Date: Thu, 9 Jun 2016 23:19:38 +0300 From: Billy Brumley <bbrumley@...il.com> To: Roman Drahtmueller <draht@...altsekun.de> Cc: oss-security@...ts.openwall.com Subject: Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations > The paper very resourceful, and thank you for sharing your thoughts > even beyond it! My pleasure :) > Control over CPU utilization (and thereby cache eviction) can be achieved > by a remote attacker: Web applications are influenced remotely by > definition, and they are far from slim or localized these days. > Keepalives allow to keep the system in a sling with predictable resource > utilization including cache fills, as there is not only just data stuffed > through some buffers. > > The question remains if the deterioration of the SNR (*) leaves enough > resolution to be useful. This would no longer constitute a cache-based > attack with the terrifyingly clear signal, but the sharp edges in the > latency that you have demonstrated may contribute to filtering the effect > from the noise. > While the cause - non-constant-time implementation - remains. What you are saying is all valid on paper. But when you move to the uarch level, the techniques we are using are very specific --- rdtsc and clflush instructions, paired with targeted malicious performance degradation techniques. When you take away these tools, it really complicates things for an attacker. > Are the orders of magnitude in range? This is more of an interesting research question that would take maybe six months to definitively answer. BBB
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ