Hasty Briefs (beta)

Checking that functions are constant time with Valgrind

2 days ago
  • #Cryptography
  • #Valgrind
  • #Security
  • Information leaks via timing side channels can be deadly, allowing theft of RSA keys, the kernel's dm_crypt keys, and AES keys over the network.
  • Constant-time functions require branches and memory accesses to be independent of secret inputs, but writing them is challenging and error-prone.
  • Valgrind's memcheck can be repurposed to detect secret-dependent branches and memory accesses by treating secret data as uninitialized.
  • A Valgrind patch intercepts calls to ct_poison and ct_unpoison to mark secret data, catching timing side channels in functions.
  • Testing reveals that even functions like BN_mod_exp_mont_consttime in OpenSSL may not be fully constant time, highlighting the tool's utility.
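
The poison-then-run check described above, as an added example that is not code from the original post or from the Valgrind patch. It assumes the stock memcheck client requests `VALGRIND_MAKE_MEM_UNDEFINED` and `VALGRIND_MAKE_MEM_DEFINED` as stand-ins for `ct_poison` and `ct_unpoison`; `leaky_equal`, `ct_equal`, `check_tag` and the key bytes are hypothetical, constructed names and data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#if defined(__has_include)
#  if __has_include(<valgrind/memcheck.h>)
#    include <valgrind/memcheck.h>
#    define HAVE_MEMCHECK 1
#  endif
#endif
#ifdef HAVE_MEMCHECK /* assumption: stock client requests stand in for the patch */
#  define ct_poison(p, n)   ((void)VALGRIND_MAKE_MEM_UNDEFINED((p), (n)))
#  define ct_unpoison(p, n) ((void)VALGRIND_MAKE_MEM_DEFINED((p), (n)))
#else /* header absent: no-ops so the file still builds and runs */
#  define ct_poison(p, n)   ((void)(p), (void)(n))
#  define ct_unpoison(p, n) ((void)(p), (void)(n))
#endif

/* Early exit: the branch depends on secret bytes, so memcheck flags it. */
static int leaky_equal(const unsigned char *a, const unsigned char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return 0;
    return 1;
}

/* No secret-dependent branch or index: differences are OR-ed together. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return (int)((((unsigned)diff - 1u) >> 8) & 1u); /* 1 only if diff == 0 */
}

typedef int (*cmp_fn)(const unsigned char *, const unsigned char *, size_t);

/* Poison the secret, run the comparison, then declassify only the verdict. */
static int check_tag(cmp_fn cmp, const char *guess) {
    unsigned char secret[16];
    memcpy(secret, "constructed-key!", sizeof secret); /* constructed sample */
    ct_poison(secret, sizeof secret);
    int ok = cmp(secret, (const unsigned char *)guess, sizeof secret);
    ct_unpoison(&ok, sizeof ok);        /* result may now be branched on */
    ct_unpoison(secret, sizeof secret);
    return ok;
}

int main(void) {
    printf("ct=%d\n", check_tag(ct_equal, "constructed-key?"));
    printf("leaky=%d\n", check_tag(leaky_equal, "constructed-key?"));
    return 0;
}
```

Built with `-g` and run under `valgrind`, the `leaky_equal` call is the one memcheck reports as a conditional jump depending on uninitialised values; outside Valgrind the client requests do nothing and both comparisons simply return their result.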