Re: [PATCH v5] libio: Add nonnull attribute for most FILE * arguments in stdio.h

["Zack Weinberg" <zack@owlfolio.org>]

[cc list pruned for this tangent]

On Mon, Jul 10, 2023, at 6:09 PM, Paul Eggert wrote:
> On 2023-07-10 14:22, Zack Weinberg via Libc-alpha wrote:
>
>>> Why it's not OK if no externally visible side effects is between the
>>> two points?
>>
>> The short answer is that the C standard's definition of "externally
>> visible side effect" is insufficient for the needs of certain security-
>> critical programs. In particular, *how long it takes for the program
>> to crash* may be an exploitable timing channel. (Look up "bomb oracle
>> attack" in the cryptography literature if that seems impossible.)
>
> I thought bomb oracles by definition explode when they don't give
> an answer. Exploding is different from undefined behavior. (Or
> perhaps you meant "padding oracle attack"? or something else? I'm a
> bit lost here.)

An adversary doesn't typically care *why* the program crashes, only that
they can extract information from whether and when it crashed.  The
scenario I'm imagining is something like

if (pointer) {
   use(pointer);
}
expensive_computation();
use(pointer);

Making the initial 'if' unconditional means that the program will crash
before the expensive computation.  In this case that would remove a timing
channel, but you can see how it could just as easily be the other way around.

> As for timing channels - doesn't every optimization affect timing
> channels? What's special about this one?

Because making pointer dereferences unconditional (or conditional) is
the kind of optimization that can turn code that was *supposed* to
execute in constant time into code that doesn't.

zw