Comments (16)
While not an exact match, valgrind's rules for uninitialized memory are very close to the constant-time computational model. For BoringSSL, we've found it very valuable for flagging non-constant-time code. It takes a bit of work, marking the right data as "secret" (uninitialized) and then "declassifying" (marking initialized) the right data at the right points. But it may help you all pinpoint the problem.
from openssl.
Hi @t8m. Thanks to you, @tomato42, and @GeorgePantelakis for this issue. Jaroslav Reznik brought this matter to our attention. So some questions. Are you looking for help from the IBM PPC crypto team? Is this problem specific to the new P-384 implementation? Do you already have recommendations on how we should modify the ppc64/ppc64le code? How can we test for this problem in house?
Are you looking for help from the IBM PPC crypto team?
yes, we don't have resources to fix it ourselves
Is this problem specific to the new P-384 implementation?
Probably, George will be able to say if any particular method is being called or not if you tell him what to look for
Do you already have recommendations on how we should modify the ppc64/ppc64le code?
No. Though at this point, the most likely reason for this leakage is a short-circuit in the scalar multiplication loop
How can we test for this problem in house?
You'll need to contact George for the test harness and instructions on how to execute it.
Hi @GeorgePantelakis. Can you help with some of the questions above? Is the matter all contained to the new P-384 implementation? How can we obtain the test harness?
Hello @gcwilson. Sorry for the big delay. To answer some of the questions: I do not know if it is the new implementation, we used the code for HEAD on 2024-04-16. As @tomato42 said, if you tell me a specific function, I can search if it is called. Now for the test harness, sure, we will create a toolkit tomorrow so you can easily test it yourself. If there is anything else feel free to ask.
@davidben could you please provide more details?
Sure. Just tell valgrind that the secret data is "uninitialized". Then when you intentionally branch on or otherwise reveal data that is now public, you need to mark it "initialized" first.
https://boringssl.googlesource.com/boringssl/+/6ab7c1482bf4cdc91c87bc512aaf68ffb18975ec/crypto/internal.h#568
Valgrind will then do data flow analysis and flag when you index or branch based on "uninitialized" memory.
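An added illustration of the annotation pattern David describes (example code written for this page, not OpenSSL's or BoringSSL's): a toy double-and-add loop in the additive group mod a prime, once with the short-circuit on the scalar's bit length and once constant-time, with the scalar marked "uninitialized" and the result "declassified". The CT_SECRET/CT_DECLASSIFY names are this example's own, modelled on the BoringSSL macros linked above; the modulus and inputs are constructed.

```c
#include <stdint.h>
/* Valgrind client requests when the header exists, no-ops otherwise. CT_SECRET and
 * CT_DECLASSIFY are this example's own names, modelled on BoringSSL's; not OpenSSL code. */
#if defined(__has_include)
#  if __has_include(<valgrind/memcheck.h>)
#    include <valgrind/memcheck.h>
#    define CT_SECRET(p, n)     VALGRIND_MAKE_MEM_UNDEFINED((p), (n))
#    define CT_DECLASSIFY(p, n) VALGRIND_MAKE_MEM_DEFINED((p), (n))
#  endif
#endif
#ifndef CT_SECRET
#  define CT_SECRET(p, n)     ((void)0)
#  define CT_DECLASSIFY(p, n) ((void)0)
#endif
static const uint32_t P = 4294967291u; /* toy group: Z_P additive, P = 2^32 - 5 (prime); k*G is k*g mod P */
/* a + b mod P with arithmetic only (a, b < P): no conditional jump for memcheck to flag. */
uint32_t add_mod(uint32_t a, uint32_t b) {
    uint64_t s = (uint64_t)a + b;
    uint64_t lt = (s - P) >> 63;           /* 1 if s < P (subtraction wrapped), else 0 */
    return (uint32_t)(s - (P & (lt - 1)));  /* subtract P only when s >= P */
}
/* Leaky double-and-add: the loop ends at the scalar's top set bit and branches on each
 * bit. With k marked secret, valgrind reports "Conditional jump or move depends on
 * uninitialised value(s)" on both lines: the short-circuit the thread suspects. */
uint32_t scalar_mul_leaky(uint64_t k, uint32_t g) {
    uint32_t acc = 0;
    while (k) {
        if (k & 1) acc = add_mod(acc, g);
        g = add_mod(g, g);
        k >>= 1;
    }
    return acc;
}
/* Constant-time variant: always 64 iterations, each bit applied through a mask. */
uint32_t scalar_mul_ct(uint64_t k, uint32_t g) {
    uint32_t acc = 0;
    for (int i = 0; i < 64; i++) {
        uint32_t mask = 0u - (uint32_t)((k >> i) & 1);  /* all ones if bit i set */
        acc = add_mod(acc, g & mask);                     /* adds g or 0, no branch */
        g = add_mod(g, g);
    }
    return acc;
}
/* Marks the scalar secret, runs one variant, then declassifies the public result so
 * callers may branch on or print it. Run the binary under valgrind to compare. */
uint32_t run_with_secret_scalar(uint64_t k, uint32_t g, int constant_time) {
    CT_SECRET(&k, sizeof k);
    uint32_t r = constant_time ? scalar_mul_ct(k, g) : scalar_mul_leaky(k, g);
    CT_DECLASSIFY(&r, sizeof r);
    return r;
}
```

Under valgrind only the leaky path produces reports, and the declassify call is what keeps the caller's use of the result quiet; forgetting it would flag a branch on genuinely public data.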
Just tell valgrind that the secret data is "uninitialized". Then when you intentionally branch on or otherwise reveal data that is now public, you need to mark it "initialized" first.
Nice trick!
@gcwilson, we have created a toolkit for Minerva. For now, it has only OpenSSL in it. You can find it at https://github.com/GeorgePantelakis/minerva-toolkit. For any questions or issues feel free to reach us.
Thanks very much for the toolkit @GeorgePantelakis. We plan to start investigating next week. And thank you @davidben for the Valgrind tips and tricks.
@gcwilson To provide a bit more information about using it: see the Marvin page for other general recommendations on running those tests, and if you need to figure out the precise location where the leak happens, you might want to use the technique I documented in the "Debugging timing side-channel leaks" post on my blog.
And just like George said, if you have questions, feel free to reach out to us.
Hi @GeorgePantelakis and @tomato42. Thanks for your help. We've successfully built the toolkit for Linux on Power and have gotten some initial results. We aren't seeing the same P-384 graph as you and want to understand why. We're going to do more tests on a POWER10 running only a single LPAR to ensure we aren't getting noise from other LPARs. Can you please tell us more about the test environment you used for your analysis? Was it on POWER8, POWER9, or POWER10?
@gcwilson not sure which machines @GeorgePantelakis used, if they were POWER9, then they most likely have been physical instances, if they were POWER10, then they would have been LPARs.
To see the same kind of graphs you will need to collect a significant amount of data: all of the graphs above are statistics of over 300 million signatures. That's the amount necessary to get confidence intervals (the "error bars") to be as small as in those graphs: about or smaller than 1 ns. What confidence intervals do you see?
More generally: if the LPARs don't have dedicated CPU cores (you have CPU overprovisioning), then making sure the other LPARs do nothing before you run the test is a good idea. On the other hand, we've noticed that with dedicated cores, the POWER10 LPARs in general provide higher quality data (less noise) than bare-metal POWER9 machines, even if all the LPARs are collecting data at the same time.
@tomato42 thanks for the test environment information. You also anticipated our next question regarding sample size. We collected far fewer samples and our confidence intervals range from around 20-90 ns. We'll run with the number you recommend and will hopefully reproduce the results with that.
@gcwilson as written in the tlsfuzzer documentation, the confidence interval is inversely proportional to the square root of the sample size. So for example, if you got a CI of 20 ns for the 383-bit nonce with the P-384 curve, you'll need to collect about 400 times more signatures to get the CI to about 1 ns. (That's why it's so important to make sure the system setup minimizes noise; it's usually much easier to set up core isolation and the like than to run a test with 100 times more measurements.)