[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #13912 [Core Tor/Tor]: Key Security: Zeroing Buffers Is Insufficient (AES-NI leaves keys in SSE registers)



#13912: Key Security: Zeroing Buffers Is Insufficient (AES-NI leaves keys in SSE
registers)
-------------------------------------------------+-------------------------
 Reporter:  teor                                 |          Owner:
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  unspecified
Component:  Core Tor/Tor                         |        Version:  Tor:
                                                 |  0.2.6.1-alpha
 Severity:  Normal                               |     Resolution:
 Keywords:  security registers aesni memwipe     |  Actual Points:
  tor-relay                                      |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by cypherpunks):

 Replying to [comment:5 yawning]:
 > Ooof.  This is tricky to solve correctly, but the AES-NI case is
 probably not exploitable.  From talking with nickm on IRC about this, the
 only way for this to actually leak AES keys would be:
 >
 >  * Bugs that allow arbitrary code execution (we've lost in that case
 regardless)
 >  * Something that reads from a uninitialized XMM register in a way that
 spits it out onto heap/stack/the network, while displaying "correct"
 behavior otherwise.
 >  * Your kernel is compromised (we've lost in that case regardless) since
 the registers get saved on context switch.

 What about ROP gadgets that do not provide turing complete behavior (so no
 "arbitrary" code execution), but still expose the sensitive registers?
 There will certainly be gadgets for reading from these registers.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13912#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs