Hi all,
On Wed, Feb 5, 2014 at 7:20 PM, Pierre Joye <[email protected]> wrote:
> About the timing attack RFC, I have asked for some review and advice
> and here is a useful one already, thanks Alex :)
>
> Please keep him as CC as I do not know if he is on this list.
>
> Cheers,
>
> ---------- Forwarded message ----------
> From: Solar Designer <[email protected]>
> Date: Wed, Feb 5, 2014 at 10:46 AM
> Subject: Re: little request :)
> To: Pierre Joye <[email protected]>
>
>
> Hi,
>
> On Wed, Feb 05, 2014 at 09:18:25AM +0100, Pierre Joye wrote:
> > It would be great if you could review this RFC?
> >
> > https://wiki.php.net/rfc/timing_attack
> >
> > I am not totally convinced about the need of this new function, it
> > cannot hurt to have it but then the implementation has to be rock
> > solid.
>
> I think a function like this is needed, but you're right: it'd need to
> be let's say more solid, and it should be specified which properties are
> guaranteed and to what extent (tricky!)
>
> As it is, it tries to hide the length of known_str, but it fails to do
> so at least because integer division is commonly not constant time.
>
> Does zend_parse_parameters() figure out the string lengths in constant
> time? I hope so.
>
> Is MAX() implemented without branching? Hardly.
>
> "Do not optimize this for speed." - this is merely a source code
> comment, and while it might work on humans, it won't work on C
> compilers, which may indeed try to optimize the code in various ways.
> Currently, C compilers are not known to optimize this specific construct
> in a dangerous way, but there's nothing preventing them from doing so.
>
> For reference, here's what OpenBSD has:
>
>
> http://www.openbsd.org/cgi-bin/man.cgi?apropos=0&sektion=3&query=timingsafe_bcmp&manpath=OpenBSD+Current&arch=i386&format=html
>
> This is fixed-length, so the issue of hiding a length does not arise,
> and OpenBSD comes with and is built by a particular C compiler. I am
> not aware of them trying to introduce a similar function for variable
> length strings (OK, this may be in part because of the way strings are
> commonly stored in C, where even to determine the string length you'd
> have to be non-constant time already).
>
> Hiding a string length is really tricky, and only possible to a more
> limited extent than hiding byte value differences.
>
I agree that hiding string length is hard.

Another way to protect against timing attacks is to have a random sleep, but
this is tricky also. Too short or too long a sleep doesn't help.

BSD has:

    int
    timingsafe_bcmp(const void *b1, const void *b2, size_t n)
    {
        const unsigned char *p1 = b1, *p2 = b2;
        int ret = 0;

        for (; n > 0; n--)
            ret |= *p1++ ^ *p2++;
        return (ret != 0);
    }

It's safer since there is no division.
If we create a new string of the same length, the length leaks.
However, there is code using strlen(). With SSE, it is hard to know
the exact length, though.

Since we cannot assume a particular CPU, it may be better to use
this kind of simple operation and ignore the possible length leak.
I bet on allocating the same amount of memory and comparing like
above.

I would like to hear opinions from others.
Regards,
--
Yasuo Ohgaki
[email protected]
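
Added example, not part of the original message and not code from PHP or OpenBSD: a sketch of the simple approach discussed above, a fixed-length compare in the style of timingsafe_bcmp() wrapped for variable-length strings, with no division and with the length leak accepted. The names ct_bytes_equal and ct_str_equal are hypothetical, the sample tokens are constructed, and unlike timingsafe_bcmp() these functions return 1 on a match.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (name is an assumption): fixed-length compare in the
 * style of timingsafe_bcmp(). Every byte is always read; there is no early
 * exit, no division and no data-dependent branch inside the loop. */
static int ct_bytes_equal(const void *b1, const void *b2, size_t n)
{
    /* volatile reads discourage the compiler from short-circuiting the
     * loop; the C standard itself gives no timing guarantee. */
    const volatile unsigned char *p1 = b1;
    const volatile unsigned char *p2 = b2;
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < n; i++)
        diff |= (unsigned char)(p1[i] ^ p2[i]);

    /* Map diff (0..255) to 1 when it is zero and 0 otherwise, arithmetically. */
    return (int)(1u & (((unsigned int)diff - 1u) >> 8));
}

/* Hypothetical wrapper for variable-length strings: the length check is an
 * ordinary branch, so whether the lengths match is observable; the position
 * of the first differing byte is not. */
static int ct_str_equal(const char *known, size_t known_len,
                        const char *user, size_t user_len)
{
    if (known_len != user_len)
        return 0;
    return ct_bytes_equal(known, user, known_len);
}

int main(void)
{
    /* Constructed sample values, not real secrets. */
    const char known[] = "3f9a-constructed-token";
    const char same[] = "3f9a-constructed-token";
    const char late[] = "3f9a-constructed-tokeX";
    const char shorter[] = "3f9a";

    printf("same:    %d\n", ct_str_equal(known, strlen(known), same, strlen(same)));
    printf("late:    %d\n", ct_str_equal(known, strlen(known), late, strlen(late)));
    printf("shorter: %d\n", ct_str_equal(known, strlen(known), shorter, strlen(shorter)));
    return 0;
}
```

Whether the generated machine code stays branch-free depends on the compiler and flags, so inspect the disassembly of the build you actually ship.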