Defeating Memory Comparison Timing Oracles (Red Hat Security Blog)

Over at the Red Hat Security Blog, Florian Weimer looks at timing oracles in memory comparison functions and how to stop them. Timing oracles can allow attackers to extract keys or other secret data by timing code that compares input data to the secret. “Of course, there are other architectures (and x86 implementations), so we will have to perform further research to see if we can remove the timing oracle from their implementations at acceptable (read: zero) cost. For architectures where super-scalar, pipelined implementations are common, this is likely the case. But the GNU C library will probably not be a in a position to commit to an oracle-free memcmp by default (after all, future architectures might have different requirements). But I hope that we can promise that in -D_FORTIFY_SOURCE=2 mode, memcmp is oracle-free.“

RELATED ARTICLESMORE FROM AUTHOR

Maintainer Confidential: Challenges and Opportunities One Year On

Bridging Design and Runtime Gaps: AsyncAPI in Event-Driven Architecture

Implementing OpenTelemetry Natively in an Event Broker

Innovation as a Catalyst in Telecommunications

Linux 6.8 Brings More Sound Hardware Support For Intel & AMD, Including The Steam Deck

RELATED ARTICLES MORE FROM AUTHOR