Re: Side-channel Attacks (Time)

[Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP>]

On 2014-04-25, Shark8 <OneWingedShark@gmail.com> wrote:
> On 24-Apr-14 23:09, Pascal J. Bourguignon wrote:
>> Shark8 <OneWingedShark@gmail.com> writes:
>>
>>> Considering the needs for a secure, verified security library [to
>>> replace OpenSSL] I was wondering about using the TASK construct in
>>> conjunction with DELAY UNTIL /OP_UPPERBOUND/* would be an acceptable
>>> countermeasure.
>>
>> It could help.
>>
>> Choosing an algorithm without branches, and with fixed count loops would
>> be better.
>
> Hm, there's a thought.
> I rather do like the DELAY UNTIL solution as it concisely states the 
> intention as a timing-attack countermeasure. (Though I've got pretty 
> much no experience in real-time systems, so I can't say if it's actually 
> appropriate.)
>

The problem is that you are making assumptions about the environment
your code is running in when you determine how long something is going
to take.

The static values you come up with for a 3GHz desktop processor will be
very different from the values you need for a 100MHz (or even less)
embedded system, which makes the values you choose fragile when they are
used in different environments.

If, OTOH, you try to calculate some dynamic values at program startup
time which reflect the system you are running on, then you are vulnerable
to bad values calculated due to varying system load.

I wonder if you could achieve what you want by introducing random
micro-delays into the calculations themselves ?

Simon.

-- 
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world