[Haskell-cafe] Tor project

[Antonio Nikishaev]

Tobias Florek <haskell at ibotty.net> writes:

> hi,
>
>> Just wanted to say that what I posted might give hope for such
>> "branchless" code (or in fact: code that may branch, but by
>> construction not in a detectable way).
>
> i don't have the papers handy, but on the same host you can observe
> cache line collisions. that means you cannot do something different
> that takes the same time and generates the same amount of heat. you
> will have to do _the same thing_.

For example Flush+Reload attack, https://eprint.iacr.org/2013/448.pdf.
Or branch prediction attacks (see refs in the paper above).
Absolutely beautiful stuff.

> of course packages like vincent hanquez securemem provide that kind of
> equality checks (and other very useful properties). so some building
> blocks are there. interaction with the garbage collector is still
> something to worry about though. in some gcs you can observe whether a
> string is in use somewhere in the program or not. i am not intimate
> with ghc's gc but i don't expect that particular vulnerability is a
> problem when using securemem (or even bytestring or text), but there
> might (and i assume will) be many other opportunities to observe some
> state from outside the program.
>
> don't let me discourage you though. every step to less side channels
> is a valuable step!
>
> tob

-- 
lelf