lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20090822172252.GA4894@khazad-dum.debian.net>
Date:	Sat, 22 Aug 2009 14:22:52 -0300
From:	Henrique de Moraes Holschuh <hmh@....eng.br>
To:	Pavel Machek <pavel@....cz>
Cc:	Theodore Tso <tytso@....edu>,
	David Wagner <daw-news@...berkeley.edu>,
	linux-kernel@...r.kernel.org
Subject: Re: Security: information leaks in /proc enable keystroke recovery

On Fri, 21 Aug 2009, Pavel Machek wrote:
> /proc/interrupts ? various interfaces powertop uses?
> 
> I did not have chance to read the paper yet, but... does not ssh have
> bad problem in that case?

I am told that SSH tries it best to take constant time for everything
that is even remotely sensitive (or at least, it should)... but it, as
well as openssl, gpg, gnutls and libc for that matter, can't really
protect themselves from sidechannels and information leaks that show up
when one abuses other CPUs (especially if SMT is operational) to gather
behaviour data of the other tasks/processes/threads in the system, or
when one gets to watch the cache misses, CPU pipeline stalls, etc.

I would also expect that *any* timing-related, power-related or
cache-/brach-prediction-/pipeline-stall-/CPU-behaviour- related high-
and medium-precision statistic to be viable side-channels to leak data.

These things are way too subtle to play the "prove it to me then" crap:
it often takes a stroke of geniality on top of extreme skill to find,
let alone exploit them.  Therefore, it is really difficult to say "they
don't exist".

IMO, it is too hard a problem to try to close for real, but we really
should try to have all our crypto be constant-everything as much as we
can (constant CPU effort, constant timing, constant memory pattern
access), and to clamp the precision of measurements sent to userspace to
the strictly needed for them to be useful for system administration,
unless the kernel was compiled to expose high-precision statistics for
development work.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ