Re: [VOTE] Timing attack safe string comparison function

From:	Tjerk Meesters	Date:	Tue, 04 Feb 2014 06:20:37 +0000
Subject:	Re: [VOTE] Timing attack safe string comparison function
References:	1 2	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

On Tue, Feb 4, 2014 at 1:10 AM, Nikita Popov <[email protected]> wrote:

> On Sun, Feb 2, 2014 at 11:50 PM, Rouven Weßling <[email protected]
> >wrote:
>
> > Hi internals,
> >
> > as I've received no further feedback I've opened the voting on "Timing
> > attack safe string comparison function":
> >
> > - https://wiki.php.net/rfc/timing_attack
> >
> > Voting ends on 2014/02/09 11:00PM UTC
> >
> > Best regards
> > Rouven
> >
>
> Did your code already get reviewed by someone with understanding of the
> issue? From a quick glance, two potential issues:
>  * You are using MAX, i.e. an if-then-else branch. I'm pretty sure that the
> if and else branches will have different instruction counts in that case.
> Simple alternative would be something fixed like mod_len = known_len+1 or
> known_len&1.
>

I can't speak for other compilers, but gcc compiles the ternary to this:

        cmpl    $0, -8(%rbp)
        cmovg   -8(%rbp), %eax

So it comes down to whether cmovg takes a variable amount of time; that
said, the move operation is only required if the known length is zero, i.e.
you're comparing user input against an empty string which is quite unlikely..


>  * You leak information on mod_len / known_len, because you will have
> different cache access patterns for comparing always the same 10 memory
> positions and 10000 different ones, at least I'd assume so.
>

There's one particular scenario that comes to mind: if the string data
spans at least two memory pages; assuming memory allocation is optimized to
fit allocated memory inside one page whenever possible, we're talking about
string lengths bigger than the page itself, i.e. 4kB / 8kB.

Given that the known string is relatively small, the leaked information may
reveal that the given string is bigger than the known string.

The above is my own logical deduction, I'm not an expert in this area :)

I don't know how you can prevent the latter issue, and if it is possible at
> all. Personally I'd just drop the length magic and explicitly document it
> to be safe for equal-length strings only. In any case you should have this
> reviewed by someone with more than just a cursory understanding of the
> matter.
>

Given the name hash_compare() it makes a good case to add a bail-out
branch based on string length, in which case you don't have to remember
which argument should come first ... still, it may be nice to have a
generic comparison function :)


> Nikita
>



-- 
--
Tjerk


   

Thread (54 messages)

• Rouven WeßlingSun, 02 Feb 2014 22:50:21 +0000
  • Yasuo OhgakiMon, 03 Feb 2014 01:48:35 +0000
  • Joe WatkinsMon, 03 Feb 2014 07:07:09 +0000Re: [VOTE] Timing attack safe string comparison function
  • Andrea FauldsMon, 03 Feb 2014 12:23:53 +0000
    • Sara GolemonMon, 03 Feb 2014 16:21:25 +0000
  • Sara GolemonMon, 03 Feb 2014 16:18:49 +0000
    • Yasuo OhgakiWed, 05 Feb 2014 02:39:06 +0000
  • Nikita PopovMon, 03 Feb 2014 17:10:05 +0000
    • Pádraic BradyMon, 03 Feb 2014 19:58:21 +0000
    • Yasuo OhgakiMon, 03 Feb 2014 20:57:13 +0000
      • Yasuo OhgakiMon, 03 Feb 2014 21:04:35 +0000
    • Stas MalyshevMon, 03 Feb 2014 22:09:32 +0000
      • Yasuo OhgakiTue, 04 Feb 2014 04:06:30 +0000
        • Yasuo OhgakiTue, 04 Feb 2014 04:30:06 +0000
        • Yasuo OhgakiWed, 05 Feb 2014 02:58:42 +0000
          • Rouven WeßlingWed, 05 Feb 2014 23:36:44 +0000
            • Yasuo OhgakiThu, 06 Feb 2014 01:28:38 +0000
              • Yasuo OhgakiThu, 06 Feb 2014 03:56:11 +0000
                • Yasuo OhgakiThu, 06 Feb 2014 04:20:55 +0000
                  • Yasuo OhgakiThu, 06 Feb 2014 04:31:17 +0000
                    • Yasuo OhgakiThu, 06 Feb 2014 05:17:18 +0000
                • Christopher JonesThu, 06 Feb 2014 04:23:23 +0000
                  • Pierre JoyeThu, 06 Feb 2014 05:24:53 +0000
                    • Stas MalyshevThu, 06 Feb 2014 07:01:36 +0000
                      • Pierre JoyeThu, 06 Feb 2014 07:09:06 +0000
    • Tjerk MeestersTue, 04 Feb 2014 06:20:37 +0000
  • Yasuo OhgakiThu, 06 Feb 2014 23:05:05 +0000
    • Yasuo OhgakiFri, 07 Feb 2014 01:39:31 +0000
      • Yasuo OhgakiMon, 10 Feb 2014 00:24:25 +0000
        • Yasuo OhgakiMon, 10 Feb 2014 01:15:25 +0000
          • Yasuo OhgakiMon, 10 Feb 2014 01:37:58 +0000
          • Yasuo OhgakiMon, 10 Feb 2014 01:58:00 +0000
          • Tjerk MeestersMon, 10 Feb 2014 09:29:31 +0000
            • Pádraic BradyMon, 10 Feb 2014 12:39:26 +0000
        • Lester CaineMon, 10 Feb 2014 09:03:07 +0000
          • Yasuo OhgakiWed, 12 Feb 2014 07:01:35 +0000
            • Lester CaineWed, 12 Feb 2014 07:24:16 +0000
              • Yasuo OhgakiWed, 12 Feb 2014 08:11:21 +0000
  • Rouven WeßlingSun, 23 Feb 2014 15:11:21 +0000
    • Rouven WeßlingSun, 23 Feb 2014 18:31:38 +0000
      • Yasuo OhgakiSun, 23 Feb 2014 20:59:09 +0000
        • Rouven WeßlingSun, 23 Feb 2014 21:05:43 +0000
          • Yasuo OhgakiMon, 24 Feb 2014 04:22:00 +0000
            • Lester CaineMon, 24 Feb 2014 08:11:06 +0000
              • Yasuo OhgakiMon, 24 Feb 2014 09:00:24 +0000
  • Yasuo OhgakiTue, 18 Mar 2014 01:04:35 +0000
    • Rouven WeßlingTue, 18 Mar 2014 11:23:25 +0000
      • Adam HarveyTue, 18 Mar 2014 16:13:33 +0000
        • Ferenc KovacsTue, 18 Mar 2014 18:56:47 +0000
          • Yasuo OhgakiWed, 19 Mar 2014 00:27:57 +0000
            • Ferenc KovacsWed, 19 Mar 2014 02:31:38 +0000
• Andrey AndreevWed, 05 Feb 2014 20:18:17 +0000Re: [VOTE] Timing attack safe string comparison function
• Andrey AndreevMon, 24 Feb 2014 08:13:35 +0000Re: [VOTE] Timing attack safe string comparison function
  • Tjerk MeestersMon, 24 Feb 2014 11:25:58 +0000