From: "Zack Weinberg" <zack@owlfolio.org>
To: "Paul Eggert" <eggert@cs.ucla.edu>
Cc: "GNU libc development" <libc-alpha@sourceware.org>
Subject: Re: [PATCH v5] libio: Add nonnull attribute for most FILE * arguments in stdio.h
Date: Tue, 11 Jul 2023 15:18:58 -0400 [thread overview]
Message-ID: <ea6add87-2372-45b6-bdc0-7137f6c87d4c@app.fastmail.com> (raw)
In-Reply-To: <7088282f-1720-6dc5-586d-3f1b2ffdece8@cs.ucla.edu>
[cc list pruned for this tangent]
On Mon, Jul 10, 2023, at 6:09 PM, Paul Eggert wrote:
> On 2023-07-10 14:22, Zack Weinberg via Libc-alpha wrote:
>
>>> Why it's not OK if no externally visible side effects is between the
>>> two points?
>>
>> The short answer is that the C standard's definition of "externally
>> visible side effect" is insufficient for the needs of certain security-
>> critical programs. In particular, *how long it takes for the program
>> to crash* may be an exploitable timing channel. (Look up "bomb oracle
>> attack" in the cryptography literature if that seems impossible.)
>
> I thought bomb oracles by definition explode when they don't give
> an answer. Exploding is different from undefined behavior. (Or
> perhaps you meant "padding oracle attack"? or something else? I'm a
> bit lost here.)
An adversary doesn't typically care *why* the program crashes, only that
they can extract information from whether and when it crashed. The
scenario I'm imagining is something like
if (pointer) {
use(pointer);
}
expensive_computation();
use(pointer);
Making the initial 'if' unconditional means that the program will crash
before the expensive computation. In this case that would remove a timing
channel, but you can see how it could just as easily be the other way around.
> As for timing channels - doesn't every optimization affect timing
> channels? What's special about this one?
Because making pointer dereferences unconditional (or conditional) is
the kind of optimization that can turn code that was *supposed* to
execute in constant time into code that doesn't.
zw
next prev parent reply other threads:[~2023-07-11 19:19 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-10 16:13 Xi Ruoyao
2023-07-10 17:12 ` Zack Weinberg
2023-07-10 17:27 ` Xi Ruoyao
2023-07-10 19:06 ` Zack Weinberg
2023-07-10 19:31 ` Xi Ruoyao
2023-07-10 17:51 ` Siddhesh Poyarekar
2023-07-10 18:41 ` Xi Ruoyao
2023-07-10 20:14 ` _Nullable and _Nonnull in GCC's analyzer (was: [PATCH v5] libio: Add nonnull attribute for most FILE * arguments in stdio.h) Alejandro Colomar
2023-07-10 20:16 ` Alejandro Colomar
2023-08-08 10:01 ` Martin Uecker
2023-08-09 0:14 ` enh
2023-08-09 1:11 ` Siddhesh Poyarekar
2023-08-09 7:26 ` Martin Uecker
2023-08-09 10:42 ` ISO C's [static] (was: _Nullable and _Nonnull in GCC's analyzer) Alejandro Colomar
2023-08-09 12:03 ` Martin Uecker
2023-08-09 12:37 ` Alejandro Colomar
2023-08-09 14:24 ` Martin Uecker
2023-08-09 13:46 ` Xi Ruoyao
2023-08-11 23:34 ` _Nullable and _Nonnull in GCC's analyzer (was: [PATCH v5] libio: Add nonnull attribute for most FILE * arguments in stdio.h) enh
2023-07-10 18:56 ` [PATCH v5] libio: Add nonnull attribute for most FILE * arguments in stdio.h Zack Weinberg
2023-07-10 19:31 ` Siddhesh Poyarekar
2023-07-10 19:35 ` Xi Ruoyao
2023-07-10 19:46 ` Siddhesh Poyarekar
2023-07-10 20:23 ` Xi Ruoyao
2023-07-10 20:33 ` Jeff Law
2023-07-10 20:44 ` Xi Ruoyao
2023-07-10 20:55 ` Zack Weinberg
2023-07-10 21:03 ` Xi Ruoyao
2023-07-10 21:22 ` Zack Weinberg
2023-07-10 21:33 ` Xi Ruoyao
2023-07-11 19:12 ` Zack Weinberg
2023-07-11 20:12 ` Siddhesh Poyarekar
2023-07-12 8:59 ` Xi Ruoyao
2023-07-10 22:09 ` Paul Eggert
2023-07-11 19:18 ` Zack Weinberg [this message]
2023-07-11 20:45 ` Jeff Law
2023-07-11 23:59 ` Paul Eggert
2023-07-12 2:40 ` Jeff Law
2023-07-10 22:48 ` Siddhesh Poyarekar
2023-07-11 0:45 ` Sam James
2023-07-10 21:51 ` Jeff Law
2023-07-11 13:03 ` Cristian Rodríguez
2023-07-10 22:34 ` Siddhesh Poyarekar
2023-07-10 22:59 ` Jeff Law
2023-07-11 0:51 ` Sam James
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ea6add87-2372-45b6-bdc0-7137f6c87d4c@app.fastmail.com \
--to=zack@owlfolio.org \
--cc=eggert@cs.ucla.edu \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).