[openssl-users] request for TLBleed information / non-constant-time vulnerabilities

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Jul 27 14:12:46 UTC 2018

> From: Michael R. Hines [mailto:mrhines at digitalocean.com]
> Sent: Friday, July 27, 2018 07:48
> On 07/27/2018 08:35 AM, Michael Wojcik wrote:
> >
> > (I'm only commenting on TLBleed here because I'm not sure what you
> > mean by "non-constant-time attack". TLBleed isn't a timing side channel, so
> > what does constant time have to do with the question?)
> The paper is in fact based on a timing attack. Both Intel (and a nice
> blog from Redhat) confirm this; In fact that's the only way this
> particular vulnerability works. It leaks bits by observing the branch
> path of the code referencing each bit while processing a private key
> based on the time it takes to hit/miss a lookup in the TLB.

Oh, yes, of course you're correct. Sorry - that's what I get for responding early in the morning.

> If the
> cryptographic implementation is constant-time, then the bits are not
> discoverable and the attack is then unavailable.

Hmm. I suppose this is true, but it's not the usual sense of "constant time" when referring to cryptographic implementations - that is, it's not constant-time explicit operations (arithmetic, etc) but constant-time memory access, which requires the implementation to predict which pages it will touch, and to know something about the TLB algorithm used by the particular CPU it's running on.

I think that goes back to the TLBleed authors' mention of partitioning the target process virtual address space. For a library, that would be difficult, since it receives the key at an arbitrary address from the application.

> We're trying to decide if we can avoid disabling hyperthreading, as our
> measurements show that the performance losses (even with integer
> workloads) are significant.
> Might anyone be able to comment on this particular type of attack in
> OpenSSL?

Certainly I'd need to do a lot more research before I'd feel comfortable speculating about possible mitigations within OpenSSL. I'll be interested to see if anyone else does.

Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list