On 12/08/13 14:02, Ben Laurie wrote:
> On 12 August 2013 06:14, Ximin Luo <[email protected]> wrote:
>> How is it possible to defend against timing attacks in JS? Any language
>> theoretically can be compiled into anything, but the JS runtime does not
>> give you much control in what the CPU actually executes. The webcrypto WG
>> you linked to looks interesting, if browsers will provide a native crypto
>> API to JS, preinstalled (at least the mathy bits that you need direct
>> execution control over) as opposed to loaded on-demand by a remote server.
>> Did you ever think about having the cryptocat browser extension using a
>> lower-level language? Firefox at least can run binary extensions; I don't
>> know about Chrome.
>
> It is possible to defend against timing attacks by writing inherently
> constant time code. For example:
>
> https://github.com/openssl/openssl/commit/a693ead6dc75455f7f5bbbd631b3a0e7ee457965
>
> is full of such code.
>

But does this still necessarily hold after the JS compiler has had its way
with it? I can imagine some optimisers perhaps turning code like

    return a op b

into something like

    if a == 0: return 0;
    elif b == 0: return 0;
    else return a op b

X

--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
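
The source-level pattern the thread is discussing, as an added JavaScript example (not from either poster and not taken from the linked OpenSSL commit): an early-exit comparison beside branch-free comparison, selection and table lookup. All function names are hypothetical, and the JavaScript language gives no guarantee that an engine keeps these operations branch-free, which is the question the reply raises.

```javascript
// Added example; names are hypothetical, inputs are constructed.

// Leaky: returns at the first mismatch, so run time tracks the matching prefix.
function leakyEqual(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return false;
  }
  return true;
}

// 1 if x is zero, else 0, for 0 <= x < 2^31, without comparing x.
function ctIsZero(x) {
  return ((x - 1) >>> 31) & 1;
}

// Visits every byte and folds differences with XOR/OR; no data-dependent
// branch or early exit inside the loop.
function ctEqual(a, b) {
  if (a.length !== b.length) return false; // length treated as public
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a[i] ^ b[i];
  }
  return ctIsZero(diff) === 1;
}

// Returns a when bit is 1 and b when bit is 0, via a mask instead of `?:`.
function ctSelect(bit, a, b) {
  const mask = -bit | 0; // 1 -> 0xFFFFFFFF, 0 -> 0x00000000
  return ((a & mask) | (b & ~mask)) >>> 0;
}

// Reads table[secretIndex] by touching every entry, so the access pattern
// does not depend on the index.
function ctLookup(table, secretIndex) {
  let out = 0;
  for (let i = 0; i < table.length; i++) {
    out |= ctSelect(ctIsZero(i ^ secretIndex), table[i], 0);
  }
  return out >>> 0;
}

// Constructed sample: two 4-byte tags differing in the last byte.
const tagA = Uint8Array.of(0x10, 0x20, 0x30, 0x40);
const tagB = Uint8Array.of(0x10, 0x20, 0x30, 0x41);
console.log(ctEqual(tagA, tagA), ctEqual(tagA, tagB), ctLookup([10, 20, 30, 40], 2));
```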
