[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #13912 [Tor]: Key Security: Zeroing Buffers Is Insufficient (AES-NI leaves keys in SSE registers)

Subject: Re: [tor-bugs] #13912 [Tor]: Key Security: Zeroing Buffers Is Insufficient (AES-NI leaves keys in SSE registers)
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 10 Dec 2014 00:56:39 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 09 Dec 2014 19:56:47 -0500
In-reply-to: <044.8c947e23cb76f8beb775be9a08c0480c@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <044.8c947e23cb76f8beb775be9a08c0480c@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#13912: Key Security: Zeroing Buffers Is Insufficient (AES-NI leaves keys in SSE
registers)
------------------------+--------------------------------
     Reporter:  teor    |      Owner:
         Type:  defect  |     Status:  new
     Priority:  normal  |  Milestone:  Tor: 0.2.???
    Component:  Tor     |    Version:  Tor: 0.2.6.1-alpha
   Resolution:          |   Keywords:  security
Actual Points:          |  Parent ID:
       Points:          |
------------------------+--------------------------------

Comment (by yawning):

 Ooof.  This is tricky to solve correctly, but the AES-NI case is probably
 not exploitable.  From talking with nickm on IRC about this, the only way
 for this to actually leak AES keys would be:

  * Bugs that allow arbitrary code execution (we've lost in that case
 regardless)
  * Something that reads from a uninitialized XMM register in a way that
 spits it out onto heap/stack/the network, while displaying "correct"
 behavior otherwise.
  * Your kernel is compromised (we've lost in that case regardless) since
 the registers get saved on context switch.

 These cases seem somewhat far fetched to me.  Skimming the OpenSSL code
 (Warning, not comprehensive), it looks like the round keys are stored in
 xmm0/xmm1 (xmm0-5 is used for the key expansion), so we don't actually
 need to scrub *everything* if we want to go down this path.  The compiler
 shouldn't be writing the contents of these registers out onto the
 stack/heap after a return back into our code.

 It's also worth a minor sidenote that recent glibc will use vectorized
 memcpy() for sufficiently large copies, and will obliterate the contents
 of these registers, though I have not checked to see if we memcpy() enough
 data to trigger the vectorized codepath with any large frequency.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13912#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #13912 [Tor]: Key Security: Zeroing Buffers Is Insufficient (AES-NI leaves keys in SSE registers)
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #13718 [Tor]: Reachability Tests aren't conducted if there are no exit nodes
Next by Author: Re: [tor-bugs] #13839 [Tor]: Exit Policy says accept *:* but relay doesn't have Exit flag
Previous by thread: Re: [tor-bugs] #13912 [Tor]: Key Security: Zeroing Buffers Is Insufficient (AES-NI leaves keys in SSE registers)
Next by thread: [tor-bugs] #13913 [Tor]: Undocumented HS behavior with relative paths
Index(es):
- Author
- Thread