Side-channel vulnerability in libgcrypt - the Marvin Attack

Hubert Kario hkario at redhat.com
Wed Mar 20 14:18:28 CET 2024


On Wednesday, 20 March 2024 02:44:51 CET, Jacob Bachmeyer wrote:
> Hubert Kario via Gcrypt-devel wrote:
>> On Saturday, 16 March 2024 00:43:58 CET, NIIBE Yutaka wrote: ...
>
> The method to harden a USB device against this type of attack 
> is to work out the worst-case computation time, and always hold 
> the response until that time (measured in USB time slots) has 
> elapsed.  To use numbers from your example, the device performs 
> the operation, completing it in 18 to 22 time slots, but holds 
> the response until 24 time slots have elapsed from the request.
>
> This of course requires actually knowing how your program works 
> and its worst-case running time, which sadly is probably rare in 
> modern commercial programming.
>
> The device also must guard against a malicious host by having 
> its own clock (which is needed for its processor and USB 
> interface anyway) and shutting down if the time slots it sees on 
> the bus do not align with the USB spec.  (If I remember 
> correctly, the USB spec requires each time slot to be some 
> number of milliseconds, but the USB host determines the precise 
> timing.)  Otherwise, a non-standard malicious host could "bend" 
> the slot timing enough that the fixed response delay is not 
> always sufficient for the operation to complete.

IIUC, there are ways to do polling more often... some gaming mice advertise
that as a feature.

But, yes, if there is no differentiation in the reply times, or they don't
depend on the secret data, then you will fix the timing side-channel.
It should be noted that this will protect only against timing
side-channel.

There are other side-channels, like sound:
https://arstechnica.com/information-technology/2013/12/new-attack-steals-e-mail-decryption-keys-by-capturing-computer-sounds/
or power related (using remote CCTV cameras):
https://arstechnica.com/information-technology/2023/06/hackers-can-steal-cryptographic-keys-by-video-recording-connected-power-leds-60-feet-away/

Fixing it so that the timing of the actual operation is actually 
independent
of secret data is a first step in fixing the power side channels.

-- 
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic




More information about the Gcrypt-devel mailing list