[Cryptography] Compiler optimization side channel

John Levine johnl at iecc.com
Wed Aug 28 10:25:39 EDT 2024


It appears that Jerry Leichter <leichter at lrw.com> said:
>Imagine you're coming to me as a compiler developer and asking for support for such stuff.  OK, do you have a
>precise semantics for what you're asking for?  "Leaves no extra copies behind":  That requires that the underlying
>machine have a way to guarantee that.  Do the machines of interest specify such a thing?  How about the operating
>system?  Imagine that just as I'm about to zero out some memory, the page I would write to, along with the CPU,
>gets taken away from me.  When I get the CPU again, a fresh copy of that page gets swapped in.  Meanwhile, the old
>page frame, as it happens, hasn't been written to.  Have I violated your spec?
>
>Is there a way to test that the code I generate actually implements your spec?  When you say the loop is "constant
>time," presumably that's in the face of variations in the inputs.  What variations? ...

I think it's possible to make things better even if you can't make it perfect. If you look
at the paper that Richard cited, they found that in what looked like straightforward
expressions compilers would come up with tricky branches that would indeed usually
run faster.  So a compiler flag saying compile this chunk of code with no branches
and fail if you can't would make things, if not perfect, at least better.

Similarly, while we can't guarantee what's in the caches and prefetch and so forth,
a flag saying to zero the stack frame and registers before you return would fix
a lot of simple attacks.

R's,
John

PS: And yeah, that number theory guy in comp.compilers was a piece of work. He was
clueless but never rude so I kept approving his stuff.
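Added illustration by the editor, not part of John's message or the thread: the two mitigations he sketches (no data-dependent branches in a sensitive loop, and scrubbing the frame before return) can be approximated today at the source level. The code below puts the "straightforward" early-exit comparison next to a branch-free one, adds a branch-free select, and shows a zeroing routine written through a volatile pointer so the compiler cannot drop the stores as dead. All function names and test vectors are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Variable-time comparison (the "straightforward expression" case): the early
   return makes running time depend on the position of the first mismatch,
   which is exactly the kind of data-dependent branch the thread is about. */
int naive_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) return 0;   /* data-dependent branch */
    }
    return 1;
}

/* Branch-free comparison: every byte is visited and folded into `acc` with
   XOR/OR, so the work done does not depend on where (or whether) a and b differ. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= (uint8_t)(a[i] ^ b[i]);
    }
    /* Map acc==0 -> 1 and acc!=0 -> 0 arithmetically: (acc - 1) borrows into
       bit 8 and above only when acc is zero. */
    return (int)((((uint32_t)acc - 1u) >> 8) & 1u);
}

/* Branch-free select: returns a when cond==1, b when cond==0 (cond must be 0/1). */
uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b) {
    uint32_t mask = 0u - cond;            /* 0x00000000 or 0xFFFFFFFF */
    return (a & mask) | (b & ~mask);
}

/* Zeroing through a volatile pointer so the compiler cannot treat the stores
   as dead and remove them (a plain memset just before return is routinely elided). */
void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n-- > 0) {
        *v++ = 0;
    }
}

/* "Clean up before you return": derive a value from a secret copied into a
   stack buffer, then scrub that copy before leaving the frame. */
uint32_t sum_then_scrub(const uint8_t *secret, size_t n) {
    uint8_t scratch[64];
    if (n > sizeof scratch) n = sizeof scratch;
    memcpy(scratch, secret, n);
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += scratch[i];
    secure_zero(scratch, sizeof scratch);  /* leave no extra copy behind */
    return sum;
}

/* Self-check on constructed vectors; returns 1 when every routine behaves as expected. */
int selfcheck(void) {
    static const uint8_t k1[4] = {1, 2, 3, 4};
    static const uint8_t k2[4] = {1, 2, 3, 5};
    uint8_t buf[8] = {9, 9, 9, 9, 9, 9, 9, 9};
    secure_zero(buf, sizeof buf);
    int zeroed = 1;
    for (size_t i = 0; i < sizeof buf; i++) zeroed &= (buf[i] == 0);
    return ct_equal(k1, k1, 4) == 1 && ct_equal(k1, k2, 4) == 0
        && naive_equal(k1, k2, 4) == 0
        && ct_select(1, 7, 9) == 7 && ct_select(0, 7, 9) == 9
        && zeroed;
}

int main(void) {
    int ok = selfcheck();
    printf("selfcheck: %s\n", ok ? "ok" : "FAIL");
    return ok ? 0 : 1;
}
```

Two caveats that match the thread's point: a volatile store defeats dead-store elimination but says nothing about registers, spills, or caches, and nothing here stops a compiler from re-introducing a branch into `ct_equal` after an optimizer pass, which is why the thread wants the guarantee at the compiler level. The closest existing knobs are GCC's `-fzero-call-used-regs` for scrubbing registers on return and platform routines such as `explicit_bzero` for memory; neither covers the "fail if you can't make it branch-free" request.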
