[tor-dev] memcmp() & co. timing info disclosures?
Marsh Ray
marsh at extendedsubset.com
Fri May 6 23:13:38 UTC 2011
Greetings all,
I happened to download the tor-0.2.2.25-alpha.tar.gz source yesterday
and I noticed something. Apologies in advance if this has already been
discussed and resolved, I did a cursory web search and didn't see anything.
There are a lot of places in the code where memcmp() is called on memory
buffers that look like they might contain various hashes or digests:
~/tor-0.2.2.25-alpha$ grep -r memcmp . | grep -i digest | wc -l
137
~/tor-0.2.2.25-alpha$ grep -r memcmp . | grep -i key | wc -l
14
The built-in memcmp typically runs in time proportional to the common
prefix of the two memory buffers being compared. In networked
applications, this is often a significant source of timing information.
Sometimes these are severe enough to result in disclosure of secret key
material. A good resource for remote timing attacks is Nate Lawson's blog:
http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/
Some cases look particularly concerning. For example, in the following
code 'handshake_reply' appears to be supplied by the remote party and it
is compared with something called "key material".
src/or/onion.c:331:
if (memcmp(key_material, handshake_reply+DH_KEY_LEN, DIGEST_LEN)) {
/* H(K) does *not* match. Something fishy. */
log_warn(LD_PROTOCOL,"Digest DOES NOT MATCH on onion handshake. "
"Bug or attack.");
goto err;
}
In the worst-case, the attacker could simply supply different values of
handshake_reply, observe how long each takes to compare, and figure out
the value of key_material statistically byte-by-byte.
Perhaps this key material is never used again, or there are other
reasons this timing informaion is not useful. But in general, it's very
difficult to determine whether or not such a timing info disclosure
represents a vulnerability or how difficult it would be to exploit.
Expert programmers seem to consistently underestimate the severtiy of
these weaknesses, perhaps because they are so subtle. I've just started
learning about Tor so it's not possible for me to review every instance.
I think the quickest and easiest solution would be to replace every
usage of memcmp and str*cmp in the source with an alternate version that
guarantees a constant time comparison.
I'd expect this could be done with negligible performance impact,
especially for short comparisons like 20-byte hash values.
Regards,
- Marsh
More information about the tor-dev
mailing list