[Cryptography] Compiler optimization side channel
Patrick Chkoreff
pc at fexl.com
Wed Aug 28 09:35:43 EDT 2024
On 8/27/24 3:39 PM, Jerry Leichter wrote:
>> Maybe we could first state the property of this supposed "dream abstract machine"...
> And now we're back to my original point.
>
> Imagine you're coming to me as a compiler developer and asking for support for such stuff. OK, do you have a precise semantics for what you're asking for? "Leaves no extra copies behind": That requires that the underlying machine have a way to guarantee that. Do the machines of interest specify such a thing? How about the operating system? Imagine that just as I'm about to zero out some memory, the page I would write to, along with the CPU, gets taken away from me. When I get the CPU again, a fresh copy of that page gets swapped in. Meanwhile, the old page frame, as it happens, hasn't been written to. Have I violated your spec? ...
Every time I hear discussion of wiping memory, constant time execution,
and side channels, it makes me wonder: How much hostile software are
you actually running on your machine along with your crypto
applications? Do you really have processes running on the same hardware
that are actively timing your operations and spying on cache lines and
swapped pages?
Now maybe some of these concerns are about side channels that leak out
of the machine, such as network interfaces, power supplies, or even EM
radiation. But it doesn't seem that secrets lying around in memory or
cache would matter there. Perhaps constant time execution might matter
in theory, but isn't that a very subtle effect from outside the machine?
So it sounds like the primary threat being addressed is the presence of
"snoop-ware" running on the same machine as the sensitive crypto
operations. Is that correct? I mean, for example, are we talking about
maybe a compromised version of GIMP sniffing your cache lines while
you're working with a private key?
-- Patrick
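As an added illustration of the two concerns the thread circles around (a compiler discarding a "dead" wipe of secret memory, and a comparison whose running time depends on the secret), here is a small C example. It is not code from this mailing-list thread or from any project its participants work on; the function names and the 0xA5 fill value are constructed for the demonstration. `early_exit_steps` makes the leak visible without any timing measurement by returning how many bytes a memcmp-style loop examined before stopping, while `ct_compare` always examines all `n`. `secure_wipe` writes through a `volatile` pointer so the optimizer must keep each store, which a plain `memset` on a buffer about to go out of scope does not guarantee.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison in the style of memcmp(): stops at the first differing
   byte.  Returns how many bytes were examined, which is exactly what a timing
   observer can learn about the position of the first mismatch. */
size_t early_exit_steps(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) return i + 1;   /* data-dependent exit */
    }
    return n;
}

/* Constant-time comparison: fixed loop count and no secret-dependent branch,
   so every call does the same amount of work.  Returns 1 if equal, 0 if not. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    /* Fold a nonzero diff to 1 and zero to 0 without branching:
       for any nonzero byte, either the byte or its two's-complement
       negation has bit 7 set. */
    return 1 - ((diff | (uint8_t)(0u - diff)) >> 7);
}

/* Wipe that the compiler cannot delete as a dead store: every write goes
   through a volatile pointer, so each store counts as an observable effect. */
void secure_wipe(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Helper used to check the wipe result. */
int all_zero(const uint8_t *p, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Fill a caller-owned buffer with a constructed "secret", wipe it, and report
   whether anything survived.  The buffer is caller-owned on purpose: its
   contents remain observable after the call, which is the situation in which
   a plain memset() before return is at risk of being optimized away. */
int wipe_demo(uint8_t *buf, size_t n) {
    memset(buf, 0xA5, n);   /* constructed secret material */
    secure_wipe(buf, n);
    return all_zero(buf, n);
}

int main(void) {
    uint8_t a[4] = {1, 2, 3, 4};
    uint8_t b[4] = {1, 2, 3, 9};   /* differs in the last byte */
    uint8_t c[4] = {9, 2, 3, 4};   /* differs in the first byte */
    uint8_t s[16];

    printf("early-exit steps, mismatch last:  %zu\n", early_exit_steps(a, b, 4));
    printf("early-exit steps, mismatch first: %zu\n", early_exit_steps(a, c, 4));
    printf("ct_compare(a,a)=%d ct_compare(a,b)=%d\n", ct_compare(a, a, 4), ct_compare(a, b, 4));
    printf("wipe left buffer all zero: %d\n", wipe_demo(s, sizeof s));
    return 0;
}
```

The step counts differ by position of the mismatch only for the early-exit loop; that difference, not any one measurement, is what a co-resident observer or a network-side timing study would try to recover. The volatile wipe is the portable fallback where `memset_s` or `explicit_bzero` is unavailable.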