[openssl-dev] Why is `volatile` used in MOD_EXP_CTIME_COPY_FROM_PREBUF?

Andy Polyakov appro at openssl.org
Wed Jun 8 08:50:30 UTC 2016


>>> See
>>> https://github.com/openssl/openssl/commit/d6482a82bc2228327aa4ba98aeeecd9979542a31#diff-3aca3afd18ad75a8f6a09a9860bc6ef5R631
>>>
>>> + volatile BN_ULONG *table = (volatile BN_ULONG *)buf;
>>>
>>> Why is `volatile` used here? Is it to work around the effective type
>>> (strict aliasing) violations or for some other reason?
>>
>> Isn't it obvious? Volatile is there to discourage compiler from
>> reordering loads from the table. I mean concern is that if reordered
>> in specific manner loads might give away the information we are trying
>> to conceal.
>
> Sorry, maybe these things are obvious to many people but they're not
> so obvious to me. I saw that after I posted this email, you added a
> comment that says something similar to what you wrote above. But, just
> to be absolutely clear: the concern is that the compiler might notice,
> "hey, this code is scanning this input array in a weird way. I can
> redo the math (in a way that will result in non-constant-time-access
> to the buffers containing secrets) so that this is much faster." So,
> maybe, it is not so much the order of the accesses that matter, but
> rather that the compiler might choose to do different math that
> arrives at the same results, but with different timing?

Well, it's all about timing *variation* depending on attacker's
activity. But it's not really about making timing independent on
attacker's activity, but making it independent on secret material. I
mean it *may* depend on attacker's activity, but this whichever
dependency may not depend on secret material. And it may not depend on
it during operation either. I mean it's not enough to make overall time
independent, but even each intermediate step. 'volatile' formally
obliges compiler to actually perform all the references (none can be
omitted, that would be catastrophic scenario) and even preserve their
order (concern is that compiler would regroup in manner that would allow
attacker to trace the execution which in turn might give away information).
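To make the concern concrete, here is an added illustration (not OpenSSL's code) of the two ways to fetch a row from a precomputed table: the plain indexed read, whose access pattern depends on the secret index, and a scan-everything-and-mask copy in the spirit of MOD_EXP_CTIME_COPY_FROM_PREBUF. The `volatile` qualifier is what denies the compiler the option of dropping the masked-out loads or collapsing the scan back into an indexed read. Limb type, table width and row count are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef uint64_t BN_ULONG;  /* assumed 64-bit limb type, as on 64-bit OpenSSL builds */
#define NUM_LIMBS  4        /* constructed: row width in limbs */
#define TABLE_SIZE 8        /* constructed: number of rows in the precomputed table */

/* Plain indexed copy: which row is loaded depends on the secret idx, so the
 * access pattern (and the cache state it leaves behind) depends on the secret. */
static void copy_from_table_leaky(BN_ULONG *out, const BN_ULONG *buf, size_t idx)
{
    memcpy(out, buf + idx * NUM_LIMBS, NUM_LIMBS * sizeof(BN_ULONG));
}

/* Constant-time copy: every row is loaded and the wanted one is selected by an
 * all-ones/all-zeros mask.  The volatile cast is the point of the thread: the
 * compiler must perform every load, in program order, rather than skip the
 * rows whose mask is zero or rewrite the scan as a plain indexed read. */
static void copy_from_table_ct(BN_ULONG *out, const BN_ULONG *buf, size_t idx)
{
    volatile const BN_ULONG *table = (volatile const BN_ULONG *)buf;
    size_t i, j;
    memset(out, 0, NUM_LIMBS * sizeof(BN_ULONG));
    for (i = 0; i < TABLE_SIZE; i++) {
        /* mask == ~0 iff i == idx; derived by unsigned arithmetic, not a branch */
        BN_ULONG mask = (BN_ULONG)0 - (BN_ULONG)(((i ^ idx) - 1) >> (8 * sizeof(size_t) - 1));
        for (j = 0; j < NUM_LIMBS; j++)
            out[j] |= table[i * NUM_LIMBS + j] & mask;
    }
}

/* Constructed self-check: the two copies must agree for every row index. */
int ct_copy_matches_leaky(void)
{
    BN_ULONG buf[TABLE_SIZE * NUM_LIMBS], a[NUM_LIMBS], b[NUM_LIMBS];
    size_t idx, k;
    for (k = 0; k < TABLE_SIZE * NUM_LIMBS; k++)
        buf[k] = 0x1000 * (k / NUM_LIMBS) + (k % NUM_LIMBS) + 1;
    for (idx = 0; idx < TABLE_SIZE; idx++) {
        copy_from_table_leaky(a, buf, idx);
        copy_from_table_ct(b, buf, idx);
        if (memcmp(a, b, sizeof(a)) != 0)
            return 0;
    }
    return 1;
}
```

Compiling both functions at -O2 and comparing the generated code is the practical check: the masked loop should still contain TABLE_SIZE * NUM_LIMBS loads, whereas without `volatile` the compiler is free to reduce it.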
