On Mon, Nov 09, 2009 at 06:46:16PM +0100, Duboucher Thomas wrote:
>
> Ok, I typed this in a few minutes and I'm not confident either with
> what I wrote; I would check that it works first. ;)
> But the point here is that whatever the user gives as an input, it is
> executed exactly n-th times, n being the length of the user input; and
> that whatever the result of the 'if' statement is, the CPU realizes the
> same amount of operations. By doing so, the attacker will only find out
> how long it takes to make the comparison with an n characters long input.

Actually, modern CPUs are very complex and the number of operations (or
time taken by them) isn't easy to predict.

-- 
Robert Millan

  The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and
  how) you may access your data; but nobody's threatening your freedom: we
  still allow you to remove your data and not access it at all."
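
The comparison described in the quoted message, set beside an early-exit comparison, as an added example that is not code from this thread or from GRUB. The function names and the sample secret are constructed for illustration; the step counters show only loop iterations, which, as the reply points out, is not the same thing as measured CPU time.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Early-exit compare: returns at the first mismatch, so the number of
 * iterations (*steps) reveals how long the matching prefix is. */
static int leaky_equal(const char *input, const char *secret, size_t *steps)
{
    size_t i;
    *steps = 0;
    for (i = 0; ; i++) {
        (*steps)++;
        if (input[i] != secret[i])
            return 0;
        if (input[i] == '\0')
            return 1;
    }
}

/* Fixed-work compare: the loop runs exactly strlen(input) times and folds
 * every difference into `diff` with XOR/OR, with no branch on the result. */
static int fixed_work_equal(const char *input, const char *secret, size_t *steps)
{
    size_t n = strlen(input), m = strlen(secret), i;
    size_t diff = n ^ m;            /* nonzero when the lengths differ */
    *steps = 0;
    for (i = 0; i < n; i++) {
        /* i % (m + 1) keeps the index inside secret (terminator included);
         * when n == m it is simply i. */
        diff |= (size_t)((unsigned char)input[i] ^ (unsigned char)secret[i % (m + 1)]);
        (*steps)++;
    }
    return diff == 0;
}

int main(void)
{
    const char *secret = "secret";  /* constructed sample value */
    const char *guesses[] = { "aXXXXX", "secXXX", "secret" };
    size_t k, a, b;
    for (k = 0; k < 3; k++) {
        int r1 = leaky_equal(guesses[k], secret, &a);
        int r2 = fixed_work_equal(guesses[k], secret, &b);
        printf("%-6s leaky=%d (%zu steps) fixed=%d (%zu steps)\n",
               guesses[k], r1, a, r2, b);
    }
    return 0;
}
```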