Optimisation Considered Harmful

James A. Donald jamesd at echeque.com
Fri Jun 24 12:14:24 EDT 2005


    --
On 23 Jun 2005 at 0:50, Ben Laurie wrote:

> A brief altercation this evening with CERT over the
> recent hyperthread caching issues has brought
> something that's been simmering at the back of my
> brain to the forefront.
>
> The recent hyperthread/cache key recovery trick,
> followed by DJB's related (IMO) symmetric key
> recovery, and preceded by the RSA timing attacks
> (Boneh et al?) are all examples of attacks on the same
> thing: optimisation.
>
> The problem is that if different paths through your
> code expose different availability of optimisation,
> then there's a timing attack available. I predict, for
> example, that someone will find a way to attack
> something using pipeline breaks on Pentium
> processors[1].
>
> How do we fix this? Well, it's easy to say: we make
> everything equally crap - we make sure that all
> operations are as slow as the slowest possible variant
> can be. However, on a modern processor, this is _very_
> hard to do.

Suppose you have something that is inadvertently an
oracle - it encrypts stuff from many different users
preparatory to sending it out over the internet, and
makes no effort to strongly authenticate a user.

Have it encrypt stuff into a buffer, and on a timer
event, send out the buffer.

Your code is now of course multithreaded - very easy to
get multithreading bugs that never show up during
testing, but non-deterministically show up in actual
use.

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     fWkmIPqr+sQN9GW27vahB3Bc9ulLdzbGrPKEjXFL
     4nPDlKsQgDKH6LEnS3M7ECcBByW0lH5o7CUzo2UYB
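The buffer-and-timer idea in the message above, worked through as an added example (this is illustration code, not code from the poster or from any project). It models a server that encrypts data for many users with a toy, key-dependent cost function standing in for a non-constant-time operation, then compares three ways of answering: directly when the work finishes, from a buffer flushed on a fixed timer tick as the message proposes, and from a buffer whose flush is scheduled from the worst-case cost rather than the actual completion time. The tick length, the cost constants, the 16-bit key width and the request arrival times are all constructed assumptions; no real cipher is involved, and the clock is simulated so the results are deterministic.

```python
"""Simulated timing-oracle mitigation: direct reply vs. buffered reply.

The cost model stands in for a secret-dependent code path (extra work per
set key bit, square-and-multiply style). Latencies are in simulated clock
units; nothing here sleeps or uses wall-clock time.
"""
from dataclasses import dataclass
from typing import Callable, List

TICK = 1000            # assumed interval between timer-driven buffer flushes
KEY_BITS = 16          # assumed key width for the toy cost model
SQUARE_COST = 10       # paid once per key bit
MULTIPLY_COST = 7      # paid only for set key bits
WORST_CASE_COST = KEY_BITS * (SQUARE_COST + MULTIPLY_COST)  # all bits set


def secret_dependent_cost(key: int) -> int:
    """Toy cost of 'encrypting' under `key`: depends on the key's Hamming
    weight, which is exactly the kind of optimisation-dependent path the
    thread is about."""
    cost, k = 0, key
    while k:
        cost += SQUARE_COST
        if k & 1:
            cost += MULTIPLY_COST
        k >>= 1
    return cost


@dataclass
class Request:
    user: str
    arrival: int       # simulated time at which the request reached the server


def direct_latencies(reqs: List[Request], key: int) -> List[int]:
    """Reply as soon as the work is done: observed latency == the cost, so an
    observer learns the key's Hamming weight from response times."""
    return [secret_dependent_cost(key) for _ in reqs]


def buffered_latencies(reqs: List[Request], key: int) -> List[int]:
    """The proposal from the message: encrypt into a buffer, send the buffer
    on the next timer event after the work completes. Latency is quantised
    to tick boundaries, but a request whose work straddles a boundary still
    slips a full tick, so some key-dependent signal remains."""
    out = []
    for r in reqs:
        done = r.arrival + secret_dependent_cost(key)
        flush = (done // TICK + 1) * TICK      # first timer event after `done`
        out.append(flush - r.arrival)
    return out


def deadline_latencies(reqs: List[Request], key: int) -> List[int]:
    """Schedule the flush from the worst-case cost rather than the actual
    completion time, i.e. 'as slow as the slowest variant' applied at the
    I/O boundary instead of inside the arithmetic. Latency depends only on
    arrival time; the actual cost never influences when the reply leaves."""
    out = []
    for r in reqs:
        done = r.arrival + secret_dependent_cost(key)
        deadline = r.arrival + WORST_CASE_COST
        flush = -(-deadline // TICK) * TICK    # first tick at or after deadline
        assert done <= flush, "work must finish before its scheduled flush"
        out.append(flush - r.arrival)
    return out


def leaks_key_timing(strategy: Callable[[List[Request], int], List[int]],
                     reqs: List[Request], key_a: int, key_b: int) -> bool:
    """True if two keys produce distinguishable latency profiles under
    `strategy`, i.e. the response timing is acting as an oracle."""
    return strategy(reqs, key_a) != strategy(reqs, key_b)


if __name__ == "__main__":
    # Constructed sample traffic: three users, one arriving late in a tick.
    traffic = [Request("alice", 0), Request("bob", 250), Request("carol", 800)]
    sparse, dense = 0x8001, 0xFFFF          # 2 set bits vs. 16 set bits
    for name, strategy in [("direct", direct_latencies),
                           ("buffered", buffered_latencies),
                           ("deadline", deadline_latencies)]:
        print(f"{name:9s} sparse={strategy(traffic, sparse)} "
              f"dense={strategy(traffic, dense)} "
              f"leaks={leaks_key_timing(strategy, traffic, sparse, dense)}")
```

The simulation deliberately uses a single clock. In a real implementation the encrypting worker and the timer that flushes the buffer are separate threads sharing that buffer, and the buffer needs a lock or a thread-safe queue; forgetting it is the class of non-deterministic bug the message warns about. The deadline variant also shows the mitigation's condition: the worst-case cost must be known and bounded, or the scheduled flush cannot be guaranteed to fall after the work completes.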


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com