[openssl-users] request for TLBleed information / non-constant-time vulnerabilities

Jakob Bohm jb-openssl at wisemo.com
Fri Jul 27 17:52:29 UTC 2018


On 27/07/2018 16:20, Michael R. Hines via openssl-users wrote:
>
> On 07/27/2018 09:12 AM, Michael Wojcik wrote:
>>
>>> We're trying to decide if we can avoid disabling hyperthreading, as our
>>> measurements show that the performance losses (even with integer
>>> workloads) are significant.
>>>
>>> Might anyone be able to comment on this particular type of attack in
>>> OpenSSL?
>> Certainly I'd need to do a lot more research before I'd feel 
>> comfortable speculating about possible mitigations within OpenSSL. 
>> I'll be interested to see if anyone else does.
>>
>> -- 
>> Michael Wojcik
>> Distinguished Engineer, Micro Focus
>
> Any and all guidance would be appreciated!
>
> Again, thank you so much for the response. We're having a very 
> difficult time finding a response (of any kind)
> from the crypto community or from the linux distributions as well.
It looks from your descriptions (I haven't read the paper, and may
be wrong for other reasons too) like the most effective mitigation
(not always available) is to use code that doesn't do data-dependent
(incl. key-dependent) memory addressing.

However converting normal algorithms to a form that always accesses
the same memory bytes in the same order is a non-trivial job, and is
further complicated by the very real risk that any code optimizer
between your source code and the actual memory access hardware may
undo your carefully crafted mitigations.  (Such optimizers could
be in your compiler, in a JIT-based bytecode interpreter or even
in the kind of modern CPU that this attack targets).

And once you have done all that work to protect the cryptographic
library, the CPU vulnerability still allows the attacker to observe
the non-cryptographic application code that actually creates or uses
the plain text (after all, you don't need the plaintext if you are
not going to use it, or at least create it).

For example, the attacker may measure the memory access patterns of
the spell checker used when inputting the plain text, or the line
break and character width calculations in code that outputs the
plain text to an otherwise secure display.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
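As an added illustration of the point Jakob makes above about replacing data-dependent memory addressing with code that touches the same bytes in the same order, the C below is example code written for this page, not code from the thread, from OpenSSL or from any paper. It uses a constructed 16-entry substitution table (SBOX), a secret-indexed lookup in its ordinary form beside a masked, read-every-entry form, and a hypothetical helper `access_pattern_is_input_independent` that records the table offsets each version reads and checks whether that sequence changes with the input. The `volatile` read is a common way to discourage the compiler from folding the loop back into a single indexed load; as the message notes, no such source-level measure is a guarantee against every optimizer between the source and the memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SBOX_LEN 16

/* Constructed 16-entry substitution table standing in for any secret-indexed
 * table (an S-box, a windowed-exponentiation table, ...). Not OpenSSL's data. */
static const uint8_t SBOX[SBOX_LEN] = {
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76
};

/* Each lookup records the table offsets it reads into trace[] (at most
 * SBOX_LEN of them) and stores the count in *n, so the access sequence of
 * different inputs can be compared. Hypothetical signature for this example. */
typedef uint8_t (*lookup_fn)(uint8_t idx, size_t *trace, size_t *n);

/* Ordinary lookup: a single load whose address is a function of the secret
 * index, which is exactly what a cache or TLB side channel can observe. */
uint8_t sbox_lookup_leaky(uint8_t idx, size_t *trace, size_t *n)
{
    size_t want = idx & (SBOX_LEN - 1);
    trace[0] = want;
    *n = 1;
    return SBOX[want];
}

/* Constant-address lookup: read every entry in a fixed order and keep the
 * wanted one with an arithmetic mask, so the address sequence is identical
 * for every idx and only the selected value differs. */
uint8_t sbox_lookup_ct(uint8_t idx, size_t *trace, size_t *n)
{
    size_t want = idx & (SBOX_LEN - 1);
    /* volatile forces the compiler to emit every load instead of collapsing
     * the loop into one indexed read; a mitigation, not a proof. */
    volatile const uint8_t *tbl = SBOX;
    uint8_t result = 0;
    for (size_t i = 0; i < SBOX_LEN; i++) {
        uint32_t diff = (uint32_t)(i ^ want);
        /* mask is 0xff when diff == 0 (unsigned wrap-around of diff - 1),
         * 0x00 for any other diff below 256; no branch, no indexed load */
        uint8_t mask = (uint8_t)((diff - 1u) >> 8);
        trace[i] = i;
        result |= (uint8_t)(tbl[i] & mask);
    }
    *n = SBOX_LEN;
    return result;
}

/* Returns 1 if f reads the same table offsets in the same order for every
 * possible input byte, 0 if the access pattern depends on the input. */
int access_pattern_is_input_independent(lookup_fn f)
{
    size_t ref[SBOX_LEN], cur[SBOX_LEN];
    size_t ref_n, cur_n;
    f(0, ref, &ref_n);
    for (unsigned v = 1; v < 256; v++) {
        f((uint8_t)v, cur, &cur_n);
        if (cur_n != ref_n || memcmp(cur, ref, cur_n * sizeof cur[0]) != 0)
            return 0;
    }
    return 1;
}

/* Returns 1 if both lookups compute the same value for every input, i.e. the
 * rewrite changed the access pattern but not the function. */
int lookups_agree(void)
{
    size_t t[SBOX_LEN];
    size_t n;
    for (unsigned v = 0; v < 256; v++)
        if (sbox_lookup_leaky((uint8_t)v, t, &n) != sbox_lookup_ct((uint8_t)v, t, &n))
            return 0;
    return 1;
}

int main(void)
{
    printf("ordinary lookup input-independent:      %d\n",
           access_pattern_is_input_independent(sbox_lookup_leaky));
    printf("constant-address lookup input-independent: %d\n",
           access_pattern_is_input_independent(sbox_lookup_ct));
    printf("both compute the same function:         %d\n", lookups_agree());
    return 0;
}
```

The trace check is the property to keep in mind when auditing such code: it is not enough that the result is correct, the sequence of addresses touched must be the same for every secret. The check here only covers what the source does; inspecting the generated assembly is still needed to see whether the compiler preserved it.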


