-timing-differences/
http://rdist.root.org/2010/11/09/blackhat-2010-video-on-remote-timing-attacks/

https://www.isecpartners.com/blog/2011/february/double-hmac-verification.aspx

Alexander
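
An added example, not part of the original message and not glibc or OpenBSD code: an early-exit comparison next to a comparison with the timingsafe_bcmp() prototype and return convention (0 if equal, nonzero otherwise). The names ct_bcmp, leaky_bytes_inspected and tag_ok, and the sample bytes, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define TAG_LEN 8

/* Constructed sample data: a secret tag and two wrong guesses. */
const unsigned char secret_tag[TAG_LEN]  = {0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x04};
const unsigned char guess_early[TAG_LEN] = {0x00,0xad,0xbe,0xef,0x01,0x02,0x03,0x04};
const unsigned char guess_late[TAG_LEN]  = {0xde,0xad,0xbe,0xef,0x01,0xff,0x03,0x04};

/* Early-exit comparison, as a simple memcmp() does. Returns how many bytes
 * were inspected: the quantity a timing oracle indirectly exposes. */
size_t leaky_bytes_inspected(const void *b1, const void *b2, size_t len)
{
    const unsigned char *p1 = b1, *p2 = b2;
    size_t i;

    for (i = 0; i < len; i++)
        if (p1[i] != p2[i])
            return i + 1;          /* work depends on the matching prefix */
    return len;
}

/* ct_bcmp (hypothetical name): 0 if equal, nonzero otherwise, like
 * timingsafe_bcmp(). Always touches all len bytes, no data-dependent branch. */
int ct_bcmp(const void *b1, const void *b2, size_t len)
{
    const volatile unsigned char *p1 = b1, *p2 = b2;
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < len; i++)
        diff |= p1[i] ^ p2[i];     /* accumulate differences, never branch */
    return diff != 0;
}

/* Hypothetical caller: the tag length is public, so checking it first is fine. */
int tag_ok(const unsigned char *supplied, size_t supplied_len)
{
    return supplied_len == TAG_LEN && ct_bcmp(secret_tag, supplied, TAG_LEN) == 0;
}

int main(void)
{
    printf("early-exit work: %zu vs %zu bytes\n",
           leaky_bytes_inspected(secret_tag, guess_early, TAG_LEN),
           leaky_bytes_inspected(secret_tag, guess_late, TAG_LEN));
    printf("tag_ok: %d %d\n", tag_ok(guess_late, TAG_LEN), tag_ok(secret_tag, TAG_LEN));
    return 0;
}
```

An optimizing compiler can still turn such a loop into data-dependent code, so inspect the generated assembly for the target build before relying on it.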
