Hi Niels,

Thank you for the information.

// Ola

On Tue, Aug 9, 2016 at 3:32 PM, Niels Möller <ni...@lysator.liu.se> wrote:
> Ola Lundqvist <o...@inguza.com> writes:
>
>> However I was referring to the side-channel problem that was reported
>> in the CVE and not to the unintended side-effect of the correction.
>
> I see.
>
>> Do you know a way to trigger the problem reported in the CVE, please
>> let me know.
>
> I'm afraid it's not so easy.
>
> One approach is to try some attack tool to attack another process via
> the cache, but I'd expect that to be a little research project to set
> up.
>
> Another approach is to use valgrind. Insert valgrind annotations to mark
> the secret exponent as uninitialized data prior to calling the
> supposedly side-channel-silent operation. Then valgrind's memchecker
> will complain on unsafe instructions, namely branches and memory
> addresses depending on the secret, and these are precisely the
> operations that may leak via timing or via the cache. One would also
> need to mark the output areas as valid and defined at the end of the
> signature functions. Unfortunately, one might get some warnings even
> after the fix, it probably doesn't make the computation *completely*
> silent.
>
> Regards,
> /Niels
>
> --
> Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
> Internet email is subject to wholesale government surveillance.

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                    654 68 KARLSTAD            |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
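The valgrind technique Niels describes, as an added example in C that is not part of this thread or of Nettle: a toy modular exponentiation in a branchy and a masked form, with the exponent poisoned via VALGRIND_MAKE_MEM_UNDEFINED before the call and the result re-declared defined afterwards. The Valgrind header is included only when present, so the file also builds without it (the annotations then become no-ops).

```c
/* Added example (not from the list thread): ctgrind-style use of Valgrind
 * memcheck to find secret-dependent branches in a toy modexp. Build with
 * -O0 -g and run under `valgrind`: the branchy version reports "Conditional
 * jump or move depends on uninitialised value(s)"; the masked one does not. */
#include <stdint.h>
#if defined(__has_include)
# if __has_include(<valgrind/memcheck.h>)
#  include <valgrind/memcheck.h>
# endif
#endif
#ifndef VALGRIND_MAKE_MEM_UNDEFINED  /* no-ops when the Valgrind headers are absent */
# define VALGRIND_MAKE_MEM_UNDEFINED(p, n) ((void)0)
# define VALGRIND_MAKE_MEM_DEFINED(p, n)   ((void)0)
#endif

/* Toy square-and-multiply; mod must be < 2^32 so products fit in 64 bits.
 * The `if` on an exponent bit is exactly what memcheck flags. */
uint64_t modexp_branchy(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t r = 1 % mod;
    for (int i = 63; i >= 0; i--) {
        r = (r * r) % mod;
        if ((exp >> i) & 1)          /* secret-dependent branch */
            r = (r * base) % mod;
    }
    return r;
}

/* Same result, but the exponent bit only drives a mask: no branch and no
 * secret-dependent address, so memcheck stays quiet. */
uint64_t modexp_masked(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t r = 1 % mod;
    for (int i = 63; i >= 0; i--) {
        r = (r * r) % mod;
        uint64_t t = (r * base) % mod;
        uint64_t mask = 0 - ((exp >> i) & 1);   /* all ones if bit set */
        r = (t & mask) | (r & ~mask);
    }
    return r;
}

/* Harness as described: poison the exponent, run the operation, then mark
 * the output defined so printing or comparing it does not itself warn. */
uint64_t check_under_valgrind(uint64_t (*op)(uint64_t, uint64_t, uint64_t),
                              uint64_t base, uint64_t exp, uint64_t mod) {
    VALGRIND_MAKE_MEM_UNDEFINED(&exp, sizeof exp);
    uint64_t out = op(base, exp, mod);
    VALGRIND_MAKE_MEM_DEFINED(&out, sizeof out);
    return out;
}
```

A `main` that calls `check_under_valgrind` once with each function and prints the results is enough to see the difference under `valgrind`; as Niels notes, a real implementation may still produce some warnings after a fix, so each report has to be read rather than counted.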