[openssl-dev] CVE-2016-2178 - Constant time flag not preserved in DSA signing
Leif Thuresson
leif.thuresson at foxt.com
Mon Sep 26 15:45:31 UTC 2016
I'm trying to understand the severity of this issue.
The demo exploit described here http://eprint.iacr.org/2016/594 relies
on the fact the target program
and the attacker share the same memory image of the OpenSSL shared library.
If my program is statically linked to OpenSSL will that make it more
resistant to this type of attack?
Or will page de-duplication techniques like Linux KSM make it just as
vulnerable as a dynamically linked program?
/leif
More information about the openssl-dev
mailing list