[tor-bugs] #13912 [Tor]: Key Security: Zeroing Buffers Is Insufficient (AES-NI leaves keys in SSE registers)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 10 00:56:39 UTC 2014
#13912: Key Security: Zeroing Buffers Is Insufficient (AES-NI leaves keys in SSE
registers)
------------------------+--------------------------------
Reporter: teor | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.???
Component: Tor | Version: Tor: 0.2.6.1-alpha
Resolution: | Keywords: security
Actual Points: | Parent ID:
Points: |
------------------------+--------------------------------
Comment (by yawning):
Ooof. This is tricky to solve correctly, but the AES-NI case is probably
not exploitable. From talking with nickm on IRC about this, the only way
for this to actually leak AES keys would be:
* Bugs that allow arbitrary code execution (we've lost in that case
regardless)
* Something that reads from a uninitialized XMM register in a way that
spits it out onto heap/stack/the network, while displaying "correct"
behavior otherwise.
* Your kernel is compromised (we've lost in that case regardless) since
the registers get saved on context switch.
These cases seem somewhat far fetched to me. Skimming the OpenSSL code
(Warning, not comprehensive), it looks like the round keys are stored in
xmm0/xmm1 (xmm0-5 is used for the key expansion), so we don't actually
need to scrub *everything* if we want to go down this path. The compiler
shouldn't be writing the contents of these registers out onto the
stack/heap after a return back into our code.
It's also worth a minor sidenote that recent glibc will use vectorized
memcpy() for sufficiently large copies, and will obliterate the contents
of these registers, though I have not checked to see if we memcpy() enough
data to trigger the vectorized codepath with any large frequency.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13912#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list