Re: Security update of nettle

To: Ola Lundqvist <ola@inguza.com>
Cc: Debian LTS <debian-lts@lists.debian.org>, Andreas Metzler <ametzler@bebt.de>, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>, Magnus Holmgren <holmgren@debian.org>, Simon Josefsson <simon@josefsson.org>, James Westby <jw+debian@jameswestby.net>
Subject: Re: Security update of nettle
From: nisse@lysator.liu.se (Niels Möller)
Date: Tue, 09 Aug 2016 15:32:46 +0200
Message-id: <[🔎] nnbn12kqyp.fsf@armitage.lysator.liu.se>
In-reply-to: <[🔎] CABY6=0=+P7Hfe0CzSyCun4Zeet25t-GNsAQP69g7=Qe3izDfew@mail.gmail.com> (Ola Lundqvist's message of "Tue, 9 Aug 2016 14:58:50 +0200")
References: <[🔎] CABY6=0kr88T=FUPdhS6iaayixSCD1Ou6BaBGi-_Cpsid7AH+xg@mail.gmail.com> <[🔎] nnk2ftlp01.fsf@armitage.lysator.liu.se> <[🔎] CABY6=0=RkM=852Luhd90KTjaRFGL6Prmqe5UHF9Es7gDYEc3pQ@mail.gmail.com> <[🔎] 20160807060420.GA3409@argenau.bebt.de> <[🔎] CABY6=0nS0-1fBLW9mQW6xZqJGUAARjeDV+EWxd=Jk0kySif2KA@mail.gmail.com> <[🔎] CABY6=0=tenkhJ_-2=55FzV-aY2FjjUvV+Bb56auBP6EmwPw-OA@mail.gmail.com> <[🔎] nnfuqektyx.fsf@armitage.lysator.liu.se> <[🔎] CABY6=0=+P7Hfe0CzSyCun4Zeet25t-GNsAQP69g7=Qe3izDfew@mail.gmail.com>

Ola Lundqvist <ola@inguza.com> writes:

> However I was referring to the side-channel problem that was reported
> in the CVE and not to the unintended side-effect of the correction.

I see.

> Do you know a way to trigger the problem reported in the CVE, please
> let me know.

I'm afraid it's not so easy.

One approach is to try some attack tool to attack another process via
the cache, but I'd expect that to be a little research project to set
up.

Another approach is to use valgrind. Insert valgrind annotations to mark
the secret exponent as uninitialized data prior to calling the
supposedly side-channel-silent operation. Then valgrind's memchecker
will complain on unsafe instructions, nameley branches and memory
addresses depending on the secret, and these are precisely the
operations that may leak via timing or via the cache. One would also
need to mark the output areas as valid and defined at the end of the
signature functions. Unfortunately, one might get some warnings even
after the fix, it probably doesn't make the computation *completely*
silent.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

Reply to:

Follow-Ups:
- Re: Security update of nettle
  - From: Ola Lundqvist <ola@inguza.com>

References:
- Security update of nettle
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Security update of nettle
  - From: nisse@lysator.liu.se (Niels Möller)
- Re: Security update of nettle
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Security update of nettle
  - From: Andreas Metzler <ametzler@bebt.de>
- Re: Security update of nettle
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Security update of nettle
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Security update of nettle
  - From: nisse@lysator.liu.se (Niels Möller)
- Re: Security update of nettle
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: Security update of nettle
Next by Date: Re: [SECURITY] [DLA 590-1] python-django security update
Previous by thread: Re: Security update of nettle
Next by thread: Re: Security update of nettle
Index(es):
- Date
- Thread