Clarify that the Lucky 13 fix is quite general

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2020-08-26 10:10:11 +02:00
parent 53d216081c
commit 8f18d08fae

@ -1,9 +1,11 @@
Security
* Fix a local timing side channel vulnerability in (D)TLS record decryption
when using a CBC ciphersuites without the Encrypt-then-Mac extension. In
those circumstances, a local attacker able to observe the state of the
cache could use well-chosen functions to measure the exact computation
time of the HMAC, and follow up with the usual range of Lucky 13 attacks,
including plaintext recovery and key recovery. Found and reported by Tuba
Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler
* In (D)TLS record decryption, when using a CBC ciphersuites without the
Encrypt-then-Mac extension, use constant code flow memory access patterns
to extract and check the MAC. This is an improvement to the existing
countermeasure against Lucky 13 attacks. The previous countermeasure was
effective against network-based attackers, but less so against local
attackers. The new countermeasure defends against local attackers, even
if they have access to fine-grained measurements. In particular, this
fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz,
Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler
(University of Florida) and Dave Tian (Purdue University).
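Review bot: number agreement in the first line of the new entry, "when using a CBC ciphersuites without the Encrypt-then-Mac extension": "a CBC ciphersuites" should read "a CBC ciphersuite" (the old entry's first line has the same slip, so this rewrite is the place to fix it). Two smaller points on the same lines: "use constant code flow memory access patterns" reads as one run-on noun phrase and is clearer as "use constant code flow and memory access patterns", and the old entry's statement of impact, "including plaintext recovery and key recovery", is dropped in the new text; keeping a short impact clause alongside "the usual range of Lucky 13 attacks" lets ChangeLog readers see why the stronger countermeasure matters without reading the report.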