* [PATCH v2] memcmp.3: Recast security caveat
@ 2023-07-30 15:31 G. Branden Robinson
2023-07-30 17:31 ` Alejandro Colomar
0 siblings, 1 reply; 4+ messages in thread
From: G. Branden Robinson @ 2023-07-30 15:31 UTC (permalink / raw)
To: Alejandro Colomar; +Cc: linux-man
Use terminology more carefully.
* Refer to the info sec property of confidentiality instead of saying,
vaguely, "security-critical".
https://informationsecurity.wustl.edu/items/\
confidentiality-integrity-and-availability-the-cia-triad/
* Try not to confuse anyone who's studied the analysis of algorithms:
don't say "constant time" when "deterministic time" is meant. The
time to perform the memory comparison remains linear (O(n)), not
constant (O(1)).
* Tighten wording.
Signed-off-by: G. Branden Robinson <g.branden.robinson@gmail.com>
---
man3/memcmp.3 | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/man3/memcmp.3 b/man3/memcmp.3
index 9a2aad353..67ebe392e 100644
--- a/man3/memcmp.3
+++ b/man3/memcmp.3
@@ -67,9 +67,17 @@ .SH HISTORY
.SH CAVEATS
Do not use
.BR memcmp ()
-to compare security critical data, such as cryptographic secrets,
-because the required CPU time depends on the number of equal bytes.
-Instead, a function that performs comparisons in constant time is required.
+to compare confidential data,
+such as cryptographic secrets,
+because the CPU time required for the comparison
+depends on the contents of the addresses compared,
+this function is subject to timing-based side-channel attacks.
+In such cases,
+a function that performs comparisons in deterministic time,
+depending only on
+.I n
+(the quantity of bytes compared)
+is required.
Some operating systems provide such a function (e.g., NetBSD's
.BR consttime_memequal ()),
but no such function is specified in POSIX.
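Review bot: "deterministic time" in the added line "+a function that performs comparisons in deterministic time," does not name the property that matters, because memcmp() is also deterministic in the sense that its running time is a function of its inputs. What the caveat needs is a running time that does not depend on the contents being compared, which the following "depending only on n" clause already carries. Consider dropping the adjective and writing "in time that depends only on n", or using "data-independent time", so the reader is not left to infer the meaning from the trailing clause.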
--
2.30.2
v2: Tweak phrasing per suggestions from Alex Colomar.
Regards,
Branden
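
The distinction drawn in the commit message above (linear time that depends only on n, not constant time), as an added example that is not part of this thread or of the man-pages project. The function names, the step counter used as a stand-in for CPU time, and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit equality test, the way a simple memcmp() loop behaves.
 * *steps counts bytes examined, a stand-in for CPU time. */
static int early_exit_equal(const void *a, const void *b, size_t n,
                            size_t *steps)
{
    const unsigned char *pa = a, *pb = b;

    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        ++*steps;
        if (pa[i] != pb[i])
            return 0;   /* work done reveals the first differing offset */
    }
    return 1;
}

/* Fixed-work equality test: every byte is examined and differences are
 * folded into one accumulator, so the work is O(n) and depends only on n. */
static int fixed_work_equal(const void *a, const void *b, size_t n,
                            size_t *steps)
{
    const volatile unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;

    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        ++*steps;
        diff |= (unsigned char)(pa[i] ^ pb[i]);
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values, 16 bytes each. */
    static const char secret[]    = "0123456789abcdef";
    static const char bad_first[] = "X123456789abcdef";
    static const char bad_last[]  = "0123456789abcdeX";
    size_t s1, s2;

    early_exit_equal(secret, bad_first, 16, &s1);
    early_exit_equal(secret, bad_last, 16, &s2);
    printf("early exit: %zu vs %zu bytes examined\n", s1, s2);
    fixed_work_equal(secret, bad_first, 16, &s1);
    fixed_work_equal(secret, bad_last, 16, &s2);
    printf("fixed work: %zu vs %zu bytes examined\n", s1, s2);
    return 0;
}
```

A compiler is still free to transform a hand-written loop like this, so production code should call a platform-provided routine such as the consttime_memequal() the man page mentions, where one exists.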
* Re: [PATCH v2] memcmp.3: Recast security caveat
2023-07-30 15:31 [PATCH v2] memcmp.3: Recast security caveat G. Branden Robinson
@ 2023-07-30 17:31 ` Alejandro Colomar
2023-07-31 11:06 ` G. Branden Robinson
0 siblings, 1 reply; 4+ messages in thread
From: Alejandro Colomar @ 2023-07-30 17:31 UTC (permalink / raw)
To: G. Branden Robinson; +Cc: linux-man
Hi Branden,
On 2023-07-30 17:31, G. Branden Robinson wrote:
> Use terminology more carefully.
>
> * Refer to the info sec property of confidentiality instead of saying,
> vaguely, "security-critical".
> https://informationsecurity.wustl.edu/items/\
> confidentiality-integrity-and-availability-the-cia-triad/
> * Try not to confuse anyone who's studied the analysis of algorithms:
> don't say "constant time" when "deterministic time" is meant. The
> time to perform the memory comparison remains linear (O(n)), not
> constant (O(1)).
> * Tighten wording.
I prefer 2 spaces between the bullet and the list contents. See
man-pages(7). Anyway, I accepted it this time. :)
>
> Signed-off-by: G. Branden Robinson <g.branden.robinson@gmail.com>
You need to quote your name with '"' due to the '.'. I've found
some software has issues with it. git-send-email(1) is one of them
(due to the perl library it uses).
Anyway, patch applied. Thanks!
Cheers,
Alex
> ---
> man3/memcmp.3 | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/man3/memcmp.3 b/man3/memcmp.3
> index 9a2aad353..67ebe392e 100644
> --- a/man3/memcmp.3
> +++ b/man3/memcmp.3
> @@ -67,9 +67,17 @@ .SH HISTORY
> .SH CAVEATS
> Do not use
> .BR memcmp ()
> -to compare security critical data, such as cryptographic secrets,
> -because the required CPU time depends on the number of equal bytes.
> -Instead, a function that performs comparisons in constant time is required.
> +to compare confidential data,
> +such as cryptographic secrets,
> +because the CPU time required for the comparison
> +depends on the contents of the addresses compared,
> +this function is subject to timing-based side-channel attacks.
> +In such cases,
> +a function that performs comparisons in deterministic time,
> +depending only on
> +.I n
> +(the quantity of bytes compared)
> +is required.
> Some operating systems provide such a function (e.g., NetBSD's
> .BR consttime_memequal ()),
> but no such function is specified in POSIX.
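Review bot: The added lines "+depends on the contents of the addresses compared," and "+this function is subject to timing-based side-channel attacks." join two clauses with only a comma, so the "because" clause hangs between "Do not use" and the new clause. Ending the first sentence after "such as cryptographic secrets" and starting a new one with "Because the CPU time required ..." would fix the structure. In the same sentence, "contents of the addresses" is loose, since it is the memory areas that have contents, and a comma after "(the quantity of bytes compared)" would close the parenthetical clause before "is required".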
--
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
* Re: [PATCH v2] memcmp.3: Recast security caveat
2023-07-30 17:31 ` Alejandro Colomar
@ 2023-07-31 11:06 ` G. Branden Robinson
2023-07-31 11:53 ` Alejandro Colomar
0 siblings, 1 reply; 4+ messages in thread
From: G. Branden Robinson @ 2023-07-31 11:06 UTC (permalink / raw)
To: Alejandro Colomar; +Cc: linux-man
Hi Alex,
At 2023-07-30T19:31:39+0200, Alejandro Colomar wrote:
> On 2023-07-30 17:31, G. Branden Robinson wrote:
> > Use terminology more carefully.
> >
> > * Refer to the info sec property of confidentiality instead of saying,
> > vaguely, "security-critical".
> > https://informationsecurity.wustl.edu/items/\
> > confidentiality-integrity-and-availability-the-cia-triad/
> > * Try not to confuse anyone who's studied the analysis of algorithms:
> > don't say "constant time" when "deterministic time" is meant. The
> > time to perform the memory comparison remains linear (O(n)), not
> > constant (O(1)).
> > * Tighten wording.
>
> I prefer 2 spaces between the bullet and the list contents. See
> man-pages(7). Anyway, I accepted it this time. :)
This had me confused for a while, since I had no tagged paragraphs in
the patch. You must mean in the commit message, too. I don't think
that's documented...? I guess it should go in the "CONTRIBUTING" file.
> You need to quote your name with '"' due to the '.'. I've found
> some software has issues with it. git-send-email(1) is one of them
> (due to the perl library it uses).
Thanks--I fixed my vi ":ab" command to take care of this.
Regards,
Branden
* Re: [PATCH v2] memcmp.3: Recast security caveat
2023-07-31 11:06 ` G. Branden Robinson
@ 2023-07-31 11:53 ` Alejandro Colomar
0 siblings, 0 replies; 4+ messages in thread
From: Alejandro Colomar @ 2023-07-31 11:53 UTC (permalink / raw)
To: G. Branden Robinson; +Cc: linux-man
Hi Branden,
On 2023-07-31 13:06, G. Branden Robinson wrote:
> Hi Alex,
>
> At 2023-07-30T19:31:39+0200, Alejandro Colomar wrote:
>> On 2023-07-30 17:31, G. Branden Robinson wrote:
>>> Use terminology more carefully.
>>>
>>> * Refer to the info sec property of confidentiality instead of saying,
>>> vaguely, "security-critical".
>>> https://informationsecurity.wustl.edu/items/\
>>> confidentiality-integrity-and-availability-the-cia-triad/
>>> * Try not to confuse anyone who's studied the analysis of algorithms:
>>> don't say "constant time" when "deterministic time" is meant. The
>>> time to perform the memory comparison remains linear (O(n)), not
>>> constant (O(1)).
>>> * Tighten wording.
>>
>> I prefer 2 spaces between the bullet and the list contents. See
>> man-pages(7). Anyway, I accepted it this time. :)
>
> This had me confused for a while, since I had no tagged paragraphs in
> the patch. You must mean in the commit message, too.
Yup; sorry; I did mean the commit message, yes.
> I don't think
> that's documented...? I guess it should go in the "CONTRIBUTING" file.
I didn't document it in CONTRIBUTING, because usually I don't receive
bulleted lists in commit messages. Only you and Paul Eggert seem to
send those (no problem with that, though; they are fine).
The only documentation is in man-pages(7), since man(7) source is the
only place where they are commonly used in the project:
    Lists
        There are different kinds of lists:
        [...]
        Bullet lists
               Elements are preceded by bullet symbols (\[bu]).  Anything
               that doesn’t fit elsewhere is usually covered by
               this type of list.
        [...]
        There should always be exactly 2 spaces between the list symbol
        and the elements.  This doesn’t apply to "tagged paragraphs",
        which use the default indentation rules.
>
>> You need to quote your name with '"' due to the '.'. I've found
>> some software has issues with it. git-send-email(1) is one of them
>> (due to the perl library it uses).
>
> Thanks--I fixed my vi ":ab" command to take care of this.
Nice; I didn't know of :ab :)
Cheers,
Alex
>
> Regards,
> Branden
--
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5