[tor-bugs] #13912 [Tor]: Key Security: Zeroing Buffers Is Insufficient (AES-NI leaves keys in SSE registers)

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Dec 10 00:56:39 UTC 2014


#13912: Key Security: Zeroing Buffers Is Insufficient (AES-NI leaves keys in SSE
registers)
------------------------+--------------------------------
     Reporter:  teor    |      Owner:
         Type:  defect  |     Status:  new
     Priority:  normal  |  Milestone:  Tor: 0.2.???
    Component:  Tor     |    Version:  Tor: 0.2.6.1-alpha
   Resolution:          |   Keywords:  security
Actual Points:          |  Parent ID:
       Points:          |
------------------------+--------------------------------

Comment (by yawning):

 Ooof.  This is tricky to solve correctly, but the AES-NI case is probably
 not exploitable.  From talking with nickm on IRC about this, the only way
 for this to actually leak AES keys would be:

  * Bugs that allow arbitrary code execution (we've lost in that case
 regardless)
  * Something that reads from an uninitialized XMM register in a way that
 spits it out onto heap/stack/the network, while displaying "correct"
 behavior otherwise.
  * Your kernel is compromised (we've lost in that case regardless) since
 the registers get saved on context switch.

 These cases seem somewhat far-fetched to me.  Skimming the OpenSSL code
 (Warning, not comprehensive), it looks like the round keys are stored in
 xmm0/xmm1 (xmm0-5 is used for the key expansion), so we don't actually
 need to scrub *everything* if we want to go down this path.  The compiler
 shouldn't be writing the contents of these registers out onto the
 stack/heap after a return back into our code.

 It's also worth a minor sidenote that recent glibc will use vectorized
 memcpy() for sufficiently large copies, and will obliterate the contents
 of these registers, though I have not checked to see if we memcpy() enough
 data to trigger the vectorized codepath with any large frequency.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13912#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
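
Added example, not part of the ticket comment and not Tor or OpenSSL code: scrubbing xmm0-xmm5 after an AES-NI call, with a self-check that loads a constructed pattern into those registers and reads them back. It assumes x86-64 with GCC or Clang inline asm and takes the register set from the comment's own non-comprehensive skim of OpenSSL; scrub_xmm0_5 and xmm_residue are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

#if !defined(__x86_64__) || !defined(__GNUC__)
#error "needs x86-64 and GCC/Clang inline asm"
#endif

#define XMM_LIST "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5"
/* Zero xmm0..xmm5 (register set assumed from the comment's skim of OpenSSL). */
#define XMM_SCRUB \
    "pxor %%xmm0,%%xmm0\n\tpxor %%xmm1,%%xmm1\n\tpxor %%xmm2,%%xmm2\n\t" \
    "pxor %%xmm3,%%xmm3\n\tpxor %%xmm4,%%xmm4\n\tpxor %%xmm5,%%xmm5\n\t"
/* Copy the 16 bytes at operand 0 into all six registers. */
#define XMM_LOAD \
    "movdqu (%0),%%xmm0\n\tmovdqa %%xmm0,%%xmm1\n\tmovdqa %%xmm0,%%xmm2\n\t" \
    "movdqa %%xmm0,%%xmm3\n\tmovdqa %%xmm0,%%xmm4\n\tmovdqa %%xmm0,%%xmm5\n\t"
/* Dump the six registers to the 96 bytes at operand 1. */
#define XMM_STORE \
    "movdqu %%xmm0,(%1)\n\tmovdqu %%xmm1,16(%1)\n\tmovdqu %%xmm2,32(%1)\n\t" \
    "movdqu %%xmm3,48(%1)\n\tmovdqu %%xmm4,64(%1)\n\tmovdqu %%xmm5,80(%1)\n\t"

/* Hypothetical helper: call right after the AES routine returns. */
static void scrub_xmm0_5(void)
{
    __asm__ __volatile__(XMM_SCRUB : : : XMM_LIST);
}

/* Self-check: returns how many of xmm0..xmm5 still hold nonzero bytes.
 * Load, optional scrub and read-back sit in one asm statement so the
 * compiler cannot touch the registers in between. */
static int xmm_residue(int do_scrub)
{
    uint8_t pat[16], out[6][16];
    int dirty = 0;
    memset(pat, 0xA5, sizeof pat);   /* constructed stand-in for key bytes */
    memset(out, 0xFF, sizeof out);   /* a skipped store would count as dirty */
    if (do_scrub)
        __asm__ __volatile__(XMM_LOAD XMM_SCRUB XMM_STORE
                             : : "r"(pat), "r"(out) : XMM_LIST, "memory");
    else
        __asm__ __volatile__(XMM_LOAD XMM_STORE
                             : : "r"(pat), "r"(out) : XMM_LIST, "memory");
    for (int i = 0; i < 6; i++)
        for (int j = 0; j < 16; j++)
            if (out[i][j]) { dirty++; break; }
    return dirty;
}

int main(void) { scrub_xmm0_5(); return xmm_residue(1); }
```

The scrub only covers the live registers; copies the kernel saved on a context switch, which the comment also mentions, are outside its reach.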

