[tor-dev] memcmp() & co. timing info disclosures?
Robert Ransom
rransom.8774 at gmail.com
Sat May 7 06:50:23 UTC 2011
On Fri, 6 May 2011 23:16:14 -0700
Chris Palmer <chris at eff.org> wrote:
> On May 6, 2011, at 10:25 PM, Robert Ransom wrote:
>
> > I would expect GCC (and most other C compilers) to use a
> > non-constant-time implementation of (v1 == v2).
>
> Are there machines that implement uint8_t comparison in a data-dependent way? What's an example?
That comparison expression can be implemented in non-constant time on
IA-32 processors:
; ECX = v1; EDX = v2; result in EAX
XOR EAX, EAX
CMP ECX, EDX
JE done
INC EAX
done:
I think I've seen GCC emit something similar to that within the last
few years, and I assume that some compilers still emit code containing
a conditional branch for that expression. In general, we don't want to
assume that conditional expressions are safe to use, even if a compiler
*could* implement them in a safe way (e.g. by compiling Nick's function
into something resembling mine).
Robert Ransom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20110506/0b8c2ee1/attachment.pgp>
More information about the tor-dev
mailing list