Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Thu, 9 Jun 2016 23:19:38 +0300
From: Billy Brumley <>
To: Roman Drahtmueller <>
Subject: Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations

> The paper is very resourceful, and thank you for sharing your thoughts
> even beyond it!

My pleasure :)

> Control over CPU utilization (and thereby cache eviction) can be achieved
> by a remote attacker: Web applications are influenced remotely by
> definition, and they are far from slim or localized these days.
> Keepalives make it possible to keep the system in a sling with predictable
> resource utilization, including cache fills, as there is not just data
> stuffed through some buffers.
> The question remains if the deterioration of the SNR (*) leaves enough
> resolution to be useful. This would no longer constitute a cache-based
> attack with the terrifyingly clear signal, but the sharp edges in the
> latency that you have demonstrated may contribute to filtering the effect
> from the noise.
> While the cause - non-constant-time implementation - remains.

What you are saying is all valid on paper. But when you move to the
uarch level, the techniques we are using are very specific --- rdtsc
and clflush instructions, paired with targeted malicious performance
degradation techniques. When you take away these tools, it really
complicates things for an attacker.

> Are the orders of magnitude in range?

This is more of an interesting research question that would take maybe
six months to definitively answer.

