FYI. I'll work on this

---------- Forwarded message ---------
From: Florian Sieck <[email protected]>
Date: Fri, Dec 11, 2020 at 05:57
Subject: Side-Channel Vulnerability in base64 PEM file decoding
To: <[email protected]>
CC: Jan Wichelmann <[email protected]>, Sebastian Berndt <[email protected]>, Thomas Eisenbarth <[email protected]>


Dear Yu Ding,

We are researchers from the Institute for IT Security at the University
of Lübeck, and are contacting you because of a side-channel security
vulnerability we found in your library.

We performed a systematic analysis of several cryptographic libraries
and investigated the base64 decoding functions for non-constant-time
behavior. We showed that most libraries leak key information, which can
be exploited with high-resolution cache measurements, e.g. through a
single-stepped cache attack in SGX. This information can be used to
reduce the security of RSA keys by about one level. We believe that
every function processing sensitive data should perform its computations
in constant time, to ensure that no secret information leaks via any
side channels.

The core problem is caused by the usage of lookup tables in the presence of
microarchitectural structures like caches, which introduce non-constant
timing behavior for memory accesses. The amount of leaked information
depends on the distribution of the lookup table entries over cache
lines, which is influenced by the table's memory alignment. We found
that none of the analyzed libraries forces a 64-byte alignment, and in
some cases the compiler used unfortunate placement, leading to a high
and exploitable leakage.

We describe the details in our paper, which we attached. The paper also
includes a section proposing a possible mitigation with a
constant-time lookup-table approach. We also reference the
implementation used in BoringSSL, which is the only library we found
implementing base64 decoding and encoding in constant time and without
using lookup tables.

Specifically for the base64 decoding/encoding implementation in RustSGX
we found that the base64 decoding code is pulled in from the package
base64, version 0.13.0. Affected files are:

    *  rust-base64/src/decode.rs
    *  rust-base64/src/tables.rs

However, as far as we can tell the library is forked and changes
specific to RustSGX would be feasible.

We submitted our paper to the IEEE Symposium on Security & Privacy 2021,
where it will be under anonymous review until February. Please keep it
confidential in the meantime, as other libraries are also affected.

Please let us know if you have questions.

Kind regards,

Florian Sieck, Sebastian Berndt, Jan Wichelmann and Thomas Eisenbarth
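The mitigation the report points to (decoding without lookup tables, as in BoringSSL) can be illustrated with a small table-free decoder. This is an added example, not code from the paper, from BoringSSL or from rust-base64; the function names `ct_decode_char` and `ct_base64_decode` are hypothetical. Each input byte is mapped to its 6-bit value purely by arithmetic and masking, so no secret-dependent address is ever formed and the cache-line placement the report describes no longer matters.

```rust
/// 0xFF when a >= b, else 0. The arithmetic shift on i32 yields the mask without a branch.
fn ge_mask(a: u8, b: u8) -> u8 {
    (((b as i32) - (a as i32) - 1) >> 31) as u8
}

/// 0xFF when lo <= c <= hi, else 0.
fn in_range_mask(c: u8, lo: u8, hi: u8) -> u8 {
    ge_mask(c, lo) & ge_mask(hi, c)
}

/// Map one base64 alphabet byte to its 6-bit value using only arithmetic and
/// masking (no table, so no secret-dependent memory access).
/// Returns (value, valid_mask); valid_mask is 0xFF for alphabet bytes, 0 otherwise.
pub fn ct_decode_char(c: u8) -> (u8, u8) {
    let upper = in_range_mask(c, b'A', b'Z');
    let lower = in_range_mask(c, b'a', b'z');
    let digit = in_range_mask(c, b'0', b'9');
    let plus = in_range_mask(c, b'+', b'+');
    let slash = in_range_mask(c, b'/', b'/');
    // Every candidate value is computed; the masks select the single correct one.
    let value = (upper & c.wrapping_sub(b'A'))
        | (lower & c.wrapping_sub(b'a').wrapping_add(26))
        | (digit & c.wrapping_sub(b'0').wrapping_add(52))
        | (plus & 62)
        | (slash & 63);
    (value, upper | lower | digit | plus | slash)
}

/// Decode standard (padded) base64. Control flow depends only on the input
/// length and trailing padding, which are public; the byte values never steer
/// a branch or a memory access. Returns None for a bad length or non-alphabet bytes.
pub fn ct_base64_decode(input: &[u8]) -> Option<Vec<u8>> {
    if input.len() % 4 != 0 {
        return None;
    }
    let pad = input.iter().rev().take(2).filter(|&&c| c == b'=').count();
    let body = &input[..input.len() - pad];
    let mut out = Vec::with_capacity(body.len() * 3 / 4);
    let (mut acc, mut bits, mut invalid) = (0u32, 0u32, 0u8);
    for &c in body {
        let (v, ok) = ct_decode_char(c);
        invalid |= !ok; // accumulate errors; report only after the full pass
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1;
        }
    }
    if invalid != 0 { None } else { Some(out) }
}
```

Branchless source is necessary but not sufficient: check the generated assembly (or run a tool such as dudect-style timing tests) to confirm the compiler did not reintroduce a table or a data-dependent branch.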