Leaking control-flow (Frontal attack) #3394

Closed
raoulstrackx opened this issue Jun 4, 2020 · 3 comments · Fixed by #3398
bug component-crypto Crypto primitives and low-level interfaces

Comments

@raoulstrackx
Contributor

Description

  • Type: Bug
  • Priority: Minor

Bug

mbed TLS build:
Version: 2.16.6
OS version: SGX

Discoverers: Ivan Puddu, Moritz Schneider, Miro Haller, Srdjan Capkun, ETH Zurich (i.e., not me)
Short description: The authors describe in their paper a way to determine control flow in SGX enclaves by precisely timing interrupt latency. This succeeds even in balanced branches such as:

if (secret == 'a') {
  var1 = 1 + var1;
  var2 = 1 + var2;
} else {
  var1 = 2 + var1;
  var2 = 2 + var2;
}

The root cause of this is that the front-end of the processor fetches instructions with a 16 byte well-aligned window. The time to resume an instruction will depend on its location within this fetch window (and thus its virtual address) and instructions near it.
Full description: https://arxiv.org/abs/2005.11516

Solution:

  • Remove the secret dependent branch altogether

Code locations that require fixes:

  • mpi_montmul (bignum.c: 1924):
    if( mbedtls_mpi_cmp_abs( A, N ) >= 0 )
        mpi_sub_hlp( n, N->p, A->p );
    else
        /* prevent timing attacks */
        mpi_sub_hlp( n, A->p, T->p );
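The fix the issue asks for is to remove the secret-dependent branch rather than balance it. As an added example (not code from the issue or from Mbed TLS), the following shows the usual branch-free shape for that final conditional subtraction: always compute A - N, turn the final borrow into a mask, and select the result with bitwise operations. `limb_t`, `MAX_LIMBS` and `reduce_once_ct` are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 32-bit limb type, little-endian limb order, fixed maximum size
 * (all assumptions of this example, not Mbed TLS types). */
typedef uint32_t limb_t;
#define MAX_LIMBS 8

/*
 * Constant-time replacement for
 *     if (A >= N) A -= N; else A -= T;   (T == 0, the "balanced" dummy)
 * Always computes D = A - N, takes the borrow out of the top limb, turns it
 * into an all-ones/all-zeros mask and selects between A and D with bitwise
 * operations. No instruction address depends on the secret, so an
 * interrupt-latency measurement sees the same instruction stream either way.
 * Returns 1 if N was subtracted, 0 if not (for testing only; a Montgomery
 * multiplication caller does not need this value), -1 on a bad size.
 */
static int reduce_once_ct(limb_t *A, const limb_t *N, size_t n)
{
    limb_t D[MAX_LIMBS];
    uint64_t borrow = 0;

    if (n > MAX_LIMBS)   /* n is the public limb count, not a secret */
        return -1;

    for (size_t i = 0; i < n; i++) {
        uint64_t d = (uint64_t)A[i] - N[i] - borrow;
        D[i] = (limb_t)d;
        borrow = d >> 63;          /* 1 iff the limb subtraction wrapped */
    }

    /* borrow == 0  <=>  A >= N  <=>  mask == 0xFFFFFFFF (take D) */
    limb_t mask = (limb_t)0 - (limb_t)(1 - borrow);
    for (size_t i = 0; i < n; i++)
        A[i] = (A[i] & ~mask) | (D[i] & mask);

    return (int)(1 - borrow);
}

int main(void)
{
    /* Constructed sample: A = 2^32 + 1 and N = 2, each as two limbs. */
    limb_t A[2] = { 1, 1 }, N[2] = { 2, 0 };
    int subtracted = reduce_once_ct(A, N, 2);
    printf("subtracted=%d A=0x%08x%08x\n", subtracted, A[1], A[0]);
    return 0;
}
```

Inspect the generated assembly for the target compiler, since an optimizer may turn the mask select back into a conditional jump and reintroduce exactly the leak this issue reports.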
@gilles-peskine-arm
Contributor

Thanks for letting us know! We do consider secret-dependent branches in private-key operations to be bugs when they are not protected by blinding, which this one isn't. We'll fix this one as soon as possible.

@gilles-peskine-arm gilles-peskine-arm added bug component-crypto Crypto primitives and low-level interfaces labels Jun 4, 2020
@raoulstrackx
Contributor Author

Thanks!

@gilles-peskine-arm gilles-peskine-arm self-assigned this Jun 4, 2020
@gilles-peskine-arm gilles-peskine-arm added this to the June 2020 Sprint milestone Jun 4, 2020
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Jun 4, 2020
@gilles-peskine-arm
Contributor

It turns out that the leak was originally analyzed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, and Hyesoon Kim, Georgia Institute of Technology; Marcus Peinado, Microsoft Research (cited in Puddu et al.). As far as I can tell, the Mbed TLS team was not aware of that 2017 paper until now.

gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Jun 9, 2020