Stream: wg-secure-code

Topic: (non-)constant time


Tony Arcieri (Jul 24 2019 at 17:14, on Zulip):

A fun case study I just encountered...

Tony Arcieri (Jul 24 2019 at 17:14, on Zulip):

here is some C code https://godbolt.org/z/FzRm5h

Tony Arcieri (Jul 24 2019 at 17:16, on Zulip):

here is an attempt to translate that code into Rust https://godbolt.org/z/HCFmjy

Tony Arcieri (Jul 24 2019 at 17:17, on Zulip):

now with more jump instructions

Tony Arcieri (Jul 24 2019 at 17:18, on Zulip):

context https://twitter.com/real_or_random/status/1154011131066929152

briansmith (Jul 24 2019 at 19:50, on Zulip):

Your Rust code is much different than the C code. Rewrite your Rust code using usize instead of bool and it may do the right thing.

briansmith (Jul 24 2019 at 19:50, on Zulip):

in particular, you're using short-circuiting && and || in the Rust code, instead of non-short-circuiting & and | in the C code.

briansmith (Jul 24 2019 at 19:52, on Zulip):

That said, I wouldn't use <, >, etc. in C either

Tony Arcieri (Jul 24 2019 at 19:54, on Zulip):

yeah, we already did that

Tony Arcieri (Jul 24 2019 at 19:54, on Zulip):

and it appears to be constant time

Tony Arcieri (Jul 24 2019 at 19:55, on Zulip):

https://godbolt.org/z/NDovea

briansmith (Jul 24 2019 at 20:31, on Zulip):

Nice. Lucky that LLVM hasn't gotten around to optimizing that the wrong way yet.

briansmith (Jul 24 2019 at 20:33, on Zulip):

Interestingly, there are passes in LLVM that do optimize similar things a bad way, recognizing patterns for constant-time conditionals and converting them into non-constant-time conditionals, with the goal (I think) of having the auto-vectorizer convert them into SIMD conditionals that accidentally happen to be constant time.

briansmith (Jul 24 2019 at 20:33, on Zulip):

...but, when the auto-vectorization doesn't happen, it ends up using the non-constant-time scalar version of the code.

Last update: Nov 11 2019 at 22:35 UTC