[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security update of nettle

Ola Lundqvist <ola@inguza.com> writes:

> However I was referring to the side-channel problem that was reported
> in the CVE and not to the unintended side-effect of the correction.

I see.

> Do you know a way to trigger the problem reported in the CVE, please
> let me know.

I'm afraid it's not so easy.

One approach is to try some attack tool to attack another process via
the cache, but I'd expect that to be a little research project to set

Another approach is to use valgrind. Insert valgrind annotations to mark
the secret exponent as uninitialized data prior to calling the
supposedly side-channel-silent operation. Then valgrind's memchecker
will complain on unsafe instructions, nameley branches and memory
addresses depending on the secret, and these are precisely the
operations that may leak via timing or via the cache. One would also
need to mark the output areas as valid and defined at the end of the
signature functions. Unfortunately, one might get some warnings even
after the fix, it probably doesn't make the computation *completely*


Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

Reply to: