Add BlackBox
#123
Merged
Add BlackBox
#123
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tarcieri
commented
Jun 19, 2024
| // Unsafe is ok, because: | ||
| // - &input is not NULL; | ||
| // - size of input is not zero; | ||
| // - u8 is neither Sync, nor Send; |
isislovecruft
approved these changes
Jun 19, 2024
|
Edit: added in c0774e9 |
tarcieri
force-pushed
the
black-box
branch
3 times, most recently
from
45f03d4
to
068de49
Compare
Adds a `VolatileCell`-like struct which introduces an optimization barrier on all accesses. The `*Cell`-like `get()` method is the only accessor for the inner value and uses a more generalized (i.e. for all `Copy` types) `black_box` to preclude optimizations. This is useful for things like bitwise mask values to ensure LLVM doesn't try to optimize around special cases like `0`, especially in the context of loops. For an example use case, see: https://rustsec.org/advisories/RUSTSEC-2024-0344.html
isislovecruft
merged commit 3e8d92b
into
dalek-cryptography:develop
3 of 4 checks passed
tarcieri
added a commit
to dalek-cryptography/curve25519-dalek
that referenced
this pull request
Jun 20, 2024
Replaces the security mitigation added in #659 and #661 for masking-related timing variability which used an inline `black_box` using the recently added `subtle::BlackBox` newtype (see dalek-cryptography/subtle#123) Internally `BlackBox` uses a volatile read by default (i.e. same strategy which was used before) or when the `core_hint_black_box` feature of `subtle` is enabled, it uses `core::hint::black_box` (whose documentation was recently updated to reflect the nuances of potential cryptographic use, see rust-lang/rust#126703) This PR goes ahead and uses `BlackBox` for both `mask` and `underflow_mask` where previously it was only used on `underflow_mask`. The general pattern of bitwise masking inside a loop seems worrisome for the optimizer potentially inserting branches in the future. Below are godbolt inspections of the generated assembly, which are free of the `jns` instructions originally spotted in #659/#661: - 32-bit (read_volatile): https://godbolt.org/z/TKo9fqza4 - 32-bit (hint::black_box): https://godbolt.org/z/caoMxYbET - 64-bit (read_volatile): https://godbolt.org/z/PM6zKjj1f - 64-bit (hint::black_box): https://godbolt.org/z/nseaPvdWv
tarcieri
added a commit
to tarcieri/subtle
that referenced
this pull request
Jun 21, 2024
Seems some changes I force pushed to dalek-cryptography#123 didn't wind up getting merged. In that PR, I noted that `pub const fn new` was MSRV breaking and got rid of the `const` but that didn't end up in `develop`. I also encountered a build failure on `develop` since the legacy `black_box` function wasn't gated on the `core_hint_black_box` feature and thus clashed with `core::hint::black_box` when it was imported: ``` Compiling subtle v2.6.0 (/Users/tarcieri/src/subtle) error[E0255]: the name `black_box` is defined multiple times --> src/lib.rs:223:1 | 100 | use core::hint::black_box; | --------------------- previous import of the value `black_box` here ... 223 | fn black_box<T: Copy>(input: T) -> T { | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ `black_box` redefined here | = note: `black_box` must be defined only once in the value namespace of this module help: you can use `as` to change the binding name of the import | 100 | use core::hint::black_box as other_black_box; | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ warning: unused import: `core::hint::black_box` --> src/lib.rs:100:5 | 100 | use core::hint::black_box; | ^^^^^^^^^^^^^^^^^^^^^ | = note: `#[warn(unused_imports)]` on by default ``` This is a breaking change since we shipped a `const fn` for `BlackBox::new` already, so I'd suggest releasing this as 2.6.1 and yanking 2.6.0 for being unintentionally MSRV breaking.
tarcieri
added a commit
to dalek-cryptography/curve25519-dalek
that referenced
this pull request
Jun 24, 2024
Replaces the security mitigation added in #659 and #661 for masking-related timing variability which used an inline `black_box` using the recently added `subtle::BlackBox` newtype (see dalek-cryptography/subtle#123) Internally `BlackBox` uses a volatile read by default (i.e. same strategy which was used before) or when the `core_hint_black_box` feature of `subtle` is enabled, it uses `core::hint::black_box` (whose documentation was recently updated to reflect the nuances of potential cryptographic use, see rust-lang/rust#126703) This PR goes ahead and uses `BlackBox` for both `mask` and `underflow_mask` where previously it was only used on `underflow_mask`. The general pattern of bitwise masking inside a loop seems worrisome for the optimizer potentially inserting branches in the future. Below are godbolt inspections of the generated assembly, which are free of the `jns` instructions originally spotted in #659/#661: - 32-bit (read_volatile): https://godbolt.org/z/TKo9fqza4 - 32-bit (hint::black_box): https://godbolt.org/z/caoMxYbET - 64-bit (read_volatile): https://godbolt.org/z/PM6zKjj1f - 64-bit (hint::black_box): https://godbolt.org/z/nseaPvdWv
rozbb
pushed a commit
to dalek-cryptography/curve25519-dalek
that referenced
this pull request
Jun 24, 2024
Replaces the security mitigation added in #659 and #661 for masking-related timing variability which used an inline `black_box` using the recently added `subtle::BlackBox` newtype (see dalek-cryptography/subtle#123) Internally `BlackBox` uses a volatile read by default (i.e. same strategy which was used before) or when the `core_hint_black_box` feature of `subtle` is enabled, it uses `core::hint::black_box` (whose documentation was recently updated to reflect the nuances of potential cryptographic use, see rust-lang/rust#126703) This PR goes ahead and uses `BlackBox` for both `mask` and `underflow_mask` where previously it was only used on `underflow_mask`. The general pattern of bitwise masking inside a loop seems worrisome for the optimizer potentially inserting branches in the future. Below are godbolt inspections of the generated assembly, which are free of the `jns` instructions originally spotted in #659/#661: - 32-bit (read_volatile): https://godbolt.org/z/TKo9fqza4 - 32-bit (hint::black_box): https://godbolt.org/z/caoMxYbET - 64-bit (read_volatile): https://godbolt.org/z/PM6zKjj1f - 64-bit (hint::black_box): https://godbolt.org/z/nseaPvdWv
jmwample
pushed a commit
to jmwample/curve25519-dalek
that referenced
this pull request
Jun 26, 2024
…y#662) Replaces the security mitigation added in dalek-cryptography#659 and dalek-cryptography#661 for masking-related timing variability which used an inline `black_box` using the recently added `subtle::BlackBox` newtype (see dalek-cryptography/subtle#123) Internally `BlackBox` uses a volatile read by default (i.e. same strategy which was used before) or when the `core_hint_black_box` feature of `subtle` is enabled, it uses `core::hint::black_box` (whose documentation was recently updated to reflect the nuances of potential cryptographic use, see rust-lang/rust#126703) This PR goes ahead and uses `BlackBox` for both `mask` and `underflow_mask` where previously it was only used on `underflow_mask`. The general pattern of bitwise masking inside a loop seems worrisome for the optimizer potentially inserting branches in the future. Below are godbolt inspections of the generated assembly, which are free of the `jns` instructions originally spotted in dalek-cryptography#659/dalek-cryptography#661: - 32-bit (read_volatile): https://godbolt.org/z/TKo9fqza4 - 32-bit (hint::black_box): https://godbolt.org/z/caoMxYbET - 64-bit (read_volatile): https://godbolt.org/z/PM6zKjj1f - 64-bit (hint::black_box): https://godbolt.org/z/nseaPvdWv
redshiftzero
added a commit
to redshiftzero/subtle-ng
that referenced
this pull request
Aug 14, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a
VolatileCell-like struct which introduces an optimization barrier on all accesses.The
*Cell-likeget()method is the only accessor for the inner value and uses a more generalized (i.e. for allCopytypes)black_boxto preclude optimizations.This is useful for things like bitwise mask values to ensure LLVM doesn't try to optimize around special cases like
0, especially in the context of loops.For an example use case, see:
https://rustsec.org/advisories/RUSTSEC-2024-0344.html