## Reporting Vulnerabilities

If you think you have found an Mbed TLS security vulnerability, then please
send an email to the security team at
<mbed-tls-security@lists.trustedfirmware.org>.

## Security Incident Handling Process

Our security process is detailed in our
[security
center](https://developer.trustedfirmware.org/w/mbed-tls/security-center/).

Its primary goal is to ensure fixes are ready to be deployed when the issue
goes public.

## Maintained branches

Only the maintained branches, as listed in [`BRANCHES.md`](BRANCHES.md),
get security fixes.
Users are urged to always use the latest version of a maintained branch.

## Threat model

We classify attacks based on the capabilities of the attacker.

### Remote attacks

In this section, we consider an attacker who can observe and modify data sent
over the network. This includes observing the content and timing of individual
packets, as well as suppressing or delaying legitimate messages, and injecting
messages.

Mbed TLS aims to fully protect against remote attacks and to enable the user
application to provide full protection against remote attacks. Said
protection is limited to providing security guarantees offered by the protocol
being implemented. (For example, Mbed TLS alone won't guarantee that the
messages will arrive without delay, as the TLS protocol doesn't guarantee that
either.)

**Warning!** Block ciphers do not yet achieve full protection against attackers
who can measure the timing of packets with sufficient precision. For details
and workarounds see the [Block Ciphers](#block-ciphers) section.

### Local attacks

In this section, we consider an attacker who can run software on the same
machine. The attacker has insufficient privileges to directly access Mbed TLS
assets such as memory and files.

#### Timing attacks

The attacker is able to observe the timing of instructions executed by Mbed TLS
by leveraging shared hardware that both Mbed TLS and the attacker have access
to. Typical attack vectors include cache timings, memory bus contention and
branch prediction.

Mbed TLS provides limited protection against timing attacks. The cost of
protecting against timing attacks varies widely depending on the granularity of
the measurements and the noise present. Therefore the protection in Mbed TLS is
limited. We are only aiming to provide protection against **publicly
documented attack techniques**.

As attacks keep improving, so does Mbed TLS's protection. Mbed TLS is moving
towards a model of fully timing-invariant code, but has not reached this point
yet.

**Remark:** Timing information can be observed over the network or through
physical side channels as well. Remote and physical timing attacks are covered
in the [Remote attacks](#remote-attacks) and [Physical
attacks](#physical-attacks) sections respectively.

**Warning!** Block ciphers do not yet achieve full protection. For
details and workarounds see the [Block Ciphers](#block-ciphers) section.

#### Local non-timing side channels

The attacker code running on the platform has access to some sensor capable of
picking up information on the physical state of the hardware while Mbed TLS is
running. This could, for example, be an analogue-to-digital converter on the
platform that happens to be located where it picks up the CPU noise.

Mbed TLS doesn't make any security guarantees against local non-timing-based
side channel attacks. If local non-timing attacks are present in a use case or
a user application's threat model, they need to be mitigated by the platform.

#### Local fault injection attacks

Software running on the same hardware can affect the physical state of the
device and introduce faults.

Mbed TLS doesn't make any security guarantees against local fault injection
attacks. If local fault injection attacks are present in a use case or a user
application's threat model, they need to be mitigated by the platform.

### Physical attacks

In this section, we consider an attacker who has access to physical information
about the hardware Mbed TLS is running on and/or can alter the physical state
of the hardware (e.g. power analysis, radio emissions or fault injection).

Mbed TLS doesn't make any security guarantees against physical attacks. If
physical attacks are present in a use case or a user application's threat
model, they need to be mitigated by physical countermeasures.

### Caveats
#### Out-of-scope countermeasures

Mbed TLS has evolved organically and a well-defined threat model hasn't always
been present. Therefore, Mbed TLS might have countermeasures against attacks
outside the above defined threat model.

The presence of such countermeasures doesn't mean that Mbed TLS provides
protection against a class of attacks outside of the above described threat
model. Neither does it mean that the failure of such a countermeasure is
considered a vulnerability.

#### Block ciphers

Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and
DES. The pure software implementations in Mbed TLS use lookup
tables, which are vulnerable to timing attacks.

These timing attacks can be physical, local or, depending on network latency,
even remote. The attacks can result in key recovery.

**Workarounds:**

- Turn on hardware acceleration for AES. This is supported only on selected
  architectures and currently only available for AES. See configuration options
  `MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details.
- Add a secure alternative implementation (typically hardware acceleration) for
  the vulnerable cipher. See the [Alternative Implementations
  Guide](docs/architecture/alternative-implementations.md) for more information.
- Use cryptographic mechanisms that are not based on block ciphers. In
  particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
  block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.

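
A compile-time audit of the workarounds above, added here as an example and not part of Mbed TLS: it reports which table-based block ciphers a build still enables without acceleration or a replacement. `table_cipher_exposure`, the `EXPOSED_*` flags and `AUDIT_USE_REAL_CONFIG` are hypothetical names; the `MBEDTLS_*_ALT` options and `mbedtls/build_info.h` are assumed from the Mbed TLS 3.x configuration, and the `#else` branch is a constructed sample configuration.

```c
#include <stdio.h>

#ifdef AUDIT_USE_REAL_CONFIG       /* hypothetical switch: audit your real build */
#include "mbedtls/build_info.h"    /* assumed Mbed TLS 3.x configuration header */
#else                              /* constructed sample configuration */
#define MBEDTLS_AES_C
#define MBEDTLS_AESNI_C
#define MBEDTLS_CAMELLIA_C
#define MBEDTLS_CTR_DRBG_C
#endif

enum { EXPOSED_AES = 1, EXPOSED_CAMELLIA = 2, EXPOSED_ARIA = 4,
       EXPOSED_DES = 8, EXPOSED_CTR_DRBG = 16 };

/* AES counts as table-based when neither an accelerator nor an *_ALT
 * replacement is compiled in. This sees only the build configuration, not
 * whether the CPU offers the accelerated instructions at run time. */
#if defined(MBEDTLS_AES_C) && !defined(MBEDTLS_AES_ALT) && \
    !defined(MBEDTLS_AESCE_C) && !defined(MBEDTLS_AESNI_C) && \
    !defined(MBEDTLS_PADLOCK_C)
#define AES_IS_TABLE_BASED 1
#else
#define AES_IS_TABLE_BASED 0
#endif

/* Returns a bitmask of table-based block ciphers this build leaves enabled. */
unsigned table_cipher_exposure(void) {
    unsigned flags = 0;
#if AES_IS_TABLE_BASED
    flags |= EXPOSED_AES;
#if defined(MBEDTLS_CTR_DRBG_C)    /* CTR_DRBG is built on AES */
    flags |= EXPOSED_CTR_DRBG;
#endif
#endif
#if defined(MBEDTLS_CAMELLIA_C) && !defined(MBEDTLS_CAMELLIA_ALT)
    flags |= EXPOSED_CAMELLIA;
#endif
#if defined(MBEDTLS_ARIA_C) && !defined(MBEDTLS_ARIA_ALT)
    flags |= EXPOSED_ARIA;
#endif
#if defined(MBEDTLS_DES_C) && !defined(MBEDTLS_DES_ALT)
    flags |= EXPOSED_DES;
#endif
    return flags;
}

int main(void) {
    return printf("table-based ciphers enabled: 0x%02x\n", table_cipher_exposure()) < 0;
}
```

In the sample configuration AES is covered by `MBEDTLS_AESNI_C`, so only CAMELLIA is reported; a non-zero result in a real build marks a cipher to disable, accelerate or replace.
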
#### Everest

The HACL* implementation of X25519 taken from the Everest project only protects
against remote timing attacks. (See their [Security
Policy](https://github.com/hacl-star/hacl-star/blob/main/SECURITY.md).)

The Everest variant is only used when the `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED`
configuration option is defined. This option is off by default.