Re: CVS commit: src

To: christos%astron.com@localhost (Christos Zoulas)
Subject: Re: CVS commit: src
From: Taylor R Campbell <campbell+netbsd-source-changes-d%mumble.net@localhost>
Date: Thu, 30 Aug 2012 18:59:32 +0000

   Date: Thu, 30 Aug 2012 18:44:31 +0000 (UTC)
   From: christos%astron.com@localhost (Christos Zoulas)

   In article <20120830170609.14DD160534%jupiter.mumble.net@localhost>,
   Taylor R Campbell  <campbell+netbsd-source-changes-d%mumble.net@localhost> 
wrote:
   >   Date: Thu, 30 Aug 2012 11:44:41 -0400
   >   From: christos%zoulas.com@localhost (Christos Zoulas)
   >
   >   int
   >   consttime_memcmp(const void *s1, const void *s2, size_t n)
   >   {
   >           int rv = 0, sv = 0;
   >           const unsigned char *p1 = s1, *p2 = s2;
   >
   >           do
   >                   if (rv == 0)
   >                           rv = *p1++ - *p2++;
   >
   >Data-dependent branches are totally unacceptable for a routine whose
   >sole purpose is to avoid timing side channels.

   How can you tell the difference if both branches execute code that does
   exactly the same work?

Branches themselves tend to take highly variable amounts of time, both
because of prediction and because the instruction pointer then becomes
a data-dependent memory address that can cause cache timings to leak
secrets.

For crypto code to resist timing attacks, data-dependent branches and
data-dependent memory references must be avoided.

One could probably rearrange the code to use constant-time operations
such as bitwise operations and shifts instead of branches, but that
would be complicated, and would it be worth the trouble?  That's why I
asked whether there exist any applications that both need to resist
timing attacks and rely on memcmp semantics.  I have never encountered
any.

References:
- Re: CVS commit: src
  - From: Christos Zoulas

Prev by Date: Re: CVS commit: src
Next by Date: Re: CVS commit: src
Previous by Thread: Re: CVS commit: src
Indexes:

Home | Main Index | Thread Index | Old Index