7bd1550195
* Checkpoint * cpu cycle ffi * Rename * mixnode feature * Bundle libcpucycles
123 lines
6.6 KiB
HTML
123 lines
6.6 KiB
HTML
<html>
|
|
<head>
|
|
<meta http-equiv="content-type" content="text/html; charset=utf-8">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
<style type="text/css">
|
|
html{overflow-y:scroll}
|
|
body{font-family:sans-serif}
|
|
p,ul,ol,blockquote,pre{font-size:0.9em;line-height:1.6em}
|
|
li p{font-size:1.0em}
|
|
blockquote p{font-size:1.0em}
|
|
tt{font-size:1.2em}
|
|
code{font-size:1.2em}
|
|
h1{font-size:1.5em}
|
|
h2{font-size:1.3em}
|
|
h3{font-size:1.0em}
|
|
h1 a{text-decoration:none}
|
|
table{border-collapse:collapse}
|
|
th,td{border:1px solid black}
|
|
table a{text-decoration:none}
|
|
table tr{font-size:0.9em;line-height:1.6em}
|
|
.links a:hover{text-decoration:underline}
|
|
.links a:active{text-decoration:underline}
|
|
.links img{width:200px;padding-left:1em}
|
|
.links td{border:0px;padding-top:0.5em;padding-bottom:0.5em}
|
|
.headline{padding:0;font-weight:bold;font-size:1.5em;vertical-align:top;padding-bottom:0.5em;color:#125d0d}
|
|
.navt{display:inline-block;box-sizing:border-box;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;
|
|
min-width:14%;margin:0;padding:0;padding-left:0.5em;padding-right:0.5em;vertical-align:center;
|
|
font-weight:bold;font-size:1.1em;text-align:center;border:1px solid black}
|
|
.here{border-bottom:0px;background-color:#ffffff}
|
|
.away{background-color:#125d0d;}
|
|
.away a{text-decoration:none;display:block;color:#ffffff}
|
|
.away a:hover,.away a:active{text-decoration:underline}
|
|
.main{margin:0;padding-top:0em;padding-bottom:1%;clear:both}
|
|
</style>
|
|
<title>
|
|
Security</title>
|
|
</head>
|
|
<body>
|
|
<div class=headline>
|
|
libcpucycles
|
|
</div>
|
|
<div class=nav>
|
|
<div class="navt away"><a href=index.html>Intro</a>
|
|
</div><div class="navt away"><a href=download.html>Download</a>
|
|
</div><div class="navt away"><a href=install.html>Install</a>
|
|
</div><div class="navt away"><a href=api.html>API</a>
|
|
</div><div class="navt away"><a href=counters.html>Counters</a>
|
|
</div><div class="navt away"><a href=selection.html>Selection</a>
|
|
</div><div class="navt here">Security
|
|
</div></div>
|
|
<div class=main>
|
|
<p>Many security systems have been shown to be breakable by "timing
|
|
attacks". These attacks extract secrets by analyzing timings of the
|
|
legitimate user's operations on secret data. See the June 2022 survey
|
|
page <a href="https://timing.attacks.cr.yp.to">https://timing.attacks.cr.yp.to</a>
|
|
for an overview and further references.</p>
|
|
<p>Sometimes these attacks are used as motivation to disable the attacker's
|
|
access to various timing mechanisms. For example, Firefox rounds its
|
|
<code>performance.now</code> timer to 1-millisecond resolution
|
|
<a href="https://developer.mozilla.org/en-US/docs/Web/API/Performance/now">"to mitigate potential security threats"</a>.</p>
|
|
<p>As another example, reducing <code>/proc/sys/kernel/perf_event_paranoid</code>
|
|
under Linux to 2 (from 3 or higher), so that libcpucycles has access to
|
|
the best available Intel/AMD cycle counter (RDPMC), also means making
|
|
this cycle counter and other performance-monitoring counters available
|
|
to any attacker-controlled software running on the computer. Perhaps
|
|
this helps timing attacks, not to mention the possibility of opening up
|
|
other vulnerabilities via the complicated <code>perf_event</code> interface.</p>
|
|
<p>As yet another example, ARM CPUs disable user access to the main CPU
|
|
cycle counter by default. Installing a kernel module to enable user
|
|
access to the cycle counter could help attacks.</p>
|
|
<p>Given the availability of simple mechanisms to disable RDPMC etc., it is
|
|
easy to recommend using those mechanisms. To avoid creating unnecessary
|
|
tension between those recommendations and the use of libcpucycles,
|
|
applications that use libcpucycles should be structured so that
|
|
high-resolution timers are used only on controlled development and
|
|
benchmarking machines, not on general end-user machines.</p>
|
|
<p>This structure might seem incompatible with using cycle counts to
|
|
automatically select the best of multiple options, as in FFTW. However,
|
|
new infrastructure introduced in <a href="https://lib25519.cr.yp.to">lib25519</a>
|
|
automatically selects options on end-user machines based on cycle counts
|
|
that were <em>collected on benchmarking machines</em>.</p>
|
|
<p>The above text should not be understood as endorsing the idea that
|
|
disabling timers is an <em>effective</em> defense against timing attacks.
|
|
Certainly disabling high-resolution timers is not sufficient for
|
|
security: there are many ways for attackers to amplify timing signals
|
|
and to statistically filter out noise from low-resolution timers.
|
|
Disabling <em>every</em> standard timing mechanism on the machine does not stop
|
|
the attacker from accessing a remote timer or a counter maintained by
|
|
the attacker's software. Perhaps disabling timers sometimes makes the
|
|
difference between a feasible attack and an infeasible attack, but
|
|
evaluating this is extremely difficult.</p>
|
|
<p>Meanwhile there is an auditable methodology available to stop timing
|
|
attacks: constant-time programming, which systematically cuts off data
|
|
flow from secrets to timings.</p>
|
|
<p>For example, secrets affect a CPU's power consumption, and Turbo Boost
|
|
creates data flow from power consumption to timings, as illustrated by
|
|
the <a href="https://www.hertzbleed.com">Hertzbleed attack</a> extracting secret
|
|
keys from the SIKE cryptosystem (before SIKE was broken in other ways),
|
|
and an <a href="https://arxiv.org/abs/2206.07012">independent attack</a>
|
|
extracting secret AES keys. Consequently, the constant-time methodology
|
|
does not allow Turbo Boost.</p>
|
|
<p>This is why <a href="https://timing.attacks.cr.yp.to">https://timing.attacks.cr.yp.to</a>
|
|
recommends turning off Turbo Boost "right now", and explains the
|
|
mechanisms available to do this. One non-security reason that it was
|
|
already normal (although not universal) for manufacturers to provide
|
|
these mechanisms to end users is that Turbo Boost has a reputation for
|
|
causing premature hardware failures. Turbo Boost also provides very
|
|
little speed benefit for modern multithreaded vectorized applications.</p>
|
|
<p>Another reaction to timing attacks is to apply "masking" techniques.
|
|
These techniques <em>seem</em> to make it more difficult for attackers to
|
|
extract secrets from power consumption and other side channels. However,
|
|
as <a href="https://timing.attacks.cr.yp.to">https://timing.attacks.cr.yp.to</a>
|
|
explains, it is "practically impossible for an auditor to obtain any
|
|
real assurance that these techniques are secure". See the December 2022
|
|
paper
|
|
<a href="https://eprint.iacr.org/2022/1713">"Breaking a fifth-order masked implementation of CRYSTALS-Kyber by copy-paste"</a>
|
|
for a newer example of a security failure in a masked implementation.</p><hr><font size=1><b>Version:</b>
|
|
This is version 2023.01.05 of the "Security" web page.
|
|
</font>
|
|
</div>
|
|
</body>
|
|
</html>
|