Side Channel Attacks

[defuse]

passgen appears vulnerable to cache side channel attacks. For example, when generating a standard character password:

// Discard the random byte if it isn't in range.
if(c < setLength) {
    password[i] = set[c];
    i++;
}

And when generating a random word password:

printf("%s", words[random]);

These should be replaced with constant-time lookups.

[defuse]

Also, do another pass checking for other side channels (keep FLUSH+RELOAD etc. in mind).

[defuse]

FLUSH+RELOAD would leak what type of password is being generated (hex, ascii, alpha, word, etc). I don't see an easy way to defend against that.

[defuse]

Fixed the cache side channels for characer-based passwords in 212a623b81dce49b8b15852dff21387f2795b5aa onward. Fixed cache side channels for word-based passwords in 2237ad267d5385731a116b0b0f48c7d9e1b13223.

[defuse]

Left to do:

• Explain in the help output why word passwords end with dots (I like dots because it's obvious that they're there).
• Look for other side channels.
• Verify fixes for side channels.

[defuse]

We can probably make a script that outputs all of the branch (if, while, etc.) conditions and all of the array accesses, (and maybe even non-constant-time operations like shifts) and we can go over each one and give a reason why it doesn't leak useful information.

Actually, something like that could be a useful tool on its own.

Edit: More thoughts: It could be a simple C parser, that just spits out all of the variables of which information is leaked. We could also define a macro like safe(variable) which would whitelist that variable as being non-sensitive information that's OK to leak and could be automatically excluded from the output. Then, if all of the code is good, the output should be empty.