microsoft / cheriot-ibex

cheriot-ibex is an RTL implementation of the CHERIoT ISA based on lowRISC's Ibex core.
Apache License 2.0

Potential timing side channel #38

Closed kangoojim closed 5 months ago

kangoojim commented 5 months ago

We detected a potential timing side channel. We received a counterexample that shows:

  1. a CJAL instruction setting the PC to an address outside of the PCC bounds,
  2. an instruction is then fetched from outside the bounds, and
  3. due to the bound violation an exception and a pipeline flush is triggered.

This is normal, legal behavior in our understanding.

However, the timing of the exception depends on bits [17:16] of the fetched data: if the bits are not equal to "11", the exception is triggered earlier. The reason is that the core assumes the upper halfword holds a compressed instruction.

An attacker could potentially exploit this issue by measuring overall execution time or by reading a performance counter to probe if the two bits are equal to "11" for any word outside the PCC bounds. However, we did not write SW to exploit the vulnerability to confirm if the CHERIoT HW/SW model would allow exploitation in such a case.

We will check now if commit 876a46a solves the issue.

Best regards, Anna and Johannes
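
The property behind the report above, as an added example that is not part of the issue thread or the cheriot-ibex code base: a toy Python model in which exception latency depends on bits [17:16] of the out-of-bounds fetch word, with a check that searches for two words that yield different latencies. The cycle counts, function names, sample words and the data-independent variant are assumptions made for illustration; they do not describe the RTL or commit 876a46a.

```python
from itertools import combinations

BASE_CYCLES = 3  # hypothetical latency; the issue gives no cycle counts


def upper_half_looks_compressed(word: int) -> bool:
    """Bits [17:16] are the two lowest bits of the upper halfword.

    In RISC-V, an instruction whose two lowest bits are not 0b11 is a
    16-bit compressed instruction.
    """
    return ((word >> 16) & 0b11) != 0b11


def leaky_latency(word: int) -> int:
    """Reported behaviour: the exception comes earlier when bits != 0b11."""
    return BASE_CYCLES if upper_half_looks_compressed(word) else BASE_CYCLES + 1


def uniform_latency(word: int) -> int:
    """Hypothetical variant whose latency ignores the fetched data."""
    return BASE_CYCLES + 1


def sample_words() -> list[int]:
    """Constructed fetch words: two backgrounds x four values of bits [17:16]."""
    backgrounds = (0x00000000, 0xFFFCFFFF)
    return [bg | (bits << 16) for bg in backgrounds for bits in range(4)]


def find_counterexample(latency, words):
    """Return the first pair of words with different latency, or None."""
    for a, b in combinations(words, 2):
        if latency(a) != latency(b):
            return a, b
    return None


if __name__ == "__main__":
    for name, model in (("leaky", leaky_latency), ("uniform", uniform_latency)):
        pair = find_counterexample(model, sample_words())
        print(name, "->", None if pair is None else tuple(hex(w) for w in pair))
```
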

kangoojim commented 5 months ago

According to our proofs, commit 876a46a solves the issue, thanks!

kliuMsft commented 5 months ago

Great, thanks for confirming.
