[tor-bugs] #17983 [Core Tor/Tor]: Build tor with -ftrapv by default
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Apr 26 15:38:48 UTC 2016
#17983: Build tor with -ftrapv by default
-------------------------------------------------+-------------------------
 Reporter:  teor                                 | Owner:  nickm
     Type:  enhancement                          | Status:  needs_revision
 Priority:  High                                 | Milestone:  Tor: 0.2.9.x-final
Component:  Core Tor/Tor                         | Version:
 Severity:  Normal                               | Resolution:
 Keywords:  TorCoreTeam201604, tor-sponsorS-orphan | Actual Points:
Parent ID:                                       | Points:  small
 Reviewer:                                       | Sponsor:  SponsorS-can
-------------------------------------------------+-------------------------
Changes (by nickm):
* status: needs_review => needs_revision
Comment:
update: I've asked around in #llvm, and I've asked some crypto
implementers if they have any thoughts here.
So far the safest option seems to be to use fwrapv on the code that should
be constant-time, and ftrapv elsewhere. Additionally, out of an abundance
of caution, we should change --enable-expensive-hardening so that the
constant-time code is not built with any of the compiler sanitizers in
that case.
(I have not seen a conclusive argument that the untaken branches
added by trapv and the sanitizers mess with constant-time properties, but
it does seem that the diversity of branch predictors is so great that it
is hard for me to call these branches "always harmless" with much
certainty. Maybe given more information.)
I've added a ticket to write testing logic to verify that our operations
run in constant time. (#18896) I've added another ticket about the
sanitizers (#18901). I'm going to needs_revision this ticket, with the
plan to use fwrapv on all constant-time modules, and trapv elsewhere.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17983#comment:25>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
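
The two overflow behaviours named in the comment above, modelled at source level as an added example (not Tor's code and not part of the ticket comment). The function names are hypothetical, and the wrapping conversion assumes the GCC/Clang two's-complement behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models -fwrapv: the sum wraps modulo 2^32 and no branch is needed.
 * Unsigned addition is defined to wrap; converting back to int32_t is
 * implementation-defined in C, and wraps on GCC and Clang (assumption). */
static int32_t add_wrapping(int32_t a, int32_t b)
{
  return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Models -ftrapv: the same addition behind an overflow check.
 * Returns 1 and stores the sum, or 0 where -ftrapv would abort. */
static int add_checked(int32_t a, int32_t b, int32_t *out)
{
  /* This normally untaken branch is the kind the comment is unsure about. */
  if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
    return 0;
  *out = a + b;
  return 1;
}

/* Comparison with no data-dependent branch, done entirely in unsigned
 * arithmetic, so neither flag has a signed operation to instrument.
 * Returns 1 if the buffers are equal, 0 otherwise. */
static int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
  uint32_t diff = 0;
  for (size_t i = 0; i < n; i++)
    diff |= (uint32_t)a[i] ^ (uint32_t)b[i];
  /* diff is in 0..255; (diff - 1) >> 8 is nonzero only when diff == 0. */
  return (int)(1u & ((diff - 1u) >> 8));
}

int main(void)
{
  const uint8_t k1[4] = {1, 2, 3, 4}, k2[4] = {1, 2, 3, 5}; /* constructed */
  int32_t sum = 0;
  int ok = add_checked(INT32_MAX, 1, &sum);
  printf("wrapping: %d\n", (int)add_wrapping(INT32_MAX, 1));
  printf("checked:  %s\n", ok ? "sum stored" : "would trap");
  printf("ct_memeq: %d %d\n", ct_memeq(k1, k1, 4), ct_memeq(k1, k2, 4));
  return 0;
}
```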