Hi,

About the timing attack RFC, I have asked for some review and advice
and here is a useful one already, thanks Alex :)

Please keep him as CC as I do not know if he is on this list.

Cheers,
---------- Forwarded message ----------
From: Solar Designer <[email protected]>
Date: Wed, Feb 5, 2014 at 10:46 AM
Subject: Re: little request :)
To: Pierre Joye <[email protected]>
Hi,
On Wed, Feb 05, 2014 at 09:18:25AM +0100, Pierre Joye wrote:
> It would be great if you could review this RFC?
>
> https://wiki.php.net/rfc/timing_attack
>
> I am not totally convinced about the need of this new function, it
> cannot hurt to have it but then the implementation has to be rock
> solid.

I think a function like this is needed, but you're right: it'd need to
be let's say more solid, and it should be specified which properties are
guaranteed and to what extent (tricky!)

As it is, it tries to hide the length of known_str, but it fails to do
so at least because integer division is commonly not constant time.

Does zend_parse_parameters() figure out the string lengths in constant
time? I hope so.

Is MAX() implemented without branching? Hardly.

"Do not optimize this for speed." - this is merely a source code
comment, and while it might work on humans, it won't work on C
compilers, which may indeed try to optimize the code in various ways.
Currently, C compilers are not known to optimize this specific construct
in a dangerous way, but there's nothing preventing them from doing so.

For reference, here's what OpenBSD has:

http://www.openbsd.org/cgi-bin/man.cgi?apropos=0&sektion=3&query=timingsafe_bcmp&manpath=OpenBSD+Current&arch=i386&format=html

This is fixed-length, so the issue of hiding a length does not arise,
and OpenBSD comes with and is built by a particular C compiler. I am
not aware of them trying to introduce a similar function for variable
length strings (OK, this may be in part because of the way strings are
commonly stored in C, where even to determine the string length you'd
have to be non-constant time already).

Hiding a string length is really tricky, and only possible to a more
limited extent than hiding byte value differences.

Alexander
--
Pierre
@pierrejoye | http://www.libgd.org
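
The two constructs the review above singles out, a fixed-length comparison with no early exit and a maximum computed without branching, sketched in C as an added example (not code from the RFC, PHP or OpenBSD). The names ct_bcmp and ct_max_size are hypothetical, the buffer length is treated as public, and nothing in the C standard guarantees the timing behaviour of the compiled result.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: 0 if the two n-byte buffers match, 1 otherwise.
 * n is public; only the byte values are meant to stay hidden. */
int ct_bcmp(const void *a, const void *b, size_t n)
{
    /* volatile reads discourage the compiler from short-circuiting the
     * loop; as the mail notes, the C standard gives no timing guarantee. */
    const volatile unsigned char *pa = a;
    const volatile unsigned char *pb = b;
    unsigned int diff = 0;
    size_t i;

    for (i = 0; i < n; i++)
        diff |= (unsigned int)(pa[i] ^ pb[i]);   /* accumulate, never exit early */

    /* diff is 0..255: adding 255 carries into bit 8 only when diff != 0 */
    return (int)((diff + 0xFFu) >> 8);
}

/* Hypothetical helper: max(x, y) with no comparison operator or ?:. */
size_t ct_max_size(size_t x, size_t y)
{
    /* Top bit of the borrow expression is 1 exactly when x < y (unsigned). */
    size_t lt = ((~x & y) | ((~x | y) & (x - y))) >> (sizeof(size_t) * CHAR_BIT - 1);
    size_t mask = (size_t)0 - lt;        /* all ones if x < y, else zero */
    return x ^ ((x ^ y) & mask);         /* selects y when mask is set */
}

int main(void)
{
    /* Constructed sample values, not real secrets. */
    static const unsigned char known[8] = "s3cr3t!";
    static const unsigned char good[8]  = "s3cr3t!";
    static const unsigned char bad[8]   = "s3cr3t?";

    printf("match:    %d\n", ct_bcmp(known, good, sizeof known));
    printf("mismatch: %d\n", ct_bcmp(known, bad, sizeof known));
    printf("max:      %lu\n", (unsigned long)ct_max_size(7, 32));
    return 0;
}
```

Checking the generated assembly for the target compiler and optimization level is the only way to confirm that no branch or early exit was introduced.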