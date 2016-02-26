Security devs forced to hide Boolean logic from overeager optimizer:
The creators of security software have encountered an unlikely foe in their attempts to protect us: modern compilers.
Today's compilers boil down code into its most efficient form, but in doing so they can undo safety precautions.
"Modern software compilers are breaking our code," said René Meusel, sharing his concerns in a FOSDEM talk on February 1.
Meusel manages the Botan cryptography library and is also a senior software engineer at Rohde & Schwarz Cybersecurity.
As the maintainer of Botan, Meusel is cognizant of all the different ways encryption can be foiled. It's not enough to get the math right. Your software also needs to encrypt and decrypt safely.
Writing code to execute this task can be trickier than some might imagine. And the compilers aren't helping.
Meusel offered an example of the kind of problem he deals with implementing a simple login system.
The user types in a password, which gets checked against a database, character by character. Once the first character doesn't match, an error message is returned.
For a close observer trying to break in, the time it takes the system to return that error indicates how many letters of the guessed password the user has already entered correctly. A longer response time indicates more of the password has been guessed.
This side-channel leak has been used in the past to facilitate brute-force break-ins. It just requires a high-resolution clock that can tell the minuscule differences in response times.
Good thing cryptographers are a congenitally paranoid sort. They have already created preventive functions to equalize these response times to the user so they are not so revealing. These constant-time implementations "make the run time independent of the password," Meusel said.
The GNU C compiler is excellent with reasoning about Boolean values. It may be too clever. Like Microsoft Clippy-level clever.
Meusel ran a constant-time implementation through GCC 15.2 (with -std=c++23 -O3).
The loop to check the character exits early when the character is correct, so GCC assumed the rest of the function wasn't needed. But the rest of the code that actually fixed the timing was jettisoned, and the side-channel vulnerability was exposed once again. Thanks, GCC.
Meusel didn't get into why C optimizers have it in for Boolean comparisons, but good C programmers know to fear the aggressive optimization of Boolean logic, which can be hazardous to their finished products.
Boolean decisions mean branching, which is expensive for the hardware, so the compiler would just rather turn your branchful code into branchless control-flow logic anyway, and that's cool, right?
The trick is to hide the semantics of this little program from the compiler, Meusel advised.
The first step is to replace the Boolean value that the loop is given with a two-bit integer, and use some bit shift or bitwise operations to mask the input (Meusel supplies the requisite code in his talk, so check out the slides for all the geeky goodness).
You would think this would do the job.
But GCC is smarter than that. It can see when you are trying to make a sneaky Boolean comparison.
So you need to apply an obfuscation function to both the input and the output. But not for any benefit to the program itself, but just because these are other values that the compiler could use "to screw us over," Meusel said.
And, finally, you need to throw the value through some inline assembly code that does absolutely nothing but return the same value. In effect it warns the compiler, which doesn't understand assembly, to not mess with these values however Boolean they may appear.
[...] There are a number of takeaways from Meusel's talk, the chief one being: maybe just switch off the optimization button on GCC?
Nonetheless, compiler builders may want to consider factors other than code efficiency.
"They want to make your code fast, and they're really good at it, but they don't put any other qualitative requirements of your implementation into this consideration," Meusel said.
(Score: 2) by istartedi on Wednesday February 18, @12:04AM
That example of void doSomething1(int *x, int *y) where x and y point to the same thing? That's what the new restrict keyword is for. The code should not be dangerous if you told the compiler not to assume non-aliased pointers. Some people might get lazy and throw the "assume no aliasing" switch globally because it's usually not a problem, until it is.
(Score: 2) by HiThere on Wednesday February 18, @01:57AM (1 child)
If you don't want the routing aggressively optimized, don't ask for that to happen. An if a constant time delay is important, you *DON'T* want it aggressively optimized.
(Score: 2) by Bentonite on Wednesday February 18, @02:22AM
It really isn't an aggressive optimization to add an early return for a loop that can be completed early.
GCC in the future could do the same optimization for -O2 - as the developer found out, the only way to be sure passwords are insecurely checked in constant time is to use assembly (GCC optimization of assembly soon :D).
(Score: 2) by looorg on Wednesday February 18, @02:06AM (1 child)
So now you have to obfuscate your own code so you won't be compromised by your own compiler ... Makes sense ...
(Score: 2) by Bentonite on Wednesday February 18, @02:18AM
GCC's optimizer is so good that it will see through your petty obfuscation and manage to optimize anyway.
You need to disable optimizations, either globally or locally with a pragma, if you don't want GCC to optimize something.
Rather than rolling your own password-checking algorithm and failing, you should instead use one of the several available free software constant-time salting and hashing libraries and compare the hashes for password checking (yes, using memcmp() and not strcmp() to compare the hashes).
(Score: 2) by Bentonite on Wednesday February 18, @02:13AM
If you pass -O3, you are configuring GCC to make the software run as fast as possible, which includes optimizations that speed up slow constant time loops with early returns.
If you don't want that behavior, clearly you need to disable optimizations;
#pragma GCC push_options
#pragma GCC optimize ("O0")
int unoptimised (...) { .... }
#pragma GCC pop_options
Note that it is not guaranteed to work in the future, as the C compiler is allowed to output any assembler it wants, as long as that matches the defined behavior of the C logic flow (for undefined behavior, it can make daemons fly out of your nose).
If security is actually important, you wouldn't insecurely store the password and check it character-by-character.
Rather you would be salting and hashing passwords before comparing the resulting hashes (even if insecurely written with branches, hashing algorithms differ little in runtime and typically a optimized constant-time hash algorithm in assembly would be used).